Starting April 2026, the Windows Security app can show users the status of their Secure Boot certificate updates. This experience is disabled by default on enterprise-managed Windows 10 and Windows 11 client devices and Windows Server. If you want to enable this experience for devices in your organization, see the complete guidance at IT admin guide: Secure Boot certificate update status in the Windows Security app.
When will this happen:
- In April 2026, this enhancement brings green, yellow, and red badges to Device security > Secure Boot.
- In May 2026, notifications will appear outside the app (such as system alerts).
- In late June 2026, the 2011 Secure Boot certificates begin expiring. Devices need updated 2023 certificates by this date to remain protected and productive.
How this will affect your organization:
This feature is available in Windows 11, Windows 10, Windows Server 2025, Windows Server 2022, and Windows Server 2019. It’s disabled by default on enterprise IT-managed devices. If enabled, visual indicators and warnings can help users know their Secure Boot certificate update status. If action is required, notifications will guide users to take appropriate steps. This feature complements, and does not replace, the IT monitoring and deployment guidance in Secure Boot playbook for certificates expiring in 2026.
What you need to do to prepare:
If you don’t wish to enable this feature for users at your organization, no action is required.
If you do want to enable it, use the registry key guidance in IT admin guide: Secure Boot certificate update status in the Windows Security app. See Additional information for more helpful resources.
Additional information:
- See complete information at IT admin guide: Secure Boot certificate update status in the Windows Security app.
- If you enable this feature, share this user-focused KB article with your users: Secure Boot certificate update status in the Windows Security app.
- For a comprehensive review of Secure Boot certificate updates, visit https://aka.ms/GetSecureBoot.
- For devices that don’t have these certificates applied, use the specific monitoring and deployment methods described in the Secure Boot playbook.
- For Windows Server, see Windows Server Secure Boot playbook for certificates expiring in 2026.