certificate update

Winsage
July 14, 2026
Microsoft has acknowledged that several older Secure Boot certificates have expired, necessitating updates for Windows 10 and 11 users. A temporary halt in the issuance of new Secure Boot certificates affects specific PCs, particularly various HP models. Most PCs will receive updates automatically through Windows Update, but some may require a firmware update from the manufacturer. Users may see messages indicating that Secure Boot certificate updates are paused or blocked due to known issues or hardware/firmware limitations. Until manufacturers like HP release necessary firmware updates, users cannot update their Secure Boot certificates. Although the immediate risk from expired certificates is low, it is expected to increase over time. Devices with un-updated Secure Boot certificates will continue to function normally, but they will not receive new security updates, making them vulnerable to emerging threats. Essential features that rely on updated security measures may cease to function correctly as new security challenges arise.
Winsage
July 10, 2026
Microsoft has acknowledged that some Windows 11 PCs are facing issues with Secure Boot certificate updates, which may fail to install or be blocked. The company is working with PC manufacturers to develop a patch, while users may need to take proactive measures if their certificates are obstructed. Microsoft has temporarily halted the rollout of Secure Boot for certain devices due to complications, and affected users will receive detailed error messages in the Windows Security app regarding their Secure Boot certificates. Secure Boot certificates issued in 2011 have expired, and Microsoft is replacing them with new certificates issued in 2023. Most modern hardware is already utilizing the new certificates, but some devices may have disabled Secure Boot or faulty firmware. Users can check their Secure Boot status in the Windows Security app. HP has confirmed that Secure Boot updates are being blocked on some of its PCs due to a BitLocker issue, which prevents the installation of new certificates. Microsoft has paused Secure Boot certificate updates for devices affected by known issues while collaborating with manufacturers to identify specific devices or firmware complications. A firmware update will be necessary for affected devices, but it is not yet available. The majority of PCs have received the Secure Boot certificates via Windows Update, but compatibility issues may prevent some devices from receiving the update. Older devices or those not among the OEM’s top-selling models may not receive updates if the UEFI firmware is unsupported. Secure Boot is a security feature required for Windows 11, preventing unauthorized software from executing at boot. While an expired Secure Boot certificate does not stop a PC from functioning, it may limit long-term security protection. Microsoft advises users not to disable Secure Boot, as it would compromise security further.
Winsage
June 29, 2026
Major PC manufacturers, including HP, Dell, ASUS, Lenovo, MSI, Acer, Samsung, LG, and Microsoft’s Surface division, have provided guidance on transitioning to new Secure Boot certificates as the expiration of Microsoft’s 2011 certificates approaches. The expiration will occur in three phases: Microsoft Corporation KEK CA 2011 expired on June 24, 2026; Microsoft UEFI CA 2011 expired on June 27, 2026; and Microsoft Windows Production PCA 2011 is set to expire on October 19, 2026. Microsoft has begun rolling out replacement certificates through Windows Update, contingent on OEMs providing compatible BIOS updates. ASUS offers detailed documentation for both consumer and commercial devices, confirming that most users will receive updates automatically. Lenovo provides direct download links for BIOS updates organized by product family and specifies which products will not receive updates. Dell's support article covers its entire product lineup, noting that devices with an End of Service Life before January 1, 2026, will not receive updates. HP outlines a dual-track approach for updates, with specific timelines for commercial PCs. Microsoft's Surface devices receive updates directly from Microsoft, while MSI categorizes guidance based on processor generation for its laptops. Acer emphasizes backing up the BitLocker recovery key and provides a model table for confirmed BIOS release dates. Samsung confirms that all PCs running Windows 10 or 11 will function normally post-expiration, but security updates will cease. LG has released a guide for checking BIOS updates for its PCs. To verify if a PC has the 2023 certificates, users can check the Secure Boot section in Windows Security. A green checkmark indicates successful application, while yellow or red icons indicate pending updates or incompatibility. Microsoft has pushed the certificates to all eligible devices as of June 2026.
Search