Event details
Have questions about how device manufacturers support the Secure Boot certificate update process? Join OEM Secure Boot Office Hours to connect directly with OEMs and get answers to your questions. This interactive session is dedicated to your questions. Find out more about firmware readiness, update timelines, device compatibility, deployment considerations, and how OEM-provided updates fit into the broader Secure Boot certificate update effort. Submit your questions in the comments and hear directly from the manufacturers helping support a secure and seamless update experience.
To help accommodate participants around the world, comments will be open for 12 hours starting at 7:00 AM PDT. Feel free to submit your questions ahead of time, and we encourage you to post early to help ensure they're seen by our experts. The Q&A will wrap up at 7:00 PM PDT, after which comments and replies will be closed.
OEMs supporting this event will be Acer, Asus, Cisco, Clevo, Dell, Fsas/Fujitsu, Honor, HP, Lenovo, LG, Surface, and Xiaomi.
How do I participate?
Sign in to the Tech Community and post each question in the Comments below. If you have a question for a specific OEM partner, please state the name of the OEM at the start of your question. For example:
[Surface] - My question is.....
There is no on-camera or meeting component to this event. All Q&A will take place in the comments on this page.
50 Comments
- JoshMcWilliams6070Occasional Reader
We have around 3700 devices. Mix of Dell and Lenovo. We started with a script to check for the Secure Boot Cert version to get an idea of how many devices were affected. We then enabled the Intune settings for secure boot to Enable the Initiation of deploying New Secure Boot certificates. Roughly 500 devices have failed this Intune Configuration though. All our devices are Bitlocker enabled. How are others that don't have Intune performing these upgrades without affecting Bitlocker?
We have around 100 devices that are shelved as spares or waiting for repair that may be running pre-2023 what are the expectations when putting these back into circulation?- Jason_Sandys
Microsoft
Hi JoshMcWilliams6070, Can you please expand on "Roughly 500 devices have failed". What exactly does "failed" mean here? Is there an error code shown in Intune for these devices for the Settings Catalog policy?
As for deploying the updated secure boot certs without impacting BitLocker, this is not expected in general. There are caveats and dependencies outside of Microsoft's control here including custom PCR configurations and firmware idiosyncrasies, but the general expectation is that BitLocker should not be impacted, and no recovery should be triggered. This is why we do and have strongly recommended testing representative devices across organizational fleets though to validate that none of these caveats are present and so that you can prepare if they are by ensuring BitLocker recovery keys are stored and available.
For shelved devices, there is nothing special. The same process (Windows Update) will update these devices per your policy or according to the high confidence database once they are back in operation.
- JoshMcWilliams6070Occasional Reader
If Intune provided more details it would be nice. Intune for the Policy setting simply says
State Error
Error Type 2
Error Code 0.
We do have Secure Boot set to
Configure High Confidence Opt Out to Disabled
Configure Microsoft Update Managed Opt In to Enabled
Enable Secureboot Certificate Updates to (Enabled) Initiates the deployment of new Secure Boot certificates and related updates
We've had a few devices after the update require the Bitlocker key to unlock which has slowed down our progress with just 3 people to get all the devices up to date. I think around 30 so far out of around 2800. We have our keys stored and available via Entra, Intune, and our RMM depending on the team supporting the end user after. So its more of a time consuming situation more than a major problem. Since we purchase systems from multiple regions in the world we end up with a high variability between systems. Our small team does its best to try and test on as many different systems as possible during the testing Window.
Our RMM does provide a script to enable the update but since we have seen a small number of devices have the Bitlocker issue I wasn't sure if using Powershell automations in our RMM that triggers if the check script determines it does not have the updated cert. Not sure if it might be more problematic than Intune or if anyone has had an issues.
- Kenny77Copper Contributor
HP
Can we expect firmware updates that includes the Secure Boot certificates for legacy platforms such as EliteBook 840 G5 and G6?
- Juergen_BayerTin Contributor
For EliteBook 840 G6 we have published BIOS version 01.35.02 (sp173290) which allows Microsoft adding the 2023 certificates on this system. For EliteBook 840 G5 (and older systems) which have reached end of service date there's an update package available which manually adds all the 2023 Secure Boot certificates to the KEK and db database. Please keep in mind the this package does not update the default databases. Please contact HP Support to receive the update package.
- Duane_GatlinCopper Contributor
For a list of platforms that have updated BIOS support, please see https://support.hp.com/us-en/document/ish_13070353-13070429-16 for the "HP Business PCs - Prepare for new Windows Secure Boot certificates" article. In particular, see the "List of supported HP Commercial PCs released between 2018 and 2023 and minimum BIOS version" section.
For the HP EliteBook 840 G6, BIOS version 01.33.00 is available from https://ftp.hp.com/pub/softpaq/sp162501-163000/sp162942.exe
Where possible, the latest BIOS posted on https://www.hp.com should be used.
https://ftp.hp.com/pub/softpaq/sp173001-173500/sp173290.exe
sp162942 added support to enable Windows to append the 2023 UEFI CA certificates to the UEFI DB.
sp173290 added support for new BIOS policies that enable selecting specific certificates to be included in the UEFI DB.
