If you use a Windows PC that’s more than a couple of years old, you’ve just entered an eight‑week countdown you really should not ignore. Microsoft is quietly flipping a major security switch in June 2026, and while your computer won’t suddenly refuse to boot on that day, its protection against some of the nastiest kinds of attacks can start to age very quickly if you do nothing.

At the heart of this story is something most people never think about: Secure Boot. It’s a behind‑the‑scenes security layer built into modern PCs that makes sure only trusted code runs when your machine first powers on. Since around 2011, Windows machines have relied on a set of Microsoft Secure Boot certificates to prove that the boot components they’re loading are genuine and haven’t been tampered with. Those original certificates are now reaching their end of life, with expiry beginning in June 2026 after roughly 15 years in service.

To keep that chain of trust intact, Microsoft has issued new “Windows UEFI CA 2023” certificates and is pushing them out through regular Windows Update. If your PC shipped in the last two years, you’re almost certainly fine, because those newer machines tend to include the updated certificates out of the box or have already received them via updates. The concern is for the huge installed base of older Windows 10 and early Windows 11 hardware that may have missed updates, been paused for patching, or simply been powered off for long stretches of time.

Microsoft has now added a very visible status indicator inside the Windows Security app to make this easier to understand. Under Device security → Secure Boot, Windows shows a green, yellow, or red status badge: green means your device has the new certificates and you’re good; yellow means the update is pending or blocked and may require manual action; red means there is a boot‑level vulnerability that can’t be fixed on your current configuration without the new certificates. Those yellow and red states become more important from May and June 2026 onward, as the older certificates start expiring and certain boot security fixes can no longer be delivered to outdated configurations.

The key nuance: your PC will not suddenly refuse to start the day those old certificates hit their expiry date. Microsoft’s own documentation stresses that the “expiration” primarily affects the ability to deliver future Secure Boot–related security updates to devices that haven’t adopted the updated trust anchors. In other words, your machine will probably boot, but over time it becomes a softer target for threats that attack before Windows even loads, because new mitigations for that early boot phase can’t be properly validated or applied without the updated certificates.

Why does that matter in real life? Boot‑level malware—bootkits and rootkits—operate underneath the operating system, often invisible to antivirus tools that run only after Windows has started. Secure Boot was introduced specifically to make those attacks harder by ensuring only signed, trusted boot loaders and related code are allowed to run. If your system stays on an expired certificate chain, you’re essentially freezing that early boot protection in time. As new vulnerabilities are found in boot components, the system can’t reliably get or enforce fixes without the refreshed certificate infrastructure.

For many home users and small businesses, the immediate action item is simple: make sure Windows Update is actually running and up to date. That means taking your device out of airplane mode or off metered connections long enough to download cumulative updates, and not indefinitely pausing security patches because they’re inconvenient. If you haven’t updated in months, this is the moment to let Windows catch up. Once the latest updates are installed, the Secure Boot certificate update should land automatically on supported hardware, flipping that status badge to green in the Windows Security app.

There are, however, some important edge cases. Older PCs with quirky UEFI firmware, custom dual‑boot setups, or manually tweaked Secure Boot configurations can block the automatic update. In those scenarios, the Windows Security app may show a yellow warning even after you’re fully patched, indicating that the update is being prevented by a hardware or firmware limitation and may require manual intervention—potentially a firmware (BIOS/UEFI) update from your PC maker or adjustments to Secure Boot settings. From June 2026 onward, if a new boot‑level vulnerability is found and cannot be fixed on your current configuration because the certificates are still old, that’s when you hit the red‑badge scenario.

This eight‑week window also intersects awkwardly with the end of life for Windows 10. Microsoft stops providing free security updates for Windows 10 on October 14, 2025, after which the only way to keep receiving security patches is through the Extended Security Updates (ESU) program, a paid subscription that stretches coverage out for a limited time. For individuals and organizations that cannot upgrade older hardware to Windows 11—either because of CPU, TPM, or memory requirements—the advice is to either replace the device with a supported Windows 11 PC or enroll in ESU so that at least critical and important vulnerabilities continue to be patched.

The certificate deadline raises the stakes for those still hanging onto unsupported or soon‑to‑be‑unsupported machines. If your PC has already “fallen off support”—for example, older Windows 10 devices that don’t meet Windows 11 requirements and aren’t enrolled in ESU—then the Secure Boot certificate expiry becomes one more security gap stacking on top of unpatched operating system flaws. At that point, you are running on borrowed time: the OS isn’t receiving regular security fixes, and the boot process itself may no longer benefit from the latest protective updates.

It’s tempting to frame all of this as scare‑mongering, but in practice, this is more like your bank issuing a new debit card when the old one is about to expire. Most people will get the replacement automatically and only need to activate it; the real risk is for those who ignore the envelope or never receive it because their address is out of date. In the Windows world, that “envelope” is Windows Update, and the “activation” is simply allowing the updates to install and checking that Secure Boot shows a healthy status. The users who run into trouble in late 2026 are likely to be those with long‑neglected systems, heavily customized boot setups, or aging PCs that really should have been replaced years ago.

For security‑conscious users, there are also more advanced checks. Power users and admins can query Secure Boot databases from within Windows to see whether the newer 2023 certificate is present, and enterprise IT departments can use centralized tools to audit entire fleets and track compliance ahead of the deadline. Microsoft has been hosting dedicated briefings and Q&A sessions with IT professionals specifically about this Secure Boot transition, underlining that this is not a minor housekeeping update but a coordinated refresh of the root of trust for Windows devices.

If you strip away the jargon, the message for everyday users over the next eight weeks is refreshingly straightforward: don’t panic, but do act. Leave automatic updates on, give your PC time to install them, then open the Windows Security app and look at the Secure Boot section to confirm that everything shows as healthy. If you see warnings, especially as you get closer to June, treat them as a prompt to investigate—check for firmware updates from your PC maker, talk to your IT department if it’s a work device, or consider whether it’s time to move to newer hardware.

And if you’re still clinging to an old Windows 10 machine that can’t move to Windows 11, this is yet another nudge that the clock really is ticking. Between the OS going out of mainstream support in late 2025 and the Secure Boot certificate rollover in 2026, keeping that device on the front line of your digital life—handling banking, email, and sensitive work—starts to look like a bad bet. Using it as a strictly offline backup, or replacing it with a modern, supported system, will be a lot less painful than dealing with a compromised machine down the line.

The bottom line: this isn’t an apocalypse for Windows users, but it is a real, time‑boxed maintenance task that comes around maybe once in a decade and a half. Spend 10 minutes now to let your system update and confirm that Secure Boot shows a green status, and future‑you—in June, and in the years after—won’t be left wondering whether your PC’s most basic line of defense quietly expired while you weren’t looking.