Particle.news

Microsoft Rolls Out Secure Boot Certificate Status in Windows Security

The feature gives a clear per-device check on the health of Secure Boot keys ahead of their 2026 cutoff.

Overview

  • The Windows Security app now shows Secure Boot certificate badges on the Device security page that report whether the 2023 replacement keys are installed or whether action is needed.
  • Rollout is staged, with Phase 1 arriving April 8, 2026, for Windows 11 and Windows Server 2025 and April 14, 2026, for supported Windows 10 and older Windows Server versions.
  • Phase 2 lands in mid-May with in-app alerts for caution and critical states, and suppressing a critical alert requires an administrator using the "I accept the risks, don’t remind me" option.
  • Home and Pro editions display the indicators by default, while Enterprise and Server hide them by default. On Server, the notification service does not start automatically, so status appears only after the app is opened.
  • Microsoft delivers the new certificates through Windows Update for most PCs, though some devices still need firmware from the OEM or motherboard vendor to complete the refresh.