Microsoft will begin displaying escalating Secure Boot certificate warnings in Windows Security starting May 13, 2026 for Windows 10, and May 16, 2026 for Windows 11. The alerts target PCs that have not yet applied firmware updates containing the new Secure Boot certificates required to keep the platform operational after the original certificates expire.
If ignored, these warnings will eventually prevent the operating system from booting, as the Secure Boot database will no longer trust the older, expiring cryptographic keys. The move marks the final phase of a years-long effort to replace Secure Boot certificates that underpin the entire Windows boot chain.
Why Secure Boot Certificates Matter
Secure Boot ensures that only trusted, digitally signed code loads during the PC startup process. It relies on a set of public key certificates stored in the UEFI firmware. When a bootloader or OS component runs, its signature is checked against those stored certificates. If it’s signed by a trusted authority, it’s allowed to execute; otherwise, it’s blocked.
Microsoft’s original Secure Boot certificates—the Microsoft Corporation KEK CA 2011 and related chains—were issued with a limited lifespan. Their expiration date has been looming for years, and failing to replace them before they become invalid would leave millions of systems unbootable or require disabling Secure Boot entirely, which is not recommended.
To address this, Microsoft partnered with OEMs and firmware vendors to issue updated firmware that includes a new root certificate—the Microsoft Corporation KEK CA 2023—along with a refreshed UEFI CA certificate. The new keys are valid well into the future, but the transition must be completed before the old ones expire.
The Escalating Warning System
Starting on the targeted dates, Windows Security will show a notification under the Device Security section. The warning will escalate in severity over time:
- Initial Phase (May 2026): A yellow advisory banner appears, informing users that the current Secure Boot configuration will become unsupported. No immediate impact on boot, but the PC is flagged.
- Intermediate Phase (~3–4 months after initial): The banner turns orange, and a full-screen notification may appear during logon, reminding the user to contact their device manufacturer.
- Final Phase (~2 months before certificate expiry): A persistent red warning displays, and Windows may begin slowing boot times with prompts. At this stage, failure to update means the PC will eventually fail Secure Boot checks.
- Post-Expiry: If the original certificate expires without the update, Secure Boot will refuse to load Windows. The only workaround would be to disable Secure Boot in the UEFI settings, which weakens security against rootkits and bootkits.
Which Systems Are Affected?
Any Windows 10 or 11 PC that shipped with the original 2011 Secure Boot certificates and has not received a firmware update containing the newer 2023 certificates is vulnerable. This includes:
- Older desktops and laptops from major OEMs (Dell, HP, Lenovo, ASUS, etc.) that may not have received the update through Windows Update or the manufacturer’s update tools.
- Custom-built PCs where the motherboard vendor has not provided an updated UEFI firmware.
- Virtual machines configured with Secure Boot but using an outdated UEFI template.
Most devices purchased after late 2023 already ship with the updated certificates, and many pre-2023 devices have received the firmware update through Windows Update as an optional or automatic update. However, a significant number of unmanaged or legacy systems remain unpatched.
How to Check Your Secure Boot Certificate Status
Microsoft provides a built-in tool called System Information (msinfo32) that reveals which Secure Boot certificates are present. Here’s what to look for:
- Press Win + R, type msinfo32, and press Enter.
- In the System Summary pane, locate the Secure Boot State entry. It should say On.
- Scroll down to BIOS Mode and confirm it shows UEFI.
- Expand Software Environment and click System Drivers. This lists driver details, but it does not directly show which Secure Boot certificates are installed.
A more reliable method is to check via PowerShell (the Secure Boot cmdlets read UEFI variables and must be run from an elevated prompt):
Confirm-SecureBootUEFI
Get-SecureBootUEFI -Name PK
Get-SecureBootUEFI -Name KEK
Get-SecureBootUEFI returns the raw bytes of the variable; the certificate subject names become visible once those bytes are decoded. If the decoded KEK contents include Microsoft Corporation KEK CA 2011 without an accompanying Microsoft Corporation KEK CA 2023, your firmware needs updating. Another telltale sign is the presence of the expired or expiring UEFI CA 2011 certificate in the db without the newer UEFI CA 2023.
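The script below is an added example, not code from the article or from Microsoft: it walks the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns for KEK and db, extracts every X.509 entry with its subject and expiry date, and then reports whether the 2023 KEK and UEFI CA are present. The function name is ours; it assumes an elevated PowerShell prompt on a UEFI system.

```powershell
# Added example (not from the article or Microsoft): parse the EFI_SIGNATURE_LIST
# structures in a Secure Boot variable and list each X.509 certificate it holds.
# Run from an elevated PowerShell prompt on a UEFI system.
function Get-SecureBootCertificate {
    param([ValidateSet('PK','KEK','db','dbx')][string]$Name = 'KEK')

    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes    = (Get-SecureBootUEFI -Name $Name).Bytes       # raw variable contents
    $offset   = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
        # SignatureHeaderSize, SignatureSize (little-endian UINT32 fields)
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        $end      = $offset + $listSize
        if ($listSize -lt 28 -or $end -gt $bytes.Length) { break }   # malformed list: stop
        $pos = $offset + 28 + $hdrSize
        # Each EFI_SIGNATURE_DATA entry is a 16-byte owner GUID followed by the payload.
        # Only X.509 lists carry certificates (dbx is mostly SHA-256 hashes, skipped here).
        while ($sigSize -gt 16 -and $pos + $sigSize -le $end) {
            if ($sigType -eq $x509Guid) {
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# Summary: both the 2023 KEK and the 2023 UEFI CA must be present before the 2011 ones expire
$certs = 'KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$certs | Sort-Object NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize
$hasNewKek = @($certs | Where-Object Subject -Match 'KEK CA 2023').Count -gt 0
$hasNewDb  = @($certs | Where-Object Subject -Match 'UEFI CA 2023').Count -gt 0
if ($hasNewKek -and $hasNewDb) {
    'Updated 2023 Secure Boot certificates are present.'
} else {
    Write-Warning 'Firmware still lacks the 2023 KEK and/or UEFI CA; apply the OEM firmware update.'
}
```

The NotAfter column shows the exact expiry of each installed certificate, so the output also tells you how much time remains on the 2011 entries in this particular firmware.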
How to Obtain the Necessary Update
The firmware update containing the new certificates is typically distributed through Windows Update, but it may not install automatically on all systems. Follow these steps:
- For OEM systems (Dell, HP, Lenovo, etc.): Visit the manufacturer’s support site, locate your specific model, and download the latest BIOS/UEFI firmware. Many OEMs have published dedicated advisories with details about the Secure Boot certificate update. Install the firmware following the vendor’s instructions.
- For custom-built PCs: Go to the motherboard manufacturer’s website, download the latest UEFI/BIOS for your board model, and apply it. Look for release notes mentioning “Secure Boot certificate update,” “UEFI CA update,” or “KB number 4577266” (the KB that originally addressed the certificate extension).
- Via Windows Update: Settings > Windows Update > Check for updates. Under Optional updates, look for firmware updates. Some OEMs push the update through this channel as an optional driver or firmware package.
- Enterprise environments: Use management solutions like SCCM, Intune, or OEM-provided tools to deploy the firmware update at scale. Microsoft endpoint managers can use the SecureBootUEFI CSP to verify certificate status across devices.
What Happens If You Ignore the Warnings?
Ignoring the Windows Security warnings will eventually lead to boot failures. Once the original certificate expires, the UEFI firmware’s Secure Boot policy will reject any bootloader signed only with the old certificate. Windows will not load. The only recovery options then become:
- Disabling Secure Boot via UEFI settings, which exposes the system to boot-level malware.
- Reinstalling Windows with a media image that uses the updated certificates—but only if the firmware update has already been applied.
For businesses, this could mean thousands of machines becoming inaccessible, leading to costly IT remediation. Microsoft is giving over a year of warning, so IT administrators should start planning now.
Timeline and Key Dates
- May 13, 2026: Windows 10 devices (version 22H2 and later) begin receiving advisory warnings in Windows Security.
- May 16, 2026: Windows 11 devices (all supported versions) start displaying the warnings.
- Q3 2026: Warnings escalate to urgent, with broader notifications.
- October 19, 2026: The original Microsoft Corporation KEK CA 2011 certificate expires. At this point, unpatched systems can no longer pass Secure Boot checks.
Note that the expiration date may vary slightly depending on the specific certificate in question (some subordinate CAs expire earlier), but October 19 is the critical drop-dead date for the main KEK.
Why Microsoft Is Taking This Approach
Microsoft has been gradually ramping up enforcement to ensure that the Secure Boot ecosystem migrates to the new certificates in time. Earlier phases included:
- KB4535680 (2023): An optional security update that installed the new certificates on supported firmware.
- KB4577266 (2023): Addressed the expiring UEFI CA 2011 certificate by extending its validity period temporarily to smooth the transition.
- Windows 11 2023 Update: Mandated the presence of the new certificates for new installations.
Now, with the final expiration approaching, the in-OS warnings are the last line of defense to prevent users from being locked out of their own devices.
Industry Response and OEM Readiness
Major OEMs have been preparing for this transition for years. Dell, for instance, issued an advisory in early 2024 detailing which models received the update and how to apply it manually. HP likewise published a support document with per-model instructions. Lenovo integrated the certificate update into its regular BIOS update packages starting in mid-2023.
However, not all older models are supported. Many manufacturers have declared certain devices out of service life and will not provide the update. For those machines, users will either need to disable Secure Boot permanently or replace the hardware.
What If My Device Can’t Get the Update?
If your PC is too old to have a firmware update available, you face a tough choice:
- Disable Secure Boot: This allows the device to continue booting Windows but removes a critical security layer. For everyday home use with safe browsing habits, the risk is moderate, but it’s not advisable for business or sensitive environments.
- Retire the device: Upgrade to a modern PC with built-in support for the new certificates.
- Risk bypass: Some advanced users have experimented with injecting certificates manually using tools like KeyTool.efi, but this is unsupported and can lead to firmware corruption.
Microsoft’s official guidance is clear: obtain and apply the firmware update if available. If not, plan for device replacement.
A Call to Action for IT Admins
Enterprise IT departments should immediately:
- Inventory all Windows 10 and 11 devices in the environment.
- Use PowerShell scripts or Intune reports to check the Secure Boot certificate versions.
- Work with OEMs to identify firmware update availability and deployment methods.
- Schedule a phased rollout of firmware updates, prioritizing critical systems.
- Test the update on a small set of machines to avoid any compatibility issues.
- Communicate the deadline to end users, especially those with remote or unmanaged devices.
Ignoring these steps now means facing a flood of support tickets in mid-2026 just as the warnings become invasive—and a potential outage when certificates expire.
The Bigger Security Picture
Secure Boot certificate rotation is not just a maintenance chore; it reflects a maturing hardware root of trust. As quantum computing and advanced persistent threats evolve, cryptographic agility—the ability to swap out roots of trust without breaking compatibility—becomes crucial. The current certificate update exercise proves that the Windows ecosystem can handle such transitions, but only if users and IT pros act before deadlines.
Microsoft’s phased warning approach mirrors its successful strategy with Windows 7 end-of-support notifications. By starting early and escalating gently, the hope is that most users will have updated long before they see a red alert.
Final Takeaway
The message is clear: if you run Windows 10 or 11, open Windows Security today, navigate to Device Security, and look for any notification about Secure Boot. Better yet, check your firmware version and certificates via msinfo32 or PowerShell. Apply any pending firmware updates from your OEM. May 2026 might seem distant, but firmware updates can be tricky, and last-minute scrambles often lead to data loss or downtime. Starting now means smooth sailing when the warning icons finally appear.