Windows Secure Boot Certificates Are Expiring: How to Check Your PC and What to Do About It
2 weeks ago · Updated 2 weeks ago

Your PC's security depends on layers of protection, most of which operate silently in the background without requiring any attention from you. One of the most fundamental of these layers is Secure Boot — a feature built into the UEFI (Unified Extensible Firmware Interface) firmware of your computer's motherboard that runs before Windows even begins to load. Secure Boot acts as a gatekeeper, verifying that every component of the software your PC loads during startup carries a valid digital signature from a trusted authority. If anything in the startup process has been tampered with — replaced by malware, modified by a rootkit, or corrupted — Secure Boot detects the invalid signature and prevents the compromised component from loading.
Secure Boot relies on digital certificates to perform this verification. These certificates, like all cryptographic certificates, have expiration dates built into them — a standard security practice that limits the window of opportunity for attackers if a certificate's private key is ever compromised. The original Secure Boot certificates that Microsoft issued when Secure Boot was first deployed are now approaching their expiration date. Starting in June 2026, some of these original certificates will expire.
For most Windows 11 users and Windows 10 Extended Security Update (ESU) subscribers, this is being handled automatically: new replacement certificates are being distributed through regular monthly Windows Update cycles, and the transition should happen without any visible disruption. But for users on unsupported versions of Windows 10 — which lost mainstream support in October 2025 — and for some users whose PC hardware requires a firmware update to accept the new certificates, this transition requires attention. Microsoft has estimated that a meaningful number of Windows PCs remain on unsupported Windows 10, none of which will automatically receive the new certificates.
This comprehensive guide explains everything you need to know about the Secure Boot certificate expiration: what Secure Boot is and why it matters, what is changing and when, how to use Microsoft's new Secure Boot status dashboard to check your PC's status, what each status means and what to do about it, and the broader implications for users who remain on unsupported Windows 10. Whether you are a home user, a small business owner, or an IT administrator responsible for a fleet of devices, this guide gives you the information you need to ensure your PCs remain protected.
Understanding Secure Boot: The Foundation
Before diving into the certificate expiration issue and how to address it, it is worth taking time to understand what Secure Boot actually does and why it occupies such an important position in Windows security architecture. Many users are aware that Secure Boot exists — Windows 11 made it a system requirement — but the precise mechanism by which it protects against threats is less commonly understood.
The Boot Process and Its Vulnerabilities
When you press the power button on your PC, a complex sequence of events unfolds before you see the Windows login screen. The processor first executes code stored in the motherboard's UEFI firmware — the low-level software that initializes hardware components and prepares the system for operating system loading. The UEFI then locates the boot loader for your operating system (for Windows, this is Windows Boot Manager) and transfers control to it. The boot loader then loads the core Windows kernel and critical drivers, and finally Windows completes its startup sequence and presents the user interface.
Each stage in this sequence represents a potential attack surface. Malware that can insert itself into the early boot stages — before the operating system and its security software have loaded — gains extraordinary persistence and capability. Such 'bootkit' or 'rootkit' malware can survive complete OS reinstallations, hide itself from antivirus software running within Windows, and intercept security-critical operations at the lowest possible level. This category of threat is considered among the most dangerous in the security landscape precisely because it is so difficult to detect and eliminate using conventional security tools.
How Secure Boot Protects Against Boot-Level Malware
Secure Boot addresses the boot-process vulnerability by establishing a chain of trust from the very first code that runs on your PC. At its heart, Secure Boot is a signature verification system: before the UEFI loads any bootloader, driver, or operating system component, it verifies the component's digital signature against the certificates stored in the UEFI's signature database (db). If the signature verifies, the component is trusted and allowed to load. If it does not — because the component has been modified, replaced by malware, or signed with a key that is not in the trusted certificate database — the UEFI refuses to load it and halts the boot process.
The certificates in the UEFI key database are issued by trusted authorities, most prominently Microsoft. Microsoft's Secure Boot certificates vouch for the authenticity of Windows boot components, drivers, and third-party software that has been through Microsoft's review and signing process. This creates a practical system where only software whose integrity Microsoft has verified can participate in the Windows boot process — effectively eliminating the attack surface that bootkits and rootkits exploit.
Why Certificates Expire
All cryptographic certificates have built-in expiration dates, and this is a deliberate security feature rather than a limitation. The reason is straightforward: if the private key associated with a certificate is ever discovered, stolen, or broken through cryptographic attack, a certificate with no expiration date would remain valid indefinitely — meaning an attacker who obtained the private key could sign malicious software with it forever. Expiration dates limit the damage window: even if a private key is compromised, the certificate it belongs to will eventually expire, rendering any malware signed with it invalid.
Microsoft's original Secure Boot certificates were issued when Secure Boot was first deployed, with expiration dates that lay far in the future at the time and are now arriving. Refreshing certificates before the originals expire is standard cryptographic hygiene, similar to renewing an SSL/TLS certificate for a website before it expires. The complication in the Windows case is scale: billions of PCs need to receive the new certificates, and the delivery mechanism (Windows Update) cannot reach devices running unsupported operating systems.
What Is Changing: The Certificate Transition Explained
Microsoft is rolling out new replacement Secure Boot certificates to Windows 10 (ESU) and Windows 11 devices through regular monthly Windows Updates. For devices that receive these updates successfully, the transition is automatic and invisible — the new certificates are installed alongside existing security updates, and the process requires no action from the user.
However, the transition is not universally straightforward, and several categories of devices face complications. Understanding which category your device falls into is the essential first step in assessing your situation.
The Three Categories of Devices
Category 1: Windows 11 and Windows 10 ESU — Likely Automatic
The largest and least complicated category is Windows 11 users and Windows 10 users enrolled in Microsoft's Extended Security Updates (ESU) program. For these devices, Microsoft is delivering the new Secure Boot certificates through the regular monthly Windows Update cycle — the same mechanism that delivers security patches, feature updates, and driver updates. If your PC is configured to receive Windows Updates automatically (the default configuration for most consumer PCs), you should receive the new certificates without needing to take any action.
The caveat, as discussed below, is that a subset of devices in this category may require a separate firmware update from their PC or motherboard manufacturer before the new certificates can be installed. For these devices, Windows Update will deliver the new Secure Boot software configuration, but the underlying UEFI firmware needs to be updated to accept it. Microsoft's new status dashboard is specifically designed to identify whether your device is in this situation.
Category 2: Unsupported Windows 10 — No Certificates
The most concerning category is Windows 10 users who are not enrolled in ESU and are running the now-unsupported version of the OS. Windows 10 lost mainstream Microsoft support in October 2025. While it continues to function, it no longer receives security patches, feature updates, or — critically — the new Secure Boot certificates. Users in this category should presume that their Secure Boot certificates will expire in June 2026 and will not be automatically refreshed.
According to various industry analyses, a very large number of PCs globally remain on Windows 10. Not all of them meet the hardware requirements for Windows 11 — particularly the TPM 2.0 requirement, which many older PCs lack — making an OS upgrade impossible for some devices. These users face a genuine security dilemma that Microsoft's certificate update process does not resolve.
Category 3: PCs Requiring Firmware Updates — Yellow Status
A third category — the most technically complex — consists of PCs running Windows 11 or Windows 10 ESU that receive the new Secure Boot certificates from Windows Update but cannot actually install them because the device's UEFI firmware does not support the new certificate format or the updated Secure Boot configuration. For these devices, a separate firmware update from the PC manufacturer or motherboard manufacturer is required before the new certificates can be loaded.
Microsoft describes this as a 'yellow badge' situation in the new security status dashboard: the device needs attention, and the recommended action is to install a firmware update from the manufacturer. Not all manufacturers provide such updates for all affected devices — older hardware may be abandoned by its manufacturer even if the hardware is technically capable of running Windows 11 with an updated firmware.
The New Secure Boot Status Dashboard
To help users understand their Secure Boot certificate status without requiring technical expertise, Microsoft is rolling out a new dedicated status dashboard in the Windows Security app. Starting in April 2026, this dashboard provides a clear, visual indicator of your device's Secure Boot certificate status and actionable guidance on what to do if your device needs attention.
Accessing the Status Dashboard
The Secure Boot status dashboard is located within the Windows Security app, under Device Security > Secure Boot. Here is how to access it:
- Press the Windows key and type 'Windows Security' to open the Windows Security app.
- In the left-hand navigation panel, click Device security.
- Scroll down to the Secure Boot section.
- If the update has been deployed to your PC (rolling out from April 2026), you will see a Secure Boot status indicator with one of three colored badges.
The Three Status Badges Explained
🟢 GREEN — Your PC Is Protected
Your device has successfully received the new Secure Boot certificates through Windows Update. No action is required. Your PC's boot process remains protected against boot-level malware. Continue applying regular Windows Updates to maintain this status.
🟡 YELLOW — Firmware Update Recommended
Your device has received the Windows-level configuration update for the new Secure Boot certificates, but a firmware update from your PC manufacturer or motherboard manufacturer is required before the new certificates can be fully loaded into the UEFI. Follow the detailed guidance in the Windows Security app to identify and install the appropriate firmware update. If no firmware update is available, monitor your status after June 2026.
🔴 RED — Device Cannot Receive New Certificates
This status appears after a security vulnerability affecting the boot process is discovered that cannot be addressed on devices that haven't received the updated certificates — which Microsoft says 'could occur as early as June 2026.' Your device will be in a degraded security state with limited ability to receive future boot-level protections. Review the detailed guidance in the Windows Security app, contact your device manufacturer, or consider upgrading to Windows 11 if your hardware supports it.
What Microsoft Says About Each State
Microsoft's official language for the three states is worth noting for precision. For the green state, the company simply confirms that the update has been received and the device is protected. For the yellow state, Microsoft says it 'has a safety recommendation,' which will typically point users toward a specific firmware update to download from their PC or motherboard manufacturer. For the red state, Microsoft warns that the device 'will enter a degraded security state that limits its ability to receive future boot-level protections,' potentially exposing it to 'boot-level vulnerabilities' that hackers could exploit.
Microsoft also notes that users who receive a red badge can choose the option 'I accept the risks, don't remind me' — an acknowledgment that not all devices in this situation have a viable remediation path, and that Microsoft will not force users to take action they cannot take. This option is a concession to reality: some older hardware simply cannot be updated, and forcing these devices into a non-functional state would be worse than allowing them to continue operating with the acknowledgment that security is reduced.
Step-by-Step: What to Do Based on Your Status
Once you have checked your Secure Boot status using the Windows Security dashboard, your next steps depend on which badge you see. The following section provides specific, actionable guidance for each status.
Green Badge — You're Protected, But Stay Updated
If your status dashboard shows a green badge, your device has received the new Secure Boot certificates and is protected. However, it is important not to become complacent. The certificates delivered through Windows Update protect against known vulnerabilities as of their issuance date — new threats may emerge in the future that require additional updates. The most important ongoing action is to ensure Windows Update continues to run automatically and that you do not defer or disable updates.
- Verify that Windows Update is set to install updates automatically: go to Settings > Windows Update > Advanced Options and confirm that automatic updates are enabled.
- Check periodically that your system has no pending critical updates: open Windows Update and click 'Check for updates' to confirm you are current.
- Do not disable Secure Boot in your UEFI settings: some users disable Secure Boot to accommodate older software or hardware, but doing so negates all the protections described in this article.
Yellow Badge — Firmware Update Required
A yellow badge means Windows Update has done its part, but your UEFI firmware needs to be updated by your PC's manufacturer before the new certificates can be loaded. This is the most action-intensive scenario for users and requires identifying the correct firmware update for your specific hardware. Here is how to proceed:
- Read the detailed guidance in the Windows Security app: Microsoft provides specific information about what firmware update is needed and links to manufacturer resources where applicable.
- Identify your PC's manufacturer and model number: press Windows key + I to open Settings, then go to System > About. Note the Device name, Manufacturer, and Model information.
- Visit your manufacturer's support website: look for the Downloads or Support section, then find BIOS/UEFI updates for your specific model. Major manufacturers with good update support include Lenovo, Dell, HP, ASUS, and Acer.
- Download and install the latest BIOS/UEFI firmware: follow your manufacturer's specific installation instructions carefully. UEFI firmware updates typically require a restart and may take several minutes to complete. Do NOT interrupt a firmware update once it has begun.
- After the firmware update completes, restart your PC and check the Secure Boot status dashboard again: the badge should now show green if the firmware update was successful.
⚠ BIOS Update Caution
Never interrupt a UEFI/BIOS firmware update once it has started. A failed firmware update can leave your PC in a non-bootable state. Ensure your PC is connected to AC power (not running on battery) before starting a firmware update. If you are uncertain, contact your PC manufacturer's support team for guidance.
Red Badge — Limited Options, Understand Your Risk
A red badge indicates that your device cannot receive the new Secure Boot certificates — either because it is running an unsupported version of Windows 10 without ESU, or because a hardware limitation prevents the certificates from being installed even with firmware updates. This situation requires careful consideration of your options.
Your immediate options are:
- Upgrade to Windows 11: if your PC meets Windows 11's hardware requirements (which include TPM 2.0, a compatible 64-bit processor, and sufficient RAM and storage), upgrading to Windows 11 is the most straightforward path to receiving the new certificates and maintaining full security. Run the PC Health Check app (downloadable from Microsoft's website) to verify your PC's Windows 11 eligibility.
- Enroll in Windows 10 Extended Security Updates (ESU): US users can sign up for Windows 10 ESU through two free options, which will provide continued security patches including the new Secure Boot certificates. Check Microsoft's current ESU enrollment pages for eligibility and enrollment instructions.
- Contact your device or motherboard manufacturer: explain the Secure Boot certificate situation and ask whether a firmware update is available or planned. Some manufacturers are actively working on firmware updates in response to this issue.
- Accept and acknowledge the risk: if none of the above options are viable, you can select 'I accept the risks, don't remind me' in the Windows Security app. Your PC will continue to operate, but you should be aware that its boot-level security is reduced, and you should take compensating security measures such as full-disk encryption, regular offline backups, and enhanced endpoint security software.
- Consider hardware replacement: for PCs that cannot run Windows 11 and have no path to certificate updates, the most secure long-term solution is replacing the hardware with a PC that meets current security requirements. This is a significant investment but may be the appropriate choice for users who handle sensitive data or whose PC is used in a business context.
The Windows 10 End-of-Support Problem: The Bigger Picture
The Secure Boot certificate expiration issue does not exist in isolation. It is one manifestation of a larger and more fundamental security problem: a very large population of PCs worldwide is running Windows 10 — an operating system that lost mainstream Microsoft support in October 2025 and is no longer receiving security patches.
The Scale of the Problem
Precise figures are difficult to pin down, but multiple market research firms have estimated that a significant share of Windows PCs globally are running Windows 10 rather than Windows 11. The reasons are varied: some users have not upgraded because they are unaware of the end-of-support timeline, some are deterred by the perceived complexity of an operating system upgrade, and a significant number are running hardware that does not meet Windows 11's minimum requirements.
The Windows 11 hardware requirements — particularly the requirement for TPM 2.0 (Trusted Platform Module version 2.0) — have effectively excluded many PCs that are still fully functional for everyday tasks but were manufactured before TPM 2.0 became standard hardware. These machines are in a difficult position: they work fine as computers but cannot receive Windows 11 and are no longer receiving Windows 10 security updates.
What End of Support Actually Means
When Microsoft ends support for a Windows version, it stops releasing security patches for vulnerabilities discovered after the end-of-support date. In the security world, this is highly significant. Cybersecurity researchers and criminal hackers constantly discover new vulnerabilities in Windows components. Microsoft's security research teams investigate these vulnerabilities and release patches to fix them. On a supported OS, these patches are delivered automatically through Windows Update. On an unsupported OS, they are not.
The implication is stark: after October 2025, every new Windows 10 vulnerability discovered — and security researchers discover dozens of significant vulnerabilities in Windows components every year — goes unpatched on unsupported Windows 10 machines. Each unpatched vulnerability is a potential attack vector. Over time, the accumulation of unpatched vulnerabilities makes an unsupported OS increasingly dangerous to use, particularly for internet-connected PCs.
The Secure Boot certificate situation compounds this risk. Not only are unsupported Windows 10 PCs missing application-level security patches — they are now also missing boot-level security protections. An attacker who compromised such a PC with bootkit malware would have a long window in which to operate before detection, and the boot-level compromise would survive even a Windows reinstall.
Windows 10 ESU: A Bridge Solution
Microsoft's Extended Security Updates program provides a way for Windows 10 users to continue receiving security patches — including the new Secure Boot certificates — beyond the mainstream end-of-support date. In the US, Microsoft has made two free enrollment options available, recognizing that asking all Windows 10 users to immediately upgrade hardware or purchase Windows 11 licenses is unrealistic.
ESU is explicitly described as a 'bridge' solution — a temporary measure to extend security coverage while users plan their transition to Windows 11 or new hardware. It does not restore all Windows 10 features or guarantee compatibility with future software, but it does provide continued security patching, which is the most critical need for users who cannot immediately upgrade.
For small businesses and organizations with a fleet of Windows 10 devices, ESU may be an important stopgap while hardware refresh planning proceeds. For individual users on older hardware, it provides time to evaluate whether an upgrade path exists without immediately facing the risks of an unpatched OS.
What the Status Dashboard Cannot Tell You (Yet)
The new Secure Boot status dashboard is a welcome addition to Windows Security, but it is important to understand its current limitations. The dashboard shows your current certificate status — whether the update has been received, whether a firmware update is needed, or whether your device cannot receive the certificates. What it cannot currently do is tell you whether a bootkit or rootkit is actually present on your system.
The scenario Microsoft describes for the red badge — 'this state appears only after a security vulnerability that affects the boot process is discovered' — implies that the badge is triggered by the discovery of such a vulnerability and will then appear on every device that cannot receive the new certificates, before any specific exploit has been deployed against it. The certificates protect against future vulnerabilities; the lack of updated certificates does not mean you have already been compromised, only that your device will be more vulnerable to exploitation when new boot-level vulnerabilities are discovered.
Microsoft has announced that additional notification and guidance features will be rolled out starting in May 2026, including system alerts outside the Windows Security app and enhanced in-app guidance. These additional features will help ensure that users who are not proactively monitoring the Windows Security app are still notified of their status.
Technical Deep Dive: How the Certificate Update Works
For technically minded readers — IT administrators, security professionals, and advanced users — a deeper understanding of the certificate update mechanism provides important context for managing this transition across multiple devices.
The UEFI Key Database
Secure Boot's certificate store is maintained in the UEFI firmware of each PC, in a set of databases with specific names defined by the UEFI specification. The most important is the Signature Database (db), which contains the certificates of trusted boot components and signing authorities. The Forbidden Signature Database (dbx) holds revoked entries: certificates, and hashes of specific binaries, that should no longer be trusted, typically because they have been associated with vulnerabilities or compromised keys.
The new Secure Boot certificates being delivered through Windows Update will be added to the db database, and the expiring old certificates will eventually be moved to the dbx database — marking them as no longer trusted. This means that hardware or software signed only with the old certificates (and not re-signed with the new ones) may eventually fail Secure Boot validation. This affects primarily very old operating systems and bootloaders that have not been updated, as well as some legacy third-party UEFI applications.
The Firmware Update Requirement
The reason some PCs require a firmware update before they can receive the new Secure Boot certificates relates to the UEFI firmware's own certificate management capabilities. The UEFI firmware must support the cryptographic algorithms and certificate formats used by the new certificates. Older firmware implementations may use algorithms or data structures that are incompatible with the new certificates. A firmware update from the manufacturer replaces the UEFI firmware code with a version that supports the new certificate formats.
This is analogous to the situation with web browsers and TLS certificates: when a new cryptographic algorithm is standardized and old ones are deprecated, browsers that support only the old algorithm cannot validate certificates using the new one. Just as browsers receive updates to support new algorithms, UEFI firmware must be updated to support new Secure Boot certificate formats.
Managing the Transition in Enterprise Environments
For IT administrators managing Windows devices in enterprise environments, the Secure Boot certificate transition requires careful planning. Windows Update management tools, including Windows Server Update Services (WSUS), Windows Update for Business, and Microsoft Intune, will all be able to deliver the new Secure Boot certificates. However, administrators should audit their device fleet to identify machines that may require firmware updates and those that are running unsupported Windows 10.
Microsoft's Intune management console is expected to surface Secure Boot certificate status for managed devices, allowing administrators to identify and prioritize remediation for devices showing yellow or red status. Administrators should also coordinate with their hardware vendors to identify which device models have firmware updates available and plan a deployment schedule to ensure all eligible devices are updated before the June 2026 deadline.
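The db inspection described in the UEFI Key Database section and the fleet audit described here, as one added example that is not code from the article or from Microsoft: it walks the EFI_SIGNATURE_LIST structures in the UEFI db through the SecureBoot PowerShell module, reports each trusted certificate's expiry, and folds that into a per-machine audit record alongside the OS, firmware and TPM facts the article has you look up by hand. It assumes an elevated prompt on a UEFI PC; the July 2026 cutoff and the recommendation strings are constructed from the article's 'June 2026' date, and ESU enrollment is not detected, so Windows 10 machines are flagged for a manual check.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or Microsoft): audit one PC's Secure Boot
# state for the June 2026 certificate transition. Assumes a UEFI system with the
# built-in SecureBoot module; run from an elevated PowerShell prompt.

# EFI_CERT_X509_GUID from the UEFI specification: lists of this type carry DER certificates.
$script:X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    # Walk the EFI_SIGNATURE_LIST structures in a Secure Boot variable (db or dbx) and
    # emit one object per X.509 certificate. Hash-only lists (most of dbx) are skipped.
    param([ValidateSet('db', 'dbx')][string]$Name = 'db')

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # Header layout: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $sigType  = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }

        if ($sigType -eq $script:X509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $hdrSize
            $end   = $offset + $listSize
            while ($entry + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Database   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootAuditRecord {
    # One flat record per machine, suitable for Export-Csv across a fleet.
    # $Cutoff is a constructed value: the article only says "June 2026".
    param([datetime]$Cutoff = [datetime]'2026-07-01')

    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    $tpm  = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; record that as $null.
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $null }

    $certs = if ($null -ne $secureBootOn) { @(Get-SecureBootCertificate -Name db) } else { @() }
    $expiringSoon = @($certs | Where-Object { $_.NotAfter -lt $Cutoff })
    $latestExpiry = ($certs | Sort-Object NotAfter -Descending | Select-Object -First 1).NotAfter

    # Classify along the article's categories; later assignments override earlier ones,
    # so the most severe finding wins.
    $action = 'Windows Update path: keep monitoring the Secure Boot dashboard'
    if ($certs.Count -gt 0 -and $latestExpiry -lt $Cutoff) { $action = 'No db certificate valid past cutoff: new certificates not yet installed; check dashboard for a firmware update' }
    if ($os.Caption -match 'Windows 10') { $action = 'Windows 10: verify ESU enrollment or plan a Windows 11 upgrade' }
    if ($secureBootOn -eq $false) { $action = 'Secure Boot disabled in UEFI: re-enable it before June 2026' }
    if ($null -eq $secureBootOn) { $action = 'Legacy BIOS or unsupported platform: no UEFI Secure Boot to update' }

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        OS                          = $os.Caption
        Build                       = $os.BuildNumber
        Manufacturer                = $cs.Manufacturer
        Model                       = $cs.Model
        FirmwareVersion             = $bios.SMBIOSBIOSVersion
        FirmwareDate                = $bios.ReleaseDate
        Tpm2Present                 = ($null -ne $tpm -and $tpm.SpecVersion -like '2.0*')
        SecureBootEnabled           = $secureBootOn
        DbCertCount                 = $certs.Count
        DbCertsExpiringBeforeCutoff = $expiringSoon.Count
        DbLatestExpiry              = $latestExpiry
        RecommendedAction           = $action
    }
}

# Local run; for a fleet, invoke the same functions via Invoke-Command and pipe to Export-Csv.
Get-SecureBootAuditRecord | Format-List
```

A device whose db holds no certificate valid past the cutoff has not yet received the replacement certificates, which is the condition the yellow badge is meant to surface; the record's firmware version and model are what you need when checking the manufacturer's site for an update.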
Broader Security Implications: Boot-Level Threats in 2026
The Secure Boot certificate expiration issue is significant in its own right, but it also provides an opportunity to discuss the current threat landscape at the boot level — the types of malware that Secure Boot protects against and why this protection matters in 2026.
Bootkits and Rootkits: The Persistent Threat
Bootkit malware — malicious software that infects the boot process before the operating system loads — has been a feature of the advanced threat landscape for over a decade. Unlike conventional malware that can be removed by antivirus software running within Windows, a bootkit operates below the level where conventional security software can see it. It runs before Windows loads, giving it the ability to modify or intercept Windows components before they can defend themselves, and to hide its presence from security tools that scan the file system.
The most sophisticated bootkits can survive complete operating system reinstallation because they reside in parts of the storage device (the Master Boot Record, the EFI System Partition, or the UEFI firmware itself) that a standard OS reinstall does not erase. Once installed, they provide attackers with persistent, deep access to the compromised machine that is extraordinarily difficult to remove. Secure Boot's role is to prevent this class of threat from gaining a foothold in the first place.
Real-World Bootkit Examples
The threat is not theoretical. Several notable bootkit campaigns have affected Windows systems in recent years. BlackLotus, discovered in late 2022 and confirmed as the first publicly known UEFI bootkit capable of bypassing Secure Boot on fully updated Windows 11 systems, demonstrated that even well-maintained systems could be compromised at the boot level through a vulnerability in Secure Boot's implementation. Microsoft released mitigations for the specific vulnerability BlackLotus exploited, but its existence underscored that boot-level security is an active battlefield, not a solved problem.
The scenario Microsoft describes for the red badge — where a new security vulnerability is discovered that 'cannot be serviced on devices that have not yet received the updated certificates' — is specifically this type of situation. If a new bootkit is discovered that exploits a weakness in the old certificate framework but is blocked by the new certificates, devices that haven't received the new certificates would be vulnerable while updated devices would be protected.
Why This Matters Now More Than Ever
The importance of boot-level security has increased as sophisticated threat actors — including nation-state-affiliated groups — have developed increasing capability and motivation to deploy persistent, low-level malware against high-value targets. Endpoint Detection and Response (EDR) software, which many organizations deploy to detect and respond to threats on managed devices, has become sophisticated enough to detect many malware infections — making boot-level persistence an increasingly attractive strategy for attackers who want to evade detection.
For most home users, the risk of a specifically targeted bootkit attack is low — these threats are primarily deployed against organizations, government agencies, and high-value individual targets. However, commodity bootkit tools do exist and are deployed in opportunistic attacks against poorly secured systems. An unpatched, unsupported Windows 10 PC is precisely the type of system that commodity attack toolkits target, because the attack surface grows over time as unpatched vulnerabilities accumulate.
Preparing Your PCs: A Practical Checklist
To consolidate the guidance in this article into a practical action plan, here is a comprehensive checklist for users and administrators preparing for the June 2026 Secure Boot certificate transition.
Immediate Actions (Now — April 2026)
- Check which version of Windows your PC is running: press Windows key + I, go to System > About, and note the Windows version.
- Ensure Windows Update is running and current: open Windows Update (Settings > Windows Update) and click 'Check for updates' to install any pending updates.
- Open the Windows Security app and check Device Security > Secure Boot for the new status dashboard (rolling out from April 2026).
- Note your status badge color and any specific guidance provided by Microsoft.
- If you are on unsupported Windows 10: run Microsoft's PC Health Check app to determine whether your PC is eligible for Windows 11.
If You Need a Firmware Update (Yellow Badge)
- Identify your PC manufacturer and model (Settings > System > About).
- Visit the manufacturer's support website and search for BIOS/UEFI firmware updates for your specific model.
- Download and carefully follow the manufacturer's instructions for the firmware update.
- After the firmware update, re-check your Secure Boot status in Windows Security.
- If no firmware update is available, monitor Microsoft's guidance for any alternative solutions.
If You Are on Unsupported Windows 10 (Red Badge Risk)
- Check Windows 11 eligibility using the PC Health Check app.
- If eligible: plan a Windows 11 upgrade before June 2026.
- If not eligible: investigate Windows 10 ESU enrollment (free options available for US users).
- If neither option is available: consider hardware replacement for PCs used in sensitive or business contexts.
- If continuing to use an unpatched system: enable full-disk encryption (BitLocker or VeraCrypt), maintain regular offline backups, and consider enhanced endpoint security software.
Ongoing Actions (May–June 2026 and Beyond)
- Watch for the additional notifications and system alerts Microsoft is introducing in May 2026.
- Re-check your Secure Boot status after any Windows or firmware updates.
- Monitor Microsoft's support pages for any new guidance on the certificate transition.
- For enterprise: use Intune or other management tools to audit device fleet Secure Boot status.
- Do not ignore red or yellow badge warnings — address them before June 2026 if at all possible.
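As an added example (not code from the article or from Microsoft), the following PowerShell function performs the checklist's "check your Secure Boot status" step in a scriptable form suitable for a fleet audit. It assumes the SecureBoot PowerShell module (Confirm-SecureBootUEFI, Get-SecureBootUEFI) is available in an elevated session, and that the replacement certificate names it looks for match Microsoft's published 2023 CA names; confirm those names against current Microsoft guidance before relying on the result.

```powershell
# Added example (not from the article): audit one Windows PC's Secure Boot state
# and whether the replacement 2023 Microsoft CAs are present in the UEFI
# signature database (db). Run from an elevated PowerShell session.
# Assumption: the CA names below match Microsoft's published 2023 certificates.
function Get-SecureBootAudit {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        OSVersion         = [System.Environment]::OSVersion.Version.ToString()
        SecureBootEnabled = $null
        NewCAsPresent     = @()
        NewCAsMissing     = @()
        Status            = 'Unknown'
    }

    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS or no UEFI variable access: Secure Boot is not in effect.
        $result.SecureBootEnabled = $false
        $result.Status = 'SecureBootUnsupported'
        return [pscustomobject]$result
    }

    # The db variable is a raw EFI_SIGNATURE_LIST blob; the CA subject names are
    # embedded as ASCII inside the DER certificates, so a substring match is
    # sufficient for triage (not for cryptographic validation).
    $dbBytes = (Get-SecureBootUEFI -Name db).bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)

    $expectedCAs = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
    foreach ($ca in $expectedCAs) {
        if ($dbText -match [regex]::Escape($ca)) { $result.NewCAsPresent += $ca }
        else { $result.NewCAsMissing += $ca }
    }

    $result.Status = if (-not $result.SecureBootEnabled) { 'SecureBootDisabled' }
                     elseif ($result.NewCAsMissing.Count -eq 0) { 'Updated' }
                     else { 'NeedsNewCertificates' }
    return [pscustomobject]$result
}

# Local run; for a fleet, invoke via Invoke-Command or your management tool
# and collect the objects with Export-Csv.
Get-SecureBootAudit | Format-List
```

A result of NeedsNewCertificates on a device with Secure Boot enabled corresponds to the yellow or red badge situations above and warrants the firmware-update or ESU/upgrade steps in the checklist.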
Conclusion: Don't Ignore This One
Windows Secure Boot certificate expiration may not generate the same headlines as a major malware outbreak or a zero-day exploit, but it represents a real and time-sensitive security risk that millions of PC users need to address. The good news is that for most users on Windows 11 or Windows 10 ESU, the process is largely automatic — regular Windows Updates will handle the transition, and the new status dashboard in Windows Security provides clear, color-coded guidance if any action is needed.
The more difficult situation is for users on unsupported Windows 10, particularly those whose hardware does not meet Windows 11's requirements. These users face a genuine security gap that Microsoft's automatic update process cannot close. The options — ESU enrollment, Windows 11 upgrade, hardware replacement, or accepting reduced security — each carry their own costs and complexity, but the alternative of doing nothing carries increasing risk as June 2026 approaches and as new boot-level vulnerabilities are inevitably discovered and exploited against unprotected systems.
The recurring lesson of enterprise and consumer security is that deferred security maintenance always costs more in the end than proactive action. A bootkit infection on a machine used for banking, sensitive work, or personal communications can have consequences — financial, reputational, and personal — that far exceed the time and cost investment of checking your Secure Boot status, applying a firmware update, or migrating to a supported operating system.
Open your Windows Security app, find the Secure Boot status dashboard, and check your badge. If it's green, great — keep Windows Update running. If it's yellow, get the firmware update. If it's red and you have options to remediate, take them before June. Your PC's boot-level security is the foundation on which everything else rests. It deserves attention.
Quick Reference: Secure Boot Certificate Status Guide
| Item | Status / Guidance |
|---|---|
| Green Badge | New certificates received via Windows Update — no action needed. Keep Windows Update enabled. |
| Yellow Badge | Firmware update required from PC/motherboard manufacturer. Follow guidance in Windows Security app. |
| Red Badge | Device cannot receive new certificates. Explore: Win11 upgrade / Win10 ESU / hardware replacement. |
| Win10 No ESU | Will NOT receive new certificates. Presume expiry in June 2026. |
| Win10 ESU | Will receive new certificates automatically. Enroll via free US options if not yet enrolled. |
| Windows 11 | Will receive new certificates automatically via Windows Update. |
| Dashboard Location | Windows Security app > Device Security > Secure Boot |
| Deadline | June 2026 — some original certificates begin to expire |
| May 2026 | Additional system alerts and in-app guidance rolling out |
| 'I accept risks' | Option available in app for users who acknowledge they cannot remediate |
Frequently Asked Questions (FAQ)
1. What is Secure Boot and why is it important?
Secure Boot is a security feature in your PC’s UEFI firmware that ensures only trusted software loads during startup. It protects your system from bootkits and rootkits that operate before Windows starts.
2. What is happening to Secure Boot certificates in 2026?
Some original Microsoft Secure Boot certificates will expire starting in June 2026. New replacement certificates are being distributed to keep systems protected.
3. Will my PC update automatically?
If you are using Windows 11 or Windows 10 with Extended Security Updates (ESU), the new certificates should be installed automatically through Windows Update.
4. What happens if I’m using unsupported Windows 10?
Unsupported Windows 10 devices will not receive the new certificates, which may leave them vulnerable to boot-level security threats after the expiration date.
5. How can I check my Secure Boot status?
Open the Windows Security app, go to Device Security, and check the Secure Boot section to see your status (green, yellow, or red badge).
6. What do the green, yellow, and red statuses mean?
Green means your system is protected, yellow means a firmware update is required, and red means your device cannot receive the new certificates and has reduced security.
7. What should I do if I see a yellow status?
You need to update your PC’s BIOS/UEFI firmware from your manufacturer’s website to support the new certificates.
8. What are my options if I see a red status?
You can upgrade to Windows 11, enroll in Windows 10 ESU, contact your manufacturer for updates, or continue using the device while accepting its reduced security.
9. What risks do I face if I ignore this update?
Your PC may become vulnerable to advanced malware like bootkits, which can be difficult to detect and remove, even after reinstalling Windows.
10. Is it safe to continue using my PC if I accept the risk?
Yes, but with caution. You should use additional protections like antivirus software, encryption, and regular backups, and avoid sensitive activities on the device.