Microsoft has acknowledged that some Windows 11 PCs are experiencing issues with Secure Boot certificate updates, either failing to install or being blocked altogether. The tech giant is currently collaborating with PC manufacturers to develop a patch, but users may need to take proactive measures if their certificates are obstructed for other reasons.
In a recent update to its support documentation, which was first highlighted by Windows Latest, Microsoft revealed that it has temporarily halted the rollout of Secure Boot for certain devices due to identified complications. Affected users will now receive a detailed error message within the Windows Security app, indicating the status of their Secure Boot certificates.
Previously, the Windows Security app advised users to reach out to their device manufacturers if their Secure Boot certificates were outdated. Now, it also provides warnings when Microsoft detects new known issues that could hinder the Secure Boot update process. “Devices in this group are affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution,” the company stated.
As many users may know, Secure Boot certificates issued in 2011 have expired, prompting Microsoft to replace them with new certificates issued in 2023. The company has indicated that all “eligible” PCs will automatically begin utilizing supported certificates via Windows Update. However, this does not apply universally, as some fully supported hardware may encounter configuration or compatibility settings that impede the rollout.
Microsoft confirms some PCs are blocked from getting new Secure Boot certificates
Inquiries directed at Microsoft regarding Secure Boot certificates have yielded a commendable response from the company. Most modern hardware is already utilizing the Secure Boot certificate issued in 2023. Those that are not may have inadvertently disabled Secure Boot or are operating with faulty firmware.
Users can verify the status of Secure Boot by navigating to Windows Security > Device security > Secure Boot. If the status indicates that Secure Boot is active and certificates are applied, there is no cause for concern. However, if the status simply states “Secure Boot is on” without further details, users may need to investigate further.
OEMs confirm Secure Boot issues
HP has recently confirmed that Secure Boot updates are being inadvertently blocked on some of its PCs. In a support document, HP noted that it began deploying an updated BIOS for many devices in preparation for the Secure Boot deadline in June. Unfortunately, some PCs have encountered a BitLocker screen, preventing the installation of Secure Boot certificates. “Microsoft’s 2023 certificates may fail to properly apply on the computer when this BitLocker issue occurs,” HP explained.
Following HP’s notification and similar communications from other manufacturers regarding potential Secure Boot issues, Microsoft provided an update. The company has collaborated with PC manufacturers to identify specific devices or firmware that may experience complications during the Secure Boot certificate update process. For those affected, a firmware update is necessary, but as this update is not yet available, Microsoft has opted to pause Secure Boot certificate updates to mitigate risk.
“Devices in this group are affected by a known issue,” Microsoft cautioned, although it did not specify which PCs are impacted. “To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution. Contact your device manufacturer for assistance.” This new alert has begun rolling out recently, so users who see that Secure Boot is enabled but lack clarity about the installed certificate should revisit the Security app.
“A firmware update is required but might not yet be available. When it becomes available, the firmware update will be released and installed through your OEM’s standard update channel,” Microsoft clarified.
Why some PCs are not getting Secure Boot 2023 yet
According to Microsoft, the majority of PCs have already received the Secure Boot certificates, which are installed automatically via Windows Update. However, in certain instances, Windows Update may detect compatibility issues, preventing the Secure Boot 2023 update from being delivered.
There is also a warning that indicates Secure Boot is active, yet the device will not receive the Secure Boot certificate update due to hardware or firmware limitations. In such cases, if the device is older and not among the OEM’s top-selling models, users should not anticipate an update. OEMs typically provide firmware updates for newer models, and if the UEFI firmware is unsupported, Microsoft will not issue the Secure Boot 2023 certificate update for that device.
“Many OEMs are actively releasing these firmware updates through their standard update channels. If a firmware update is required, check your OEM’s Secure Boot support page for next steps,” Microsoft advised, echoing previous findings.
Windows Latest has previously reported that OEMs have discreetly updated their Secure Boot documentation to acknowledge existing problems and the absence of necessary firmware updates for essential security modifications. “Your PC model might no longer be supported by the OEM, or the OEM might no longer be able to provide the firmware updates needed to update your device’s Secure Boot trust configuration,” Microsoft noted in another document.
Why Secure Boot 2023 is required, but it’s not a deal breaker if you don’t have it yet
For those unfamiliar, Secure Boot is a security feature embedded within a computer’s UEFI firmware and is a requirement for Windows 11 unless intentionally bypassed. When Secure Boot is enabled and certificates are current, Windows prevents unauthorized or invalid software and potential malware from executing at boot level.
The Secure Boot 2011 and the new 2023 certificates are utilized to manage and verify updates to the Secure Boot DBX, also known as the Forbidden Signature Database. Without an updated certificate, a PC cannot securely receive new lists of compromised or vulnerable bootloaders for blocking.
Microsoft emphasizes that users should not disable Secure Boot if they are not receiving the update, as this would compromise Windows security even further in the absence of updated certificates. As previously reported, an expired Secure Boot certificate does not imply that a PC will cease to boot or function. In fact, most casual users may not notice any difference, and this situation is not an immediate crisis for the majority of consumers. Microsoft has provided additional details in the following table:
| What continues to work without Secure Boot 2023 | What no longer works without Secure Boot 2023 |
|---|---|
| The device continues to start normally. | New Secure Boot and Boot Manager protections can’t be applied. |
| Windows feature and quality updates, including monthly security updates, continue to install. | Boot-related security components that require updated certificates may not install. |
| Everyday tasks, including apps, networking, and browsing, remain unchanged. | Newly discovered malicious or vulnerable bootloaders might not be blocked. |
| Secure Boot remains enabled and continues to protect against previously known threats. | Some non-Microsoft components relying on Microsoft Secure Boot trust may fail to update if they need newer certificate entries. |
| The device does not face an immediate risk or system failure. | Long-term security protection may gradually fall behind fully updated devices. |
Ultimately, Secure Boot serves as a “firmware-based boot chain verification mechanism,” and updated certificates are essential to ensure that PCs only execute verified software.