diff --git a/app/views/ci/variables/_index.html.haml b/app/views/ci/variables/_index.html.haml
index f34305e94fa..dc9ccb6cc39 100644
--- a/app/views/ci/variables/_index.html.haml
+++ b/app/views/ci/variables/_index.html.haml
@@ -1,5 +1,10 @@
 - save_endpoint = local_assigns.fetch(:save_endpoint, nil)
 
+- if ci_variable_protected_by_default?
+  %p.settings-message.text-center
+    - link_start = '<a href="%{url}">'.html_safe % { url: help_page_path('ci/variables/README', anchor: 'protected-variables') }
+    = s_('Environment variables are configured by your administrator to be %{link_start}protected%{link_end} by default').html_safe % { link_start: link_start, link_end: '</a>'.html_safe }
+
 .row
   .col-lg-12.js-ci-variable-list-section{ data: { save_endpoint: save_endpoint } }
     .hide.alert.alert-danger.js-ci-variable-error-box
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 29855c97c7e..24b34eedf6a 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -2675,6 +2675,9 @@ msgstr ""
 msgid "Environment variables are applied to environments via the runner. They can be protected by only exposing them to protected branches or tags. You can use environment variables for passwords, secret keys, or whatever you want."
 msgstr ""
 
+msgid "Environment variables are configured by your administrator to be %{link_start}protected%{link_end} by default"
+msgstr ""
+
 msgid "Environments"
 msgstr ""
 
diff --git a/spec/support/features/variable_list_shared_examples.rb b/spec/support/features/variable_list_shared_examples.rb
index 95f26a01f79..0a464d77cb7 100644
--- a/spec/support/features/variable_list_shared_examples.rb
+++ b/spec/support/features/variable_list_shared_examples.rb
@@ -67,11 +67,11 @@ shared_examples 'variable list' do
     context 'application setting is true' do
       before do
         stub_application_setting(protected_ci_variables: true)
+
+        visit page_path
       end
 
       it 'defaults to protected' do
-        visit page_path
-
         page.within('.js-ci-variable-list-section .js-row:last-child') do
           find('.js-ci-variable-input-key').set('key')
         end
@@ -80,16 +80,20 @@ shared_examples 'variable list' do
 
         expect(values).to eq %w(false true true)
       end
+
+      it 'shows a message regarding the changed default' do
+        expect(page).to have_content 'Environment variables are configured by your administrator to be protected by default'
+      end
     end
 
     context 'application setting is false' do
       before do
         stub_application_setting(protected_ci_variables: false)
+
+        visit page_path
       end
 
       it 'defaults to unprotected' do
-        visit page_path
-
         page.within('.js-ci-variable-list-section .js-row:last-child') do
           find('.js-ci-variable-input-key').set('key')
         end
@@ -98,6 +102,10 @@ shared_examples 'variable list' do
 
         expect(values).to eq %w(false false false)
       end
+
+      it 'does not show a message regarding the default' do
+        expect(page).not_to have_content 'Environment variables are configured by your administrator to be protected by default'
+      end
     end
   end