Microsoft’s long-running Secure Boot certificate transition has moved from background plumbing to a practical maintenance item for Windows PCs. According to Windows Latest, major OEMs including Dell, HP, Lenovo, ASUS, Acer, MSI, Samsung, LG and Microsoft Surface have now published guidance for customers as the original Microsoft Secure Boot certificates from 2011 expire or approach expiration. For most supported consumer PCs, this should be a routine Windows Update and firmware update story. For IT teams and anyone managing older hardware, it is also a reminder to check support status before the next reboot window.
What is changing
Secure Boot is the UEFI feature that helps a PC verify trusted boot components before Windows starts. The important point is not that Windows suddenly stops working when an old certificate date passes. The operational risk is that unsupported or unpatched systems may lose the normal path for future boot-level trust updates, including revocations and malware mitigations.
Windows Latest reports three key certificate milestones: the Microsoft Corporation KEK CA 2011 expired on June 24, 2026, the Microsoft UEFI CA 2011 expired on June 27, 2026, and the Microsoft Windows Production PCA 2011 is scheduled to expire on October 19, 2026. Microsoft has been distributing replacement 2023 certificates through Windows Update, but OEM firmware readiness still matters. In plain English: Windows can deliver part of the fix, but your PC vendor may need to provide a BIOS or firmware update that allows the new certificates to be applied cleanly.
What PC owners should do first
Start with the least risky path. Install the latest Windows cumulative updates, then check your PC maker’s support app or support website for BIOS and firmware updates. Before applying firmware updates, save your BitLocker recovery key if BitLocker or device encryption is enabled. A BIOS update can legitimately change measurements used during boot, and a prepared recovery key is the difference between a routine maintenance event and a locked-out morning.
Then open Windows Security and review Device security. Treat the Secure Boot panel as a green-yellow-red checkpoint: green generally means the updated certificates are in place, yellow suggests the update is pending or waiting on firmware readiness, and red points to a compatibility issue that needs vendor-specific guidance. If the Secure Boot entry is missing entirely, Secure Boot may be disabled in firmware, or the system may be running on unsupported hardware or an unsupported installation path.
Vendor guidance varies by model and support window
The most useful takeaway from the OEM guidance is that there is no single universal BIOS version for every PC. Lenovo’s documentation reportedly lists product families such as ThinkPad, ThinkCentre, IdeaPad, Legion and Yoga with BIOS versions and deployment notes. Dell’s guidance covers lines including XPS, Latitude, OptiPlex, Precision, Inspiron, Alienware and others, while also applying a support cutoff for older platforms. HP splits consumer and commercial guidance, with commercial devices depending on minimum BIOS identifiers before Windows Update can complete the certificate step.
ASUS appears to provide detailed consumer and commercial instructions, including checks for Windows Security warnings and a manual path using Microsoft’s scheduled Secure Boot update task where appropriate. MSI divides its advice by processor generation, with some older laptop platforms handled automatically through Windows Update and newer systems receiving BIOS updates. Acer has published a model table for Aspire, Nitro, Predator, Swift, Extensa, TravelMate and Spin devices, but some older systems may still be waiting for explicit coverage. Samsung and LG have also posted support notices explaining the Windows Update path and troubleshooting approach for their PC lines. Microsoft Surface devices are simpler in one sense because firmware and Windows updates come from Microsoft, but only Surface models still inside firmware support should be expected to receive the transition normally.
Enterprise checklist
For managed fleets, this should be handled as a firmware compliance project rather than a user education email alone. Inventory models, BIOS versions, Secure Boot status and BitLocker escrow health before broad rollout. Pilot the update on representative hardware, including at least one device from each OEM family and age band. Confirm that recovery keys are escrowed in Entra ID, Active Directory or your chosen management platform. If you deploy through Intune, Configuration Manager or another endpoint tool, stage firmware updates separately from high-pressure patch deadlines so help desks can distinguish BitLocker prompts, repeated reboots and genuine failures.
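Added example, not from the article or any OEM's tooling: a read-only PowerShell check that covers both the Windows Security review described earlier and the inventory step above (Secure Boot state, presence of the 2023 KEK and db certificates, BIOS version, BitLocker recovery protector). It assumes an elevated session on Windows 10/11; the 2023 certificate subject names are the published replacement CA names and are not taken from the article, and the green/yellow/red labels follow the article's reading of the Windows Security panel.

```powershell
# Added example (not from the article or any OEM). Read-only readiness report for one PC;
# run elevated. The 2023 certificate subject strings are the documented replacement CA names.
function Get-SecureBootReadiness {
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $r = [ordered]@{
        ComputerName        = $env:COMPUTERNAME
        Model               = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
        BiosVersion         = $bios.SMBIOSBIOSVersion
        BiosReleaseDate     = $bios.ReleaseDate
        SecureBootEnabled   = $null    # $true, $false, or 'NotUEFI'
        Kek2023Present      = $false   # Microsoft Corporation KEK 2K CA 2023 in the KEK variable
        WindowsUefiCa2023   = $false   # Windows UEFI CA 2023 in db (signs the new boot manager)
        MicrosoftUefiCa2023 = $false   # Microsoft UEFI CA 2023 in db (third-party option ROMs, shims)
        RecoveryProtector   = $null    # BitLocker recovery password protector exists on the OS volume
        Assessment          = 'Unknown'
    }
    try { $r.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $r.SecureBootEnabled = 'NotUEFI' }   # throws on legacy BIOS / CSM systems
    if ($r.SecureBootEnabled -eq $true) {
        # Certificate subjects are stored as ASCII inside the DER blobs of the KEK and db variables
        $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $r.Kek2023Present      = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        $r.WindowsUefiCa2023   = $db  -match 'Windows UEFI CA 2023'
        $r.MicrosoftUefiCa2023 = $db  -match 'Microsoft UEFI CA 2023'
    }
    # The BitLocker module is absent on Home editions; skip the check rather than fail
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $os = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($os) {
            $r.RecoveryProtector = [bool]($os.KeyProtector |
                Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
    # Roughly the article's green / yellow / red reading of the Windows Security checkpoint
    if ($r.SecureBootEnabled -ne $true) {
        $r.Assessment = 'Red: Secure Boot off or not UEFI; needs vendor-specific guidance'
    } elseif ($r.Kek2023Present -and $r.WindowsUefiCa2023) {
        $r.Assessment = 'Green: 2023 certificates applied'
    } else {
        $r.Assessment = 'Yellow: pending Windows Update or OEM firmware update'
    }
    [pscustomobject]$r
}

# Print one report; for a fleet, wrap the function in Invoke-Command against a host list
Get-SecureBootReadiness | Format-List
```

A device that reports Green but still lacks a recovery password protector should be fixed before any firmware update is pushed, since the BIOS update itself is the step most likely to trigger a BitLocker recovery prompt.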
Older PCs are the uncomfortable edge case. OEMs commonly stop firmware work when a model reaches end of service life, and Windows Latest notes that vendors such as Dell, HP and Lenovo define support boundaries in their own documentation. If a device cannot receive the required firmware support, do not assume a registry workaround is a long-term security strategy. Mark it for replacement planning or isolate it according to your organization’s risk rules.
Bottom line
Most everyday Windows 10 and Windows 11 users on supported hardware probably need only Windows Update, the latest OEM firmware and a quick Windows Security check. Enthusiasts and administrators should be more deliberate: back up BitLocker keys, verify the specific model page, install the required BIOS update, and recheck Secure Boot status after the necessary restarts. The transition is not a reason to panic, but it is exactly the kind of firmware maintenance that becomes painful when ignored until a security warning, help-desk ticket or recovery-key prompt appears.
Source: Windows Latest