Event details
Have questions about how device manufacturers support the Secure Boot certificate update process? Join OEM Secure Boot Office Hours to connect directly with OEMs and get answers to your questions. This interactive session is dedicated to your questions. Find out more about firmware readiness, update timelines, device compatibility, deployment considerations, and how OEM-provided updates fit into the broader Secure Boot certificate update effort. Submit your questions in the comments and hear directly from the manufacturers helping support a secure and seamless update experience.
To help accommodate participants around the world, comments will be open for 12 hours starting at 7:00 AM PDT. Feel free to submit your questions ahead of time, and we encourage you to post early to help ensure they're seen by our experts. The Q&A will wrap up at 7:00 PM PDT, after which comments and replies will be closed.
OEMs supporting this event will be Acer, Asus, Cisco, Clevo, Dell, Fsas/Fujitsu, Honor, HP, Lenovo, LG, Surface, and Xiaomi.
How do I participate?
Sign in to the Tech Community and post each question in the Comments below. If you have a question for a specific OEM partner, please state the name of the OEM at the start of your question. For example:
[Surface] - My question is.....
There is no on-camera or meeting component to this event. All Q&A will take place in the comments on this page.
50 Comments
- Heather_Poulsen
Community Manager
Office Hours are now closed. Thanks for joining today's event.
- ShapalapaOccasional Reader
HP - Why was the transition process so difficult for you?
There was a bunch of misleading information regarding the compatibility of the new Secure Boot 2023 certificates, not to mention it was a nightmare to install on my EliteBook 840 G6
While documentation says the minimum BIOS version is 01.33.00, it is actually not the case as I was stuck constantly in Under Observation - More Data Needed and only made progress once the dreaded 01.35.01 BIOS was released which then later gave me the new KEK 2023 key through Windows Update and then caused me to get stuck in that BitLocker loop until I discovered that the 3 toggles that are vital for the transition to complete were disabled by default.
Another thing that you quietly sweeped under the rug is the compatible devices. Before it stated on your website that 2018 and newer devices ere supported (ZBook 14u G5, ProBook 650 G4 etc) until they were silently omitted from your website after the fact that you realized there wasn't enough NVRAM storage for the devices. The "HP has developed a solution to allow you to update your system manually" adds insult to injury.
The whole seamless transition is nothing but a myth because I was ready to toss my laptop out from how much this process was taking me to finally complete.
- pbormetOccasional Reader
Dell
I have had fairly decent luck with our Dell fleet accepting the new certificate. With exception of the Optiplex 5000s that are being particularly resistant and will not update the registry when the command is given. - Heather_Poulsen
Community Manager
Three hours remaining in today's Office Hours session. We are actively monitoring this chat and will close comments at 7:00 p.m. PDT.
- Swartz99Tin Contributor
[Duplicate]
Any.
Will there come a day when a device on 2011 certs would never be able to update to the 2023 certs? - Swartz99Tin Contributor
Any OEM, is there going to be a date where a device that still has 2011 certs will never be able to update to the 2023 certs?
- Dan_Pandre
Microsoft
Answer for Surface: Every model which is currently eligible for an update will still be eligible for it later, and Windows Update is the easiest way to get these KEK updates. A more involved process is also documented at https://support.microsoft.com/en-US/surface/drivers-firmware/surface-secure-boot-certificates
Surface models that originally launched with Windows 8 are not eligible. This means Surface Pro 3, Surface 3, and older devices.
Surface models that launched in 2024 or later do not need these updates and shipped with the 2023 certificates already present.
- Juergen_BayerTin Contributor
HP's answer: On HP commercial platforms from 2019 and newer, the latest BIOS version includes updated Secure Boot UEFI variables for the default databases, with the 2023 certificates added. After installing this BIOS version, the active Secure Boot databases can be reinitialized to include the 2023 certificates. As a result, these devices will always be capable of having the Secure Boot 2023 certificates present in the Secure Boot active databases.
