Clarifying Microsoft Secure Boot Certificate Expiration

Asked By CuriousTechie85 On

I'm seeking some clarity on the expiration of the Microsoft 2011 Secure Boot certificates. We primarily use Dell machines, and while I've read through the documentation, it's left me a bit puzzled. From what I gather, Microsoft is rolling out a fix through Windows Updates and also collaborating with third-party vendors to update BIOS with the new certificate. But do I need to do both (the Windows Update and the BIOS update) to effectively resolve the issue? I've seen indications that the Windows Update can help but isn't a permanent fix since toggling the Secure Boot on and off could lead to the certificate being removed. I'd appreciate any insights on this.

4 Answers

Answered By ServerGuru2023 On

By the way, if you're not using Secure Boot at all and just running virtual servers, this KB might not apply to you directly. It seems like Microsoft is really due for an FAQ on all this to clear things up!

CuriousTechie85 -

That's a good point! We don't use Secure Boot on all our systems, so maybe it won't be as big of an issue for us.

Answered By TechWizard101 On

It’s definitely a bit confusing! From what I’ve seen, newer machines appear to come with the new Secure Boot certificate already. So, while Windows Update plays a role, it’s not the only way to get the new certificate in place. You'll need Secure Boot enabled, the latest BIOS (ideally), and the July 2025 Cumulative Update or later, plus some registry tweaks and a scheduled task. It's manageable with PowerShell if you’re into automation!

SkepticalSysAdmin -

Got it! So it sounds like there's a lot to check off. Thanks for clarifying that!

Answered By SystemAdminGabe On

I wouldn’t stress too much about the 2023 certificate. The bigger concern is the old 2011 one in the dbx; that could prevent Secure Boot mode from working properly. Just keep an eye on updates and test your systems once everything rolls out.

Answered By DataExpertMike On

Anyone else find that as long as Secure Boot isn't enabled, it doesn’t impact the boot process? If you remain off that feature, you won't face issues related to the certs at all.

ServerGuru2023 -

Exactly! It’s less of a worry if Secure Boot isn’t in use.
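
Added example, not part of the original thread: a read-only PowerShell report of the state the answers above discuss (Secure Boot on or off, the 2023 certificates in the active and firmware-default stores, the 2011 certificate in the dbx). It uses the built-in `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` cmdlets from an elevated session; the function names are hypothetical, and it assumes the firmware exposes `dbDefault`, which not every machine does.

```powershell
# Added example: read-only, changes nothing. Run from an elevated PowerShell session.
function Test-UefiVarContains {
    param(
        [Parameter(Mandatory)][string]$Name,     # UEFI variable: db, dbx, KEK, dbDefault
        [Parameter(Mandatory)][string]$Subject   # certificate name to look for
    )
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    } catch {
        return $null   # variable undefined, legacy BIOS, or session not elevated
    }
    if (-not $var -or -not $var.Bytes) { return $false }
    # The signature list is binary, but certificate subject names inside it
    # are readable once the bytes are decoded as ASCII.
    $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    return $text.Contains($Subject)
}

function Get-SecureBootCertReport {
    try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = $null }   # not a UEFI system, or not elevated

    $ca2023  = 'Windows UEFI CA 2023'
    $pca2011 = 'Microsoft Windows Production PCA 2011'

    [pscustomobject]@{
        SecureBootEnabled  = $enabled
        # Active db: what the Windows-side update writes.
        ActiveDbHas2023    = Test-UefiVarContains -Name db -Subject $ca2023
        # Firmware default db: what a reset to factory keys would restore.
        # Only a BIOS update changes this one.
        DefaultDbHas2023   = Test-UefiVarContains -Name dbDefault -Subject $ca2023
        KekHas2023         = Test-UefiVarContains -Name KEK -Subject 'Microsoft Corporation KEK 2K CA 2023'
        ActiveDbHas2011    = Test-UefiVarContains -Name db -Subject $pca2011
        # True here means the 2011 certificate has been revoked on this machine.
        DbxRevokes2011     = Test-UefiVarContains -Name dbx -Subject $pca2011
    }
}

Get-SecureBootCertReport | Format-List
```

A `$null` in any field means the value could not be read, not that the certificate is absent. `ActiveDbHas2023` true with `DefaultDbHas2023` false is the case raised in the question: the certificate is present now but is not part of the firmware defaults.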
