Windows Secure Boot Certificates Are Expiring. How To Verify Your PC Is Updated

Microsoft’s original Secure Boot certificates that protect your PC’s startup process are set to expire in June. To help users check if they’re still protected, the company is ready to roll out a new Secure Boot status dashboard in Windows 11 and Windows 10.

Starting this month, the new status page will appear in the Windows Security app, where the company is adding a Secure Boot status indicator under Device security > Secure Boot.

“The Windows Security app now shows whether your device has received these updates, what your current status is, and whether any action is needed,” Microsoft says on a new support page.

The status indicator will show one of three badges. A green one indicates your PC has been updated. Yellow means Microsoft has a safety recommendation, which might point you to installing a firmware update to receive the new certificates.

(Credit: Microsoft)

Meanwhile, a red badge indicates that your PC can’t receive the new Secure Boot software certificates. “This state appears only after a security vulnerability that affects the boot process is discovered and cannot be serviced on devices that have not yet received the updated certificates. This could occur as early as June 2026, when some of the current Secure Boot certificates begin to expire,” the company says.

Secure Boot helps ensure your PC runs only trusted software during the boot-up process, preventing malware that can persist even after OS reinstalls. The problem is that a large number of PCs still remain on Windows 10, which officially lost support in October, meaning the OS will no longer receive software patches. In February, Microsoft warned that these Windows 10 PCs won’t receive the new Secure Boot certificates either.

Get Our Best Stories!

Stay Safe With the Latest Security News and Updates

SecurityWatch Newsletter Image

Sign up for our SecurityWatch newsletter for our most important privacy and security stories delivered right to your inbox.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy
Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

The only exception is for PCs enrolled in the Windows 10 Extended Security Updates program, which US users can sign up for using two free options. It’s unclear whether the new Secure Boot status indicator is arriving only for Windows 10 ESU PCs or for all PCs.

Microsoft says PCs on Windows 11 and Windows 10 ESU should receive the new software certificates “automatically” through the regular monthly Windows updates. However, a small portion of PCs might need a separate firmware update from their PC or motherboard manufacturer before they can load the new certificates—hence, the yellow badge.

Recommended by Our Editors

If you don’t receive the fresh certificates, your PC will still operate. But Microsoft warns: “The device will enter a degraded security state that limits its ability to receive future boot-level protections,” exposing it to potential “boot‑level vulnerabilities” that hackers could try to exploit. It’s a security trade-off to run Windows 10, since some older PCs don’t meet the system requirements to update to Windows 11.

Microsoft’s support page notes that if your status page shows a red badge, users can pick the option for “I accept the risks, don’t remind me.”

Notifications about the Secure Boot issue will also extend beyond the Windows Security app. The support page adds: “Beginning in May 2026, additional improvements will become available, including notifications outside the app (such as system alerts) and additional in‑app guidance and controls to help you respond to Secure Boot warnings.”