Act now: Secure Boot certificates expire in June 2026



 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.

Recap: Why Secure Boot requires updating

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.

Secure Boot uses a certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

Expiration date | Expiring certificate | Updated certificate | What it does | Storing location
June 2026 | Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Signs updates to DB and DBX | KEK
June 2026 | Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)* | a) Microsoft Corporation UEFI CA 2023; b) Microsoft Option ROM UEFI CA 2023 | a) Signs third-party OS and hardware driver components; b) Signs third-party option ROMs | DB
Oct 2026 | Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the Windows bootloader and boot components | DB
*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and the Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
  • Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • Key name: MicrosoftUpdateManagedOptIn
  • Type: DWORD
  • DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.


Change management considerations

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:
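The following PowerShell is an added example, not code from the Microsoft post or from anyone in this thread. It checks the items the post walks through on one Windows device: the Secure Boot state that msinfo32 reports, whether the 2023 certificates from the table above are already enrolled in the UEFI db and KEK, and the Secureboot registry values, which it can set to the recommended 0x5944 opt-in with -OptIn. It assumes an elevated session and the SecureBoot module that ships with Windows (Confirm-SecureBootUEFI, Get-SecureBootUEFI); the variable parsing follows the EFI_SIGNATURE_LIST layout from the UEFI specification.

```powershell
#Requires -RunAsAdministrator
# Added example: Secure Boot certificate-rollover readiness check for one Windows device.
# Assumes the built-in SecureBoot module; run elevated. -OptIn writes the 0x5944 value.
param(
    [switch]$OptIn   # write MicrosoftUpdateManagedOptIn = 0x5944 when specified
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
# EFI_CERT_X509_GUID: signature lists of this type hold DER-encoded X.509 certificates
$X509ListGuid  = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

# Walk the EFI_SIGNATURE_LIST array stored in a Secure Boot variable (db or KEK)
# and return the subject CN of every X.509 certificate it contains.
function Get-SecureBootCertName {
    param([ValidateSet('db', 'KEK')][string]$Variable)
    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Variable).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # Header: SignatureType GUID (16), SignatureListSize, SignatureHeaderSize, SignatureSize
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list: stop rather than loop forever
        $listEnd = [Math]::Min($offset + $listSize, $bytes.Length)
        if ($type -eq $X509ListGuid -and $sigSize -gt 16) {
            # Each EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID followed by the DER certificate
            for ($s = $offset + 28 + $headerSize; $s + $sigSize -le $listEnd; $s += $sigSize) {
                $der  = [byte[]]$bytes[($s + 16)..($s + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $cert.GetNameInfo('SimpleName', $false)
            }
        }
        $offset = $listEnd
    }
}

# One row per replacement certificate from the Microsoft table. Names are matched as
# substrings, so the post's "Microsoft Corporation UEFI CA 2023" wording and the
# certificate CN "Microsoft UEFI CA 2023" seen in the forum output both count.
function Get-SecureBootRolloverStatus {
    $enrolled = @{
        db  = @(Get-SecureBootCertName -Variable db)
        KEK = @(Get-SecureBootCertName -Variable KEK)
    }
    $expected = @(
        @{ Store = 'KEK'; Name = 'KEK 2K CA 2023' }           # signs DB and DBX updates
        @{ Store = 'db';  Name = 'Windows UEFI CA 2023' }     # signs the Windows boot manager
        @{ Store = 'db';  Name = 'Microsoft UEFI CA 2023' }   # third-party OS and driver components
        @{ Store = 'db';  Name = 'Option ROM UEFI CA 2023' }  # third-party option ROMs
    )
    foreach ($e in $expected) {
        $hit = @($enrolled[$e.Store] | Where-Object { $_ -like "*$($e.Name)*" }).Count -gt 0
        [pscustomobject]@{
            Store       = $e.Store
            Certificate = $e.Name
            State       = if ($hit) { 'present' } else { 'MISSING' }
        }
    }
}

# The two Secureboot registry values this thread talks about, shown as hex.
# The meaning of the individual AvailableUpdates bits is not decoded here.
function Get-SecureBootRegistryState {
    $reg = Get-ItemProperty -Path $SecureBootKey -ErrorAction SilentlyContinue
    foreach ($name in 'MicrosoftUpdateManagedOptIn', 'AvailableUpdates') {
        $present = $reg -and $reg.PSObject.Properties[$name]
        [pscustomobject]@{
            Value = $name
            Data  = if ($present) { '0x{0:X}' -f [int]$reg.$name } else { '(not set)' }
        }
    }
}

# Opt in to Microsoft-managed Secure Boot updates with the value recommended in the post.
function Set-SecureBootUpdateOptIn {
    New-ItemProperty -Path $SecureBootKey -Name 'MicrosoftUpdateManagedOptIn' `
        -PropertyType DWord -Value 0x5944 -Force | Out-Null
}

try { $secureBootOn = Confirm-SecureBootUEFI }   # the fact msinfo32 shows as "Secure Boot State"
catch { Write-Warning "UEFI Secure Boot is not supported on this platform: $_"; exit 1 }

if (-not $secureBootOn) {
    Write-Warning 'Secure Boot State is Off: Windows cannot update the db/KEK certificates here.'
} else {
    Get-SecureBootRolloverStatus | Format-Table -AutoSize
}
if ($OptIn) { Set-SecureBootUpdateOptIn }
Get-SecureBootRegistryState | Format-Table -AutoSize
```

Apply the OEM firmware update first, as the post says; the script only reports the current variables and writes the opt-in value, it does not enroll certificates itself.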


Windows Update will eventually enforce this change on all W11 PCs (late 2025? before Oct 2026). Right now, the process is optional.

MS delayed its original timeline because some OEMs have needed more time to fix their broken BIOS code. This includes some security and management vendors that install their own code hidden in customers' BIOSes.
At that point it's an automated process (through Windows Updates) - still not something home users should bother with (still an enterprise issue - since it's the OEMs' job + Microsoft). Even so, can't help but wonder: How many OEMs will actually do it? Seeing how keen they are at providing updates for systems that are even 3 years old - after being removed from the production line (replaced by newer models).

Not to mention - coincidentally.... late 2025 - Windows 10 will reach EOL. So this move, could be another nail (biggest one yet) - in that coffin (again, it's hard to say - if even systems officially supporting Windows 11 will be covered by this updates - cause those unsupported - pretty sure won't). Highly convenient situation... for Microsoft and its OEM partners. It's not a secret - that Microsoft quite desperately kept trying to convince/motivate Windows 10 users to move to Windows 11, or that OEMs want more sales.
 

So it's a convenient situation to allow a known UEFI rootkit (which can't be removed) to take over users' PCs?

MS didn't discover Black Lotus, an independent security researcher confirmed its existence and most in the industry didn't think something this technical could exist and bypass all the previous UEFI security measures. Whether non-enterprise users care or not, MS has a big responsibility to make every effort to promote secure computing for its enterprise customers.

When you buy a PC from Dell or HP, there isn't a choice to shop between "secure PC" and "insecure PC".
 

strangely I found this in msinfo32 for my PC..
Secure Boot State Off
O_O :(
I don't recall changing any settings..
but I didn't disable it in the BIOS as far as I can recall.

hmmm....

I do run a tight ship on my PCs... so I don't allow anything to download that I don't fully trust..
 

strangely I found this in msinfo32 for my PC..
Secure Boot State Off
O_O :(
I don't recall changing any settings..
but I didn't disable it in the BIOS as far as I can recall.

You disabled it four or five years ago:

but I have Secure boot disabled in the BIOS...
since it can cause more headaches than it's worth...
 

Please write in English, because this is an English forum!

Translated by Deepl:
Use this script to install automatically.
Sorry I used the translator but copied it the wrong way.

Tested on several Windows servers, it worked.
 

Here's what I get:
Code:
Secure Boot: ENABLED

EFI DB Certificates
-------------------
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023
    Microsoft Corporation UEFI CA 2011
    Microsoft UEFI CA 2023

EFI DBX Certificates
--------------------

AvailableUpdates: 0x402
-----------------------
    Install the updated certificate definitions to the DBX.

EFI Files
---------
Boot Manager [Microsoft UEFI CA 2023] on Disk 0 is allowed.

What's this part on about:
Code:
AvailableUpdates: 0x402
    Install the updated certificate definitions to the DBX.

I realize the 2011 certificates should move to the DBX list, but what's this trying to tell me?

Also, how would I move the old certificates to the DBX list to ban them?
 

So it's a convenient situation to allow a known UEFI rootkit (which can't be removed) to take over users' PCs?
Black Lotus is based on a vulnerability discovered and patched in 2022 - only added to UEFI Revocation List (DBX) on May 9, 2023. Yet, they wait 3 years - till Windows 10 goes EOL - to finally address it for all Windows Users (supposedly around 1.5 billion systems)? How come, it's only ok to be concerned now - but not in the past 3 years? So YES, it's highly convenient. Since Windows 10 won't get the update - so all the systems that don't officially support Windows 11 24H2 - are conveniently left behind. Thus, forcing them to upgrade (humongous win for OEMs) - while most of the upgraded systems will obviously come with Windows 11 (aside from those switching to Apple - or giving up on computers - in favor of Smartphones and Tablets).

MS didn't discover Black Lotus, an independent security researcher confirmed its existence and most in the industry didn't think something this technical could exist and bypass all the previous UEFI security measures. Whether non-enterprise users care or not, MS has a big responsibility to make every effort to promote secure computing for its enterprise customers.

ESET was the first to cover it:


And again, as explained in their article:
  • It exploits a more than one year old vulnerability (CVE-2022-21894) to bypass UEFI Secure Boot and set up persistence for the bootkit. This is the first publicly known, in-the-wild abuse of this vulnerability.
  • Although the vulnerability was fixed in Microsoft’s January 2022 update, its exploitation is still possible as the affected, validly signed binaries have still not been added to the UEFI revocation list. BlackLotus takes advantage of this, bringing its own copies of legitimate – but vulnerable – binaries to the system in order to exploit the vulnerability
Microsoft had/has a responsibility for all Windows Users (be it 10 or 11 - while both are still supported to this date) - not just its enterprise customers (who have their own IT personnel).
When you buy a PC from Dell or HP, there isn't a choice to shop between "secure PC" and "insecure PC".
Can't follow your logic. Latest systems don't have these issues - slightly older (still sold as refurbished) supporting Win 24H2 should be patched. The only ones affected - are not sold by any major OEM brand since their Windows support ends with Windows 10. Again, have no idea where you're going with that - in relation with what I said.
 

I'm never going to convince the diehard skeptics. That's not my goal. I'm here to explain to the general audience why things are where they are. If you're going to quote me, I'll quote you back.
 

If facts and common sense go against your logic - you switch to insults, interesting (that says all for me).
 

believe it or not this update can be done in Ubuntu as it was a firmware update that updated the secure boot and TPM.
I updated the wife's and my system several months ago as I have Ubuntu installed on a 100GB partition on both systems.
it's the best Windows repair tool there is and I can boot into Ubuntu even if the Windows EFI/boot partition goes wrong.

this is most likely a post that will be of no help to anyone, but.
best of luck, Steve ..
 

My main desktop PC shows this -

Screenshot 2025-06-28 162149.webp

But the other 3 PCs, including a new Dell laptop purchased less than a year ago, show this

Screenshot 2025-06-28 162423.webp

The only difference is the main laptop has not been clean-installed since W10 days, but the other three have all been clean-installed to 24H2 in the last year. I don't understand why the 2023 certificates are missing from these.
 

For home computers I've NEVER bothered with secure boot -- some of these security systems are just getting bonkers -- I suspect a lot of it is I.T pros getting increasingly afraid of A.I replacing them are just getting security things so complex that they are needed to untangle ordinary people's machines. I mean c'mon peeps -- who even bothers or cares about rootkits etc on DOMESTIC machines these days -- you are far more likely to get scammed than attacked by malware. Just ensure that WD is up to date. More than sufficient.

You can install windows 11 without secure boot simply by using dism /Apply-Image.

Cheers
jimbo
 

I have this output. I wonder why some people here have Microsoft UEFI CA 2023 but not me.
I don't know what output you have because you did not attach an output. Anyway, you should follow the guidelines here and you will have everything: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

Please follow Steps 1, 2, and 3 under the Mitigation Deployment Guidelines section and you will have everything. I did not do step 4 yet.

Please reboot your PC as advised between steps and check. This is to make certain that the mitigations are applied at every step correctly. Otherwise, you may end up with a PC that cannot boot at all.

Hope this helps.
 

I don't know what output you have because you did not attach an output. Anyway, you should follow the guidelines here and you will have everything: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

Please follow Steps 1, 2, and 3 under the Mitigation Deployment Guidelines section and you will have everything. I did not do step 4 yet.

Please reboot your PC as advised between steps and check. This is to make certain that the mitigations are applied at every step correctly. Otherwise, you may end up with a PC that cannot boot at all.

Hope this helps.
I meant your image in message #7 in this thread. (I can see link to that attachment in my post)
So I have Windows UEFI CA 2023 but not Microsoft UEFI CA 2023. I followed those steps last year.
 

I have this output. I wonder why some people here have Microsoft UEFI CA 2023 but not me.
If you have the system you listed as your computer - that's cause it's older than 2023 (above certificates were released in May 2023) and was never patched.
 

If you have the system you listed as your computer - that's cause it's older than 2023 (above certificates were released in May 2023) and was never patched.

My main system is older than 2023 and is fully patched and has the 2023 certificates. My other two desktop systems are older than this (one 8th generation intel) and all are fully patched but don't have these. The Dell laptop is a new July 2024 purchase, and also missing the 2023 certificates.

I think it's to do with these 3 having been clean installed to 24H2. Perhaps I'll wait for an up-to-date 25H2 ISO to appear and redo the clean install.
 

My main system is older than 2023 and is fully patched and has the 2023 certificates. My other two desktop systems are older than this (one 8th generation intel) and all are fully patched but don't have these. The Dell laptop is a new July 2024 purchase, and also missing the 2023 certificates.

I think it's to do with these 3 having been clean installed to 24H2. Perhaps I'll wait for an up-to-date 25H2 ISO to appear and redo the clean install.

Is the Dell Laptop a newer Model (released in 2024)? Which model is that, btw?

The Secure Boot certificates are part of the UEFI firmware. As far as I know - a clean install of Windows, even 24H2, does not modify DBX entries directly.
 
