Secure Boot Certificate Updates: Comprehensive Guide by Major OEMs
As Microsoft’s 2011 Secure Boot certificates are now expiring in stages, all major PC manufacturers have provided dedicated guidance to ensure users can transition seamlessly. OEMs including HP, Dell, ASUS, Lenovo, MSI, Acer, Samsung, LG, and Microsoft’s Surface division have published support pages detailing what the certificate update entails, supported models, and steps users need to follow.
What is Secure Boot?
Secure Boot is a UEFI firmware feature that operates before Windows loads. It ensures your PC only loads trusted software, protecting against tampering by hackers or malware. The certificates underpinning Secure Boot since 2011 are expiring in three phases, necessitating updates across hardware platforms.
Microsoft has been deploying 2023 replacement certificates via Windows Update, but this rollout depends on OEMs releasing compatible BIOS updates for their devices. Most users have already received these updates automatically.
OEM-Specific Secure Boot Certificate Guidance
ASUS Secure Boot Certificate Update Guide
ASUS has published comprehensive documentation tailored for both consumer and commercial devices:
- The consumer Secure Boot guide covers standard laptops, desktops, and gaming PCs. Most users will receive updates automatically via Windows Update.
- For users encountering a yellow or red badge in Windows Security, ASUS provides PowerShell commands to check for the KEK and DB certificates. If missing, the guide explains a manual registry update followed by executing the Secure-Boot-Update task, requiring a reboot between runs.
- The commercial PC guide lists specific models that come pre-integrated with the 2023 certificates, particularly those released from 2024 onward. Older models rely on Windows Update for the transition.
ASUS also provides a Q&A page addressing common error codes and when to contact ASUS Service Center.
Lenovo Secure Boot Certificate Update Guide
Lenovo's Secure Boot Certificate Expiration Guide is among the most detailed, offering:
- Direct download links for BIOS updates sorted by product family, covering ThinkPad, ThinkCentre, IdeaPad, Legion, Yoga, and more.
- Clear identification of products that have reached End of Service Life, which will not receive updates.
- For enterprise users, additional notes on Intune and SCCM deployment accompany the consumer Windows Update path.
Dell Secure Boot Certificate Update Guidelines
Dell has released a detailed support article covering its entire product lineup, including Alienware, Inspiron, XPS, Latitude, OptiPlex, Precision, Vostro, Wyse, and IoT devices.
- Devices with End of Service Life status before January 1, 2026, will not receive the BIOS update.
- Dell has adopted a dual-certificate strategy, shipping both 2011 and 2023 certificates on all new platforms since late 2024.
- Community threads document user experiences, highlighting specific issues like firmware partition limits on older models.
HP Secure Boot Certificate Update Guide
HP divides its guidance for Secure Boot updates into two categories:
- Consumer PCs: Updates are delivered via Windows Update, provided the device has the required minimum BIOS version installed.
- Commercial PCs: Users must check a detailed list of supported platforms and ensure the BIOS version includes the SBKPFV3 substring.
HP warns that some of its early 2026 BIOS updates caused BitLocker recovery loops and boot failures. Corrected BIOS versions are available on HP’s support site.
Microsoft Surface Devices
Microsoft Surface devices receive both firmware and Windows updates directly from Microsoft, streamlining the Secure Boot update process. Supported models such as Surface Pro, Surface Laptop, and Surface Studio will automatically receive updates through the standard update pipeline.
MSI Secure Boot Certificate Update Guidelines
MSI divides its guidance by processor generation:
- Older laptops with Intel 7th to 11th Gen or AMD Ryzen 3000H-5000U processors automatically receive updates through Windows Update without needing BIOS flashes.
- Newer platforms with Intel 12th Gen or AMD Ryzen 5000H and above require BIOS updates, available through MSI’s support portal. MSI recommends saving the BitLocker recovery key before flashing the BIOS.
Acer Secure Boot Certificate Update Guide
Acer’s official guide is available on its knowledge base, with updates arriving automatically via Windows Update for supported models. Acer strongly advises users to back up their BitLocker recovery keys before initiating updates.
Some older models, such as the Aspire TC-895 series, have been reported as unsupported, leaving users with yellow warnings and no available BIOS update.
Samsung Secure Boot Certificate Update Guide
Samsung has published guidance in Korean, confirming that while older Galaxy Book models will continue to function after certificate expiration, boot-level security updates will cease. Samsung recommends using Windows Update for the transition.
LG Secure Boot Certificate Update Guide
LG’s guide focuses on its gram and other PC lines, advising users to check the Windows Security app for status indicators and download BIOS updates if automatic certificate installation fails.
How to Verify Secure Boot Certificate Status
You can check your device’s Secure Boot status via the Windows Security app:
- Green Checkmark: Certificates are up-to-date, and no action is needed.
- Yellow Warning: Update is pending, either due to a delay in Windows Update or a required BIOS update.
- Red Icon: Indicates firmware incompatibility.
For unsupported hardware, the Secure Boot section may be missing from Device Security. In such cases, users can verify the certificate status manually with PowerShell.
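A read-only way to perform the manual PowerShell check mentioned above, as an added example that is not taken from any OEM guide. The function name is hypothetical, and the certificate names are Microsoft's published 2023 CA names, which this page does not list; run it from an elevated PowerShell session.

```powershell
# Added example: read-only presence check for the 2023 Secure Boot certificates.
# Test-SecureBoot2023Certs is a hypothetical helper name, not an OEM or Microsoft tool.
function Test-SecureBoot2023Certs {
    [CmdletBinding()]
    param()

    # Certificate names to look for in each UEFI variable (assumed from
    # Microsoft's published 2023 CA names; not listed on this page).
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023',
                'Microsoft UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems and returns
    # $false when Secure Boot is supported but switched off.
    try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    foreach ($var in $expected.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
            # Certificate names are stored as printable strings inside the
            # signature list, so an ASCII decode is enough for a presence check.
            $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        } catch {
            Write-Warning "Cannot read ${var}: $($_.Exception.Message)"
            continue
        }
        foreach ($name in $expected[$var]) {
            [pscustomobject]@{
                SecureBootEnabled = $enabled
                Variable          = $var
                Certificate       = $name
                Present           = $text.Contains($name)
            }
        }
    }
}

Test-SecureBoot2023Certs | Format-Table -AutoSize
```

Which of the `db` entries a device is expected to carry depends on which 2011 certificates it trusted originally, so a missing third-party or Option ROM CA is not by itself a failure.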
Final Notes
Microsoft pushed 2023 certificates to all eligible devices as of June 2026. If you have installed the June 2026 Patch Tuesday update, your system is likely already updated. Regular users can rely on the Windows Security app for status updates, while advanced users can use PowerShell for manual checks.
Windows 10 users are not left behind, as the May 2026 update (KB5087544) introduced Secure Boot certificate status reporting, ensuring parity with Windows 11.
To stay current, keep your system fully updated and monitor your OEM’s support page for any additional instructions or firmware releases.
