I recommend updating the BIOS to the latest version to see if it helps.
security boot
how to fix security boot is on but does not support the automated secure boot certificate due to hardware or firmware limitations
Windows for home | Windows 11 | Security and privacy
Kapil Arya 37,826 Reputation points Volunteer Moderator 2026-06-14T10:48:15.0266667+00:00
DaveM121 891K Reputation points Independent Advisor 2026-06-14T05:57:04.53+00:00
You cannot manually update the Secure Boot certificates yourself; that will be applied by Windows updates automatically. Microsoft have only started releasing the updates in the May and June updates, and they indicate they will continue to release the certificate updates over the next few months.
Go to the support page for your PC on the manufacturer's website to ensure you have installed all available BIOS and firmware updates.
AI answer
2026-06-14T05:23:22.6566667+00:00
"Not Supported - Known Limitation" in a Secure Boot certificate report means the device’s hardware or firmware cannot use the automated Secure Boot certificate update path. There is no supported way to make such a device use the automatic update mechanism.
For a home Windows 11 device, the practical options are:
- Keep Secure Boot on for protection
  - Secure Boot still helps prevent malicious bootloaders from running.
  - The limitation only affects the automated certificate update path, not normal day‑to‑day use.
- Manually manage firmware/UEFI updates
  - Check the PC or motherboard manufacturer’s support site for:
    - BIOS/UEFI firmware updates
    - Any Secure Boot–related updates or guidance
  - Apply any recommended firmware updates that mention Secure Boot or UEFI security.
- Plan for long‑term security
  - After the older Secure Boot–related certificates expire, devices that don’t get updated certificates will still boot and receive normal Windows updates, but they will no longer receive new boot‑level security protections (for example, updates to Windows Boot Manager, Secure Boot databases, or revocation lists).
  - For long‑term security, consider:
    - Working with the OEM to see if a firmware update or manual certificate update path is available.
    - If the OEM confirms no support, planning to move to newer hardware that supports the updated Secure Boot certificate path.
- Do not try to force certificate changes
  - Guidance for managed environments explicitly warns not to force untrusting old certificates without validating firmware support, because the device might fail to boot.
  - On a home device with this limitation, avoid unsupported tools or scripts that claim to “fix” Secure Boot certificates; they can leave the PC unbootable.
If the device is critical and the OEM offers no path to support the new certificates, the only complete fix is replacement with hardware that fully supports the updated Secure Boot certificate mechanism.
AI-generated content may be incorrect. Read our transparency notes for more information.
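A read-only way to see whether a BIOS/firmware update or a Windows update has actually delivered the newer certificates, added here as an example and not taken from any of the answers above. It assumes an elevated PowerShell session and the 2023 Microsoft certificate names listed in the script (the thread does not name them); it only reads the Secure Boot variables and changes nothing in firmware.

```powershell
# Added example (not from the thread): read-only Secure Boot certificate check.
# Assumption: the updated certificates are the 2023 Microsoft ones named below.
$ExpectedCertificates = @{
    db  = @('Windows UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}

function Test-SecureBootCertificate {
    param([hashtable]$Names = $ExpectedCertificates)

    try {
        # Returns $true/$false; throws on legacy BIOS or without elevation.
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
        return
    }

    foreach ($variable in $Names.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $variable -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Cannot read '$variable': $($_.Exception.Message)"
            continue
        }

        # The certificate subject names sit as plain ASCII inside the raw
        # variable contents, so a text search is enough to detect them.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)

        foreach ($name in $Names[$variable]) {
            [pscustomobject]@{
                SecureBootOn = $enabled
                Variable     = $variable
                Certificate  = $name
                Present      = $text.Contains($name)
            }
        }
    }
}

Test-SecureBootCertificate | Format-Table -AutoSize
```

Running it before and after a firmware update shows whether anything changed; `Present = False` on a device reporting the limitation is the expected result, not something to correct by hand.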