Microsoft is warning that the June expiration of software certificates will put those still using Windows 10 in an even more vulnerable state.
The software certificates deal with a feature called Secure Boot, which can prevent a PC from loading malicious code as the machine starts up. Microsoft initially introduced the feature in 2011 with Windows 8 to ensure only trusted software runs during the boot process, warding off potential "pre-boot malware" threats.
The problem is that “all Windows-based devices have carried the same set of Microsoft certificates,” which are slated to expire in late June. The company has been warning businesses about the issue, but on Tuesday, Microsoft published a new blog post that talks about what consumers can expect.
To keep Secure Boot up-and-running, the software giant has started to roll out fresh certificates through monthly Windows updates for consumers and enterprise users. So if you’re on Windows 11, you should receive the update “with no additional action required,” the blog post notes.
In addition, PC manufacturers “have been provisioning updated certificates on new devices and many newer PCs built since 2024, and almost all the devices shipped in 2025, already include the certificates and require no action from customers,” Microsoft says.
This Tweet is currently unavailable. It might be loading or has been removed.But it’s no secret that millions of consumers continue to use Windows 10, which officially lost support last year. This means Microsoft is no longer distributing new updates or security patches for the OS, leaving it more vulnerable to malware and other hacking threats.
The good news is that Microsoft offers a free way for Windows 10 users to receive security patches through Oct. 13, 2026 via its “Extended Security Updates” program. If your Windows 10 machine is in the ESU program, then you can expect to receive new software certificates for Secure Boot. Otherwise, your computer will miss out.
Specifically, the company warns: “If a device does not receive the new Secure Boot certificates before the 2011 certificates expire, the PC will continue to function normally, and existing software will keep running. However, the device will enter a degraded security state that limits its ability to receive future boot-level protections.”
The danger is that an unsupported Windows PC could become vulnerable to malware capable of infecting components on a firmware-level, and thus could even survive OS reinstalls.
“As new boot‑level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations,” Microsoft added. “Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”
Recommended by Our Editors
(Photo by Beata Zawrzel/NurPhoto via Getty Images)
However, consumers still on Windows 10 may be well aware of the security trade-offs. Many older Windows 10 PCs can't update to Windows 11 due to a security chip requirement, meaning affected consumers need to pay for new hardware or register for the ESU program to keep their Windows installation secure.
As a result, the Windows 10 OS continues to hold a 35.77% share of the desktop market, compared to Window 11’s 62.4% share, according to Statcounter. Users can also mitigate the threat by installing a third-party antivirus onto an unsupported Windows 10 PC.
In the meantime, Microsoft’s blog post notes that it plans on making the Secure Boot certificate update status available in the built-in Windows Security App “to help consumers track the certificate updates more closely.” If you run into a problem, Microsoft says you should check that you're running the latest monthly Windows updates.
The company added: “For a fraction of devices, a separate firmware update from the device manufacturer may be required before the system can apply the new Secure Boot certificates delivered via Windows Update. To prepare, we recommend that customers check their OEM (PC manufacturer) support pages to ensure they have the latest firmware updates.”
(Credit: Microsoft)
About Our Expert
Michael Kan
Principal Reporter
Experience
I've been a journalist for over 15 years. I got my start as a schools and cities reporter in Kansas City and joined PCMag in 2017, where I cover satellite internet services, cybersecurity, PC hardware, and more. I'm currently based in San Francisco, but previously spent over five years in China, covering the country's technology sector.
Since 2020, I've covered the launch and explosive growth of SpaceX's Starlink satellite internet service, writing 600+ stories on availability and feature launches, but also the regulatory battles over the expansion of satellite constellations, fights with rival providers like AST SpaceMobile and Amazon, and the effort to expand into satellite-based mobile service. I've combed through FCC filings for the latest news and driven to remote corners of California to test Starlink's cellular service.
I also cover cyber threats, from ransomware gangs to the emergence of AI-based malware. In 2024 and 2025, the FTC forced Avast to pay consumers $16.5 million for secretly harvesting and selling their personal information to third-party clients, as revealed in my joint investigation with Motherboard.
I also cover the PC graphics card market. Pandemic-era shortages led me to camp out in front of a Best Buy to get an RTX 3000. I'm now following how the AI-driven memory shortage is impacting the entire consumer electronics market. I'm always eager to learn more, so please jump in the comments with feedback and send me tips.
Read Full Bio