Microsoft has issued a critical security update for Windows 10 users — with a warning. Secure Boot certificates expire next month after 15 years. The new update “enables dynamic status reporting for Secure Boot states in Windows Security App” to help ensure affected PCs remain secure.
In its release notes for KB5087544, the latest ESU update for hundreds of millions of Windows 10 PCs, Microsoft tells users to get ahead of the Secure Boot expiration. “To avoid disruption, we recommend reviewing the guidance and taking action to update certificates in advance.”
This is the first time Secure Boot certificates have expired — even though they date back to 2011. All Windows 10 PCs will need new certificates, albeit only PCs enrolled for extended security updates (ESU) are eligible. Other PCs will be at risk next month, when the old certificates start to expire. Most Windows 11 PCs also need new certificates — except those sold in the last 2 years.
Windows 11 PCs have also been updated with a revised security app to warn of issues ahead of the June deadline. Microsoft warns that if you can’t or don’t install new certificates, “this might affect the ability of certain personal and business devices to boot securely if not updated in time.”
The new update also fixes a Remote Desktop Connection security warning, where a dialog “might render incorrectly in multi-monitor configurations with different display scaling settings. This issue might occur after installing the Windows security update released on April 14, 2026.”
Again, Microsoft warns some updated PCs might restart and request a BitLocker recovery key. You should have this to hand, albeit the number of affected PCs is limited. “The BitLocker recovery key only needs to be entered once — subsequent restarts will not trigger a BitLocker recovery screen.”
Details on finding your recovery key are here.
The Secure Boot update is more the critical change, though. It’s not a simple process. Microsoft says it will only issue new certificates on devices that “demonstrate sufficient successful update signals, maintaining a controlled and phased rollout.” Upgrading your Windows Security App will confirm issues. Another reason to update quickly — to maximise the time available to address any found.
Once your new Secure Boot certificates install, it will flag in your security settings.
