Microsoft has been warning users about expiring Secure Boot certificates for months, but the clock is ticking down. Three of the four original certificates issued in 2011 expired during the last full week of June 2026. The final certificate from that batch expires in October 2026.
If your PC hasn’t automatically updated to the newer 2023 certificates, it is vulnerable to boot-level attacks. This guide explains how to check your status and what steps you need to take to secure your machine.
What this means for you
Secure Boot acts as a checkpoint during startup, verifying that the code that runs before Windows loads carries a trusted digital signature. Without valid certificates, malicious software can modify the boot process and evade antivirus detection.
While your PC may still boot normally with expired certificates, it lacks this critical layer of protection. You need to ensure your firmware supports the newer 2023 certificates to maintain full security.
How to check if you are at risk
Many modern PCs have already received automatic updates to the new certificates. However, you should not assume you are safe just because your computer starts up.
Look for a blue shield icon in your system tray with a yellow or red mark. This indicates a potential issue. For a definitive check, open the Windows Security app, select Device security, and look at the status next to Secure Boot. A green checkmark means you are protected. A yellow or red warning means you need to take action.
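A command-line version of the same check, added here as an example and not part of the original article: it reads the firmware's Secure Boot variables and reports which 2011 and 2023 Microsoft certificates are present. The certificate names are Microsoft's published common names, not taken from this article, and the function name Test-SecureBootCert is made up for this example.

```powershell
# Added example. Run in an elevated PowerShell window on a PC booted in UEFI mode.
# Read-only: it queries firmware variables and changes nothing.

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][string]$Variable,   # UEFI variable to read: 'KEK' or 'db'
        [Parameter(Mandatory)][string[]]$Names     # certificate common names to look for
    )
    # The variable holds DER-encoded certificates; their common names are stored
    # as plain ASCII, so a substring search over the raw bytes finds them.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($name in $Names) {
        [pscustomobject]@{
            Variable    = $Variable
            Certificate = $name
            Present     = $text.Contains($name)
        }
    }
}

$enabled = $null
try {
    # Throws on legacy BIOS systems and when the session is not elevated.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Cannot read Secure Boot state: $($_.Exception.Message)"
}

if ($null -ne $enabled) {
    "Secure Boot enabled: $enabled"

    $results = @(
        Test-SecureBootCert -Variable 'KEK' -Names 'Microsoft Corporation KEK CA 2011',
                                                   'Microsoft Corporation KEK 2K CA 2023'
        Test-SecureBootCert -Variable 'db'  -Names 'Microsoft Windows Production PCA 2011',
                                                   'Windows UEFI CA 2023'
    )
    $results | Format-Table -AutoSize

    # The two 2023 entries are the replacements for the two 2011 entries above.
    $missing = $results | Where-Object { $_.Certificate -like '*2023' -and -not $_.Present }
    if ($missing) {
        Write-Warning ("2023 certificate(s) not found: " + ($missing.Certificate -join ', '))
    } else {
        "Both 2023 certificates are present in the firmware."
    }
}
```

A missing 2023 entry on a machine with current Windows updates usually points to the firmware situation described in the next section.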

Update your UEFI/BIOS firmware
If you see a warning, the first step is to update your motherboard’s firmware. Microsoft cannot push new certificates if your UEFI or BIOS version is too old to support them.
For prebuilt PCs: Visit the support page for your specific model from Dell, Lenovo, HP, or other manufacturers. Use their diagnostic tools to check for and install the latest firmware updates. These tools often handle the process automatically.
For DIY builds: Identify your motherboard model and revision using a tool like HWiNFO or by checking the UEFI menu at boot. Visit the manufacturer’s support site, ensuring you select the exact revision of your board. Compare your current BIOS version against the available updates and install the latest one.
If your current firmware is very old, consider updating in stages rather than jumping to the latest version all at once. This reduces the risk of compatibility issues during the update process.

Stay cautious while waiting
While you wait for your PC to receive the updated certificates, exercise extra caution online. Expired certificates do not immediately brick your system, but they increase your vulnerability to sophisticated malware over time.
Avoid downloading software from untrusted sources and be wary of browser extensions that request excessive permissions. Keep your antivirus definitions up to date to help block known threats before they can infect your system.
What if your PC cannot be updated?
Microsoft does not control firmware updates; hardware manufacturers do. If your PC’s maker no longer provides firmware updates, you may not be able to install the new Secure Boot certificates.
In this case, your options are limited. You could switch to Linux, though many distributions also rely on similar certificate structures. Continuing to use Windows without updated certificates poses a growing security risk as online threats become more advanced.
Check your manufacturer’s support page for their policy on Secure Boot updates. If no update is available, consider planning a hardware upgrade to ensure long-term security.
Over to you: Have you checked your PC’s Secure Boot status yet, or are you waiting for an automatic update?