A critical security deadline looms for Windows users as Microsoft scrambles to alert millions about expiring Secure Boot certificates that could degrade security protections during startup.
The company has rolled out new visual warnings in the Windows Security app showing whether devices have received necessary updates before certificates expire in June 2026. Three colored badges now indicate Secure Boot status: green for fully updated systems, yellow for those needing attention, and red for devices that cannot receive new boot-level protections after vulnerabilities are discovered.
Secure Boot certificates, which verify trusted software during startup, follow a 15-year lifecycle established when Windows first implemented the security feature. Without fresh certificates installed via Windows Update by June, devices will fail cryptographic validation during the UEFI startup sequence, rendering them unable to boot securely.
Microsoft began distributing updated certificates through February's cumulative updates but found many users unaware of the impending deadline. The new dashboard simplifies what was previously a complex process involving firmware checks and manual verification.
Starting in May, additional system-level alerts will appear outside the Windows Security app, including notifications that warn users directly about their Secure Boot status. These warnings aim to catch attention beyond technical users who regularly check security settings.
The issue affects both Windows 11 and Windows 10 systems, although Microsoft ended mainstream support for Windows 10 last October. Devices running unsupported versions won't receive automatic certificate updates through regular monthly patches, but Windows 10 Extended Security Update (ESU) users will see the status indicator.
"Beginning in May 2026, additional improvements will become available, including notifications outside the app," Microsoft states in its support documentation.
The company warns that devices without updated certificates "will enter a degraded security state that limits ability to receive future boot-level protections."
For enterprise environments, Microsoft released two dynamic updates in March targeting setup binaries and the Windows Recovery Environment. KB5081494 and KB5083482 deliver backend improvements to ensure systems can transition smoothly before the summer deadline.
IT administrators face particular pressure as failure to systematically deploy updated certificates across organizational environments could result in widespread operational downtime during what Microsoft calls "a critical priority for hardware trust migration."
Home users can check their status under Device Security > Secure Boot in the Windows Security app. The dashboard shows whether required updates have been installed and provides guidance on next steps, which may include contacting device manufacturers for firmware updates.















