Secure Boot Certificate Rollover June 2026: What to Check on Your Windows PC

Microsoft’s Secure Boot certificate rollover reached its first real deadline in June 2026, and PC makers including Dell, HP, Lenovo, ASUS, Acer, MSI, Samsung, LG, and Microsoft’s Surface team have now published model-specific guidance for updating affected Windows devices. The headline is reassuring for most home users: if your PC is supported, fully patched, and not showing a warning in Windows Security, the transition has probably already happened. The story for older machines, managed fleets, and firmware-constrained systems is messier. Secure Boot’s certificate refresh has become a useful reminder that Windows security is not just a Microsoft problem; it is a supply-chain problem that runs through every BIOS, every OEM support lifecycle, and every forgotten desktop under a desk.

[Infographic: UEFI firmware Secure Boot verification, trust chain updates, and Windows security status]

The Secure Boot Deadline Was Never Just a Date on Microsoft’s Calendar

Secure Boot is one of those Windows security features that does its work before most users know anything is happening. It lives in UEFI firmware and checks whether the code involved in starting the system is signed by trusted authorities before Windows gets control. That makes it a first line of defense against bootkits, malicious bootloaders, and other attacks that try to burrow beneath the operating system.
The problem is that the trust chain behind much of that machinery was built on Microsoft certificates issued in 2011. Those certificates were never meant to last forever. The Microsoft Corporation KEK CA 2011 expired on June 24, 2026, the Microsoft UEFI CA 2011 expired on June 27, 2026, and the Microsoft Windows Production PCA 2011 remains scheduled to expire on October 19, 2026.
That staggered timeline is why the June deadline has produced both urgency and confusion. PCs did not suddenly stop booting when the first certificate expired. Instead, the risk is subtler: devices that do not move to the 2023 certificate chain lose the clean path for future boot-level trust updates and revocation protections.
In plain English, an unpatched machine may still turn on, load Windows, and behave normally. But it is increasingly frozen in an old Secure Boot trust world, one where Microsoft and the OEM may no longer be able to update the deepest part of the boot security stack with the same confidence.

Microsoft Can Push the Keys, but Firmware Still Holds the Door

Microsoft’s plan has been to roll out replacement 2023 Secure Boot certificates through Windows Update. That sounds simple until it hits the reality of the PC ecosystem. Windows can stage the update, run scheduled tasks, and report status, but the final write lands in UEFI firmware — and firmware is where every manufacturer’s design choices matter.
That is why the OEM pages matter. Microsoft can define the transition, but Dell, HP, Lenovo, ASUS, Acer, MSI, Samsung, LG, and Surface each have to say which devices can accept it, which BIOS versions are required, and which models have aged out of support. The certificate rollover is not a normal driver update; it is a coordinated handshake between Windows, firmware, and hardware support policy.
For most regular users, the best case has already happened quietly. Windows Update delivered the necessary components, the OEM firmware accepted the new certificates, and Windows Security now shows a green Secure Boot status. Some users may have noticed one or more extra restarts, or a new SecureBoot folder under the Windows directory, but those are side effects of staging trust updates into firmware rather than signs of malware or update failure.
The edge cases are where this becomes an IT story rather than a consumer advisory. Some PCs need a BIOS update before Windows can install the certificates. Some older PCs are no longer in the OEM’s support window. Some firmware implementations may not have enough space or flexibility to accept everything Microsoft wants to write.

ASUS and Lenovo Show What Good OEM Guidance Looks Like

ASUS deserves credit for publishing some of the clearest consumer-facing material in this cycle. Its guidance separates consumer and commercial PCs, explains the Windows Security warning states, and gives advanced users a way to verify the presence of the KEK and DB certificates. It even documents the event log errors that can appear when the update pipeline fails.
That matters because Secure Boot problems are easy to describe badly. A yellow warning in Windows Security can mean “wait for rollout,” “install a BIOS update,” or “your firmware is not ready.” ASUS at least tries to separate those cases rather than dumping users into a generic download portal and hoping for the best.
Lenovo’s documentation is equally important for a different reason: it gives administrators a product-family map. ThinkPad, ThinkCentre, IdeaPad, Legion, Yoga, and other lines are treated as fleet categories rather than as one vague population of “Windows PCs.” The presence of direct BIOS links and version references is exactly what enterprise administrators need when they are trying to remediate thousands of machines without turning every device into a one-off research project.
Lenovo is also explicit about the other half of the bargain. Devices outside the support window do not get firmware updates just because Microsoft’s certificate clock ran out. That will irritate owners of perfectly functional older hardware, but it is consistent with how the industry has treated firmware maintenance for years.

Dell’s Dual-Certificate Strategy Buys Time, Not Permanence

Dell’s published approach is notable because it leans into coexistence. Newer platforms have been shipping with both 2011 and 2023 certificates, and Dell has extended that strategy across factory shipments. For enterprise customers managing mixed fleets, that dual-certificate posture offers breathing room.
The appeal is obvious. Organizations do not want a certificate migration to strand recovery media, deployment tools, older peripherals, or edge-case boot workflows. Keeping both trust chains present for a period reduces the odds that a perfectly legitimate boot component suddenly looks untrusted to Secure Boot.
But dual trust is not the same as solved trust. The whole reason this rollover exists is that the old certificates are aging out. Keeping legacy certificates around may be operationally convenient, but it also preserves old assumptions. Eventually, the industry has to decide when compatibility stops being a transition strategy and becomes a liability.
Dell’s cutoff policy also makes the practical trade-off clear. Platforms whose service life ended before the start of 2026 are generally outside the BIOS update path. That does not necessarily mean those PCs are dead, but it does mean their owners are now living with a security boundary defined by firmware support, not by whether the CPU can still run Windows.

HP’s Cautionary Tale Is BitLocker, Not Secure Boot Itself

HP’s guidance splits consumer and commercial machines, and the commercial side is especially granular. It identifies minimum BIOS versions and uses platform markers that tell Windows Update whether a machine is ready to receive the new certificates. That is the kind of plumbing enterprise administrators appreciate, even if it is invisible to ordinary users.
The complication is that HP has also shown how fragile firmware-adjacent updates can feel when they go wrong. Earlier 2026 BIOS updates on some premium commercial HP devices reportedly caused BitLocker recovery loops and boot failures, forcing HP to issue corrected firmware. That does not mean the Secure Boot certificate update is inherently dangerous, but it does show why admins flinch when someone says “just update the BIOS.”
BitLocker is especially sensitive because it treats certain firmware and boot changes as potentially meaningful security events. That is by design. If the machine’s boot environment changes, BitLocker may demand the recovery key before trusting the system again.
For HP users, the practical lesson is straightforward: get the recovery key before touching firmware, verify the corrected BIOS version from HP’s support channel, and do not treat a Secure Boot warning as an invitation to improvise. The fix path exists, but it should be followed in the order HP and Microsoft intend.

Acer, MSI, Samsung, and LG Reveal the Uneven Middle of the PC Market

MSI’s guidance is divided by processor generation, which is a useful proxy for how different platforms handle the update. Some older systems can receive the transition through Windows Update without a new MSI BIOS flash, while newer models depend on BIOS packages that contain the 2023 certificates. MSI also points users toward Event Viewer confirmation, which is exactly the kind of low-level verification enthusiasts like.
Acer’s situation looks more uneven. Its official guide covers supported lines such as Aspire, Nitro, Predator, Swift, Extensa, TravelMate, and Spin, with model tables and BIOS release timing. Some systems already have dated BIOS releases, while others are still marked as being in progress.
The harder part is the gray zone. Owners of some older Acer machines are reportedly seeing yellow warnings without an obvious applicable BIOS update. If those models are not listed in Acer’s official table, users are left waiting to see whether Acer expands support or effectively leaves the machine on the wrong side of the firmware line.
Samsung and LG have taken more compact approaches. Samsung’s notice tells users of Windows 10 and Windows 11 PCs that their systems should continue operating, while warning that what is at stake if the transition is not completed is the ability to receive future boot-level security updates and malware mitigations. LG’s guide focuses on Windows Security indicators and model-specific BIOS checks for its gram and other PC lines.

Surface Gets the Cleanest Story Because Microsoft Owns the Whole Stack

Surface devices are the simplest case in this ecosystem because Microsoft controls both the Windows update path and the firmware update path. Surface Pro, Surface Laptop, Surface Book, and Surface Studio models still inside their firmware support windows can receive the necessary updates through the normal Surface and Windows servicing pipeline. There is no second company to wait for.
That does not mean every Surface ever made is covered. Older Surface devices that have exited firmware support do not magically re-enter support because a certificate expires. Microsoft’s own hardware follows the same broad logic as the OEMs: active devices get firmware work, retired devices do not.
Still, Surface highlights the advantage of vertical integration. When Microsoft owns the hardware support lifecycle, the firmware delivery mechanism, and the operating system update stack, there are fewer seams where responsibility can blur. The broader PC market offers more choice, more price points, and more form factors, but it also makes coordinated security maintenance harder.
This is not a new trade-off. It is the same bargain Windows users have lived with for decades, now expressed through Secure Boot certificates rather than display drivers or chipset packages.

The Green Checkmark Is the New Firmware Health Signal

For users, the first stop is now Windows Security. Open Device Security and look for the Secure Boot section. A green state means the 2023 certificates are applied and no immediate action is required.
A yellow warning is not panic territory. It usually means the update is pending, the OEM firmware is not yet ready, or Windows Update has not completed the staged process for that device. A red status is more serious because it points to a firmware incompatibility or a failure state that may require OEM intervention.
If the Secure Boot section is missing entirely, the explanation may be different. Secure Boot might be disabled in firmware, the system may have been installed in an unsupported configuration, or the hardware may not expose the expected modern security reporting. That is common in some Windows 11 bypass installations on older hardware, where the OS can run but the security model is not what Microsoft assumes.
Windows 10 users are not fully outside this story either. Microsoft added Secure Boot certificate status reporting to Windows 10 so that the same basic green, yellow, and red model appears in Windows Security. That is important because many Windows 10 machines remain in service, especially in businesses that have not completed migration to Windows 11.

The Forgotten Machines Are the Ones That Will Define the Hangover

The most interesting Secure Boot failures will not happen on shiny 2025 laptops. They will happen on the machines nobody inventories carefully: reception desks, lab PCs, point-of-sale terminals, conference room systems, offline imaging boxes, and that one aging tower connected to a specialty device nobody wants to replace.
Those systems are often updated late, rebooted rarely, and documented poorly. They may have BitLocker recovery keys stored in the wrong place, firmware passwords nobody remembers, or BIOS versions several years behind current support. Secure Boot certificate status is just one more thing that exposes whether the organization actually knows what it owns.
For enterprises, this is where the certificate transition becomes a governance test. Intune, Configuration Manager, event logs, registry signals, and OEM inventory tools all matter because the status cannot be assumed from the Windows version alone. A Windows 11 device can still be blocked by firmware readiness. A supported device can still need a BIOS update. A green status on one model says nothing about the machine next to it.
The October 19, 2026, expiration of the Windows Production PCA 2011 also keeps the pressure on. June was not the end of the story; it was the point where the first parts of the old trust chain started aging out in public. Administrators who treat this as a one-week scramble rather than a months-long firmware hygiene campaign will keep finding surprises.

The Patch Is Automatic Until It Isn’t

The most useful way to think about the Secure Boot rollover is as an automatic update with a firmware escape hatch. If the PC is new enough, supported enough, and already running the right BIOS, Windows Update should handle it. If any of those assumptions fail, the burden shifts back to the user, the administrator, or the OEM.
That is not a scandal, but it is a design reality. Modern Windows security increasingly depends on components below Windows: TPMs, UEFI variables, boot managers, revocation databases, firmware update capsules, and OEM support policies. The operating system can report the problem, but it cannot always cure the platform.
This also explains why some users experience extra restarts. Writing security material into firmware is not the same as installing a Notepad update. The system may need to stage files, reboot, run a scheduled task, write variables, reboot again, and then verify that the new trust state actually persisted.
The advice to back up the BitLocker recovery key before BIOS updates should not be treated as boilerplate. It is the difference between a routine firmware maintenance window and a Monday morning lockout.

The Certificate Rollover Has Turned OEM Support Pages Into Security Infrastructure

The Secure Boot transition has produced a rare moment where OEM support pages are not just customer-service paperwork. They are part of the security boundary. Whether a manufacturer publishes exact model tables, BIOS versions, cutoff dates, and troubleshooting steps now directly affects whether users can maintain boot-level protection.
ASUS and Lenovo show the benefits of detailed guidance. Dell shows the operational value of a compatibility bridge. HP shows why firmware delivery must be treated cautiously. Acer illustrates the anxiety created when official model lists do not cover machines users still rely on. Samsung and LG show the minimal viable version of vendor communication.
For buyers, this should become part of the long-term value calculation. A PC’s useful life is no longer defined only by CPU speed, RAM capacity, or whether Windows still runs acceptably. Firmware support is security support. Once that support ends, the machine may continue working, but it increasingly does so outside the current trust model.
That is uncomfortable for enthusiasts who pride themselves on keeping hardware alive. It is also uncomfortable for businesses that stretch refresh cycles. But Secure Boot is designed to make trust explicit, and explicit trust has an expiration date.

The Secure Boot Checklist That Actually Matters Now

The practical path is narrower than the noise around it suggests. Users do not need to delete folders, disable Secure Boot, or blindly flash BIOS files from random search results. They need to verify status, apply supported updates, and understand when a device has aged out of vendor care.
  • Check Windows Security first, because a green Secure Boot status means the 2023 certificate transition has already completed on that device.
  • Install the latest Windows cumulative update and the latest OEM BIOS or firmware package before assuming a yellow warning is permanent.
  • Save the BitLocker recovery key before any BIOS update, especially on business laptops and premium systems with device encryption enabled.
  • Use the OEM’s dedicated Secure Boot certificate page rather than a generic driver search whenever model-specific guidance is available.
  • Treat unsupported older PCs as operational exceptions, because they may continue to boot while losing the ability to receive future boot-level trust updates.
  • Keep watching the October 19, 2026, Windows Production PCA 2011 deadline, because the Secure Boot transition is not finished simply because June has passed.
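The checklist above, and the KEK/DB verification the earlier status section describes, can be turned into a single read-only pre-flight check. The script below is an added example written for this article, not code from Microsoft or any OEM; it assumes a UEFI system with the built-in SecureBoot and BitLocker PowerShell modules, an elevated prompt, and the published Microsoft CA subject names for the 2011 and 2023 chains.

```powershell
# Added example: read-only Secure Boot / BitLocker pre-flight for one Windows PC.
# Run from an elevated PowerShell prompt on a UEFI system. Nothing here writes
# to firmware or prints a recovery key; it only reports what is in place.

function Get-SecureBootCaStatus {
    # Reads the UEFI KEK and db variables and reports which Microsoft CA
    # generation (2011 vs 2023) each one currently trusts.
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS/CSM boot, or a platform that does not expose the variables.
        return [pscustomobject]@{ SecureBootEnabled = $false; Error = $_.Exception.Message }
    }
    # Certificate subjects are DER-encoded as ASCII text, so a substring match
    # on the raw variable bytes is enough to spot each CA.
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Kek2011           = $kek -match 'Microsoft Corporation KEK CA 2011'
        Kek2023           = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        DbUefiCa2011      = $db  -match 'Microsoft Corporation UEFI CA 2011'
        DbUefiCa2023      = $db  -match 'Microsoft UEFI CA 2023'
        DbWinPca2011      = $db  -match 'Microsoft Windows Production PCA 2011'
        DbWinUefiCa2023   = $db  -match 'Windows UEFI CA 2023'
    }
}

function Test-BitLockerRecoveryReady {
    # Confirms the OS volume has a numerical recovery password protector, so a
    # BIOS update that changes boot measurements can be recovered from.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $rp  = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        ProtectionStatus   = $vol.ProtectionStatus
        RecoveryProtectors = $rp.Count
        RecoveryKeyIds     = @($rp.KeyProtectorId)   # IDs only, never the key itself
    }
}

$sb = Get-SecureBootCaStatus
$sb | Format-List
if ($sb.SecureBootEnabled) {
    if ($sb.Kek2023 -and $sb.DbUefiCa2023 -and $sb.DbWinUefiCa2023) {
        'Firmware trusts the 2023 chain: matches a green Windows Security status.'
    } elseif ($sb.Kek2011 -and -not $sb.Kek2023) {
        'Still on the 2011 KEK only: apply pending Windows updates, then check the OEM page for a required BIOS version.'
    }
}
$bl = Test-BitLockerRecoveryReady
$bl | Format-List
if ($bl.ProtectionStatus -eq 'On' -and $bl.RecoveryProtectors -eq 0) {
    'BitLocker is on with no recovery password protector: add one and back it up before flashing BIOS.'
}
```

The 2023 checks all have to pass for the device to be on the new chain; a machine showing the 2011 KEK with no 2023 KEK is the case the OEM BIOS tables are written for.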
Microsoft’s Secure Boot certificate rollover will probably disappear from view for most users, which is what successful platform maintenance usually looks like. But the machines left behind will teach the harder lesson: Windows security is now inseparable from firmware maintenance, and firmware maintenance is only as good as the OEM support promise underneath it. The next certificate transition should be less dramatic if Microsoft, PC makers, and enterprise IT teams treat this one not as a one-time cleanup, but as a rehearsal for the next decade of hardware-rooted trust.

References

  1. Primary source: Windows Latest, published 2026-06-29