IT admin guide: Secure Boot certificate update status in the Windows Security app
Original publish date: April 2, 2026
KB ID: 5087135
Starting in April 2026, the Windows Security app displays additional information about the status of Secure Boot certificate updates on Windows devices. The new experience is under Device security > Secure Boot.
Microsoft's Secure Boot certificates, originally issued in 2011, are approaching expiration in 2026. Updated 2023 certificates are being delivered automatically through Windows Update to consumer devices and some business devices. The Windows Security app now shows whether devices have received these updates, their current status, and whether any action is needed.
To learn about these visual and informational enhancements in the app and the related system notifications, see the KB article: Secure Boot certificate update status in the Windows Security app. For more information about Secure Boot certificate updates, visit aka.ms/getsecureboot.
Guidance for IT administrators
The new Windows Security app > Device security enhancements for Secure Boot certificates are disabled by default on devices managed by IT administrators. You can enable them through the new and existing controls described in this article. See below for details about the feature enablement options and when each set of capabilities will be available for each Windows version.
Feature enablement and control
Windows Server 2019 and newer versions
The Windows Security app and its Device security page, including the Secure Boot section, are present on Windows Server with Desktop Experience on Windows Server 2019, Windows Server 2022 and Windows Server 2025. However, the Windows Security notification service doesn't start automatically on Server. As a result, Secure Boot certificate status checks don't happen automatically. No badges, notifications, or status updates will appear unless a user manually launches the Windows Security app.
Additionally, the new Secure Boot certificate status indicators are disabled by default on Windows Server, regardless of whether the service is running. This is by design. It's assumed that IT administrators are likely to manage Secure Boot certificate updates centrally rather than relying on per-device user-facing notifications and text.
Enterprise-managed Windows Client
On enterprise-managed client devices running supported versions of Windows 10 and Windows 11, the Windows Security app and its notification service run normally. The Device security page and Secure Boot section are populated and updated as expected. However, the new Secure Boot certificate update indicators are disabled by default on these devices. It's assumed that, as with Windows Server, IT administrators are likely to manage Secure Boot certificate updates centrally rather than relying on per-device user-facing notifications and text.
Feature Enablement Registry Key
To enable or disable the Secure Boot certificate status feature, use the following registry subkey and entries:
| Setting | Details |
|---|---|
| Registry subkey | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security |
| Name | HideSecureBootStates |
| Type | REG_DWORD |
| Values | 0 = Enabled (show Secure Boot certificate status); 1 = Disabled (hide Secure Boot certificate status); Not present = Default (Enabled for Home/Pro; Disabled for Enterprise/Server) |
Use existing Windows Security app management capabilities for notifications and the system tray icon to further configure the experience.
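The following PowerShell is an added example, not part of this KB article, for reporting the effective state of the HideSecureBootStates policy value and setting it from an elevated session. It assumes the edition can be read from the EditionID value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion and the workstation/server distinction from Win32_OperatingSystem.ProductType; treating EditionIDs that begin with "Enterprise" as the Enterprise default is an assumption, since the KB names only Home/Pro and Enterprise/Server.

```powershell
# Added example (not from the KB): inspect and set the HideSecureBootStates policy.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security'
$ValueName  = 'HideSecureBootStates'

function Get-SecureBootStatusFeatureState {
    # Returns the configured value (if any) and the effective feature state per the KB table.
    $item        = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    $edition     = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
    $productType = (Get-CimInstance Win32_OperatingSystem).ProductType   # 1 = workstation, 2/3 = server

    if ($null -ne $item) {
        $value = [int]$item.$ValueName
        $effective = switch ($value) {
            0       { 'Enabled (policy: show Secure Boot certificate status)' }
            1       { 'Disabled (policy: hide Secure Boot certificate status)' }
            default { "Unexpected value $value (KB documents only 0 and 1)" }
        }
    } else {
        $value = $null
        # KB default when the value is not present: Enabled for Home/Pro, Disabled for Enterprise/Server.
        $isServer         = $productType -ne 1
        $isEnterpriseLike = $edition -match '^Enterprise'   # assumption: Enterprise-family EditionIDs
        $effective = if ($isServer -or $isEnterpriseLike) { 'Disabled (default)' } else { 'Enabled (default)' }
    }

    [pscustomobject]@{
        EditionID       = $edition
        ProductType     = $productType
        ConfiguredValue = $value
        EffectiveState  = $effective
    }
}

function Set-SecureBootStatusFeature {
    # Writes 0 (show) or 1 (hide) under the policy subkey; requires an elevated session.
    param([Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$Action)
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    $value = if ($Action -eq 'Enable') { 0 } else { 1 }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value $value -Force | Out-Null
    Get-SecureBootStatusFeatureState
}

Get-SecureBootStatusFeatureState | Format-List
# Set-SecureBootStatusFeature -Action Enable    # run elevated to show the status indicators
```

On Windows Server the indicators will still not update on their own even when set to 0, because the notification service does not start automatically there, as the KB notes above.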
Feature release schedule per OS version
Enhancements in the Windows Security app that provide additional information about Secure Boot certificates will roll out in two phases, with timing varying by supported Windows version.
Phase 1 features
What's included:
- Secure Boot certificate update status displayed on the Device security page.
- Icon badges reflecting the current certificate state. During Phase 1, badges are either green or yellow (caution), and the user can select the dismissal option to revert a yellow icon badge to green.
- A "Learn more" link to additional guidance at aka.ms/getsecureboot.
| Operating system | Available |
|---|---|
| Windows 11 (23H2, 24H2, 25H2, 26H1) | April 8, 2026 (app update) |
| Windows Server 2025 | April 8, 2026 (app update) |
| Windows 10 (22H2, 21H2, 1809) | April 14, 2026 (cumulative update) |
| Windows Server 2019 & 2022 (Desktop Experience) | April 14, 2026 (cumulative update) |
Phase 2 features
What's included:
- App notifications for actionable and unserviceable Secure Boot states.
- In the yellow (caution) state, the user can select a dismissal option that suppresses new notifications for this state.
- Option for the user to select "I accept the risks, don't remind me" for red (critical) states. This option reverts badges to green and suppresses all new notifications. (Requires administrator privileges.)
| Operating system | Available |
|---|---|
| Windows 11 (23H2, 24H2, 25H2, 26H1) & Windows Server 2025 | May 16, 2026 (app update) |
| Windows 10 (22H2, 21H2, 1809) | May 13, 2026 (cumulative update) |
| Windows Server 2019 & 2022 (Desktop Experience) | May 13, 2026 (cumulative update) |
Additional resources for IT-managed scenarios:
- If you decide to enable this feature for users at your organization, consider sharing this user-focused KB article with them: Secure Boot certificate update status in the Windows Security app.
- For a comprehensive review of Secure Boot certificate updates, visit aka.ms/getsecureboot.
- For devices that don’t have these certificates applied, use the specific monitoring and deployment methods described in the Secure Boot playbook.
- For Windows Server, see Windows Server Secure Boot playbook for certificates expiring in 2026 | Microsoft Community Hub.