How Major PC Makers Are Rapidly Addressing the Windows 11 Secure‑Boot Certificate Update
The Windows 11 UEFI CA 2023 secure‑boot certificate is being rolled out via Windows Update, but successful installation depends on each OEM’s BIOS update, and manufacturers such as ASUS, Lenovo, Dell, HP, MSI, Acer, Samsung, LG and Surface have published detailed guidance, manual steps, and warnings for users.
Microsoft distributes the UEFI CA 2023 Secure‑Boot certificate through Windows Update. The update succeeds only if the device is running a BIOS version that includes the new certificate.
ASUS
ASUS provides separate guidance for consumer and business devices. Most systems receive the certificate automatically via Windows Update. When Windows Security shows a yellow or red Secure‑Boot warning, ASUS supplies PowerShell commands to query the certificate status and a manual registry‑update procedure. Devices released in 2024 and later ship with the 2023 certificate pre‑installed. A Q&A document explains event‑log error codes 1801 through 1808 and their remediation.
https://www.asus.com/us/support/faq/1055903
https://www.asus.com/support/faq/1056827
Lenovo
Lenovo’s guide covers the entire ThinkPad, ThinkCentre, IdeaPad, Legion and Yoga line‑ups. For each supported model Lenovo publishes a direct BIOS download link, eliminating the need to search driver pages. Lenovo states that devices that have reached end‑of‑life will not receive a Secure‑Boot transition BIOS. Enterprise customers can also use the provided Intune and SCCM deployment instructions.
https://support.lenovo.com/us/en/solutions/HT518129
Dell
Dell lists update status per product family (Alienware, Inspiron, XPS, Latitude, OptiPlex, etc.). Platforms whose service ended before 1 January 2026 will not receive a BIOS update (e.g., 2019 Inspiron). Starting at the end of 2024, Dell ships both the 2011 and 2023 certificates on all new platforms, giving mixed‑generation fleets flexibility. Some older XPS desktops encounter update failures because the firmware partition is too small to hold the new certificate.
https://www.dell.com/support/kbdoc/en-in/000347876/microsoft-2011-secure-boot-certificate-expiration
HP
HP separates consumer and commercial paths. Consumer PCs with a qualifying BIOS version receive the update automatically via Windows Update. Commercial PCs must verify that the BIOS version string contains the substring “SBKPFV3”. HP schedules BIOS releases for business PCs launched in 2022‑2023 to be delivered by September 2025, and for 2019‑2021 models by December 2025; devices from 2018 or earlier will not be updated. Early‑2026 BIOS releases caused BitLocker recovery‑key loops and boot failures, which HP has acknowledged and patched.
https://support.hp.com/us-en/document/ish_13070353-13070429-16
MSI
MSI’s policy is based on CPU generation. Laptops with 7th to 11th gen Intel or AMD Ryzen 3000H to 5000U processors receive the certificate automatically via Windows Update. Models with 12th gen and newer Intel or AMD Ryzen 5000H+ processors require a BIOS flash supplied by MSI. MSI advises backing up the BitLocker recovery key before flashing. After a successful update, an event‑log entry appears with source “TPM‑WMI” and Event ID 1808.
https://us.msi.com/faq/faq-11305
Acer
Acer’s official guide covers the Aspire, Nitro, Predator and Swift series. BIOS updates were released for some models between 12 June 2026 and 26 June 2026; other models remain “in progress”. Acer also recommends backing up the BitLocker recovery key. Older Acer devices (e.g., Aspire TC‑895 from 2020‑2022) have been reported to stay on a yellow Secure‑Boot warning with no BIOS update available.
https://community.acer.com/en/kb/articles/18840-update-your-secure-boot-certificates-in-june-2026-to-stay-protected
Samsung
Samsung announced on its Korean website that Galaxy Book 3 and older models can update automatically via Windows Update. After the certificate expires the PCs will still boot, but firmware‑level security updates and malware protection will cease.
https://www.samsung.com/sec/support/newsalert/3963
LG
LG provides a guide for the gram series and other PCs. Users are instructed to check Secure‑Boot status in the Windows Security app and, if automatic installation fails, to manually download the BIOS update from the LG support site.
https://www.lg.com/us/support/help-library/lg-pc-windows-secure-boot-certificate-update-troubleshooting-guide-CT00000317-20155021548818
Microsoft Surface
Surface devices receive the 2023 certificate through the standard Windows Update channel as long as they remain within the supported lifecycle. Surface models that are no longer supported will not receive the update.
https://support.microsoft.com/en-US/surface/drivers-firmware/surface-secure-boot-certificates
In summary, enabling Windows Update is sufficient for the majority of PCs. When firmware limitations prevent automatic installation, users should consult the OEM‑specific guide, back up the BitLocker recovery key, and follow the documented BIOS‑flashing procedure only if they are comfortable with firmware updates.
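A read-only status check that combines three checks mentioned above: the PowerShell certificate query ASUS describes, the "SBKPFV3" BIOS string HP asks commercial users to verify, and the Event ID 1808 entry MSI describes. This is an added example, not code from any OEM guide; the function name, the provider name `Microsoft-Windows-TPM-WMI`, the certificate name `Windows UEFI CA 2023`, and the use of `SMBIOSBIOSVersion` as the BIOS version string are assumptions.

```powershell
# Added example: read-only Secure Boot certificate status check (run elevated).
# Assumed names: provider 'Microsoft-Windows-TPM-WMI' for the "TPM-WMI" source,
# 'Windows UEFI CA 2023' as the certificate name to look for in the db variable,
# and Win32_BIOS.SMBIOSBIOSVersion as the BIOS version string.
function Get-SecureBootCertStatus {
    $r = [ordered]@{
        SecureBootEnabled = 'unknown'; DbHas2023Cert = 'unknown'
        Event1808Found = $false; RecentEventIds = @()
        Manufacturer = $null; BiosVersion = $null; HpSbkpfv3 = 'n/a'
    }
    # Both cmdlets throw on legacy-BIOS systems or without elevation.
    try {
        $r.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        # db is a binary signature list; a text match finds the certificate
        # name embedded in it.
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $r.DbHas2023Cert = $text -match 'Windows UEFI CA 2023'
    } catch {
        Write-Warning "Secure Boot variables not readable: $($_.Exception.Message)"
    }
    # Events 1801-1808 in the System log; 1808 is the entry logged after a
    # successful update.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801..1808
    } -MaxEvents 50 -ErrorAction SilentlyContinue
    if ($events) {
        $r.RecentEventIds = @($events | Select-Object -ExpandProperty Id -Unique)
        $r.Event1808Found = $r.RecentEventIds -contains 1808
    }
    # HP commercial PCs only: the BIOS version string must contain SBKPFV3.
    $r.Manufacturer = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
    $r.BiosVersion  = (Get-CimInstance -ClassName Win32_BIOS).SMBIOSBIOSVersion
    if ($r.Manufacturer -match '^(HP|Hewlett)') {
        $r.HpSbkpfv3 = $r.BiosVersion -like '*SBKPFV3*'
    }
    [pscustomobject]$r
}

Get-SecureBootCertStatus | Format-List
```

The function changes nothing on the device, so its output can be collected across a fleet to find machines that still need an OEM BIOS update before the certificate can install.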
Source: republished with permission from 知彼而知己 (ID: heu168)
Author: 知彼而知己