- Cliff_HughesTin Contributor
I tried running the Get-SecureBootRolloutStatus.ps1 it errors out that rollout has not been started. It seems it is relying on the other rollout PowerShell. What if I am just testing a single or a few machines? I just want to get the current status of the devices; I found that the Detect-SecureBootCertUpdateStatus.ps1 can be run without needing to do anything else to get status on a device or devices.
- Prabhakar_MSFT
Microsoft
Hello Cliff_Hughes​ , Get-SecureBootRolloutStatus.PS1 requires that you have initiated the Secure boot certificate roll out in your enterprise. You are correct that Detect-SecureBootCertUpdateStatus.ps1 can be run independently. though we included all scripts in both client and server editions of windows, not all scripts are applicable. On Client devices, you just need to run Detect-SecureBootCertUpdateStatus.ps1 for the individual device status. At enterprise level, you will need to configure the rollout or aggregation reporting that will help get the overall status in an HTML report.
More details can be found at Sample Secure Boot E2E Automation Guide | Microsoft Support . This guide explains how to deploy the scripts for monitoring and rollout in your enterprise.
- epoch71Copper Contributor
HP - BIOS upgrades and Bitlocker.
We have 7000+ mostly HP Elitebooks/ZBooks from G7 to current.
With the latest BIOS releases for these models, in our testing when we attempt to force the cert installs (AvailableUpdates 0x5944) we receive a Bitlocker recovery.If we set the 4 SecureBoot BIOS settings in your article https://support.hp.com/us-en/document/ish_14914515-14914500-16 we get a Bitlocker recovery.
We're struggling to proceed in the face of a potential multi-thousand Bitlocker recovery tsunami.
Any advice would be most welcome.
- Juergen_BayerTin Contributor
Hi epoch71​
Ensure that the latest BIOS is installed on your devices. The latest BIOS version is always available as a SoftPaq or through the HP Client Management Script Library (CMSL) command. Windows Update may not provide the latest BIOS version.
Do not change any of the new 2023 certificate-related BIOS settings. The recommendation published in the article applies to earlier BIOS versions.
If you follow these steps, you should not see a BitLocker recovery key prompt.
- epoch71Copper Contributor
Hi. We are using the latest BIOS, as delivered via HPIA.
Yet Bitlocker recovery is still triggered (without the cert-related BIOS settings).
- E.g. Elitebook 640 G10 BIOS V75 01.12.01 - Bitlocker recovery triggered when enabling certs via AvailableUpdates 0x5944 reg key
- Yet if we revert to V75 01.11.00 - no Bitlocker recovery triggered.
Reverting BIOS version on 1000s of devices would be incredibly disruptive.
- Swartz99Tin Contributor
Dell and HP, Do you know when all of your Enterprise models will have BIOS's with the 2023 certs in the Default DB's?
We use HP G8's and newer, including EliteBook 8 Gi1 and Dell Latitude 7*** and Dell Pro13/14/16 plus's- Marcus_MolnerCopper Contributor
For Dell systems, please refer to this Dell KB article: https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration, which contains the most up-to-date list of supported platforms and the corresponding BIOS versions that include the 2023 Secure Boot certificates in the default Secure Boot database.
- Juergen_BayerTin Contributor
All HP G8 models and newer will have the 2023 certs in the default db if the BIOS is upgraded to the latest version (available as SoftPaq and per Client Management Script Library CMSL command).
- Heather_Poulsen
Community Manager
Office Hours are underway and we are actively monitoring this chat. Please keep your questions coming.
- RAJUMATHEMATICSMSCIron Contributor
Why sir my comment is not visible , i posted with photos
- Heather_Poulsen
Community Manager
RAJUMATHEMATICSMSC​ - I think the spam filter caught your post due to the number of screenshots as those can contain identifiable information. I have approved the post and will route to the right members of the team to review.