Microsoft’s Secure Boot certificates, issued in 2011, are approaching expiration in 2026. To help IT administrators track whether devices have received replacement certificates, Microsoft has added new status indicators to the Windows Security app, under Device security > Secure Boot.
Updated 2023 certificates are being delivered automatically through Windows Update to consumer devices and some business devices. The new app indicators show whether a given device has received those updates, what its current certificate state is, and whether any action is required.
New indicators are off by default for managed devices
On enterprise-managed Windows 10 and Windows 11 client devices, the Windows Security app and its notification service run normally. The Device security page and Secure Boot section are populated and updated as expected. The new Secure Boot certificate update indicators are disabled by default on those devices. Microsoft’s documentation states the assumption that IT administrators are likely to manage Secure Boot certificate updates centrally rather than relying on per-device user-facing notifications.
The same default applies to Windows Server. On Windows Server with Desktop Experience on Server 2019, Server 2022, and Server 2025, the Windows Security app and the Device security page are present. The Windows Security notification service does not start automatically on Server, so Secure Boot certificate status checks do not happen automatically. No badges, notifications, or status updates appear unless a user manually launches the app. The new certificate status indicators are disabled by default on Server regardless of whether the service is running.
On Home and Pro editions of Windows, the feature is enabled by default.
Registry key controls the feature
Administrators can enable or disable the Secure Boot certificate status feature using a registry entry. The relevant subkey is:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
The entry name is HideSecureBootStates, type REG_DWORD. A value of 0 enables the feature and shows Secure Boot certificate status. A value of 1 disables it and hides the status. When the entry is absent, the system uses the default: enabled for Home and Pro editions, disabled for Enterprise and Server.
Existing Windows Security app management capabilities for notifications and the system tray icon can be used alongside this registry entry to configure the overall experience.
Rollout happens in two phases
The new indicators are arriving through a two-phase rollout, with timing that varies by operating system version.
Phase 1 delivers Secure Boot certificate update status on the Device security page, icon badges reflecting the current certificate state, and a “Learn more” link to additional guidance. During Phase 1, badges are either green or yellow (caution). Users can select a dismissal option to revert a yellow badge to green.
Phase 1 availability is scheduled as follows: Windows 11 versions 23H2, 24H2, 25H2, and 26H1, along with Windows Server 2025, receive the update on April 8, 2026, via an app update. Windows 10 versions 22H2, 21H2, and 1809, along with Windows Server 2019 and Windows Server 2022 with Desktop Experience, receive it on April 14, 2026, via a cumulative update.
Phase 2 adds app notifications for actionable and unserviceable Secure Boot states. The yellow caution state allows users to dismiss notifications for that state. For red (critical) states, users can select an option labeled “I accept the risks, don’t remind me,” which reverts badges to green and suppresses all new notifications. That option requires administrator privileges.
Phase 2 arrives on May 16, 2026, for Windows 11 and Windows Server 2025, and on May 13, 2026, for Windows 10, Windows Server 2019, and Windows Server 2022.
Download: CIS Benchmarks March 2026 Update
