Hi:

This is a peer to peer forum.

We don't work for or represent HP, so no one here can answer your question regarding why your PC was left off the list for receiving a BIOS update to address this new secure boot certificates.

If your notebook has the latest BIOS update installed, you can try the procedure at the link below to force the 2023 secure boot certificate update:

Your Windows Secure Boot Certificates are Expiring Soon: Here's How to Update to the Latest - Make T...

The procedure worked for me on 3 of my Dell PC's.

It may take a couple of days or so for the certificates to actually update.

Apparently, the update is run every 12 hours.

Thank you very much for your reply. It is appreciated.

I know about the registry entries that initiate the secure boot certificate update in Windows PCs. But none of the registry entries does anything in this 2018 M/Y HP Elitebook notebook PC, which has HP Sure Start technology integrated.

I disabled HP Sure Start certificate protection and BIOS settings tamper protection values in BIOS. Still there is no way to install the new Microsoft Windows Secure Boot UEFI CA2023 certificates.

I even tried to import Custom Secure Boot keys in BIOS. But nothing can make this BIOS accept the new certificates. The following screenshot shows "import custom secure boot keys" setting in BIOS. I found necessary .bin files representing new certificates and put them in EFI\HP folder on a USB flash drive formatted in FAT32 file system.

I know a lot about forums. I know this is a peer-to-peer forum. Anyway, I thought there is no wrong in posting my issue in this forum. HP people might have a look into this forum from time to time. Someone knowledgeable enough in HP PCs might also have a look at my post and come up with a viable solution.

Happy computing.

You're very welcome.

I'm having the same issue with my HP 800 G3.

Can't get those new certificates installed.

Yet on two Dell Optiplex 7020 and 3020 business desktop PC's from 2014, the info I posted on that link worked fine.

It also worked for my Optiplex 7050 MT from 2017.

Hi:

Re-visiting this problem...

Apparently, a recent Windows update added a new messaging to W11's security section.

It provides messaging regarding the new secure boot certificate updates.

Since we have the same issue, I checked the messaging in this new section on my two PC's that did not get the new certificates, and this is what it indicates:

Secure boot is on, but your device is affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution. The update will resume automatically once resolved.

This may be why anything we have tried isn't working at this time to install the 2023 secure boot certificates.

See if your notebook is presenting the same message.

Go to Settings>Privacy & Security>Windows Security>Device Security>Secure Boot

Thank you for your taking the time to post this information. My notebook reads the same note.

When I click more information below the note, this takes me to a Microsoft article that dates back to 26 June 2025, August 2025 and July 2025.  Knowledgebase Article no: KB5062710

I haven't noticed this note before. So, let's wait and see what this note will bring to us.

Regards

You're very welcome.

Three of my Dell desktop PC's, two made in 2014 and one made in 2017 received the updates by the easy forced upgrade method we used with the two Powershell commands.

None of these PCs even meet Microsoft's minimum W11 hardware requirements, but I have been running W11 on them for years now.

The one made in 2017 has a BIOS version from 2024, and the two made in 2014 have BIOS versions from 2019.

This is what the message indicates for those three:

Secure boot is on, but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update. Visit the link below for more information.

But the Powershell command we used to confirm the updates were installed reports 'True' on all three.

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

Lastly, this is the message you get when everything is OK, which I received on two HP notebooks, one fully supported for W11 and one where the processor doesn't meet the W11 processor requirements, but was made in 2018:

Secure Boot is on and all required certificate updates have been applied.

No further certificate changes are needed.

The notebook that fully meets the W11 hardware requirements has a BIOS date of October of 2024, and the one made in 2018 has a BIOS date of July 2023.

Both notebooks have the latest BIOS versions installed.

That is why I am not sure that your notebook needs to have a newer BIOS update installed to get the 2023 certificate updates.

My two didn't need a BIOS update and those two PC's got the 2023 Secure Boot certificate updates via Windows Update which was how we were supposed to get them.

I really appreciate your diligent efforts here. Thank you very very much.

I followed the guidelines of HP article for Secure Boot certificate updates: https://support.hp.com/my-en/document/ish_13070353-13070429-16

In FAQ section in the above-mentioned article, HP tells us to check if HP BIOS has the substring SBKPFV3 in it to be able to accept the new certificates.

My HP notebook returns SBKPF. Therefore, HP tells me I cannot install the new certificates unless a BIOS update, for which HP made a recent decision change to not supply update, is installed.

I found a post in HP forums, which I thought could help: https://h30434.www3.hp.com/t5/Business-Notebooks/Enabling-new-UEFI-2023-CA-certificates-in-pre-2018-...

But the title reads pre-2018 HP notebooks. What peculiarities exist in 2018 PCs ?
 

I am not strange to new Microsoft Windows UEFI CA2023 certificate installation work. I made a post in elevenforum.com regarding Secure Boot certificates update about a year ago. It had more than 220K (220.000) hits till now.

https://www.elevenforum.com/t/did-you-manually-update-your-secure-boot-keys.36443/

I updated my desktop PC, which is not compliant with Window 11 system requirements by the way, to UEFI CA 2023 certificates easily. This DIY desktop PC has Asus M/B from late 2014. It now has all the certificates in it, including SVN number of 8.0 and SKUSiPolicy.p7b.

Kind regards

Hi.

I am glad to say that I have applied the procedure delineated here and was successful in updating my notebook to Microsoft Windows Secure Boot certificates CA2023:

Enabling new UEFI 2023 CA certificates in pre-2018 HP comput... - HP Support Community - 9628370

At first I thought that 2018 HP notebooks have some peculiarities when Forum Poster Jupitero wrote in his post:

"For 2018-2023 HP computers this is a very simple process - update your BIOS to the very latest with UEFI 2023 CA certificates and let Windows handle the actual replacement of boot loader automatically, invisible to end users. "

But later it crossed my mind that Jupitero also thought HP would release a BIOS update for 2018 M/Y notebooks, too, as they promised in their article below (This article is modified such that it does not list 2018 M/Y notebooks any longer.):  

https://support.hp.com/my-en/document/ish_13070353-13070429-16

Thanks again for your trying to help me.

HP did something dirty with that page, they let everyone know that some laptops were meant to get a bios update and had the models marked with TBD but instead of releasing the bioses they just removed the devices from the list despite them being purchased in the window when they said they would update them.