With the expiration of Microsoft’s 2011 Secure Boot certificates looming, major PC manufacturers have stepped up to provide their customers with comprehensive guidance on the transition to new certificates. HP, Dell, ASUS, Lenovo, MSI, Acer, Samsung, LG, and Microsoft’s Surface division have all released support pages detailing what this change entails for their devices, including which models are supported and the necessary steps users should take.
Secure Boot is an essential UEFI firmware feature that ensures only trusted software is loaded when a PC is powered on, safeguarding against potential tampering by malicious entities. The expiration of the existing certificates will occur in three phases:
- Microsoft Corporation KEK CA 2011 expired June 24, 2026
- Microsoft UEFI CA 2011 expired June 27, 2026
- Microsoft Windows Production PCA 2011 is set to expire on October 19, 2026.
Microsoft has begun rolling out replacement certificates through Windows Update, although the effectiveness of this process hinges on each original equipment manufacturer (OEM) delivering compatible BIOS updates for their hardware. Notably, most regular users have already received the necessary updates and can rest assured they are secure.
ASUS Secure Boot Certificate update guide
ASUS has taken a proactive approach, offering detailed documentation for both consumer and commercial devices. Their consumer guide confirms that most users will receive the update automatically via Windows Update. For those encountering a yellow or red badge in Windows Security, ASUS provides specific PowerShell commands to verify the presence of the KEK and DB certificates. Should these certificates be absent, the guide outlines a straightforward manual registry update process, followed by running the Secure-Boot-Update scheduled task, with a reboot required in between.
The commercial guide goes a step further by listing exact model numbers that come pre-integrated with the 2023 certificates, primarily focusing on models launched in 2024 or later. For models not included in this list, users must rely on the Windows Update path. ASUS has also created a comprehensive Q&A section addressing common event log error codes, guiding users on whether to contact ASUS Service Center or await the Windows Update.
Download Lenovo Secure Boot Certificates
Lenovo’s Secure Boot Certificate Expiration Guide stands out for its depth, featuring direct download links for BIOS updates organized by product family. The guide encompasses various lines, including ThinkPad, ThinkCentre, IdeaPad, Legion, and Yoga, specifying BIOS version numbers that support the 2023 certificates. Each supported model is linked directly to the BIOS download, eliminating the need for users to navigate through generic driver pages.
Lenovo’s documentation also clarifies which products fall outside the support window, as devices that have reached End of Service Life will not receive BIOS updates for the Secure Boot transition. For enterprise customers, Lenovo includes deployment notes for Intune and SCCM alongside the standard consumer Windows Update path.
Dell Secure Boot Certificate update guidelines
Dell has released a comprehensive support article addressing the 2011 certificate expiration across its entire product lineup. The article is organized by product family, covering Alienware, Inspiron, XPS, Latitude, OptiPlex, Precision, Vostro, Wyse, and IoT devices, making it easy for users to check the status of their specific models.
Dell’s policy states that platforms with an End of Service Life before January 1, 2026, will not receive BIOS updates for the Secure Boot transition. For instance, a 2019-era Dell Inspiron would fall outside this window. Notably, Dell has adopted a broader strategy by shipping both 2011 and 2023 certificates on all new platforms since late 2024, extending this dual certificate approach to all factory shipments by the end of 2025. This flexibility is particularly beneficial for enterprise customers managing diverse fleets.
Download HP Secure Boot Certificates
HP has outlined a dual-track approach for its Secure Boot updates. Consumer HP PCs will receive the update through Windows Update, provided the device has the necessary minimum BIOS version installed. In contrast, commercial HP PCs follow a more intricate process, with a dedicated guide listing every supported platform and the minimum BIOS version string required.
HP’s support cutoffs mirror those of Dell. Commercial PCs released between 2022 and 2023 are expected to receive the required BIOS update by September 2025, while models from 2019 to 2021 will be updated by December 2025. All other HP Commercial PCs from 2018 and earlier have reached End of Service Life and will not receive updates. Users should be cautious, as HP’s own BIOS updates in early 2026 led to BitLocker recovery loops and boot failures on some premium commercial devices, an issue that HP has acknowledged and addressed with corrected BIOS versions.
Secure Boot Certificate update for Microsoft Surface devices
Microsoft has established a dedicated Secure Boot certificate page for its Surface devices. These devices receive both firmware and Windows updates directly from Microsoft, simplifying the transition compared to third-party OEMs. Surface Pro, Surface Laptop, Surface Book, and Surface Studio models currently in active support will receive the 2023 certificate updates through the standard update pipeline. However, older Surface devices that have exited the firmware support window will not receive the update, adhering to Microsoft’s standard firmware support policy.
MSI Secure Boot Certificate update guidelines
MSI’s Secure Boot certificate FAQ categorizes guidance based on processor generation. For laptops equipped with Intel 7th to 11th Gen or AMD Ryzen 3000H-5000U processors, the update is delivered automatically through Windows Update, eliminating the need for a BIOS flash. Conversely, laptops with Intel 12th Gen or AMD Ryzen 5000H and newer require BIOS updates containing the 2023 certificates, with direct links provided to the MSI support download portal. MSI advises users to save their BitLocker recovery key prior to flashing the BIOS and to check the Event Viewer for confirmation of a successful update.
Acer Secure Boot Certificate update guide
Acer has published an official guide on its Acer Answers knowledge base regarding the Secure Boot certificate update for its devices. For supported models, the update will arrive automatically through Windows Update. Acer emphasizes the importance of backing up the BitLocker recovery key, as a BIOS update may trigger the recovery screen upon the next restart.
The guide features a model table for Aspire, Nitro, Predator, Swift, Extensa, TravelMate, and Spin devices, detailing confirmed BIOS release dates. While several models received updates between June 12 and June 26, 2026, others remain listed as “Under process,” indicating that the firmware is still being prepared. Users of older Acer systems, particularly models from 2020 to 2022, may find that no applicable BIOS update is available, as these models are not included in the official guide.
Check Samsung Secure Boot Certificate update guide
Samsung has issued a support notice in Korean, confirming that all Samsung PCs running Windows 10 or Windows 11 will continue to function normally after the expiration of the 2011 certificates. However, boot-level security updates and malware mitigations will cease for these devices. Samsung advises users of Galaxy Book 3 and older models to utilize Windows Update for automatic updates or follow Microsoft’s manual update guide for those needing immediate action.
LG Secure Boot Certificate update guide
LG has released a Windows Secure Boot Certificate Update and Troubleshooting Guide for its gram and other PC lines. The guide instructs users to check the Windows Security app for status indicators and to look for BIOS updates for their specific LG PC model if the installation does not complete automatically through Windows Update.
How to check if your PC has the 2023 Certificates regardless of brand
To verify whether your PC has the 2023 certificates, open Windows Security, navigate to Device Security, and locate the Secure Boot section. A green checkmark indicates that the certificates have been successfully applied, while a yellow warning suggests that the update is pending. A red icon signifies a specific firmware incompatibility.
If the Secure Boot section is absent from Device Security, it may indicate that Secure Boot is disabled or that the installation was performed using a bypass method on unsupported hardware. Those who prefer the command line can check Secure Boot status with PowerShell instead.
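One way to run the PowerShell check mentioned above, as an added example that is not taken from this article or from any vendor guide: it reads the KEK and db firmware variables with `Get-SecureBootUEFI` and reports whether each 2023 certificate is present. The certificate subject names and the `UEFICA2023Status` registry value are Microsoft's identifiers and do not appear on this page; the function names are illustrative.

```powershell
# Added example: read-only check for the 2023 Secure Boot certificates.
# Run from an elevated PowerShell session on a UEFI system.
function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Variable,
        [Parameter(Mandatory)][string]$SubjectName
    )
    # The variable holds binary EFI signature lists; a certificate's subject
    # name is stored inside as readable text, so a substring search finds it.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($SubjectName)
}

function Get-SecureBootCertReport {
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Raised on legacy BIOS/CSM installs and in non-elevated sessions.
        Write-Warning "Cannot read Secure Boot state: $($_.Exception.Message)"
        return
    }
    if (-not $enabled) { Write-Warning 'Secure Boot is turned off in firmware.' }

    # Servicing status written by Windows; the value is absent (null) on
    # systems that have not yet received the certificate servicing updates.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UEFICA2023Status

    # Subject names of Microsoft's 2023 certificates (not listed on this page).
    # The two third-party CAs are only expected on devices that trusted
    # Microsoft UEFI CA 2011, so their absence is not always a fault.
    $expected = @(
        @{ Variable = 'KEK'; SubjectName = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Variable = 'db';  SubjectName = 'Windows UEFI CA 2023' },
        @{ Variable = 'db';  SubjectName = 'Microsoft UEFI CA 2023' },
        @{ Variable = 'db';  SubjectName = 'Microsoft Option ROM UEFI CA 2023' }
    )
    foreach ($item in $expected) {
        $present = $null   # stays null if the variable cannot be read
        try { $present = Test-SecureBootCert @item } catch { }
        [pscustomobject]@{
            Variable        = $item.Variable
            Certificate     = $item.SubjectName
            Present         = $present
            ServicingStatus = $status
        }
    }
}

Get-SecureBootCertReport | Format-Table -AutoSize
```

A `Present` value of `False` for the KEK or `Windows UEFI CA 2023` rows corresponds to the pending or failed states that Windows Security shows as a yellow or red badge.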
For users without technical expertise, the Windows 11 taskbar now conveniently informs you if your certificates require attention directly within the Security app. Windows 10 users are also catered to, as the May 2026 update introduced Secure Boot certificate status reporting, ensuring consistency across platforms.
As the deadline approaches, Microsoft has successfully pushed the certificates to all eligible devices as of June 2026, ahead of the expiration date. Users on supported devices who have installed the June 2026 Patch Tuesday update can be confident that their PCs are likely already updated.