Windows Security App Adds Secure Boot Certificate Trackers Ahead of 2026 Expiration

With Microsoft's original 2011 Secure Boot certificates set to expire in 2026, millions of Windows users and IT administrators face a critical transition to keep their systems secure and bootable. To prevent unexpected boot failures, Microsoft has introduced new certificate status indicators directly within the Windows Security app. This update allows users to verify if their devices have successfully received the updated 2023 replacement certificates.

This rollout is specifically designed for IT administrators and proactive Windows users who need to audit device compliance before the hard expiration date. By delivering the new certificates automatically through Windows Update, Microsoft aims to seamlessly transition consumer devices, while giving enterprise environments the granular control needed to manage the update centrally.

How to Check and Configure Secure Boot Status

For standard users on Windows Home and Pro editions, the new tracking feature is enabled by default. You can view your current certificate state by navigating to Device security > Secure Boot within the Windows Security app.

However, for enterprise-managed clients and Windows Server environments (including Server 2019, 2022, and 2025), Microsoft has disabled these user-facing indicators by default to prevent unnecessary helpdesk tickets. Administrators who wish to toggle this feature manually can do so using the Windows Registry.

Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security
Name: HideSecureBootStates
Type: REG_DWORD
Value: 0 (Enable: indicators shown) or 1 (Disable: indicators hidden)

When the registry entry is absent, the system simply defaults to enabled for Home and Pro editions, and disabled for Enterprise and Server editions. Existing management capabilities for notifications and the system tray icon can be used alongside this registry entry to configure the overall user experience.
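
For administrators auditing devices where the indicators are hidden, here is an added PowerShell example (not Microsoft's code and not from the original article). It reports whether the indicators are effectively shown, using the registry value above or the edition default when the value is absent, and checks the firmware db for the 2023 certificate. Two things are assumptions not stated in the article: telling editions apart through EditionID and ProductType, and matching the certificate by the name 'Windows UEFI CA 2023'.

```powershell
# Added example; run from an elevated PowerShell session on the device being audited.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security'
$valueName = 'HideSecureBootStates'

function Get-SecureBootIndicatorState {
    # An explicit policy value wins: 0 = enabled, 1 = disabled (as given in the article).
    $policy = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $policy) {
        $raw = [int]$policy.$valueName
        $state = switch ($raw) { 0 { 'Enabled' } 1 { 'Disabled' } default { "Unrecognized value $raw" } }
        return [pscustomobject]@{ Source = 'Policy'; Raw = $raw; Indicators = $state }
    }
    # Value (or key) absent: fall back to the per-edition default the article describes.
    # Assumption: EditionID and ProductType are used here to tell the editions apart.
    $edition  = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $isServer = (Get-CimInstance Win32_OperatingSystem).ProductType -ne 1
    $state = if ($isServer -or $edition -like 'Enterprise*') {
        'Disabled'
    } elseif ($edition -like 'Core*' -or $edition -like 'Professional*') {
        'Enabled'      # 'Core*' is the EditionID family used by Home editions
    } else {
        'Unknown (edition not covered by the article)'
    }
    return [pscustomobject]@{ Source = "Default ($edition)"; Raw = $null; Indicators = $state }
}

function Test-SecureBoot2023Cert {
    # Assumption: the replacement certificate is identified in the UEFI 'db'
    # by the name 'Windows UEFI CA 2023' (the article does not name it).
    try {
        if (-not (Confirm-SecureBootUEFI -ErrorAction Stop)) { return 'Secure Boot is off' }
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        if ($text -match 'Windows UEFI CA 2023') { return '2023 certificate present in db' }
        return '2023 certificate not found in db'
    } catch {
        # Legacy BIOS systems and non-elevated sessions end up here.
        return "Cannot read Secure Boot variables: $($_.Exception.Message)"
    }
}

[pscustomobject]@{
    Computer   = $env:COMPUTERNAME
    Indicators = (Get-SecureBootIndicatorState).Indicators
    Source     = (Get-SecureBootIndicatorState).Source
    Cert2023   = Test-SecureBoot2023Cert
}
```

The final object is one row per device, so the output can be collected centrally and filtered for machines where the certificate is not found.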

The Two-Phase Rollout Schedule

Microsoft is deploying these indicators in two distinct phases, with timing dependent on your specific operating system version. Phase 1 introduces the basic status page, icon badges (green for secure, yellow for caution), and a link to official guidance.

  • April 8, 2026: Windows 11 (versions 23H2, 24H2, 25H2, 26H1) and Windows Server 2025 via an app update.
  • April 14, 2026: Windows 10 (versions 22H2, 21H2, 1809) and Windows Server 2019/2022 with Desktop Experience via a cumulative update.

Phase 2 escalates the system's behavior by introducing active app notifications for actionable or unserviceable states. If a device reaches a red critical state, users with administrator privileges can select an option stating "I accept the risks, don't remind me" to suppress further warnings.

  • May 13, 2026: Windows 10 and Windows Server 2019/2022.
  • May 16, 2026: Windows 11 and Windows Server 2025.

My Take: A Calculated Enterprise Strategy

Microsoft’s decision to disable these Secure Boot notifications by default on managed enterprise devices and Windows Server is a highly pragmatic move. In large-scale corporate environments, IT administrators rely on centralized endpoint management tools rather than per-device, user-facing alerts. Flooding standard corporate users with complex cryptographic certificate warnings would inevitably trigger a massive spike in unnecessary helpdesk tickets.

Furthermore, the inclusion of an "I accept the risks" override for critical red states during Phase 2 highlights the delicate balance between strict security enforcement and operational continuity. By providing this bypass for administrators, Microsoft ensures that legacy systems or specialized hardware configurations won't be permanently bricked or locked out of their workflow as the 2026 expiration deadline approaches.

Sources: helpnetsecurity.com