Microsoft’s own guidance for the exact message you quoted says the device “might need additional validation before the update can proceed automatically.” For the simpler “older boot trust configuration” message, Microsoft says to make sure Windows is fully updated and restart if prompted. Microsoft also says most consumer PCs will receive this automatically through Windows Update. So, I think it is ok to just give it some time and wait for the updates to roll out.
Secure boot using old boot Trust config
Win 11 25H2 26200.8524 updated 5/26. Before this, Secure Boot was OK and the database was up to date. The next day, my motherboard failed and I replaced it with the same Gigabyte model (Z890) and it works fine now.
I now get this message in Security: Secure boot is on but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update.
Since I read there is a June deadline for some (a lot??) of certificates, is there a way for me to update this or do I have to wait, and if so, how long? While I was talking to Microsoft about reactivation because of the motherboard swap I brought this up and they didn't think it was a problem. Is it?
Thanks for any help with this.
Windows for home | Windows 11 | Security and privacy
EmilyS726 240.4K Reputation points Independent Advisor 2026-05-29T19:13:33.3933333+00:00
AI answer
2026-05-29T17:02:02.8333333+00:00
The message indicates that Secure Boot is enabled but the system is still using the older 2011 Secure Boot certificates instead of the newer 2023 certificates that are being rolled out ahead of the June 2026 expiration.
Key points from current guidance:
- What happens if the old certificates are still in use after they expire
  - Devices that do not get the new 2023 Secure Boot certificates will continue to start and operate normally, and standard Windows updates will continue to install.
  - However, they will no longer receive new security protections for the early boot process, including:
    - Windows Boot Manager updates
    - Secure Boot database and revocation list updates
    - Mitigations for newly discovered boot-level vulnerabilities.
  - Over time, this reduces protection against emerging threats and can affect scenarios that rely on Secure Boot trust (for example BitLocker hardening or some third‑party bootloaders).
- How the update is normally delivered for home Windows 11 devices
  - For Windows 10/11 Home, Pro, and Education devices that get updates directly from Microsoft (typical home PCs), the new 2023 certificates are delivered automatically via Windows Update.
  - The rollout is gradual and continues through June 2026, starting with Home and Pro systems.
  - The message about “not yet enough data to classify your device for automatic update” means the device has not yet been placed into the group that receives the Secure Boot certificate update automatically, not that something is broken.
- Whether this is a problem right now
  - As long as the device is on a supported version of Windows 11 and continues to receive normal Windows Updates, it will keep working and remain generally secure.
  - The risk is long‑term: if the certificates are still not updated by the time the old ones expire (starting June 2026), the device will lose future boot‑level security updates, not basic functionality.
  - Current guidance explicitly states that devices in this state will still boot and install updates, but with degraded Secure Boot protection after expiration.
- What can be done now
  - For home devices updated directly from Microsoft, the primary action is to keep Windows fully up to date and allow time for the automatic Secure Boot certificate update to be applied.
  - The update depends on:
    - Running a supported Windows version.
    - The device being eligible in Microsoft’s rollout (which is staged and data‑driven).
  - There is no separate, user‑facing manual tool in the provided guidance for home users to force the Secure Boot certificate update.
- When to be concerned
  - If the device is still showing this message as the June 2026 timeframe approaches, then action will be needed to ensure the Secure Boot databases (DB, DBX) and KEK are updated to the 2023 certificates.
  - For customer/IT‑managed systems, Microsoft provides detailed guidance for applying the new certificates and managing Secure Boot revocations, but that guidance is targeted at admins and organizations.
Summary for this scenario:
- The motherboard replacement with the same model can result in the firmware using the older Secure Boot defaults.
- The message is expected in that case and does not indicate an immediate functional problem.
- Continue installing all Windows Updates; the system is expected to receive the new 2023 Secure Boot certificates automatically before the 2011 certificates expire, as part of the ongoing rollout through June 2026.
- The real impact only appears if the certificates are still not updated after expiration, at which point boot‑level security protections stop updating, though the device will still boot and receive regular OS updates.