Windows surfaces Secure Boot certificate status
What happened
Microsoft added Secure Boot certificate status indicators to the Windows Security app as the 2026 certificate expiration approaches, making it easier to spot devices that may lose boot trust. For fleets with a long tail of older laptops, the new indicators turn a hidden firmware trust issue into a triageable maintenance item. (helpnetsecurity.com) (technobezz.com)
Why it matters
Microsoft started showing per‑device status badges inside the Windows Security app so administrators and users can see whether a PC has received the replacement startup security certificates; that visibility began rolling out in April 2026, with broader system notifications scheduled to appear in May 2026. (windowslatest.com) (support.microsoft.com) Machines that miss the update will continue to start and run applications, but they will stop receiving new protections that apply during the earliest stage of startup, and some third‑party boot components may fail to update without the new certificates; some older laptops will therefore need firmware updates from their manufacturer to complete the transition. (support.microsoft.com) (bleepingcomputer.com) Secure Boot is the startup check that accepts only code signed by trusted signing certificates so early boot components can’t be replaced by malware, and the certificates Microsoft originally shipped in 2011 begin expiring in June 2026; Microsoft created a new set of 2023 certificates and started delivering them through Windows Update earlier in 2026 to preserve that boot‑time trust. (support.microsoft.com) (blogs.windows.com) For managed fleets the new Windows Security indicators are turned off by default — Microsoft assumes administrators will control rollout centrally — and Microsoft published registry keys and management guidance that let IT teams trigger, monitor, or opt devices in and out of the update; the registry deployment flags include a value (0x5944) that initiates the full deployment (new certificates, updated key exchange entries, and the new boot manager). (support.microsoft.com 1) (support.microsoft.com 2) Microsoft added a dedicated Intune workflow so administrators can enable the certificate update setting via the Settings Catalog and use model‑based assignment filters to stage rollouts by hardware model, and administrators can also monitor installation status with Intune Remediations that run a PowerShell detection script and report results back to the Intune admin center. (support.microsoft.com) (4sysops.com)
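The kind of detection script an Intune Remediation would run, as an added example that is not Microsoft's script and not from the sources cited above. It reads the live UEFI signature databases with the built-in Confirm-SecureBootUEFI and Get-SecureBootUEFI cmdlets and looks for the 2023 certificate subjects, then reads the Secure Boot servicing state from the registry. The certificate subject strings, the SecureBoot\Servicing registry path, and the UEFICA2023Status and AvailableUpdates value names are assumptions drawn from Microsoft's published guidance, not from this page; adjust them if your reference differs. Exit code 0 means the device already has the 2023 certificates, exit code 1 flags it for follow-up (the Intune Remediations convention).

```powershell
# Added example, not the page's or Microsoft's code. Intune-style detection
# script: report whether this device has received the 2023 Secure Boot
# certificates and what the servicing state says. Run elevated.
# ASSUMPTIONS (from Microsoft guidance, not this page): the certificate
# subject strings below, the SecureBoot\Servicing registry key, and the
# UEFICA2023Status / AvailableUpdates value names.

$ErrorActionPreference = 'Stop'

function Get-SecureBootCertState {
    $state = [ordered]@{
        SecureBootEnabled = $false
        Has2011DbCert     = $false   # old 'Windows Production PCA 2011' still present
        Has2023DbCert     = $false   # replacement 'Windows UEFI CA 2023' present
        Has2023KekCert    = $false   # replacement KEK present
        ServicingStatus   = 'Unknown'
        AvailableUpdates  = $null    # deployment flag, e.g. 0x5944 = full deployment
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI machines.
    try { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { return [pscustomobject]$state }
    if (-not $state.SecureBootEnabled) { return [pscustomobject]$state }

    # The db/KEK variables are raw EFI_SIGNATURE_LISTs; DER-encoded subject
    # names are plain ASCII inside them, so a substring match is enough here.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $state.Has2011DbCert  = $db  -match 'Microsoft Windows Production PCA 2011'
    $state.Has2023DbCert  = $db  -match 'Windows UEFI CA 2023'
    $state.Has2023KekCert = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # Servicing state written by the Windows Update-driven certificate rollout.
    $reg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $reg) {
        $p = Get-ItemProperty -Path $reg
        if ($p.PSObject.Properties['UEFICA2023Status']) {
            $state.ServicingStatus = $p.UEFICA2023Status
        }
        if ($p.PSObject.Properties['AvailableUpdates']) {
            $state.AvailableUpdates = '0x{0:X}' -f [int]$p.AvailableUpdates
        }
    }
    [pscustomobject]$state
}

$s = Get-SecureBootCertState
# One-line JSON goes into the Intune "pre-remediation detection output" column.
Write-Output ($s | ConvertTo-Json -Compress)

if ($s.SecureBootEnabled -and $s.Has2023DbCert -and $s.Has2023KekCert) {
    exit 0   # compliant: 2023 db and KEK certificates are present
} else {
    exit 1   # needs attention: not updated, Secure Boot off, or non-UEFI
}
```

Pairing this with a remediation script that sets the deployment flag is a separate decision: on fleets where firmware updates are still outstanding, a device that reports exit 1 with Secure Boot enabled but no 2023 certificates is the one to route to the manufacturer-firmware queue rather than to an automatic retry.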