HP Recommended

Greetings @SteveD70 

 

This is an interesting topic.

 

I don't think the following question has been covered in this thread.

 

Is Secure Boot enabled in Msinfo? Your testing seems to indicate the answer to this question would be no.

 

Quite a few gamers in this Forum using HP PCs are having problems playing games requiring Secure Boot.

 

Secure boot is enabled in the BIOS but Windows indicates Secure Boot off in Msinfo because of the outdated 2011 Secure Boot (PK) database. This anomaly seems to have occurred after the July, 2025 Windows Security updates.

 

HP would need to update the BIOS Secure Boot (PK) database at some point to fix this problem. 

 

Regards

HP Recommended

The machines in our environment have the latest Windows Security updates installed, which includes the latest fixes for Secure Boot. In System Information, Secure Boot  is 'On'.

From everything I've researched so far, in order for Windows 2023 certificates to work in conjunction with our hardware, the BIOS/firmware will require updating to support this.

I appreciate everything the other guy said and all his input, however, at the moment, we don't see it as a Windows OS issue.

Using a bootable USB with a Linux distro, we inspected one of our Windows machines with mokutil and the results showed the dbx and kek are still using 2011 certs. And that was after updating to a new BIOS version that was released only in August.

In further tests using Linux, we manually updated the machine based db and kek to the 2023 version. This isn't our desired method but it might have to be our Plan B.

 

HP Recommended

@nonsequitur777 

Aside from the important points you mentioned, is there anything else we should consider before the certificate expires on June 26?
I assume Microsoft will continue sending updates regarding this certificate issue.

 

HP Recommended

Hello, I manage IT for thousands of EliteBooks and ProBooks.

 

When is HP going to address this SecureBoot CA expiration? We need a firmware update before June, 2026 or the old 2011 CA will expire and our PCs will no longer boot. This is an HP OEM issue that needs addressed by HP, there is nothing we can do on the OS side, Microsoft has a specific exemption listed on their FAQ regarding HP devices with SureStart, which is basically every Elite/Pro/Z model of desktops and laptops.

 

When is HP going to acknowledge this update is impending and give us details on when/how to upgrade our firmware? If Microsoft enforces the 2011 CA revocation then our PCs will stop booting.

HP Recommended

@Riddle_Decipher,

 

On our (HP Community Expert) end, the SecureBoot CA expiration issue is heating up - please provide some feedback, please.

 

Kind Regards,

 

NonSequitur777

 

CC: @Paul_Tikkanen 


HP Recommended

If anyone else is curious, here is the official Microsoft post relating to this issue: https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-sec...

There is an exemption outlined for HP that reads:

HP devices with Sure Start Security: These devices need the latest firmware updates from HP to install the mitigations. The mitigations are blocked until the firmware is updated. Install the latest firmware update from HPs support page — [Link straight to HP Support site]

HP Recommended

Hi, thanks for your feedback, it helps too much for this issue.

But I'm confused. Let me know if I'm wrong, please, I'm not an expert in this field, but I'm looking to know what to do and prevent risk.

 

On the side of NonSequitur777, I understand that if the equipment has these characteristics, we should be fine

  • UEFI mode is enabled (no Legacy boot).

  • Secure Boot is turned On in BIOS (even if the PowerShell string search shows False).

  • TPM 2.0 is present and enabled.

And the side of RadcompTech response, the new HP firmware for protection against certificate expiration is not yet ready and no protections at all.

 

Am I correct?

 

HP Recommended

I'll be curious what HP has to say on this matter, but my own understanding is that you are correct for now BlackskyStar.

 

We are protected today so long as TPM 2.0 is enabled and devices are set to UEFI / Secure Boot.

 

However in June, there will be a certificate revocation and all devices with the 2011 Certificate Authority will then cease to boot without applying a firmware update from HP.

Thankfully there are still about 8 months before this goes into place, but it would be nice if HP would come up with a response rather than waiting til the last minute. This has been a known upcoming issue since Microsoft announced it back in 2023 due to a common vulnerability & exposure report (CVE-2023-24932).

 

I hope this helps clear it up for the community, we just need an official response from HP hopefully with some dates or a list of affected model numbers that need updated.

HP Recommended

@NonSequitur777 Thanks for highlighting this!

We understand that we are experiencing issues related to system firmware and security, involving TPM firmware version conflicts, BIOS updates, and Secure Boot configurations. These types of problems can affect system stability, and application performance, especially on AMD-based systems where specific AMD TPM firmware updates are necessary to resolve attestation failures.

To diagnose this thoroughly and to help us work on a permanent solution, we need you to generate a detailed diagnostic report using the HP ImageDiags tool. This tool collects comprehensive information about your system’s hardware, software, BIOS, security settings, and logs that are essential for our technical team to analyse the root cause and recommend the correct fix.

Please follow these steps carefully to produce and share the diagnostic report:

  • Temporarily disable your antivirus software to avoid any interruptions during the process.
  • Download the HP ImageDiags tool, choosing version 4.x or 5.x, from the official HP link: https://ftp.hp.com/pub/caps-softpaq/cmit/support/HP_ImageDiags.html
  • Extract the downloaded file and run the setup executable with administrator privileges.
  • Follow the onscreen instructions to complete the diagnostic process, which usually takes about 30 to 40 minutes.

 

Once completed, save the generated report file and share it with me on a private message (to ensure your private information is secure and not shared in public) and we can begin the detailed analysis and work on resolving your issue effectively.

Your cooperation is vital and greatly appreciated, as this data allows us to provide the most accurate and timely assistance.

Riddle_Decipher
I am an HP Employee


Learning is a journey, not a destination.
Let's keep asking questions and growing together.
HP Recommended

@Riddle_Decipher

 

I think this is a broader issue than just the single diagnostic report from one single workstation.

 

HP has not publicly addressed the Secure Boot Certificate Authority revocations which are scheduled for June, 2026.

We need to know which BIOS/firmware versions have the updated 2023 CA / Secure Boot certificates before we can know if we are mitigated or not. The Windows side of things is easy enough to check with a couple of PowerShell commands.

 

For example on my own HP Z2 G9 Workstation, I still have the 2011 CA in my boot sector. If I force the registry to use the new 2023 CA and add the 2011 CA to the DBX, then my PC will stop booting. This isn't an issue to be fixed on my end, this is a firmware issue to be fixed by HP at scale. Microsoft has said this is the responsibility of the OEM.
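Added example, not part of any post above and not HP or Microsoft code: a read-only Python parser for the EFI_SIGNATURE_LIST format used by the db, KEK and dbx variables that the posts describe inspecting from Linux and Windows, reporting which 2011 and 2023 Microsoft certificate names a dump contains. The function names are hypothetical, the sample blobs are constructed placeholders rather than real certificates, and names are found by a byte search on the assumption that the subject strings are ASCII-encoded.

```python
import struct
import uuid

# Signature type GUIDs defined by the UEFI specification.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256 = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Microsoft certificate names, matched as raw bytes (assumes ASCII-encoded subjects).
CERT_NAMES = {
    2011: [b"Microsoft Windows Production PCA 2011",
           b"Microsoft Corporation UEFI CA 2011", b"Microsoft Corporation KEK CA 2011"],
    2023: [b"Windows UEFI CA 2023", b"Microsoft UEFI CA 2023",
           b"Microsoft Corporation KEK 2K CA 2023"],
}

def parse_signature_lists(blob, efivarfs=False):
    """Yield (type_guid, data) for every entry in a chain of EFI_SIGNATURE_LISTs."""
    off = 4 if efivarfs else 0  # efivarfs files begin with a 4-byte attribute word
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size < 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        pos, end = off + 28 + hdr_size, off + list_size
        while pos + sig_size <= end:
            yield sig_type, blob[pos + 16:pos + sig_size]  # skip 16-byte owner GUID
            pos += sig_size
        off = end

def summarize(blob, efivarfs=False):
    """Count entry types and list which 2011/2023 Microsoft names are present."""
    out = {"x509": 0, "sha256": 0, 2011: [], 2023: []}
    for sig_type, data in parse_signature_lists(blob, efivarfs):
        if sig_type == EFI_CERT_SHA256:
            out["sha256"] += 1
        elif sig_type == EFI_CERT_X509:
            out["x509"] += 1
            for year, names in CERT_NAMES.items():
                out[year] += [n.decode() for n in names if n in data]
    return out

def build_sig_list(sig_type, entries):
    """Build one EFI_SIGNATURE_LIST from equal-sized entries (sample data only)."""
    body = b"".join(bytes(16) + e for e in entries)  # all-zero owner GUID
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body

# Constructed samples: placeholder bytes stand in for real DER certificates and hashes.
SAMPLE_DB = b"\x27\0\0\0" + b"".join(build_sig_list(EFI_CERT_X509, [b"0\x82 CN=" + n]) for n in CERT_NAMES[2011][:2])
SAMPLE_DBX = b"\x27\0\0\0" + build_sig_list(EFI_CERT_SHA256, [bytes(32), b"\x01" * 32])
```

On a Linux live USB the db variable can be read from `/sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f` and passed with `efivarfs=True`. The bytes returned by `Get-SecureBootUEFI db` on Windows have the same structure without the 4-byte prefix.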
