Secure Boot Certificate Update Status in Windows Security App
Microsoft's old Secure Boot certificates expire mid-year. The Windows Security app displays the update status.
The "Secure Boot" section of the Windows Security app displays the update status of the Secure Boot certificates.
(Image: heise medien)
Time is running out, Microsoft's first Secure Boot certificates expire in June 2026. The distribution of the updated certificates is being rolled out gradually for desktop systems; for servers and in corporate environments, admins must take action. Starting this week, Microsoft plans to distribute updates for the Windows Security app, which will then display the status of the Secure Boot certificate update on machines.
Microsoft announced the upcoming app update in the Message Center of the Windows Release Health Notes. A green, yellow, or red indicator will then appear on the "Secure Boot" icon to show whether action is required. Further details are provided in a Microsoft Support article. On managed machines, Microsoft disables the Secure Boot certificate extensions by default, and on servers the Windows Security notification service does not start automatically. Admins who want to see this information must enable it first by creating the registry entry "HideSecureBootStates" under the branch "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security". With the value "0", the app displays the Secure Boot certificate status; "1" hides the display. If the entry is not present, Windows uses its default setting.
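The following PowerShell snippet is an added example, not code from heise or Microsoft; it reads the "HideSecureBootStates" policy entry named above, interprets the three possible states (0, 1, absent), and can set it. The function names are my own; the registry path and value name are taken from the article, and the script assumes an elevated session.

```powershell
# Added example: inspect and optionally set the policy that controls whether the
# Windows Security app shows the Secure Boot certificate status.
# Path and value name as given in the article; run in an elevated PowerShell session.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Device security'
$ValueName  = 'HideSecureBootStates'

function Get-SecureBootStatusDisplayPolicy {
    # Returns the current value and what it means for the app's display.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        $value   = $null
        $meaning = 'Not set: Windows default applies'
    } else {
        $value   = [int]$item.$ValueName
        $meaning = switch ($value) {
            0       { 'Secure Boot certificate status is shown in the app' }
            1       { 'Secure Boot certificate status display is hidden' }
            default { "Unexpected value $value (not documented in the article)" }
        }
    }
    [pscustomobject]@{ Path = $PolicyPath; Name = $ValueName; Value = $value; Meaning = $meaning }
}

function Set-SecureBootStatusDisplayPolicy {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Hide)
    # Create the policy branch if it does not exist yet, then write the DWORD value.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value $Hide -Force | Out-Null
    Get-SecureBootStatusDisplayPolicy
}

# The indicator is only meaningful on a UEFI machine with Secure Boot available;
# Confirm-SecureBootUEFI throws on legacy BIOS systems, so report that instead of failing.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = 'n/a (legacy BIOS or unsupported platform)' }
"Secure Boot enabled: $secureBoot"
Get-SecureBootStatusDisplayPolicy | Format-List

# To make a server or managed client show the certificate status, run:
# Set-SecureBootStatusDisplayPolicy -Hide 0
```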
Multi-phase warning levels
The first phase only displays the status on the device security page, and only in green or yellow; yellow is intended to mean "caution" and users can reset it to green by dismissing it. This will arrive as an app update for Windows 11 from 23H2 and Windows Server 2025 from April 8, 2026, and for Windows 10 from 22H2 and Windows Server 2019 and 2022 from April 14 as a cumulative update, apparently for Microsoft's Patch Tuesday.
Phase 2 will bring app notifications in case actions are required by users or admins, or if the Secure Boot status is not functional. The yellow status still allows dismissal as an option. In addition, for the critical "red" status, there will be the option "I accept the risks, don't remind me." Microsoft plans the app update for the second phase for Windows 11 and Server 2025 for May 16, 2026, and for Windows 10 and Server 2019 and 2022, the company is targeting the cumulative Patch Tuesday update on May 13, 2026.
The Windows Security app can be launched by entering its name in the Start menu or via Windows Settings, under "Privacy & Security" – "Windows Security," by clicking the "Open Windows Security" button. It provides a comprehensive overview of the status of various Windows security components and subsystems. Under "Device Security," you will find the "Secure Boot" section, where the indicator will appear.
Long preparation
At the end of June 2025, Microsoft began preparing IT administrators as well as Windows users for the necessary certificate exchange for Secure Boot. "Prepare for the first global, large-scale Secure Boot certificate update," Microsoft warned. The updated Secure Boot certificates are now being delivered with Windows updates: since the February Windows update previews they have been part of the regular updates and are reaching Windows computers on Microsoft's regular Patch Tuesday.
(dmk)