Microsoft is finally making Secure Boot certificate status visible to regular Windows users, after 15 years of relying on certificates that most users never knew were expiring.
The change arrives in the April 2026 Windows Update, where the familiar green check in Windows Security > Device Security > Secure Boot now comes with layered meaning. A green icon alone no longer guarantees safety; users must now read the accompanying text: “Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed.” Without that specific phrasing, the system may still be running on certificates issued in 2011 — set to expire in June 2026 — leaving machines vulnerable to boot-level malware like bootkits that can hijack the startup process before antivirus software even loads.
For years, this expiry date was buried in technical documentation, known to IT administrators but invisible to consumers. Microsoft’s own support pages had warned of the June 2026 deadline, yet the Windows Security app offered no way to verify compliance without digging into PowerShell logs or Event Viewer — tools unfamiliar to most users. The April update closes that gap by embedding certificate status directly into the user interface, turning an abstract firmware concern into a visible, actionable alert.
The rollout is gradual. Microsoft confirmed to Windows Latest that the feature ships via KB5083769 (Build 26200.8246 or newer) but won’t appear immediately on all devices. Users are advised to check back by the end of April if the status isn’t yet visible. This staggered delivery reflects the complexity of updating firmware-level security across hundreds of millions of unique hardware configurations from OEMs worldwide — a coordination effort Microsoft describes as one of the largest in Windows history.
What makes this moment notable isn’t just the technical shift, but the admission that security transparency had been neglected for over a decade. The certificates themselves weren’t flawed; they were simply outdated, their expiry date set when Windows 7 was new and threats like Spectre and Meltdown were theoretical. Now, as firmware attacks grow more sophisticated, Microsoft is treating certificate renewal not as a background task but as a user-facing responsibility — a quiet shift toward accountability in consumer-facing security.
For Windows 10 users still relying on extended support, the stakes are higher. Without access to the latest feature updates, they must manually verify whether their OEM has provided firmware-level certificate updates through alternative channels. Microsoft’s guidance remains clear: if you don’t see the green check with the correct text by late April, assume action is needed — and don’t wait for a red warning to appear.
How do I check if my Secure Boot certificates are up to date?
Go to Windows Security > Device Security > Secure Boot. Look for a green badge accompanied by the exact text: “Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed.” If you see only a green check without that phrase, or a yellow/red icon, your certificates may still be the 2011 versions expiring in June.
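For readers who prefer the PowerShell route mentioned earlier, the following read-only check is an added example, not code from the article or from Microsoft. It assumes an elevated prompt on a UEFI machine, and the certificate common names it searches for are Microsoft's published names, which the article itself does not list.

```powershell
# Added example (not from the article): read-only check of the Secure Boot
# certificates enrolled in firmware. Run from an elevated PowerShell prompt.

# Assumption: certificate common names as published by Microsoft (not in the article).
$pairs = @(
    @{ Variable = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' },
    @{ Variable = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' }
)

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # The variable is a binary EFI signature list. Certificate subject names are
    # stored as ASCII-compatible strings inside it, so decoding the bytes as
    # ASCII is enough for a presence check. It does not validate the certificates.
    $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    [System.Text.Encoding]::ASCII.GetString($bytes)
}

try {
    # Returns $true or $false on UEFI systems; throws on legacy BIOS or without elevation.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop

    $report = foreach ($p in $pairs) {
        $text = Get-SecureBootVariableText -Name $p.Variable
        [pscustomobject]@{
            Variable = $p.Variable
            Has2011  = $text.Contains($p.Old)   # informational only
            Has2023  = $text.Contains($p.New)   # used for the verdict below
        }
    }
} catch {
    Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
    return
}

$report | Format-Table -AutoSize

if (-not $enabled) {
    Write-Warning 'Secure Boot is off; certificate status has no effect until it is enabled.'
} elseif ($report.Has2023 -contains $false) {
    Write-Warning 'A 2023 certificate is missing from db or KEK; the update is not fully applied.'
} else {
    'Secure Boot is on; 2023 certificates are present in db and KEK.'
}
```

This only shows which certificates are enrolled in firmware; the status text in Windows Security remains the confirmation the article describes.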

What happens if I don’t update before the certificates expire in June?
Your PC could be exposed to boot-level malware such as bootkits, which infect the system before the operating system loads and can bypass traditional security software. While exploitation requires sophisticated attacks, the risk increases as the expiry date approaches and attackers target known vulnerabilities in legacy validation chains.

Do I need to reinstall Windows to get the update?
No. The Secure Boot 2023 certificate updates are delivered automatically through Windows Update as part of the April 2026 security patch. No reinstallation is required, though a restart may be needed to apply the changes fully.
