Microsoft is introducing a significant change to its Windows security update system, marking the first major overhaul of Secure Boot certificate management in more than a decade. The update, rolling out from April 2026, affects millions of users worldwide — particularly those still running Windows 10 — and comes alongside a critical monthly security patch.
Major Windows Security Update Brings New Urgency
April’s Patch Tuesday release is one of the most substantial in recent months, addressing eight critical vulnerabilities, including an actively exploited zero-day flaw. As with previous updates, users are strongly advised to install patches immediately to minimise risk.
For those on Windows 11, updates remain straightforward and automatic. However, the situation is more complex for Windows 10 users, many of whom must now rely on Microsoft’s Extended Security Updates (ESU) programme to continue receiving protection.
While monthly security updates are routine, this release introduces a notable shift in how Windows handles Secure Boot — a core security feature designed to prevent malicious software from loading during system startup.
First-Ever Expiry of Secure Boot Certificates
For the first time since Secure Boot was introduced in 2011, Microsoft is allowing its original certificates to expire. These certificates underpin the trust model that ensures only verified software runs during boot-up.
The existing certificates are set to expire in June 2026. Devices that have not received the updated 2023 certificates by then could face increased security risks or compatibility issues.
In practical terms, this affects a vast number of devices. Any PC more than two years old is likely still dependent on the older certificates and will require updating to maintain protection.
New Windows Security App Features Introduced
From April, users will begin to see enhanced information within the Windows Security app. This includes a dedicated section under:
Device Security > Secure Boot
Here, users can now check whether their system has received the latest certificate updates.
Microsoft has introduced a simple visual system to indicate status:
- Green badge – Secure Boot is properly configured, though further checks are required
- Yellow badge – Attention needed
- Red badge – Immediate action required
However, Microsoft warns that a green indicator alone is not sufficient confirmation. Users must also verify accompanying text stating:
“Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed.”
This added layer of clarity aims to reduce confusion and ensure users take appropriate action where necessary.
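For administrators who want to confirm the same state from a script instead of reading the badge, the following is an added example, not taken from the article or from Microsoft. It reads the firmware's Secure Boot variables and searches them for certificate names. The helper names are hypothetical, and the certificate names are an assumption drawn from Microsoft's published certificate guidance, since the article does not list them.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI-booted PC.
# Test-SecureBootCert and Get-SecureBootCertStatus are hypothetical helper names.

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][string]$Variable,    # UEFI variable to read: 'db' or 'KEK'
        [Parameter(Mandatory)][string]$CommonName   # certificate name to search for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $null    # unreadable: not elevated, legacy BIOS boot, or unsupported platform
    }
    # Certificate names are stored as plain ASCII inside the signature list,
    # so a substring search is enough to see whether an entry is present.
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($CommonName)
}

function Get-SecureBootCertStatus {
    try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = $null }

    # Assumption: names taken from Microsoft's certificate guidance, not from the article.
    $checks = @(
        @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
        @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Variable = 'db';  Name = 'Microsoft Windows Production PCA 2011' }
    )
    $certs = foreach ($c in $checks) {
        [pscustomobject]@{
            Variable    = $c.Variable
            Certificate = $c.Name
            Present     = Test-SecureBootCert -Variable $c.Variable -CommonName $c.Name
        }
    }
    [pscustomobject]@{ SecureBootEnabled = $enabled; Certificates = $certs }
}

$status = Get-SecureBootCertStatus
"Secure Boot enabled: $($status.SecureBootEnabled)"
$status.Certificates | Format-Table -AutoSize
```

An empty `Present` value means the variable could not be read. A name match shows only that the certificate is enrolled in firmware, so it complements the status text in the Windows Security app and does not replace it.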
Integration with Windows Update and ESU Requirements
The updated certificates are being distributed automatically via Windows Update. However, access depends on eligibility.
Devices not enrolled in Microsoft’s Extended Security Updates scheme — particularly those still running Windows 10 — may not receive the update or the accompanying alerts. This creates a clear divide between supported and unsupported systems.
For UK users, where Windows 10 still maintains a sizeable installed base across homes, schools and small businesses, this could present a logistical challenge as the June deadline approaches.
More Prominent Warnings from May
Microsoft has confirmed that additional alerts will begin appearing from May 2026. These will extend beyond the Windows Security app and include system-level notifications.
Users can expect:
- Pop-up alerts warning of impending certificate expiry
- Expanded in-app guidance
- More direct controls to resolve Secure Boot issues
The aim is to ensure that users are fully aware of the deadline and cannot overlook necessary updates.
A Shift Towards Stronger Baseline Security
This move reflects a broader industry trend towards tightening baseline security standards, particularly as cyber threats become more sophisticated.
By enforcing certificate updates and making system status more visible, Microsoft is effectively removing ambiguity around device security. For organisations and individual users alike, the message is clear: keeping systems up to date is no longer optional.
Conclusion
Microsoft’s decision to expire Secure Boot certificates for the first time marks a significant turning point in Windows security management. With a June deadline looming and new alert systems rolling out from April and May, users are being given both the tools and the warnings needed to act.
For millions still using older systems, particularly Windows 10, the update serves as a timely reminder to ensure devices remain supported, secure and fully up to date.

