Applies To
Windows 10; Windows 10, version 1607, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original Publish Date: June 29, 2026

KB ID: 5105943

Introduction 

Microsoft is rolling out updated Secure Boot certificates to Windows devices to maintain protection against evolving boot-level threats. Most devices receive these updates automatically through Windows Update. This article explains why some devices are blocked from updating Secure Boot certificates, what this means, and what actions you can consider. 

Note: For general Secure Boot troubleshooting guidance for IT professionals, see the Secure Boot troubleshooting guide.

A quick Secure Boot summary 

Secure Boot is a Windows feature that checks the PC each time it starts. Before Windows loads, Secure Boot verifies that the software about to run is signed by a trusted source. If the signature isn’t recognized, the PC won’t start that software. This blocks a major class of malware that might attempt to load before Windows starts. 

To protect your device, Secure Boot is designed so that only the original equipment manufacturer (OEM) can authorize changes to your PC at this root level.  

Why you might not have received a full update 

The Windows Security app is the easiest way to check whether your device’s Secure Boot status is up to date, or whether a firmware update from the manufacturer is required. 

On the vast majority of PCs, the full set of Secure Boot certificates installs automatically through Windows Update. Some devices require a firmware update from the PC manufacturer before you can install the necessary Secure Boot updates. Many OEMs are actively releasing these firmware updates through their standard update channels. If a firmware update is required, check your OEM’s Secure Boot support page for next steps.
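To check from a command line rather than the Windows Security app, the following added example (not part of the original article and not Microsoft's own tooling) reads the Secure Boot KEK and db UEFI variables and lists each certificate with its expiry date. The variable names and the EFI_SIGNATURE_LIST layout come from the UEFI specification, not from this article, and Get-SignatureListCertificate is a hypothetical helper name.

```powershell
# Added example (not from the original article): list the X.509 certificates
# held in the Secure Boot KEK and db variables, with their expiry dates.
# Run in an elevated Windows PowerShell session on a UEFI device.

# EFI_CERT_X509_GUID from the UEFI specification (signature list of X.509 certs).
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SignatureListCertificate {
    # Hypothetical helper: walks concatenated EFI_SIGNATURE_LIST structures.
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: 16-byte type GUID, then three little-endian UINT32 sizes.
        $type       = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end        = $offset + $listSize
        # Stop on a malformed list instead of looping or reading out of bounds.
        if ($listSize -lt 28 -or $end -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $headerSize
            while ($entry + $sigSize -le $end) {
                # Each entry: 16-byte owner GUID followed by a DER certificate.
                $der = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $sigSize
            }
        }
        $offset = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled on this device.'
}

foreach ($name in 'KEK', 'db') {
    Get-SignatureListCertificate -Bytes (Get-SecureBootUEFI -Name $name).Bytes |
        Select-Object @{ n = 'Variable'; e = { $name } }, Subject, NotAfter,
                      @{ n = 'Expired';  e = { $_.NotAfter -lt (Get-Date) } }
}
```

If every certificate listed is at or near its NotAfter date, the device has not yet received the updated certificates.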

In some cases, Windows Security might indicate that Secure Boot certificate updates are temporarily paused or blocked by displaying one of these messages: 

Screenshot of Windows Security warning that Secure Boot certificate updates are paused

Message: Devices in this group are affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution. Contact your device manufacturer for assistance.

Action Required: A firmware update is required but might not yet be available. When it becomes available, the firmware update will be released and installed through your OEM's standard update channel. Check your device manufacturer's Secure Boot support page for next steps.

Screenshot of Windows Security warning that Secure Boot certificate updates are blocked

Message: Secure Boot is on, but your device does not support the automated Secure Boot certificate update due to hardware or firmware limitations. Contact your device manufacturer for assistance.

Action Required: Your PC model might no longer be supported by the OEM, or the OEM might no longer be able to provide the firmware updates needed to update your device's Secure Boot trust configuration. Check your OEM’s Secure Boot support page to confirm whether your device is out of support or whether a firmware update is available.

What happens if you can't install the new Secure Boot certificates?

If your device reaches the expiration date without the new certificates, it will continue to start and operate normally. Standard Windows updates will still be installed. However, as new security updates are released that address threats to the early boot process, your device won’t be able to receive them and won’t get the latest protections. 

Over time, as new threats emerge, a device in this expired state becomes progressively less protected. Features that rely on Secure Boot—such as device encryption or certain startup software—might also stop working properly if they require updated security protection.

What continues to work 

  • The device continues to start normally.

  • Windows updates—feature and quality updates, including monthly security updates—continue to install, except for boot‑related security components that require updated certificates (see the list below).

  • Everyday tasks such as using apps, networking, and browsing remain unchanged.

  • Secure Boot remains enabled and continues to provide protection against previously known threats.

What no longer works 

  • New Secure Boot and Boot Manager protections can’t be applied.

  • Newly discovered malicious or vulnerable bootloaders might not be blocked. Protection against future threats may gradually differ from that of fully updated devices.

  • Some non-Microsoft components that rely on Microsoft Secure Boot trust might fail to update if they require newer certificate entries.

If your device can’t install the new Secure Boot certificates, this results in a gradual reduction in long-term security—not an immediate risk or system failure. Continue to follow standard security practices, including staying current with Windows updates.

Important: Disabling Secure Boot is not recommended. Doing so reduces protections and results in a less secure state than leaving the current configuration unchanged.
