According to a TechRadar review, Microsoft has paused the rollout of updated Secure Boot certificates for some Windows 11 PCs that are experiencing firmware compatibility issues. This affects devices using certificates issued in 2011 which are now expired, causing an update block until manufacturers provide necessary firmware patches.

  • Firmware constraints block Secure Boot certificate updates on some Windows 11 PCs
  • Older or unsupported devices face gradual security reduction without immediate failure
  • OEM firmware updates needed for full Secure Boot protection with latest certificates

Product angle

The source review highlights that Microsoft’s Secure Boot update for Windows 11 PCs has encountered a halt for certain devices relying on outdated firmware or OEM support. Secure Boot is crucial for verifying authentic software before booting Windows, helping prevent boot-level malware infections, but older devices with expired certificates issued in 2011 are unable to update to the new 2023 certificate. This blocking approach is a preventive measure to avoid installation failures and mitigate risks while awaiting OEM firmware patches.

Microsoft’s collaboration with hardware manufacturers aims to release BIOS or firmware updates that enable affected devices to install the new certificates smoothly. Devices without available updates may experience a gradual decrease in security over time, though regular Windows updates can continue and basic Secure Boot protections remain intact. The review advises users to proactively check their Secure Boot certificate status and OEM support channels to assess device readiness.

Best for / avoid if

This update and associated protections are best suited for users with mid-to-latest generation Windows 11 PCs that receive regular OEM firmware updates, allowing seamless Secure Boot certificate installations. Enterprises and security-conscious consumers relying on this mechanism will benefit from ongoing manufacturer support ensuring up-to-date boot security.

Users of older devices or those no longer supported by OEMs should be cautious. Since these systems might not receive necessary firmware updates, they could face a growing security gap over time. Such users need to consider alternative security strategies or system upgrades, as relying on Windows’ Secure Boot without current certificates may not ensure maximum protection against evolving boot-level threats.

Pricing and alternatives to check

Microsoft distributes Secure Boot certificate updates as part of its regular Windows Update service at no additional cost, integrated within the Windows 11 OS ecosystem. Consequently, there is no separate pricing structure for maintaining Secure Boot certificates, and users should ensure that all available Windows updates are consistently applied to maintain system protections.

For devices unable to update certificates due to firmware limitations, users should explore OEM support websites for potential BIOS or firmware upgrades that might restore full Secure Boot compatibility. Alternatives include upgrading to newer hardware models from manufacturers that support ongoing firmware patching or considering third-party security solutions aimed at complementary layers of boot-time protection, though these may involve additional costs and configuration complexity.

Source assisted: This briefing began from a discovered source item from TechRadar Software. Open the original source.
Review disclosure: Review-watch pages are buyer briefings unless clearly labelled as hands-on SignalDesk reviews. Affiliate, sponsor or free-access relationships should be disclosed on the page. Read the review methodology.
How SignalDesk reports: feeds and outside sources are used for discovery. Public briefings are edited to add context, buyer relevance and attribution before they are published. Read the standards

Related briefings