Microsoft Confirms Secure Boot Certificate Updates Are Blocked on Some Windows 11 PCs
Microsoft has acknowledged that Secure Boot certificate updates are failing or being blocked on certain Windows 11 PCs due to known issues. The company is collaborating with PC manufacturers to develop a patch, but users may still need to take action if certificates are blocked for other reasons.
Details on the Known Issues
In an updated support document first highlighted by Windows Latest, Microsoft revealed that it has paused the rollout of Secure Boot updates on some PCs due to potential issues. Affected devices now display a detailed error message in the Windows Security app:

Previously, users were advised to contact their device manufacturers if their Secure Boot certificates were outdated. The Windows Security app now also provides warnings about new issues identified by Microsoft that could interfere with Secure Boot updates.
“Devices in this group are affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution,” the company stated.
Secure Boot certificates issued in 2011 or earlier have expired, and Microsoft has been working to replace them with new certificates issued in 2023. While eligible PCs are expected to automatically receive updated certificates through Windows Update, this process is not universal. Some devices, even those with supported hardware, may face delays due to configuration or compatibility issues.
Challenges with Older Hardware
Ed, a veteran journalist at Windows Latest, noted that older Windows PCs often suffer from firmware problems that leave them unprepared for these updates. Microsoft has explained that modern hardware is already using the 2023 Secure Boot certificates. However, for devices with Secure Boot disabled or those with faulty firmware, updates could be problematic.
To check your Secure Boot status, navigate to Windows Security > Device security > Secure Boot. If the status indicates that Secure Boot is enabled and certificates are applied, no further action is needed. However, if it only states "Secure Boot is on" without confirming the certificate status, further investigation may be required.

OEM-Specific Issues
HP recently confirmed that Secure Boot updates are being unintentionally blocked on some of its PCs. In a support document, HP stated that it had begun rolling out an updated BIOS to prepare for the Secure Boot deadline in June. Unfortunately, some PCs encountered issues, such as being stuck at a BitLocker screen, which caused Secure Boot certificate installations to fail.
HP noted that “Microsoft’s 2023 certificates may fail to properly apply on the computer when this BitLocker issue occurs.”

Microsoft has since worked with OEMs to identify devices or firmware configurations where Secure Boot certificate updates could lead to complications. Affected devices require a firmware update, but since it is not yet available, Microsoft has temporarily blocked Secure Boot updates to mitigate risks.
Why Some PCs Are Not Receiving Secure Boot 2023 Certificates
According to Microsoft, most PCs have already received the Secure Boot certificates via Windows Update. In some cases, however, potential compatibility issues prevent Windows Update from delivering the 2023 Secure Boot update.
For older devices, Windows may indicate that Secure Boot is enabled but also warn that the device will not receive the certificate update due to hardware or firmware limitations. OEMs often deprioritize firmware updates for older or less popular models, leaving some devices unsupported.

Microsoft advises users to check their OEM’s Secure Boot support page for details on firmware updates. Many OEMs, including HP, have quietly updated their documentation to acknowledge Secure Boot issues and the lack of necessary firmware updates for older models.
The Importance of Secure Boot 2023 Certificates
Secure Boot is a security feature integrated into a computer’s UEFI firmware. It ensures that only verified software runs during the boot process, blocking unauthorized or malicious programs. The 2023 Secure Boot certificates are crucial for processing updates to the Secure Boot DBX (Forbidden Signature Database), which identifies compromised or vulnerable bootloaders.

Microsoft emphasizes that users should not disable Secure Boot, even if they are not receiving updates, as doing so would compromise system security. An expired Secure Boot certificate does not immediately render a PC inoperable, and the impact for most users is negligible. However, updated certificates are essential for ensuring long-term security and compatibility.
Conclusion
Secure Boot remains a critical component of Windows 11’s security architecture. While Microsoft continues to address compatibility issues with OEMs, affected users can monitor their device's status through the Windows Security app and consult their OEM’s support channels for further assistance. Updated certificates are necessary to maintain a secure boot environment, but the lack of immediate updates is not a catastrophic issue for most users.

