Windows Secure Boot certificates expire in June 2026 — here's how to check if you're protected

Microsoft's original Secure Boot certificates from 2011 are expiring in June 2026, and the company is rolling out a new status checker in the Windows Security app to help users verify their PCs have updated protection. As reported by PCMag, Windows 11 and Windows 10 ESU users will receive automatic updates, but millions of unsupported Windows 10 PCs will lose crucial boot-level security.

What is Secure Boot and why does it matter?

Secure Boot protects your PC during startup by ensuring only trusted software runs during the boot process, preventing malware that can persist even after operating system reinstalls. This security layer has protected Windows PCs since 2011 using digital certificates that verify legitimate software.

The technology works by checking each piece of software against cryptographic signatures before allowing it to load. For UAE users, this means protection against sophisticated boot-level attacks that traditional antivirus software can't catch — the kind of threats targeting businesses and government systems in the region.

According to Microsoft, "The device will enter a degraded security state that limits its ability to receive future boot-level protections" without updated certificates. This leaves PCs vulnerable to new boot-level vulnerabilities that hackers could exploit. (Source: Microsoft Learn)

How to check your Secure Boot status

Starting April 2026, Microsoft added a dedicated Secure Boot status page in the Windows Security app under Device security > Secure Boot. The system displays one of three colour-coded badges indicating your PC's protection level.

A green badge confirms your PC has received updated certificates and remains fully protected. Yellow indicates Microsoft recommends action — usually installing a firmware update from your PC manufacturer to enable the new certificates.

A red badge means your PC cannot receive new certificates and will lose protection when the current ones expire. Microsoft notes this "could occur as early as June 2026" and will display specific guidance on potential solutions, including contacting your device manufacturer.

From our own checks on a couple of Windows 11 laptops in the office, the quickest way to confirm what your PC reports is to open Windows Security first (rather than hunting through Settings), then follow the Device security path to the Secure Boot page and read the badge and the recommended action text exactly as shown.

Which Windows versions get the updates?

Windows 11 users receive new Secure Boot certificates automatically through monthly Windows updates. The same applies to Windows 10 PCs enrolled in the Extended Security Updates (ESU) programme, which Microsoft offers to extend support beyond the October 2025 end-of-life date. (Source: Microsoft Support)

However, unsupported Windows 10 installations — the majority of Windows 10 PCs — will not receive the updated certificates. These systems will continue operating but enter what Microsoft calls a "degraded security state" after June 2026.

The company acknowledged that some PCs might require additional firmware updates from manufacturers before loading new certificates, explaining why some users might see yellow or red status badges even with supported Windows versions.

What happens if certificates expire on your PC?

PCs with expired Secure Boot certificates don't stop working but lose critical boot-level protection against malware attacks. Microsoft warns these systems become vulnerable to "boot-level vulnerabilities" that could allow sophisticated attacks to bypass traditional security software.

For businesses and individuals in the UAE handling sensitive data, this represents a significant security risk. Boot-level malware can steal credentials, install persistent backdoors, and access encrypted data before the operating system fully loads.

Microsoft's support documentation includes an option for users to "accept the risks" and dismiss warnings about expired certificates. However, cybersecurity experts warn this leaves systems exposed to evolving threats targeting the region.

Editorial take: if you see a yellow or red badge, treat it like a real security maintenance task—not a cosmetic warning. In our experience, the “fix” is often a BIOS/UEFI update from the OEM, and those updates can be easy to postpone until it’s too late.

Recommendation:

Check your Secure Boot status now and plan remediation early. If you’re on Windows 11, stay current with monthly updates and apply any OEM firmware updates flagged by the yellow badge. If you’re on unsupported Windows 10, we recommend budgeting time for a Windows 11 upgrade (or ESU where appropriate) well before June 2026—because once Windows Secure Boot certificates lapse, you’re effectively choosing to run with reduced boot-level trust.

Frequently Asked Questions

What is Secure Boot?

Secure Boot ensures your PC runs only trusted software during startup, preventing malware that can persist even after OS reinstalls. It uses digital certificates to verify legitimate software before allowing it to load.

When do Windows Secure Boot certificates expire?

The original Secure Boot certificates from 2011 expire in June 2026. Microsoft hasn't specified the exact date within the month.

How can I check my Secure Boot status?

Open Windows Security app and go to Device security > Secure Boot. You'll see a green (protected), yellow (action needed), or red (not protected) status badge starting April 2026.

Will Windows 10 receive the new Secure Boot certificates?

Only Windows 10 PCs enrolled in Extended Security Updates (ESU) will receive new certificates. Standard Windows 10 installations lost support in October 2025 and won't get security updates.

What happens if my PC doesn't get new certificates?

Your PC will continue working but enter a degraded security state vulnerable to boot-level attacks. You'll lose protection against sophisticated malware that loads before your operating system starts.

Should I upgrade from Windows 10 to avoid this issue?

If your PC meets Windows 11 requirements, upgrading provides the best long-term security. Alternatively, consider Windows 10 ESU for extended support, though this involves additional costs for most users.

Written by

Share

Copied