Recently, a batch of Secure Boot certificates first issued by Microsoft for Windows devices in 2011 have officially expired. Major PC manufacturers around the world are updating certificates for user devices and strengthening security protection during the boot stage by pushing new versions of BIOS firmware. To help end users complete this transition, brands such as ASUS, Dell, HP, Lenovo, MSI, and Acer have released detailed operation guides and are gradually providing new certificates through Windows updates or official website BIOS packages.

According to information released by ASUS, its consumer PCs will automatically receive secure boot certificate updates through Windows Update. Users can also use PowerShell to manually check to confirm whether the new certificate has been installed. If it has not been updated yet, users can follow the ASUS official guide to execute the preset Secure‑Boot‑Update scheduled task to complete the installation of the latest certificate. Lenovo provides direct BIOS download links for different product lines on its official website, covering ThinkPad, ThinkCentre, IdeaPad, Legion, Yoga and other series. It also makes it clear that some older models that have stopped supporting will no longer receive BIOS updates containing new Secure Boot certificates.

Dell stated that devices with an end-of-service date earlier than January 1, 2026 will not receive this certificate update. The update is mainly for newer Alienware, Inspiron, XPS, Latitude, OptiPlex, Precision, Vostro and Wyse series products. HP differentiates between consumer and enterprise users: Consumer PCs will get new certificates through Windows Update, while enterprise devices will need to meet the minimum BIOS version requirement that contains the SBKPFV3 substring in the SMBIOS Type 1 field to receive updates. At the same time, HP also pointed out that some models released in 2018 and earlier cannot be upgraded to a BIOS that includes the new certificate.

MSI’s strategy is to push new certificates through Windows Update for devices equipped with Intel’s 7th to 11th generation Core processors or AMD Ryzen 3000H to 5000U processors; while platforms using Intel’s 12th generation or later, Ryzen 5000H and later processors require users to flash the BIOS. MSI’s official website has launched a download page for BIOS update packages for compatible devices, allowing users to obtain and upgrade by model. Acer is pushing BIOS updates to its Aspire, Nitro, Predator, Swift, Extensa, TravelMate and Spin series of compatible devices through Windows Update. Some devices have completed certificate updates between June 12 and June 26, and the remaining models are expected to complete the push in the near future.

On its own Surface product line, Microsoft has released a special Secure Boot certificate update guide, confirming that all Surface Pro, Surface Laptop, Surface Book and Surface Studio models that are still in the support cycle will obtain the 2023 version of the certificate through Windows updates. For devices that have exceeded the scope of support, Microsoft will no longer provide relevant updates in accordance with established software life cycle policies. Microsoft has also previously emphasized that the expiration of the Secure Boot certificate itself will not affect the daily functionality of the device, and PCs that have not been updated can still run normally and receive regular security patches.

However, if the device is not updated to the latest certificate in time, it may not be able to enable some of the latest security protection mechanisms designed for the early boot stage, theoretically increasing the risk of encountering attacks such as bootkits, firmware layer rootkits, and boot sector viruses. In the context that major OEMs have begun to push BIOS and certificate updates intensively, the industry generally recommends that users follow the official guidelines issued by each brand to confirm the support status of their devices and complete the update as soon as possible to ensure that the security during the boot and boot process is not weakened by certificate expiration.