Microsoft has made it easier for Windows 11 users to check whether their PCs are ready for an important Secure Boot certificate change. With the April Windows 11 update, the Windows Security app can now show clearer messages about Secure Boot certificate status, so users do not need to rely on manual PowerShell checks as much as before
The change matters because older Microsoft Secure Boot certificates begin expiring in June 2026. Secure Boot helps Windows start with trusted software and blocks certain boot-level threats before the operating system fully loads.
Microsoft says it is moving devices from older 2011 certificates to newer 2023 certificates to keep that protection working properly.
Windows Security now gives users a simpler way to see whether Secure Boot needs attention before certificates expire
To check the status, users can search for Windows Security, open Device Security, and then look under Secure Boot. If everything is fine, Windows may say that Secure Boot is on and that all required certificate updates have been applied. In that case, no further certificate action is needed.
Some users may see a different message saying Secure Boot is on, but the device is using an older boot trust configuration that should be updated. Microsoft’s advice in that case is simple: install the latest Windows updates and restart the device if prompted.
Here is what the new Secure Boot status messages can mean:
| Windows Security message | What you should do |
|---|---|
| Certificate updates have been applied | No action is needed |
| Older boot trust configuration | Install the latest Windows updates |
| Update is paused due to a known issue | Wait for Microsoft and partners to resume it |
| Not enough data to classify the device | Check Microsoft’s Secure Boot guidance |
The important point is that most regular users should not need to manually install certificates. Microsoft says most devices will receive the newer Secure Boot certificates automatically, although some systems may need firmware updates.
For people managing many PCs, Microsoft has also published guidance for organizations and IT professionals. That guidance says Windows devices must move to the 2023 Secure Boot certificates before the older 2011 certificates expire, or they may become out of security compliance and face higher risk.
Home users should mainly make sure Windows Update is turned on and that their device is regularly restarted after updates. We also found that the diagnostic data can help Windows identify which certificates are present on a device.
This does not mean Windows 11 PCs will suddenly stop working the moment June 2026 arrives. Microsoft says devices that have not yet received the newer certificates will still start and operate normally, and standard Windows updates will continue to install. But those devices may miss future Secure Boot protections, which is why updating early is the safer choice.
The new Windows Security messages are useful because they turn a confusing background change into something normal users can actually check. Instead of digging through technical commands, users can now open one app and see whether their PC is ready.
Discussion (0)
Be the first to comment.