
Secure Boot Certificate Expiration and Its Security Impact on Windows Ecosystems

by Claire Donovan

Secure Boot Certificate Expiration: A Looming Security Challenge for Windows Ecosystems

The foundation of PC startup security is undergoing a critical refresh. Secure Boot certificates, initially implemented in 2011 to protect against boot-level malware, are nearing their expiration date, beginning in June. Microsoft is responding with a new Secure Boot status dashboard within the Windows Security app, designed to inform users about their protection status and necessary actions.

Starting this month, the status page will be integrated into the Windows Security app, specifically under Device security > Secure Boot. “The Windows Security app now shows whether your device has received these updates, what your current status is, and whether any action is needed,” Microsoft says on a new support page.

The dashboard will utilize a color-coded badge system to convey security status. A green badge signifies a successfully updated system. A yellow badge indicates a safety recommendation, potentially requiring a firmware update to install the new certificates. A red badge signals an inability to receive the updated certificates, representing a significant security risk and prompting users and IT administrators to consider hardware replacement or OS migration plans.

(Credit: Microsoft)

A red badge indicates a critical vulnerability. “This state appears only after a security vulnerability that affects the boot process is discovered and cannot be serviced on devices that have not yet received the updated certificates. This could occur as early as June 2026, when some of the current Secure Boot certificates begin to expire,” the company explains. Microsoft will provide detailed status messages and guidance, potentially including OS updates or manufacturer contact information, to address the issue. For enterprise and public-sector fleets, this dashboard effectively becomes an early-warning mechanism that can be folded into patch management and compliance reporting.

The Architecture of Secure Boot and its Vulnerabilities

Secure Boot relies on a chain of trust, beginning with the Unified Extensible Firmware Interface (UEFI). UEFI firmware verifies the digital signature of bootloaders and operating system kernels before execution, preventing unauthorized code from loading during startup. This process is crucial for mitigating rootkits and boot sector viruses: malware that establishes itself before the operating system even loads, making it exceptionally difficult to detect and remove. The certificates act as the root of trust for this verification process. Without valid, updated certificates, the system’s ability to confirm the integrity of the boot process is compromised.

The expiration of these certificates isn’t a sudden failure, but a gradual erosion of security. The current certificates were designed with a limited lifespan, anticipating the need for periodic renewal to address evolving threats and cryptographic best practices. The transition to new certificates is a complex undertaking, requiring coordination between Microsoft, hardware manufacturers, and firmware developers, as well as alignment with broader platform-security expectations set out by standard-setting and regulatory bodies such as the NIST firmware security guidelines.

For organizations that must comply with cybersecurity frameworks or sector-specific regulations, Secure Boot is one of the technical controls that underpins assurances about device integrity. As certificates age out, IT and security leaders will need clear inventories of which machines are still dependent on legacy boot trust anchors and whether those systems remain acceptable for use in regulated environments.
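One way to build the inventory described above, as an added example that is not part of the article or any Microsoft tooling: a PowerShell function that records whether Secure Boot is enforcing and whether the UEFI `db` variable already contains the new Microsoft CA. It assumes an elevated session on a UEFI Windows machine with the `SecureBoot` module cmdlets available, and that the new CA's subject string is `Windows UEFI CA 2023`.

```powershell
# Added inventory helper (not from the article or Microsoft). Assumptions: run
# elevated on UEFI Windows; Confirm-SecureBootUEFI / Get-SecureBootUEFI exist;
# the new trust anchor shows up in the UEFI 'db' variable with this subject.
$NewCaSubject = 'Windows UEFI CA 2023'   # assumed subject string of the new CA

function Get-SecureBootTrustStatus {
    $result = [ordered]@{
        ComputerName = $env:COMPUTERNAME
        SecureBootOn = $null
        NewCaInDb    = $null
        Assessment   = 'Unknown'
    }
    try {
        # Throws on legacy BIOS/CSM systems and on non-elevated sessions.
        $result.SecureBootOn = Confirm-SecureBootUEFI -ErrorAction Stop
        # 'db' is a blob of EFI_SIGNATURE_LISTs holding DER certificates; the
        # CA subject survives as a plain ASCII substring, so a text search is
        # enough to tell whether the new trust anchor has been installed.
        $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
        $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
        $result.NewCaInDb = $dbText.Contains($NewCaSubject)
    } catch {
        $result.Assessment = "Secure Boot state unavailable: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    $result.Assessment = if (-not $result.SecureBootOn) {
        'Secure Boot disabled: boot chain is not being verified'
    } elseif ($result.NewCaInDb) {
        'Updated: new CA present in db'
    } else {
        'Legacy trust anchor only: needs Windows/firmware update or replacement'
    }
    [pscustomobject]$result
}

# Emit one CSV row per machine for a fleet inventory or compliance report.
Get-SecureBootTrustStatus | ConvertTo-Csv -NoTypeInformation
```

The script cannot tell a device that merely needs an OEM firmware update (yellow badge) from one that can never receive the certificates (red badge); it only flags which machines still depend on the legacy anchors so that distinction can be made per model.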

Windows 10 Support and the Extended Security Updates Program

The situation is particularly acute for systems still running Windows 10, which reached its end of support in October. Without ongoing security updates, these systems are increasingly vulnerable. Microsoft warns that Windows 10 PCs will not receive the new Secure Boot certificates unless enrolled in the Windows 10 Extended Security Updates (ESU) program.

The new Secure Boot status indicator is currently available only for Windows 10 ESU PCs. Therefore, users on unsupported Windows 10 versions should assume their certificates will expire starting in June and plan accordingly. In practice, that means weighing the cost of ESU enrollment, OS upgrades, or hardware refreshes against the operational and compliance risks of running devices in a degraded-security state. US users can access two free options for enrolling in the ESU program, but those routes still require active decision-making by system owners rather than passive reliance on background updates.

PCs running Windows 11 and Windows 10 ESU are expected to receive the new software certificates “automatically” through regular Windows updates. However, some PCs may require a separate firmware update from their device or motherboard manufacturer to successfully load the new certificates, triggering the yellow or red badge warnings. For large organizations, coordinating those firmware rollouts across multiple OEMs and device generations will be a nontrivial governance task.

Implications for System Integrity and Security Posture

While a PC without the updated certificates will continue to operate, Microsoft cautions that it will enter a “degraded security state.” This means the system will be more susceptible to boot-level vulnerabilities, potentially allowing attackers to compromise the system before the operating system even loads. This is a significant concern, particularly for systems handling sensitive data, industrial control systems, or critical infrastructure. The risk is amplified by the increasing sophistication of boot-level attacks, which are often designed to bypass traditional security measures and can persist even after OS reinstalls.

The inability to update can stem from hardware limitations. Microsoft’s support page notes that some older PCs may not meet the system requirements to update to Windows 11, and therefore may not be able to receive the necessary firmware updates to support the new certificates. That creates a policy dilemma for government agencies, hospitals, and schools that still rely on aging hardware: either segment and strictly limit these devices, or accelerate replacement timelines to maintain an auditable root of trust.

Users encountering a red badge will have the option to “accept the risks, don’t remind me.” However, this is strongly discouraged, as it effectively disables a critical security feature. For managed environments, IT departments will want to ensure such overrides are centrally controlled and logged, rather than left to individual end users. Microsoft plans to expand notifications beyond the Windows Security app, including system alerts and in-app guidance, beginning in May 2026, to further emphasize the importance of addressing this issue and to nudge decision-makers toward proactive remediation rather than last-minute crisis responses.
