Secure Boot certificate update status in the Windows Security app
Original publish date: April 2, 2026
KB ID: 5087130
Note: This article is intended primarily for Windows Pro and Home users. For IT professionals or enterprise IT-managed devices, refer to IT admin guide: Secure Boot certificate update status in the Windows Security app.
Summary
Starting in April 2026, the Windows Security app displays additional information about the status of Secure Boot certificate updates on your device. You can find this under Device security > Secure Boot.
Microsoft Secure Boot certificates, originally issued in 2011, are approaching expiration in 2026. Updated 2023 certificates are being delivered automatically through Windows Update. The Windows Security app now shows whether your device has received these updates, what your current status is, and whether any action is needed.
Learn more about automatic Secure Boot certificate updates on Windows devices for home users, businesses, and schools with Microsoft-managed updates.
What you'll see in the Windows Security app
In Device security > Secure Boot, a green, yellow, or red badge indicates your current Secure Boot certificate update status. If Secure Boot requires attention, you might see a badge on the Device security area in the Windows Security app. A corresponding indicator might also appear on the Windows Security system tray icon to let you know that action is recommended.
- A green icon means that your device is sufficiently protected and there aren’t any recommended actions.
- A yellow icon means that there is a safety recommendation for you.
- A red icon indicates something that needs your immediate attention.

To help you easily understand your device’s Secure Boot certificate update status, each badge icon corresponds to a specific update state. The Windows Security app might show one of the following Secure Boot certificate update states:
Your device has received all required Secure Boot certificate updates, and the updated Boot Manager has been installed. No action is needed. The Secure Boot badge shows a green checkmark.
Your device is running with an older Secure Boot certificate. The Secure Boot certificate update is expected to be applied automatically through Windows Update. Make sure your device is connected to the internet and has the latest Windows updates installed.
Starting in May 2026, in addition to informational text about your device’s Secure Boot status, a yellow caution badge might appear if additional action is required. This can happen when the update is blocked by a device's hardware or firmware limitation.
A security update exists for the Windows boot experience that cannot be delivered to your device's current boot configuration. This state appears only after a security vulnerability that affects the boot process is discovered and cannot be serviced on devices that have not yet received the updated certificates. This could occur as early as June 2026, when some of the current Secure Boot certificates begin to expire. When this occurs, the Secure Boot badge changes to a red stop icon.
Note: Some Secure Boot states unrelated to certificates can be reflected in the status messages, such as: “Secure boot is off, your device may be vulnerable.”
In addition to the badges in different colors, depending on your device's configuration, you can see one of the following messages in the Secure Boot section.
| If you see this message in the Secure Boot section | What you should do |
|---|---|
| Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed. | No action is needed. |
| Secure Boot is on, but your device is using an older boot trust configuration that should be updated. | Make sure your device has the latest Windows updates installed. Restart if prompted. |
| Secure Boot is on, but your device is affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution. The update will resume automatically once resolved. | No action is needed. The certificates update will resume automatically once the issue is resolved. |
| Secure Boot is on, but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update. Visit the link below for more information. | Your device might need additional validation before the update can proceed automatically. Visit aka.ms/getsecureboot for more information. |
| Secure Boot is on, but your device does not support the automated Secure Boot certificate update due to hardware or firmware limitations. Contact your device manufacturer for assistance. | Contact your device manufacturer for assistance. |
| Secure Boot is on, but this device can no longer receive required updates for the Windows boot experience. | Your device is still using an old certificate after the expiration dates. Visit aka.ms/getsecureboot for guidance. |

Timeline of changes
These feature enhancements are rolling out automatically starting in April 2026. When these features are enabled on your device, you’ll see Secure Boot certificate status inside the Windows Security app (Windows Security > Device security > Secure Boot), including visual indicators that reflect the current state.
Beginning in May 2026, additional improvements will become available, including notifications outside the app (such as system alerts) and additional in‑app guidance and controls to help you respond to Secure Boot warnings.
Windows Security system tray icon
The Windows Security app displays an icon in the system tray (notification area) at the bottom right of your screen. This icon has always included a badge that reflects the overall security status of your device. It's calculated as the most severe state across all security features.
When the Secure Boot certificate state changes the Secure Boot badge to yellow or red, this propagates to the Device security icon as described in What you'll see in the Windows Security app above.
How to dismiss warnings
Warning: If your device has not yet received the updated certificates, dismissing the warnings is not recommended.
You can dismiss Secure Boot warnings from the Device security > Secure Boot section in the Windows Security app. Devices with outdated Secure Boot certificates and boot loaders might be unable to receive future security updates that protect the Windows startup process.
Select the Dismiss button under the Secure Boot status message. When you dismiss:

- The Secure Boot icon badge reverts to the default state.
- App notifications are paused for this device until the status changes.
- The status text in the app remains visible.

Select I accept the risks, don't remind me. This requires administrator privileges. When you dismiss:

- The Secure Boot icon badge reverts to the default state.
- App notifications are paused for this device until the status changes.
- The status text in the app remains visible.

Information for IT administrators
The new Device security enhancements for Secure Boot certificate state are disabled by default on enterprise-managed Windows 10 and Windows 11 client devices and Windows Server. If you're an IT administrator and want to enable this experience for devices in your organization, see the complete guidance at IT admin guide: Secure Boot certificate update status in the Windows Security app.
Frequently asked questions
In the majority of cases, no action is needed. The Secure Boot certificate update is delivered automatically through Windows Update to consumer PCs and some business devices. Make sure your device is connected to the internet and has the latest updates installed. If the Windows Security app shows a green checkmark for Secure Boot, no action is needed.
A yellow badge on Secure Boot means your device has an actionable issue, such as a hardware or firmware limitation that prevents the automated certificate update. Contact your device manufacturer for assistance.
A red badge on Secure Boot means a security vulnerability exists, which cannot be serviced on your device's current boot configuration. Visit aka.ms/getsecureboot for guidance on next steps.
Your device will continue to work normally for some time. However, after the current Secure Boot certificates expire, over time, your device might not be able to receive security updates that protect the Windows startup process. This may also lead to compatibility issues, as newer operating systems, firmware, hardware or Secure Boot-dependent software may fail to load. The Windows Security app will guide you on the next steps.
Microsoft can temporarily pause the Secure Boot certificate updates for certain device configurations while a compatibility issue is being investigated. The update will resume automatically once the issue is resolved. No action is needed.
Some devices cannot receive the automated Secure Boot certificate updates due to limitations in the device's hardware or firmware. Contact your device manufacturer for assistance.
The in-app Secure Boot status text is visible on all supported Windows versions. However, Secure Boot-specific badge changes and app notifications are disabled by default on managed and enterprise devices to reduce notification noise. IT administrators can enable them by setting HideSecureBootStates to 0 in the registry. See the complete guidance at IT admin guide: Secure Boot certificate update status in the Windows Security app.
Visit aka.ms/getsecureboot for the latest information about Secure Boot certificate updates and guidance for your device.