In the Windows 11 April 2026 update, in addition to allowing users to turn on or off Smart App Control without reinstalling the system, Microsoft also quietly added an important improvement related to startup security: Windows Security Center can now directly display the status of the Secure Boot (Secure Boot) certificate, allowing users to confirm whether their computer has applied the 2023 version of the Secure Boot certificate.
The Secure Boot certificate is used to verify whether the software running during the system startup process is trustworthy. If the certificate expires, it may theoretically be exploited by boot-level malware (bootkit) or unauthorized modifications to implant attack code before the system is fully started. The earliest known Secure Boot certificates issued in 2011 will expire in June 2026, and Microsoft has previously confirmed that these old certificates will be replaced with new Secure Boot 2023 certificates through Windows Update. However, for ordinary users, there has been a lack of intuitive and easy-to-use methods to determine whether their computers have been replaced with new certificates.
Previously, users who wanted to confirm whether the Secure Boot 2023 certificate had been applied could only rely on more professional methods such as PowerShell commands or event viewer logs, which were obviously not suitable for the daily operations of most non-technical users. After the April update, Windows Security Center directly displays the Secure Boot certificate status in the interface for the first time, solving this "information black box" problem. Taking the author's own device as an example, the Windows Security Center has shown that the Secure Boot 2023 certificate has been applied and given a "No further action required" prompt.
Before the update, Windows Security Center only displayed information about whether the Secure Boot function was turned on on the "Device Security" page. After the update, users will be able to see not only whether Secure Boot is enabled, but also whether the certificate has been updated to the latest version. This status is located in the "Secure Boot" area under "Device Security". After completing the corresponding update, the interface will give more detailed security status feedback.
According to Microsoft, this Secure Boot status display feature is pushed through Windows 11 cumulative update KB5083769 and is suitable for systems with Build 26200.8246 / 26100.8246 or newer versions. However, not all devices will see this feature at the same time. It is expected that the entire push will gradually cover all supported devices by the end of April 2026. Microsoft noted in a support document that version 2023 certificates are being issued automatically through Windows Update, and the status display in Windows Security Center tells users whether the device has received these updates, its current status, and whether additional action is required.
Under the new design, users can check the Secure Boot status through a simple path: open the Windows Security Center, enter "Device Security" - "Secure Boot" to view the logo and prompt text on the interface. This module uses a three-color marking scheme similar to a traffic light: green means "fully updated, no action required"; yellow means "there is a security advisory" and you may need to contact the computer manufacturer to update the firmware; red means "requires immediate attention", which usually means that due to hardware or firmware limitations, Microsoft is having difficulty applying the latest certificate to the device.
Specifically, when the Secure Boot section displays a green check, the prompt will state "The device is protected and all required certificate updates have been completed, no further changes are required." When a yellow warning icon is displayed, it means that the system can still run, but there are security recommendations, such as the need to review the prompt content and update the device firmware or related components according to the instructions. If a red icon appears, it means that the system needs to handle Secure Boot immediately. This situation often occurs on devices whose hardware conditions cannot meet the certificate update requirements, or where Secure Boot itself is not enabled.
It should be noted that Secure Boot is one of the mandatory hardware requirements for officially installing and running Windows 11. For users who upgrade from Windows 10 to Windows 11 by bypassing hardware checks through unofficial means, Windows Security Center is more likely to display a red alert stating that Secure Boot is not enabled and the latest certificate is missing. Microsoft reminds that when encountering this situation, users should check the BIOS/UEFI settings as prompted or contact the device manufacturer as soon as possible.
Microsoft said that most users do not need to worry too much about Secure Boot certificate issues because the system will automatically issue and apply the 2023 version of the certificate to most compatible devices through Windows Update. However, Windows Latest's observations show that Secure Boot certificate updates on some devices are failing due to firmware limitations, which means that these devices may not be able to obtain new certificates for a long time, and the corresponding Windows Security Center status will continue to display yellow or red warnings.
That said, even if you never receive a Secure Boot 2023 certificate, it doesn't mean the device will necessarily become unstable or immediately exposed to serious security risks. The report pointed out that for most ordinary consumers, the probability of encountering actual attacks just because the Secure Boot certificate has not been updated is still low. However, from the perspective of long-term maintenance and compliance, ensuring that the firmware can be updated, Secure Boot is enabled normally, and obtaining the latest certificate as much as possible is still a key step to improve the security of the entire machine.