
Microsoft Pauses Secure Boot Certificate Updates for Some Windows PCs
Microsoft has temporarily halted the rollout of new Secure Boot 2023 certificates for a number of Windows 10 and Windows 11 devices after identifying compatibility issues on certain hardware, including several HP systems.
The pause means affected PCs cannot currently receive the updated Secure Boot certificates required to replace Microsoft’s legacy certificates that began expiring on June 24, 2026.
Why the Rollout Has Been Paused
According to Microsoft, most Windows PCs automatically receive the new Secure Boot certificates through Windows Update.
However, some devices require a BIOS or UEFI firmware update from the computer manufacturer before the certificates can be installed safely.
Microsoft says many OEMs are already releasing these firmware updates through their normal update channels, but affected users will need to wait until their manufacturer provides the necessary firmware.
Warning Messages Users May See
Windows Security may display one of two messages if your PC is affected:
1. Temporary Pause
“Devices in this group are affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution. Contact your device manufacturer for assistance.”
2. Hardware Limitation
“Secure Boot is on, but your device does not support the automated Secure Boot certificate update due to hardware or firmware limitations. Contact your device manufacturer for assistance.”
If either message appears, the Secure Boot update cannot currently be installed until compatible firmware becomes available.
You Can’t Force the Update
Unlike normal Windows updates, the Secure Boot certificate installation cannot be manually forced if your device has been blocked.
Users must wait for their PC manufacturer—such as HP or another OEM—to release a firmware update that enables compatibility with the Secure Boot 2023 certificates.
What Happens If Your Certificates Expire?
Microsoft says affected PCs will continue to boot and function normally even after the old certificates expire.
Users will still receive regular Windows updates, but there is an important limitation:
- Future boot-level security updates that rely on the new Secure Boot certificates cannot be installed.
- Protection against emerging threats such as bootkits and rootkits will gradually become less effective.
- Features that depend on Secure Boot, including device encryption and certain startup security mechanisms, may eventually stop functioning correctly.
Risk Is Low—for Now
Microsoft emphasizes that the immediate risk remains relatively low, as systems with expired certificates will continue operating normally.
However, the security impact will grow over time as Microsoft releases new protections that require the updated Secure Boot certificate chain. Until firmware updates become available from affected PC manufacturers, users have little choice but to wait for Microsoft and its hardware partners to complete the rollout.

