Event details

Have questions about how device manufacturers support the Secure Boot certificate update process? Join OEM Secure Boot Office Hours to connect directly with OEMs and get answers to your questions. This interactive session is dedicated to your questions. Find out more about firmware readiness, update timelines, device compatibility, deployment considerations, and how OEM-provided updates fit into the broader Secure Boot certificate update effort. Submit your questions in the comments and hear directly from the manufacturers helping support a secure and seamless update experience.

To help accommodate participants around the world, comments will be open for 12 hours starting at 7:00 AM PDT. Feel free to submit your questions ahead of time, and we encourage you to post early to help ensure they're seen by our experts. The Q&A will wrap up at 7:00 PM PDT, after which comments and replies will be closed.

How do I participate?

Select Add to Calendar to save the date, then click the Attend button to save your spot, receive event reminders, and participate in the Q&A. 

Don't see Attend or Add to Calendar? Sign in to the Tech Community to join the conversation.

There is no on-camera or meeting component to this event. All Q&A will take place in the comments on this page.

 

Heather_Poulsen
Updated Jun 26, 2026

2 Comments

  • Swartz99's avatar
    Swartz99
    Occasional Reader

    For devices that have been offline for an extended period, or newly imaged devices that may have been sitting on a shelf for months, what should we expect regarding the Secure Boot certificate updates?

    My understanding is that the Secure Boot update process will still run once the device is updated, and that devices whose default Secure Boot databases (DB/DBX) still contain the 2011 certificates will ultimately receive the 2023 certificates through the update process. Is that correct?

    Additionally, if a device already ships with the 2023 certificates present in the firmware's default Secure Boot databases, how long should it take before the Windows bootloader transitions from using the 2011 certificate chain to the 2023 certificate chain? Is there a specific trigger or state change required for that transition?

    For example, I have a device where the BIOS shows the 2023 certificates are present, but the bootloader still reports that it is using the 2011 certificates. Is that an expected intermediate state, and if so, what exactly does it indicate about the device's Secure Boot configuration? Or are we overthinking the distinction between the firmware certificates and the active bootloader signing chain?

  • kprz's avatar
    kprz
    Copper Contributor

    For a supported consumer Windows 11 laptop, Windows Security says Secure Boot is on, but the automated Secure Boot certificate update cannot complete because of hardware or firmware limitations and says to contact the manufacturer.

    The OEM support article lists the model as supported for the new Secure Boot certificates, but the device support/download page does not yet show an obvious newer firmware package. Windows Update installed one optional firmware-related update, but the Windows Security warning remains after multiple restarts.

    What is the safest recommended path for users in this situation?

    1. Should they wait for Windows Update / Optional Updates?
    2. Should they contact the OEM even if the model appears on the supported list?
    3. Should they avoid manual BIOS changes unless the OEM gives device-specific instructions?
    4. Is there a Windows Security status message or log location that clearly distinguishes “still waiting for rollout” from “firmware action required”?