This one still doesn't seem to be getting a lot of notice - the original 2011 set of Secure Boot bios certificates on PCs start expiring in June, which will start causing (hopefully minor) issues for anyone with an older PC who hasn't upgraded to the newer 2023 set which are then good to 2053.

The process has turned out to be slightly complicated by varying amounts of bios/uefi functionality and OEM updates often being thin on the ground.

Now I've been aware of this for a while but keep forgetting about it, and there's sure to be some bit of kit that'll have issues.

Would have forgotten about it except I was looking at something on my laptop today, needed to look at the logs, and saw logged TPM messages about how it had the updates but they weren't applied. For some reason I'd assumed it had just done it but no. And not the simplest process once you find it - set a registry key, then run a scheduled task (if enabled), look at event logs to see what happened, reboot a couple of times. All went smoothly in the end but despite all sorts of scripts & other stuff having been installed by updates the whole thing is basically invisible *even if you're aware of it* and needed manual intervention, with the instructions not the easiest to find; got further asking AI than I did with the official instructions.

The update process does have the possibility to royally fk your PC if it goes wrong depend on what your machine is like, especially if you have encryption/Bitlocker turned on when updating.


The whole situation is so incredibly low key, deliberately so, it could almost have a Beware of the Leopard sign - guess built in breaking obsolescence isn't something anyone wants to talk about.



Anyway the date is looming and you might be oblivious to a lurking unapplied fix on your PC. I know I was, and I've know about the general issue for ages.

Thing is >90% of people are going to be oblivious and even competent people aren't going to know, and even fewer will pick up how to fix it.

For something that hits so many home users it's been utterly mishandled and weirdly under reported. And the technical process is opaque and fragile. Almost like everyone has just hoped it will go away if they ignore it.

I found it wasn't exactly straightforward for me to find or apply and I like to think I'm competent with most of this stuff, the non techies have no chance.

The average user will just go and buy a new laptop.
More landfill for us, more profits for them (bad simile but you know what I mean).

Or (and this is fairly typical of the quality/ease of the process) got to Event Viewer, Windows Logs, System and look for an error from TPM-WMI, or run C:\Windows\SecureBoot\ExampleRolloutScripts\Detect-SecureBootCertUpdateStatus.ps1 in an Admin Powershell or Powershell ISE and look for green in the Certificate Update Summary at the end.

Easy stuff...

Any newer PC should hopefully be fine already, but anything 2023 or older definitely needs checking. Not sure when it really got rolled out, even fairly new stuff can need sorting.

Run Device Security to see if Secure Boot is enabled.

My work PC tells me its on and there is an issue...


Clicking on "Learn more" takes me to here where it tells me...

"Most Windows devices will receive the updated certificates automatically, and many OEMs provide firmware updates when needed."

So basically, keep your device up to date and you'll probably be OK

Yup, my secure boot is enabled so I'm affected (on this laptop - others still to check)

I had to enable scripts to run, but after this, yes, I have geen in the summary at the end, in that all of the 'updated' words are green.

Many thanks to both for explaining the process.