"Secure boot is using an older boot trust configuration" means the device is still relying on the 2011 Secure Boot certificates (Microsoft Corporation KEK CA 2011, Microsoft Windows Production PCA 2011 and Microsoft Corporation UEFI CA 2011) and has not fully moved to the 2023 trust configuration (Microsoft Corporation KEK 2K CA 2023, Windows UEFI CA 2023 and Microsoft UEFI CA 2023). The check is made against the live Secure Boot variables (KEK, DB and DBX), not against the firmware's stored defaults.
To update it, follow these principles from Microsoft's Secure Boot guidance:
- Make sure Windows and firmware are fully updated
  - Install all current Windows updates on the device.
  - Check the PC or motherboard manufacturer's support site for the latest UEFI/BIOS (firmware) updates and install them. Firmware updates improve compatibility with the new Secure Boot certificates and reduce the chance of boot issues once the 2011 certificates are revoked.
- Let Windows apply the new Secure Boot certificates
  - In-support Windows versions receive the 2023 Secure Boot certificates through Windows Update where the firmware allows it.
  - Devices that share diagnostic data with Microsoft and are managed through Microsoft cloud services are updated automatically in most cases.
- If the device is IT-managed, have the admin update Secure Boot
  - For IT-managed devices, the IT department applies the Secure Boot certificate and revocation updates across validated devices by following the enterprise guidance in "Windows Secure Boot certificate expiration and CA updates" and the related playbooks.
  - This means updating the trust anchors (KEK and DB) and the boot components first, then applying the revocations so that boot managers signed only by the older CA are no longer trusted. Order matters: revoking the 2011 CA before the 2023-signed boot manager is in place leaves the device unable to boot with Secure Boot on.
- Do not manually change Secure Boot firmware defaults
  - The active Secure Boot variables (KEK, DB, DBX) are updated from within the OS.
  - Firmware default values are controlled by the OEM. Do not change or overwrite the Secure Boot configuration in firmware setup unless the OEM has released a firmware update that changes those defaults to the new certificates. In particular, "restore factory keys" in firmware setup reloads the OEM defaults, which on unpatched firmware are the 2011 certificates, and undoes the update.
- Understand what happens if the update is not done
  - If the 2011 certificates expire (starting June 2026) without the 2023 certificates in place, the PC still boots and still receives normal Windows updates, but it no longer receives new boot-level security protections: Windows Boot Manager updates, Secure Boot DB/DBX (revocation) updates, or mitigations for newly discovered boot-level vulnerabilities.
  - Over time this reduces protection against emerging threats and can affect scenarios that rely on Secure Boot trust, for example BitLocker (whose PCR 7 binding depends on the Secure Boot state) or third-party bootloaders and option ROMs signed only under the 2023 UEFI CA, which a device still trusting only the 2011 DB entries will refuse to run.
If the device is home‑managed (not by an organization), the practical steps are:
- Keep Windows fully up to date.
- Install any available firmware/BIOS updates from the OEM.
- Avoid changing Secure Boot keys or databases manually in firmware.
If the message persists and the device is managed by an organization, the IT department should follow Microsoft's Secure Boot certificate expiration guidance and the CVE-2023-24932 (BlackLotus) mitigation guidance to complete the transition to the 2023 certificates.
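To see where a device actually stands before and after the update, here is an added example, written for this page and not taken from the original post or from Microsoft's guidance. It is a read-only PowerShell check: it reads the live Secure Boot variables and the servicing state Windows records in the registry, and changes nothing. The `Servicing` registry value names are the ones Microsoft documents for the certificate update; the DBX string match and the event ID query are assumptions and are marked as such in the comments. Run it from an elevated PowerShell on the device.

```powershell
# Added example (not part of the original post): read-only Secure Boot trust status check.
# Nothing below writes to firmware variables or to the registry.
#Requires -RunAsAdministrator

function Get-UefiDbText {
    # Return a Secure Boot signature database as an ASCII string so that X.509
    # subject names embedded in it can be searched. Returns '' if the variable
    # is absent (legacy BIOS, or Secure Boot never provisioned).
    param([string]$Name)
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        return ''
    }
}

function Get-SecureBootTrustStatus {
    # Secure Boot must be on for the rest of the checks to be meaningful.
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { $enabled = $false }

    $db  = Get-UefiDbText 'db'
    $kek = Get-UefiDbText 'KEK'
    $dbx = Get-UefiDbText 'dbx'

    # Servicing state written by Windows while it applies the certificate update.
    # UEFICA2023Status reports NotStarted / InProgress / Updated;
    # WindowsUEFICA2023Capable is 0 (not updated), 1 (DB updated) or 2 (DB updated
    # and the 2023-signed boot manager installed).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        SecureBootEnabled        = $enabled
        Db_WindowsUefiCa2023     = [bool]($db  -match 'Windows UEFI CA 2023')
        Db_MicrosoftUefiCa2023   = [bool]($db  -match 'Microsoft UEFI CA 2023')
        Db_ProductionPca2011     = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        Kek_Kek2kCa2023          = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        # Assumption: the revocation step adds the PCA 2011 certificate itself to DBX,
        # so its subject name becomes searchable there once the revocation is applied.
        Dbx_RevokesPca2011       = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
        UEFICA2023Status         = $svc.UEFICA2023Status
        WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable
    }
}

$s = Get-SecureBootTrustStatus
$s | Format-List

if (-not $s.SecureBootEnabled) {
    'Secure Boot is off (or not UEFI): the trust warning cannot be resolved until it is enabled.'
} elseif ($s.Db_WindowsUefiCa2023 -and $s.Kek_Kek2kCa2023) {
    'The 2023 trust anchors are present in DB and KEK; the device is on the new trust configuration.'
    if (-not $s.Dbx_RevokesPca2011) { 'The PCA 2011 revocation has not been applied yet (expected until the rollout reaches that step).' }
} else {
    'Still on the 2011 trust configuration: install pending Windows and OEM firmware updates, then re-run.'
}

# Assumption: the 2025 servicing updates log Secure Boot certificate state to the System log
# under the Microsoft-Windows-TPM-WMI provider (ID 1801 = certificates need updating).
# Read the message text rather than relying on the ID alone.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801 } `
             -MaxEvents 3 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The string matches work because certificate subject names are stored as plain ASCII inside the DER-encoded entries of DB, KEK and DBX, which is the same approach Microsoft's own status-check snippets use. A device that reports `Db_WindowsUefiCa2023` and `Kek_Kek2kCa2023` as `True` but `UEFICA2023Status` as anything other than `Updated` is mid-rollout; let Windows Update finish rather than touching firmware setup.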