Industry observers note that (Not even the staff at PCWorld.) But this Windows security capability provides a vital protection against dangerous malware—one some PCs have just lost. Most people don’t spend time thinking about Secure Boot.

Industry observers note that and why should you pay attention to all the recent news about it? The situation is more complex than you might guess. It also requires a little manual work on everyone’s part. So what is Secure Boot, exactly?

As part of the ongoing story, it was a response to “bootkits,” a type of attack that started in the mid-2000s. Attackers would insert malicious code into the boot sequence, allowing them to modify Windows undetected and evade antivirus programs detection. Secure Boot prevents sketchy programs from running before you start Windows.

According to the latest update, its rollout was a major boost to PC security. Beginning with Windows 8, Microsoft implemented Secure Boot to block such malware.

In a fresh development, only people on an approved list can get in, and an agent verifies identities before allowing anyone through. Think of Secure Boot as similar to a checkpoint for a heavily guarded building.

According to the latest update, it relies on security certificates containing cryptographic information used to verify the drivers and other elements needed to start Windows. On your PC, Secure Boot performs this kind of screening.

The report highlights that code loaded during boot is the person showing an ID (digital signature). And the security certificates are the database containing the IDs of approved entrants. In this analogy, Secure Boot is the agent.

Industry observers note that only newer computers ship with the next set from 2023. Many PCs have shipped with the original versions of the certificates, which were issued in 2011.

As part of the ongoing story, in Microsoft’s own words, this plan was “to ensure Windows devices continue to verify trusted boot programs.” Currently, three of the four certs have already reached end-of-life. (This happened in late June 2026.) The fourth will do so in October 2026. The 2011 Secure Boot certificates were intended to expire after 15 years in 2026.

According to the latest update, updating to the 2023 certs maintains consistent defense against bootkits and other malware targeting the startup process. Expired certificates mean weakened protection for your PC—Secure Boot won’t be able to block newer attacks on your startup process.

The report highlights that a PC can still enter Windows with expired 2011 certs. You must manually verify in Windows that your Secure Boot certificates are up to date—being able to boot up into Windows isn’t proof.

As part of the ongoing story, in most cases, Windows will notify you of the issue—one clue is seeing a blue shield icon on your Taskbar, with either a yellow or red mark on it.

According to the latest update, a green checkmark means you have the 2023 Secure Boot certificates and are up-to-date. A yellow or red warning indicates you must take action. Otherwise, open the Windows Security app and then select Device Security.

The report highlights that (Ex: You’re a journalist covering North Korea.)But that attitude can be traced back to Secure Boot’s presence in Windows. I was around before its implementation. You didn’t need to be targeted by state-sponsored hackers to end up with a bootkit infection. Internet comments now often advise not worrying about UEFI/BIOS level malware, saying only targets of government attacks have to worry.

As part of the ongoing story, but ignoring the warning can lead to a massive headache later. So you can run your PC with expired Secure Boot certificates, just as you can keep using your car when the Check Engine light comes on.

According to the latest update, secure Boot provides protection should that ever happen, because it won’t let your system boot. You at least get a heads-up something nasty has happened to your PC. Getting rid of malware that affects your boot sequence is a huge pain, both for detection and removal.

The report highlights that if you see a green checkmark, you’re set and don’t have to worry any further. Most Windows PCs have had the 2023 Secure Boot certificates pushed to them already.

According to the latest update, you can read more about what to do (and how to do it) in our Secure Boot patch guide. If you have a yellow or red warning, you’ll have to get more involved with your PC—seeing if your computer will get support from its manufacturer, if you need to perform a manual UEFI/BIOS patch, etc.

Industry observers note that yellow generally means you just have to sit tight awhile longer (and be sure that your UEFI/BIOS is up to date). Your next steps depend on if your PC has received a yellow or red warning.

The report highlights that some manufacturers have stated support has ended for certain end-of-life products. This means you won’t get the UEFI/BIOS patch needed for the newer 2023 certificates. Red might mean your PC won’t get the fresh Secure Boot certificates.

As part of the ongoing story, to stay on Windows, you’ll have to buy a fresh PC. Alternatively, you’ll need to get comfortable with Linux—specifically a distro that can bridge this gap. In such an unfortunate situation, you have two main options.

According to the latest update, since joining the team in 2016, she’s written about CPUs, Windows, PC building, Chrome, Raspberry Pi, and much more—while also serving as PCWorld’s resident bargain hunter (#slickdeals). Currently her focus is on security, helping people understand how best to protect themselves online. Her work has previously appeared in PC Gamer, IGN, Maximum PC, and Official Xbox Magazine. A 15-year veteran of technology and video platform releases journalism, Alaina Yee covers a variety of topics for PCWorld.