Windows Secure Boot Certificate Update

Action is required before June 2026 to avoid potential security and compatibility issues on Windows devices with expired boot certificates.

Microsoft has announced that important Windows Secure Boot certificates used to protect the startup process of Windows devices will begin expiring in June 2026. To maintain device security and compatibility, systems must receive updated Secure Boot certificates.


What is Secure Boot and what is changing

Secure Boot helps protect Windows devices from low-level malware and unauthorized software during startup. Microsoft is replacing older Secure Boot certificates issued in 2011 with newer certificates issued in 2023.

Which machines are affected:

The following systems are most likely to require attention:

  • Windows 10 devices
  • Older Windows 11 devices that have not been regularly updated
  • Devices that rarely connect to the corporate network or VPN
  • Systems with outdated BIOS/UEFI firmware
  • Older laptops/desktops or custom-built PCs

Most fully patched Windows 11 systems should receive these updates automatically through Windows Update.

What you need to do as soon as possible:

  1. Run Windows Update, install all available updates, and restart your computer
    - Leave your device powered on after updates.
    - Some Secure Boot updates are applied during reboot and startup.

  2. Do not disable Secure Boot in BIOS/UEFI
    - Disabling Secure Boot may prevent the new protections from being applied correctly.

  3. Let us know if your device:
    • fails to boot,
    • repeatedly asks for BitLocker recovery keys,
    • cannot complete updates,
    • or shows Secure Boot warnings.

How to check if your device has updates or has been updated:

Please ensure all the latest Windows Updates are properly installed on your workstation.

To check for Windows Updates on your computer, please click the following link:

Check for Windows Updates

Advanced users can verify the new certificate by opening PowerShell as Administrator and running:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If the command returns True, the updated 2023 certificate is installed.

What happens if you do not do this update:

Devices that do not receive the updated certificates may eventually:

  • Lose some Secure Boot protections
  • Encounter boot or update issues in future Windows releases
  • Become more vulnerable to advanced boot-level attacks

How to Evaluate Secure Boot Status After Updating:

  1. Press the Start button

  2. Type: msinfo32

  3. Open “System Information”

  4. Look for:
    • BIOS Mode → UEFI or Legacy
    • Secure Boot State → On / Off / Unsupported
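
The two checks described above (the Secure Boot state shown in msinfo32 and the PowerShell certificate check) combined into one script, as an added example that is not part of the original notice. The function name Get-SecureBootCertStatus and its output field names are made up for illustration; run it in PowerShell as Administrator.

```powershell
# Added example, not part of the original notice. Run in PowerShell as Administrator.
# Get-SecureBootCertStatus and its output field names are hypothetical.
function Get-SecureBootCertStatus {
    $status = [ordered]@{
        ComputerName  = $env:COMPUTERNAME
        SecureBootOn  = $false
        Has2023DbCert = $false
        Detail        = ''
    }

    # Step 1: Secure Boot state (what msinfo32 shows as "Secure Boot State").
    # Confirm-SecureBootUEFI returns True/False on UEFI systems and raises an
    # error on Legacy BIOS or when the session is not elevated.
    try {
        $status.SecureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch {
        $status.Detail = "Secure Boot state unavailable: $($_.Exception.Message)"
        return [pscustomobject]$status
    }

    # Step 2: look for the 2023 certificate name in the db variable,
    # using the same string match as the one-line check in this notice.
    try {
        $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $status.Has2023DbCert = $text -match 'Windows UEFI CA 2023'
    }
    catch {
        $status.Detail = "Could not read the db variable: $($_.Exception.Message)"
        return [pscustomobject]$status
    }

    # Step 3: summarize so the result can be passed on when asking for support.
    $status.Detail = if (-not $status.SecureBootOn) {
        'Secure Boot is off; do not leave it disabled.'
    } elseif ($status.Has2023DbCert) {
        '2023 certificate found in db.'
    } else {
        '2023 certificate not found; install pending Windows Updates and restart.'
    }
    [pscustomobject]$status
}

Get-SecureBootCertStatus | Format-List
```
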
Please reach out to UITS for additional support on Secure Boot if needed.
Thank you.

Known Devices Not in Scope for 2023 Secure Boot Certificate Updates

Microsoft’s 2023 Secure Boot certificate rollout is intended for most modern Windows 10/11 devices shipped since about 2012, but certain older or unsupported platforms are excluded from receiving BIOS/UEFI firmware updates with the new certificates. 

Dell’s Published “Out-of-Scope” List

Dell has explicitly stated that the following models do not have planned BIOS updates with the 2023 certificates, meaning they will continue to use the original 2011 certificates.

Alienware Models:

  • Alienware 13 R2, Area-51m R2, 13 R3, Aurora R5, 15 R2, Aurora R6, 15 R3, Aurora R7, 15 R4, Aurora R8, 17, M14X R2, 17 R2, m15 R3, 17 R3, m15 R4, 17 R4, m17 R3, 17 R5, m17 R4, Area 51, m17X, Area-51M, m18X R2

  • ChengMing 3980 Tower, 3988 Edge Gateway, Dell Edge Gateway 3000 OEM, Dell Edge Gateway 3000

  • Embedded Box PC PC 5000, OEM G-Series Dell G3 3579, G5 Desktop 5000, G3 3590, G5 Desktop 5090, G3 3779, G7 7588, G5 5500, G7 7590, G5 5587, G7 7790, G5 5590, Dell G15 5521

  • Dimension 2100, 8200, 2300, 8300, 3000, 9200, 3100C, L__c, 4100, L__cx, 4300, L__cxe, 4600, L__r, 8100

  • Inspiron 1100, 5410, 14 3452, 5415, 14 3467, 5418, 14 5439, 5480, 14 5458, 5481, 14 5459, 5482, 15 3552, 5485, 15 3558, 5485, 2-in-1 15 3565, 5488, 15 3567, 5490, 15 3573, 5490 All in One Inspiron

Other OEMs:

  • Latitude, OptiPlex, Precision, Vostro, XPS (some older models)

  • Embedded Box PC PC 5000 OEM

  • Dell G-Series desktops and laptops (many G3/G5/G7 models)

  • Dimension series desktops (many 2xxx/3xxx/4xxx/8xxx/9xxx models)

  • Inspiron series (many 1xxx/5xxx/14xxx/15xxx/54xxx/548xxx/549xxx models)

 

If your system shipped before 2020, or it is in the following list, there is no plan for BIOS updates with the 2023 certificates included.

More Information about Secure Boot from Dell (Including Specific PC Models) is available here: https://www.dell.com/support/kbdoc/en-us/000378734/microsoft-2011-secur…