Microsoft held an OEM Secure Boot Office Hours event with manufacturers like Acer, Asus, Dell, and HP to discuss issues related to the Windows 11 Secure Boot 2023 certificate rollout. Many IT administrators left with unresolved concerns, particularly regarding Secure Boot certificate errors. Participants reported persistent problems, including failures of suggested solutions from official documentation to apply to their hardware configurations.
Ed Tittel shared his experience with compliance issues related to CA-2023 certificates, noting that ASUS motherboards sometimes required Secure Boot to be disabled temporarily, while MSI models exhibited erratic behavior. ASRock systems needed manual key resets, and documentation was lacking. Devices from Dell, HP, and Lenovo performed better but still faced staggered rollouts and required multiple reboots for BIOS updates.
Specific issues raised included HP's BitLocker recovery loop persisting even with the latest BIOS, challenges with legacy device support from HP, devices showing Secure Boot Status as Unknown, and failures in updating the KEK on HP EliteBooks. Some questions from IT administrators regarding Dell and HP went unanswered during the session. The experiences highlighted a trend of Secure Boot issues across multiple OEMs, not limited to a single vendor.
IT administrators are advised to pilot updates on representative hardware, back up BitLocker recovery keys, and consult OEM-specific advisories. The unresolved issues reflect common challenges faced by users, indicating that problems with Secure Boot certificate deployments are widespread across various manufacturers.