HP Recommended

@Riddle_Decipher

Good morning. Same question regarding this problem of Secure Boot certificate expiration (bootmgfw.efi), which is still on the Microsoft PCA 2011 version and ending in 06/2026! I don't want to have my PC not starting at that time. My machine is an HP Pavilion 17-ab400nf (Home and 64 bits) running Win10 22H2, up to date, with the free security extension from Microsoft ESU for another 1 year. My BIOS firmware is AMI version F34 from 02/12/2022 (SMBIOS version 3.2). I went to your driver download page and, after letting it scan, it offers me a BIOS version F34 Rev.A from the release Jan 14, 2023; no more recent ones are offered. I installed it 3 times; it worked for me, but after restarting it is always the version mentioned above, AMI F34 from 02/12/2022...! No newer ones are proposed. I also read a post that I can only find if we tried to update the various revoked certificates, including the one for the UEFI Secure Boot firmware, with a Microsoft method with the DB, DBX databases... HP will not allow you to update the certificate of the UEFI firmware, is this true? In conclusion, what do we do? Will HP deploy a solution? Thank you in advance for any answers or solutions provided.

HP Recommended

@RadcompTech @Jeanluc39 We needed the diagnostics file to understand what kind of impact we are looking at. That said, the last update I received is that we are working on a new BIOS update, which should be available shortly. You will be notified if you subscribe to this page: Click here

Riddle_Decipher
I am an HP Employee


Learning is a journey, not a destination.
Let's keep asking questions and growing together.
HP Recommended

Thanks for such a quick response. I am Frenchy. I used ImageDiags 5.0.0.28 and the result was successful in all tests, no problems on my PC. My question is how to resolve this certificate expiration problem, including that of Secure Boot, ending in 06/2026...! My HP Pavilion 17-ab400nf Win10 64-bit also has the Microsoft ESU extension to benefit from security updates and others for one more year. I don't want to find myself in 06/2026 and notice that my PC no longer starts due to lack of this Secure Boot with the revoked certificate. I subscribed to the page you indicated in your post. I hope that HP finds a solution for its customers. THANKS.

HP Recommended

Hi @Jeanluc39,

I'm glad to hear that your HP Pavilion has passed all the diagnostic tests with ImageDiags. Addressing your concern about certificate expiration, especially regarding secure boot, is crucial to ensuring your system remains operational after 06/2026.

Stay Updated: Continue to keep your system up to date with regular Windows Updates and HP software updates using tools like the HP Support Assistant. This ensures you receive any necessary patches or updates to certificates.
Monitor for BIOS Updates: HP periodically releases BIOS updates that can include updates to certificates used in secure boot. Regularly check for BIOS updates through the HP Support Assistant or HP's official support website tailored for your HP Pavilion 17-ab400nf.
Consult Support Resources: As you are approaching the certificate expiry date, it is prudent to consult HP's support resources and forums. They can provide step-by-step guidance and announcements related to secure boot certificates.

Backup and Prepare for Transitions: Back up important data regularly. In advance of the expiration date, you might want to explore alternatives, such as updating your machine or considering newer technologies that handle certificate updates more dynamically.

Remaining aware and proactive about future security protocols and updates will reduce the risk of running into issues once the current certificates expire. Always ensure critical updates from both HP and Microsoft are applied on time.

Raj_05
HP Support Community Moderator
HP Recommended

@Raj_05 Hello from France. Big thanks for all these explanations, I will follow all your advice. I therefore hope that this transition in 06/2026 will go smoothly with regard to these certificates, and especially that of Secure Boot. THANKS.

HP Recommended

I have been working through this certificate update for over a year now in hopes of remediating the BlackLotus vulnerability. I have been using the registry key to install the new certificate on workstations and laptops, and HP computers have been very hit-or-miss. For example, I was able to install the new certificate on almost 100% of 860 G11 notebooks (over 1000 in total), but only on 8% of 860 G9s (over 1200 total). Throwing BIOS versions into the mix gets even more confusing - I've seen instances where computers with an older BIOS revision will have the new certificate, while the same model running a newer BIOS will have trouble installing it. To be fair, we have been doing BIOS updates ad hoc, but are looking into incorporating a process to update affected computers for this issue.


The majority of our computers are HP, and I'm very concerned about June.
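
For the per-model inconsistency described in the post above, an added example (not part of the original post, and not HP or Microsoft code): a PowerShell script, run elevated on a UEFI machine, that parses the active Secure Boot `db` variable and emits one inventory record per machine with model, BIOS version and whether the 2023 CA is present. The helper name `Get-SecureBootDbCertificate` and the output field names are assumptions made here; the two certificate names are the common names of Microsoft's 2011 and 2023 Windows boot manager CAs.

```powershell
#Requires -RunAsAdministrator
# Added example: inventory the X.509 certificates in the active Secure Boot 'db'.
$x509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID (UEFI spec)

function Get-SecureBootDbCertificate {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then three UINT32 sizes
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }  # malformed
        if ($type -eq $x509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $hdrSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject  = $cert.GetNameInfo('SimpleName', $false)
                    NotAfter = $cert.NotAfter
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

$certs = @(Get-SecureBootDbCertificate -Bytes (Get-SecureBootUEFI -Name db).Bytes)
[pscustomobject]@{
    Computer       = $env:COMPUTERNAME
    Model          = (Get-CimInstance Win32_ComputerSystem).Model
    BiosVersion    = (Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion
    SecureBoot     = Confirm-SecureBootUEFI
    Has2011PCA     = $certs.Subject -contains 'Microsoft Windows Production PCA 2011'
    Has2023CA      = $certs.Subject -contains 'Windows UEFI CA 2023'
    DbCertCount    = $certs.Count
    EarliestExpiry = ($certs | Sort-Object NotAfter | Select-Object -First 1).NotAfter
}
```

Collecting this record before and after a reboot shows whether a newly added certificate persisted in `db`, and grouping the records by `Model` and `BiosVersion` makes the hit-or-miss pattern visible across a fleet.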

HP Recommended

Good morning. Thank you for this response, and I am also concerned about these certificate issues for June 2026. I hope we will have concrete responses from HP.

HP Recommended

@MGuelde

I can't speak directly to your issue, but Microsoft did note a special exemption for HP devices with SureStart enabled. They stated that we cannot update the secure boot certificates ourselves and HP will revert the change via the firmware. Thus for some models, we necessarily require a BIOS update from HP to allow the new 2023 CAs.

Microsoft has several pages related to this topic; they recently mentioned this one in the 365 Weekly Digest email this week: https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-profession...

HP Recommended

Thanks for the reply. I've had success with installing the certificate on a number of HPs following the instructions at How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-..., specifically step one of the Mitigation deployment guidelines section. You make a good point about SureStart blocking the certificate installation, and I'm sure that's part of the problem. My main concern is this information came from articles written in 2023, and as far as I know there haven't been any further communications from HP on what to do to prepare, other than "update BIOS and hope everything goes well in the future". Compare that with Dell, who has articles specifying what BIOS versions their computers need to be at for compliance.

HP Recommended

I agree, I'm concerned HP is waiting until the last minute when this issue has had years to come to a resolution. Shoot, today I noticed that the Rufus ISO burning tool has an option to enforce the 2023 CA on any installation now! Even the open-source guys are already fixing this!

I linked that article as Microsoft just reposted it in the 365 Weekly Digest in a post dated October 15th.
