Microsoft Adds Secure Boot Certificate Expiration Indicators to Windows Security App Ahead of 2026 Deadline
What Happened — Microsoft’s Secure Boot certificates, originally issued in 2011, will expire in 2026. To help administrators monitor replacement‑certificate rollout, the company has introduced status indicators in the Windows Security app (Device security → Secure Boot). The feature is enabled by default on Home/Pro editions, but disabled by default on Enterprise and Server installations, where it can be toggled via a registry key.
Why It Matters for TPRM
- Un‑tracked certificate expiration can cause boot failures on managed endpoints, disrupting business continuity.
- Visibility gaps in enterprise‑managed devices increase reliance on manual processes, raising operational risk.
- Early detection of out‑of‑date Secure Boot certificates helps vendors and partners maintain compliance with security baselines.
Who Is Affected — Enterprises using Windows 10/11 Enterprise, Windows Server 2019/2022/2025, and consumer devices running Windows Home or Pro.
Recommended Actions
- Verify that your endpoint‑management tooling inventories Secure Boot certificate status.
- Enable the status indicator via the HideSecureBootStates registry key (set to 0) on managed devices, or integrate the check into existing compliance scripts.
- Schedule a review of the rollout timeline for each OS version to ensure replacement certificates are applied before the 2026 expiry.
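The compliance check suggested above, written out as an added PowerShell example (not code from the article or from Microsoft). It reports whether Secure Boot is enforcing, whether the Windows Security app indicator is visible, and whether the replacement CA has reached the firmware's allowed-signer database, and it can flip HideSecureBootStates to 0 on devices where the indicator is hidden. Two assumptions are marked in the code: the article names the HideSecureBootStates value but not its registry path, so `$HideStatesPath` is a placeholder to be filled from Microsoft's documentation, and "Windows UEFI CA 2023" is assumed to be the subject name of the replacement CA that the article calls the 2023 certificate set.

```powershell
# Added example: Secure Boot certificate readiness check for endpoint compliance.
# Not from the original article or from Microsoft.
# Assumptions:
#   - $HideStatesPath is a PLACEHOLDER; the article gives the HideSecureBootStates
#     value name but not its path. Take the path from Microsoft's documentation.
#   - "Windows UEFI CA 2023" is assumed to be the subject of the replacement CA.
# Requires an elevated session on a UEFI system; Confirm-SecureBootUEFI and
# Get-SecureBootUEFI are built-in cmdlets of the SecureBoot module.

#Requires -RunAsAdministrator

$HideStatesPath    = 'HKLM:\PLACEHOLDER\Path\From\Microsoft\Docs'   # assumption: path not given in the article
$ReplacementCaName = 'Windows UEFI CA 2023'                         # assumption: replacement CA subject name

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        IndicatorVisible  = $null
        ReplacementCaInDb = $null
        Compliant         = $false
        Notes             = @()
    }

    # 1. Is Secure Boot enforcing? The cmdlet throws on legacy-BIOS systems.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.Notes += "Secure Boot state unavailable (legacy BIOS or access denied): $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # 2. Is the Windows Security app indicator enabled? Per the article, 0 shows it.
    #    Enterprise/Server hide it by default, so a missing value is treated as hidden.
    $hide = Get-ItemProperty -Path $HideStatesPath -Name 'HideSecureBootStates' -ErrorAction SilentlyContinue
    if ($null -eq $hide) {
        $result.IndicatorVisible = $false
        $result.Notes += 'HideSecureBootStates not set; indicator hidden (Enterprise/Server default)'
    } else {
        $result.IndicatorVisible = ($hide.HideSecureBootStates -eq 0)
    }

    # 3. Has the replacement CA reached the firmware 'db' (allowed signers) variable?
    #    Subject names sit as plain text inside the DER-encoded certificates, so an
    #    ASCII substring search gives a yes/no answer without parsing the blob.
    try {
        $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
        $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
        $result.ReplacementCaInDb = $dbText.Contains($ReplacementCaName)
    } catch {
        $result.Notes += "Could not read UEFI db: $($_.Exception.Message)"
        $result.ReplacementCaInDb = $false
    }

    $result.Compliant = [bool]$result.SecureBootEnabled -and [bool]$result.ReplacementCaInDb
    if (-not $result.ReplacementCaInDb) {
        $result.Notes += "Replacement CA '$ReplacementCaName' absent from db; apply the certificate update before the 2026 expiry"
    }
    [pscustomobject]$result
}

function Enable-SecureBootIndicator {
    # Writes HideSecureBootStates = 0 (the value the article gives) so the
    # Windows Security app shows certificate status on managed devices.
    if (-not (Test-Path $HideStatesPath)) { New-Item -Path $HideStatesPath -Force | Out-Null }
    New-ItemProperty -Path $HideStatesPath -Name 'HideSecureBootStates' -PropertyType DWord -Value 0 -Force | Out-Null
}

# Usage: emit one JSON line per device for the endpoint-management inventory or SIEM.
Get-SecureBootCertStatus | ConvertTo-Json -Compress
```

Run it from the endpoint-management agent and alert on `Compliant = false`; the `Notes` field separates "Secure Boot is off" from "the 2023 CA has not landed yet", which need different remediation.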
Technical Notes — The new indicators are delivered through Windows Update as part of the 2023 certificate set. On managed devices the feature is off by default; administrators must enable it manually or rely on centralized update mechanisms. No new CVEs are introduced, but failure to apply the updated certificates could render Secure Boot ineffective, exposing devices to firmware‑level attacks. Source: Help Net Security