Sunday, July 5, 2026

Secure Boot certificates expiring in 2026: What Windows users need to know


Most Windows users never think about Secure Boot until something goes wrong. This security feature acts as a gatekeeper during startup, ensuring that only trusted software can load before Windows takes over. However, the digital certificates that power this protection are aging out.

The original set of Secure Boot certificates was issued in 2011 with a planned expiration in 2026. Three of these four certificates have already reached their end-of-life as of late June 2026, with the final one expiring in October 2026. Without the updated 2023 certificates, your PC loses a critical layer of defense against bootkits.

What is Secure Boot and why does it matter?

Secure Boot was introduced with Windows 8 to combat bootkits. These are malicious programs that infect the startup sequence, allowing attackers to hide from antivirus software and modify the operating system before it even loads. Think of Secure Boot as a security checkpoint at a guarded building. It verifies the digital signatures of drivers and boot files against a database of approved certificates.


If the code trying to load does not match an approved certificate, Secure Boot blocks it. This prevents unauthorized software from gaining control of your system during the most vulnerable phase of startup. While some may argue that average users are not targets for state-sponsored attacks, bootkits have historically affected everyday consumers long before they became a headline issue.

Secure Boot verifies digital signatures to prevent unauthorized code from loading before Windows starts.

How to check your Secure Boot status

You cannot rely on your PC simply booting up to determine if you are protected. A computer can still start Windows even if its Secure Boot certificates have expired, leaving it vulnerable. To verify your status, open the Windows Security app and navigate to Device Security.

Look for the Secure Boot section. A green checkmark indicates you have the current 2023 certificates and are fully protected. If you see a yellow or red warning icon, your system is using outdated certificates. You may also notice a blue shield icon with a yellow or red mark on your taskbar, which serves as another visual cue that action is required.
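The same check can be made from an elevated PowerShell prompt, which goes one step beyond the Windows Security icon by reading the firmware's own certificate stores. This is an added example, not part of the original article; the certificate names are assumptions taken from Microsoft's public guidance rather than from this page.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI system.
# The certificate names below are not listed in the article; they are the
# 2023 names from Microsoft's public guidance.
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    # Third-party CAs: may be absent on devices that never trusted the
    # 2011 third-party UEFI CA.
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI returns the raw firmware variable. Certificate
    # subject names appear as readable strings inside the DER data, so a
    # plain text search is enough to tell whether a certificate is enrolled.
    $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

try {
    # Returns $true or $false; throws on legacy BIOS or without elevation.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
    return
}
"Secure Boot enabled: $enabled"

$cache = @{}
foreach ($item in $expected) {
    if (-not $cache.ContainsKey($item.Variable)) {
        $cache[$item.Variable] = Get-SecureBootVariableText -Name $item.Variable
    }
    [pscustomobject]@{
        Variable    = $item.Variable
        Certificate = $item.Name
        Present     = $cache[$item.Variable].Contains($item.Name)
    }
}
```

A `False` for the KEK entry or for `Windows UEFI CA 2023` corresponds to the warning states described above.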

Updating to the 2023 certificates

Microsoft has been pushing the new 2023 Secure Boot certificates to compatible devices automatically. If you see a green checkmark in Windows Security, no further action is needed. Your system has already received the update and maintains consistent defense against startup malware.

If you have a warning, the next step depends on your hardware. A yellow warning often means you just need to ensure your UEFI/BIOS firmware is up to date, as the new certificates may be delivered via a BIOS update from your manufacturer. Check for pending updates in Windows Update or visit your PC maker’s support site.

A yellow or red warning on the taskbar indicates that Secure Boot certificates may need attention.

What happens if you cannot update?

A red warning can indicate that your device is no longer supported by the manufacturer for Secure Boot updates. Some older PCs have reached their end-of-life and will not receive the necessary UEFI/BIOS firmware to support the 2023 certificates. In these cases, you lose the ability to verify boot integrity using Microsoft’s standard framework.

Ignoring this warning is akin to driving with a Check Engine light on. The car may still run, but underlying issues remain unaddressed. Removing bootkits after infection is difficult and time-consuming. Secure Boot provides a heads-up by preventing the system from booting if malicious code is detected, giving you a chance to intervene.

If your PC cannot be updated, you have limited options. You may need to consider upgrading to a newer machine that supports current security standards. Alternatively, some users turn to Linux distributions that can manage older hardware without relying on Windows-specific Secure Boot certificates. For most everyday users, keeping the firmware updated is the best way to maintain protection.

Source: PCWorld

Over to you: Do you check your Windows Security status regularly, or do you rely on automatic updates to handle these changes?