For select older platforms like the HP EliteBook 840 G5, see the "Support for HP Commercial PCs outside of service life" section. HP support can provide a script upon request to append the UEFI CA 2023 certificates to the UEFI DB for older platforms, such as the HP EliteBook 840 G5.
- Checker-KPOccasional Reader
HP
I have about 700 systems that are HP G9 and G10s 840 EliteBooks . They have the bios version 1.12.00 and 1.18.00 and they February 2026 date. These systems do not seem to be updating. I see they are under observation more data needed. So on a few In the bios I have checked 3 of the settings in bios - Windows UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, and Microsoft UEFI CA 2023 on a few test systems. On one I had all 4 checked which included the Enable MS UEFI CA key. I put the 5944 in the registry and when I use powershell commands it shows that the 3 certs are updated except for the KEK on all of them. When I put 5944 in the registry it will say in Progress but after a reboot it goes back not started and 0 for available updates . I thought maybe it was the bios so we updated the bios on 1 to 1.18.01 and it still has not updated the KEK. Are they the issue? I know in one of the systems I tested with that had 1.12.00 I was able to get everything updated but that is it.- Checker-KPOccasional Reader
HP
I have updated 1 to latest bios and nothing changed as stated above - 1.18.01 and I did run the commands and it just told me what I knewmodel : HP EliteBook 840 14 inch G10 Notebook PC
SMBIOSBIOSVersion : V70 Ver. 01.12.00
I just want to make sure these aren't the ones being blocked which I read in an article that some of the HP updates are being blocked.
- Juergen_BayerTin Contributor
Latest BIOS version for 840 G9 is 1.18.01 and for 840 G10 is 01.12.01. We strongly recommend updating the BIOS to the latest version available. As mentioned, with the latest BIOS versions there are new BIOS settings which allow the BIOS taking control of these new 2023 Secure Boot certificates. Best practice is to leave these new BIOS settings untouched and let first Windows Update add the 2023 certificates to the Secure Boot databases. MS UEFI CA key is related to the 2011 3rd party certificate and if enabled, Microsoft Update process will add the two 2023 3rd party certificates to the db database. If the 2023 KEK certificates is not added, you can try putting 0x4 in the registry which explicitly updates the KEK although 0x5944 should have taken care of the KEK update.
- Duane_GatlinCopper Contributor
I am not familiar with the KEK not being updated on HP commercial PCs.
What is the output of these PowerShell commands:
gwmi win32_computersystem | fl model
gwmi win32_bios | fl SMBIOSBIOSVersion
The Secure Boot certificates can be updated by Windows Update (once sufficient data is collected) or by using the 0x5944 registry value and rebooting twice. Windows will append the "Microsoft Corporation KEK 2K CA 2023" to the currently active KEK.
When installing a recent BIOS update, the BIOS will update KEKDefault and DBDefault.
The "Reset Secure Boot keys to factory defaults" BIOS action/setting can be used to copy the defaults to the currently active KEK/DB.
Before using the BIOS action, BitLocker should be suspended to avoid triggering BitLocker recovery being triggered due to a change in the PCR7 BitLocker protector.
After an update to a recent BIOS update, there are BIOS policies (settings) to enable which specific certificates are included in the UEFI DB.
For additional information, see https://support.hp.com/us-en/document/ish_13070353-13070429-16 for the "HP Business PCs - Prepare for new Windows Secure Boot certificates" article. Included are a list of models, a description of each of the related BIOS policies (settings), and other information.
Please update to the latest available BIOS from www.hp.com. If the issue recurs, please contact HP support so that a support case can be opened.
- SimoneTacTin Contributor
DELL
We're in process to update firmware on our "DELL" fleet, while the majority of the devices already have the certificates updated via Intune.
For devices still on old firmware versions, what are the major risks of keeping them with older firmware but with certificates updated?
What's the best option to manage DELL firmware updates via Intune, giving the user the option to delay reboot ?- Marcus_MolnerCopper Contributor
Updating certificates alone is supported, but the risk of staying on older firmware leaves devices without the latest firmware improvements, security fixes, and recovery capabilities. The recommended Dell patch also automatically updates the certs to match the certs from Windows Update (https://www.dell.com/support/kbdoc/en-us/000390990/secure-boot-transition-faq#General).
A management method through Intune is to deploy and manage Dell Command | Update (DCU) with Intune software deployment, and then subsequently https://www.dell.com/support/manuals/en-us/command-update/admx_rg/settings-control?guid=guid-51412b32-2987-4237-a28f-158d5d0dd83d&lang=en-us, which also provides options for user-controlled reboot deferrals.
- salmankhan1Occasional Reader
I have verified that the affected devices have the latest 2023 Secure Boot certificate in the database, Secure Boot is enabled, and TPM is updated and functioning correctly. However, these devices are still showing a "Secure Boot Status = Unknown".
