
Windows Security App Gets Secure Boot Certificate Status Indicators as 2026 Expiration Approaches
Why It Matters
The feature gives organizations a clear, automated way to verify Secure Boot compliance before the certificates lapse, reducing exposure to boot‑level attacks and minimizing manual tracking effort.
Key Takeaways
- New Secure Boot status icons added to the Windows Security app.
- Indicators disabled by default on Enterprise and Server devices.
- Registry value HideSecureBootStates toggles the feature on or off.
- Phase 1 rollout starts April 2026; Phase 2 follows in May 2026.
- A red badge can be marked as accepted risk, which suppresses further alerts.
Pulse Analysis
Secure Boot relies on certificates stored in UEFI firmware to validate the signatures of boot components (boot managers, drivers, option ROMs) before they run, and Microsoft’s original 2011 certificates are set to expire in 2026. Devices that have not received the replacement certificates will keep booting, but they can no longer receive Secure Boot updates such as new boot managers and revocations, which leaves them exposed to boot‑level attacks. By embedding certificate health indicators directly into the Windows Security app, Microsoft provides a native, low‑overhead way for administrators to verify that each endpoint has received the updated 2023 certificates.
The new indicators appear as green or yellow badges on the Device security page, with red alerts for critical failures. For enterprise‑managed PCs and Windows Server, these badges are off by default, reflecting Microsoft’s assumption that centralized tools such as Configuration Manager (SCCM) or Intune will handle the certificate updates. Administrators retain control via the HideSecureBootStates registry value, which lets them enable per‑device visibility where it is needed. This flexibility helps organizations balance automated compliance with manual oversight in highly regulated environments.
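The badges summarize checks an administrator can also run directly. The script below is an added example, not Microsoft’s code or anything from the article: it confirms Secure Boot is on, looks for the 2023 Windows UEFI CA in the firmware’s allowed‑signer database (db), reads the Secure Boot servicing status, and maps the result to a green/yellow/red verdict. The servicing registry path and its UEFICA2023Status / UEFICA2023Error values, and the badge mapping itself, are this script’s assumptions rather than the app’s exact criteria; the article gives no registry path for HideSecureBootStates, so that path is taken as a parameter. Run it in an elevated PowerShell session on a UEFI machine.

```powershell
# Added example (not Microsoft's code): report Secure Boot certificate readiness
# on the local machine. Assumptions are marked inline. Requires an elevated session.

function Get-SecureBootCertStatus {
    [CmdletBinding()]
    param(
        # Assumption: the article does not give the key that holds HideSecureBootStates.
        # Pass the documented key path to have the value reported; otherwise it is skipped.
        [string]$HideStatesKeyPath
    )

    $result = [ordered]@{
        SecureBootEnabled    = $null
        Db2023CaPresent      = $null
        Servicing2023State   = $null
        ServicingError       = $null
        HideSecureBootStates = $null
        Badge                = 'Unknown'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware; treat that as "off".
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $false
    }

    if ($result.SecureBootEnabled) {
        # 'db' is the UEFI allowed-signer list. The 2023 CA's subject name appears as
        # ASCII inside the DER-encoded certificate, so a substring match is sufficient.
        $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
        $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
        $result.Db2023CaPresent = [bool]($dbText -match 'Windows UEFI CA 2023')
    }

    # Assumption: status written by the Secure Boot servicing task; values are
    # UEFICA2023Status (e.g. NotStarted / InProgress / Updated) and UEFICA2023Error (0 = none).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    if ($svc) {
        $result.Servicing2023State = $svc.UEFICA2023Status
        $result.ServicingError     = $svc.UEFICA2023Error
    }

    if ($HideStatesKeyPath) {
        $hide = Get-ItemProperty -Path $HideStatesKeyPath -Name HideSecureBootStates -ErrorAction SilentlyContinue
        if ($hide) { $result.HideSecureBootStates = $hide.HideSecureBootStates }
    }

    # Local verdict (this script's own mapping, not the Windows Security app's exact rules):
    # Red    - Secure Boot off, or the servicing task reported an error
    # Green  - 2023 CA present in db
    # Yellow - Secure Boot on but the 2023 CA has not arrived yet
    $result.Badge = if (-not $result.SecureBootEnabled) { 'Red' }
                    elseif ($result.ServicingError)     { 'Red' }
                    elseif ($result.Db2023CaPresent)    { 'Green' }
                    else                                { 'Yellow' }

    [pscustomobject]$result
}

# Usage: print the verdict for this machine, or return non-zero for a fleet check.
$status = Get-SecureBootCertStatus
$status | Format-List
if ($status.Badge -ne 'Green') { exit 1 }
```

Because the verdict is a return value, the function can be wrapped in an Intune proactive remediation or a Configuration Manager compliance script; the non‑zero exit at the end is what such wrappers key on.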
Rollout occurs in two phases: Phase 1, launching in early April 2026, introduces the status badges and a “Learn more” link; Phase 2, arriving in mid‑May 2026, adds actionable notifications and a risk‑acceptance option for red states. The staggered schedule gives IT teams time to test the feature across Windows 10, Windows 11, and Server editions before full deployment. Checking Secure Boot certificate status thereby becomes part of routine device health checks, helping organizations avoid unexpected downtime and maintain their security posture as the 2026 expiration nears.