Microsoft is introducing a recent visual tracking system within Windows to alert users that original Secure Boot certificates, some dating back to 2011, are set to expire in June. This security layer is critical for the startup process, ensuring that a PC only loads trusted software and preventing sophisticated malware from embedding itself into the boot process—a type of attack that can often survive even a complete operating system reinstall.
To manage this transition, Microsoft is rolling out a Secure Boot status dashboard. This tool is designed to help users verify your PC is updated and determine if their hardware is still protected against boot-level vulnerabilities. The dashboard will be integrated directly into the Windows Security app, providing a clear, color-coded indicator of a device’s current security posture.
For the vast majority of users on Windows 11, the update process will be seamless. The new software certificates are delivered automatically through regular monthly Windows updates. However, the expiration of these legacy certificates creates a significant security gap for those remaining on unsupported versions of Windows 10, as well as a small subset of users whose hardware requires manual firmware intervention.
The new status indicator can be found by navigating to Device security and then selecting Secure Boot within the Windows Security app. According to Microsoft, this page “now shows whether your device has received these updates, what your current status is, and whether any action is needed.”
Understanding the Secure Boot Status Badges
The dashboard utilizes a three-tier badge system to communicate the health of the boot process. Because the requirements for updating these certificates vary by hardware and OS version, the colors indicate different levels of urgency and action.
A green badge is the ideal state, confirming that the PC has successfully received and applied the necessary updates. A yellow badge indicates that Microsoft has a safety recommendation. In many cases, this means the OS is ready, but the user may need to install a firmware update from their motherboard or device manufacturer to actually load the new certificates.
The most critical alert is the red badge. This indicates that the PC cannot receive the new Secure Boot software certificates. Microsoft states that this state “appears only after a security vulnerability that affects the boot process is discovered and cannot be serviced on devices that have not yet received the updated certificates.” The company warns that this could occur as early as June 2026 as current certificates begin to expire.
Who Is At Risk and How to Respond
The primary group affected by this expiration are users on standard versions of Windows 10. Since Windows 10 officially lost support in October, these systems no longer receive standard software patches, including the new Secure Boot certificates. Even as the PC will continue to operate, it will enter what Microsoft describes as a “degraded security state,” limiting its ability to receive future boot-level protections and increasing susceptibility to exploits.
There is a notable exception for those enrolled in the Windows 10 Extended Security Updates (ESU) program. Microsoft has confirmed that the new Secure Boot status indicator is arriving specifically for Windows 10 ESU PCs, allowing them to maintain a level of protection similar to Windows 11 users.
For those who see a red badge and cannot update their hardware or OS, Microsoft provides a manual override. Users can select an option stating, “I accept the risks, don’t remind me,” though this leaves the device exposed to potential boot-level vulnerabilities.
Comparison of Update Paths by OS Version
| OS Version | Update Method | Status Dashboard Availability |
|---|---|---|
| Windows 11 | Automatic via Windows Update | Available |
| Windows 10 (ESU Program) | Automatic via Windows Update | Available |
| Windows 10 (Standard/Unsupported) | No Official Update Path | Not Available |
The Technical Impact of Expired Certificates
From a technical perspective, Secure Boot acts as a “root of trust.” By verifying the digital signature of the bootloader and kernel, it ensures that no unauthorized code executes before the operating system takes over. When certificates expire, the chain of trust is broken. This doesn’t crash the computer, but it removes the “lock” on the front door, potentially allowing rootkits to hide in the UEFI (Unified Extensible Firmware Interface) where antivirus software cannot reach them.
For some users, the bottleneck isn’t the OS, but the hardware. This is why the yellow badge exists; some motherboard manufacturers must release a BIOS/UEFI update to allow the system to accept the new certificates provided by Microsoft. Users seeing a yellow alert should visit their manufacturer’s support page to check for the latest firmware revisions.
The transition is further complicated by the fact that many older PCs do not meet the system requirements for Windows 11, such as TPM 2.0, forcing a security trade-off between using an outdated OS and purchasing new hardware.
Timeline and Next Steps
The rollout of the status dashboard begins this month, providing a window for users to verify their status before the June expiration dates. Microsoft is also planning to expand these alerts beyond the security app to ensure users aren’t missing critical warnings.
According to the company’s support documentation, “Beginning in May 2026, additional improvements will become available, including notifications outside the app (such as system alerts) and additional in-app guidance and controls to help you respond to Secure Boot warnings.”
Users are encouraged to check their official Microsoft support page for detailed guidance on updating their OS or contacting device manufacturers if a red or yellow badge appears.
The next major checkpoint for this security transition will occur in May 2026, when system-wide alerts will begin notifying users of remaining vulnerabilities. Until then, the most effective way to ensure protection is to maintain an up-to-date version of Windows 11 or a supported ESU version of Windows 10.
Do you have questions about your PC’s security status? Share your experience with the new dashboard in the comments below.