What could be the possible causes for Secure Boot status being reported as Unknown despite meeting all the expected prerequisites? Possible areas to investigate include device reporting, inventory synchronization, certificate validation, firmware compatibility, WMI/MDM data collection, or backend data processing issues.
- Prabhakar_MSFT
Microsoft
Hi salmankhan1 , Good Morning... Are you using Autopatch reporting or Intune remediations for getting the overall secure boot update status. Can you execute
C:\Windows\SecureBoot\Scripts\Get-SecureBootRolloutStatus.ps1 from Admin powershell prompt and check what is the status reported? This script collects complete Secure Boot status and prints it on console.
- Heather_Poulsen
Community Manager
Welcome to this special edition of Secure Boot Office Hours! Joining us in the virtual office today are representatives from Acer, Asus, Cisco, Clevo, Dell, Fsas/Fujitsu, Honor, HP, Lenovo, LG, Surface, and Xiaomi.
You are welcome to post multiple questions throughout today's event, but please post one question per comment. To help ensure the right OEM sees your question, please put the name of the OEM at the start of your question. - RAJUMATHEMATICSMSCIron Contributor
I have windows 11 build no 26200.8875 with b760m motherboard, In previous version bios relased on april 28th 2026 with updates certificates
confidentiallevel was High Confidence
After upgrading to latest bios released june 11th 2026,
confidentiallevel was setted to No Data Observed - Action Required
Why this changes happened in windows ?
Please explain
Thanking you
Varadharajan K
- Prabhakar_MSFT
Microsoft
The confidence data is based on device firmware version. When your device was high confidence rated, the fw version that was on the device is in the high confidence rating. However, when firmware is updated, the bucket ID drifts and it gets a new bucket ID. That bucket ID is still not yet marked as high confidence so the device now shows as No Data Observed - Action Required because the data for newest firmware version is not yet available in the confidence data.
If your device is already up-to-date with the certs, you can ignore this confidence rating. When a new firmware update is deployed, this data drift is expected.
You can execute the script
C:\Windows\SecureBoot\Scripts\Detect-SecureBootCertUpdateStatus.ps1 to get the latest status of secure boot certificate updates
- Swartz99Tin Contributor
For devices that have been offline for an extended period, or newly imaged devices that may have been sitting on a shelf for months, what should we expect regarding the Secure Boot certificate updates?
My understanding is that the Secure Boot update process will still run once the device is updated, and that devices whose default Secure Boot databases (DB/DBX) still contain the 2011 certificates will ultimately receive the 2023 certificates through the update process. Is that correct?
Additionally, if a device already ships with the 2023 certificates present in the firmware's default Secure Boot databases, how long should it take before the Windows bootloader transitions from using the 2011 certificate chain to the 2023 certificate chain? Is there a specific trigger or state change required for that transition?
For example, I have a device where the BIOS shows the 2023 certificates are present, but the bootloader still reports that it is using the 2011 certificates. Is that an expected intermediate state, and if so, what exactly does it indicate about the device's Secure Boot configuration? Or are we overthinking the distinction between the firmware certificates and the active bootloader signing chain?
- Prabhakar_MSFT
Microsoft
Hello Swartz99 Good Morning... You are correct. Soon the device is updated to latest Windows Patches, the certificates will be automatically updated if the device is classified as High Confidence. Else, you need to take action to test and deploy the certificates by following deployment guidance at https://aka.ms/getsecureboot
If the device already ships with the 2023 certificates, the boot loader will be automatically switched to 2023 signed version as soon as latest windows patches are deployed. Are you still observing 2011 Boot loader on the system even after all of latest windows updates deployed? To confirm the device has been updated, you can run the following powershell script from Administrator prompt.
C:\Windows\SecureBoot\Scripts\Get-SecureBootRolloutStatus.ps1
This script dumps complete status of the Secure Boot certificate and update completeness for your system
- Swartz99Tin Contributor
Thanks for the reply Prabhakar_MSFT! My device is currently on build 26100.4652. I am going to move it to our Test Autopatch ring and try and get yesterday patch on it and see if the Boot loader updates.
I also do not have a SecureBoot folder in my C:\Windows folder. is that because of the older build i am currently on?
- kprzCopper Contributor
For a supported consumer Windows 11 laptop, Windows Security says Secure Boot is on, but the automated Secure Boot certificate update cannot complete because of hardware or firmware limitations and says to contact the manufacturer.
The OEM support article lists the model as supported for the new Secure Boot certificates, but the device support/download page does not yet show an obvious newer firmware package. Windows Update installed one optional firmware-related update, but the Windows Security warning remains after multiple restarts.
What is the safest recommended path for users in this situation?
- Should they wait for Windows Update / Optional Updates?
- Should they contact the OEM even if the model appears on the supported list?
- Should they avoid manual BIOS changes unless the OEM gives device-specific instructions?
- Is there a Windows Security status message or log location that clearly distinguishes “still waiting for rollout” from “firmware action required”?
- Heather_Poulsen
Community Manager
kprz - Can you clarify which OEM so they can reply to your questions?