How to fix Secure Boot “older boot trust configuration” warning on Windows 11

Microsoft's new Secure Boot certificate rollout is triggering confusing warnings on Windows 11 PCs, but the issue is usually less serious than it looks.

Secure Boot warning fix / Image: Mauro Huculak & AI
  • Microsoft is rolling out updated Secure Boot certificates before the current certificates expire in June 2026.
  • The “older boot trust configuration” warning usually does not mean Secure Boot is broken or that the PC is currently unsafe.
  • Some systems are waiting for Microsoft to validate hardware and firmware compatibility before automatically applying the certificates.
  • Installing Windows updates, optional firmware updates, and newer UEFI (BIOS) versions can help systems receive updated certificates more quickly.

On Windows 11, if you recently opened the Windows Security app and saw the warning “Secure Boot is on, but your device is using an older boot trust configuration that should be updated to remain serviceable” or “Secure Boot is on, but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update,” you are not alone. I started seeing these messages on one of my test systems, and I have also received a number of emails from concerned users. At first glance, they looked more serious than they actually are.

These warnings are related to Microsoft’s rollout of updated Secure Boot certificates, which are required before the current certificates expire in June 2026. Without the updated certificates, some systems could eventually experience boot problems or become more vulnerable to boot-level malware such as rootkits.

The good news is that, in most cases, these warnings do not mean Secure Boot is broken or that your computer is currently at risk. Usually, the operating system is waiting for Microsoft to validate your hardware and firmware configuration before automatically applying the newer Secure Boot certificates.

In this guide, I’ll explain what the warning means and the steps I recommend to ensure your Windows 11 device receives the updated Secure Boot certificates.

What does the “older boot trust configuration” warning mean?

Microsoft is currently deploying new Secure Boot certificates through Windows Update because the existing certificates on many computers will expire in June 2026.

Normally, the Windows Security app displays one of these messages to communicate to the user the current state of the Secure Boot certificates:

“Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed.”

This green message means that the system is fully updated with the latest certificates and boot components.

“Secure Boot is on, but your device does not support the automated Secure Boot certificate update due to hardware or firmware limitations. Contact your device manufacturer for assistance.”

The yellow message indicates that an update is pending or limited by compatibility constraints.

“Secure Boot is on, but this device can no longer receive required updates for the Windows boot experience.”

Finally, the red message indicates that the system cannot apply the required updates and requires intervention.

Other confusing messages

While researching these messages, I also noticed Windows Security can display additional, slightly different warnings depending on the rollout status of the updated Secure Boot certificates.

“Secure Boot is on, but your device is using an older boot trust configuration that should be updated to remain serviceable.”

This first message usually means your computer still needs the newer Secure Boot certificates, but the system has already classified the device for the update rollout.

Action: In this situation, the update may already be downloaded or scheduled to install automatically through Windows Update. Typically, keeping the system updated and installing the latest firmware updates is enough.

“Secure Boot is on, but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update.”

This second message is more specific and indicates Microsoft has not yet fully validated your hardware or firmware configuration for automatic deployment.

In other words, the system is still waiting for Microsoft’s backend systems to determine whether your device is ready for the updated certificates.

Action: This does not necessarily mean your PC is unsupported or incompatible. It usually means that Microsoft is still gathering telemetry and validation data. Your firmware version may not yet be approved, or the rollout may not yet have reached your hardware model.

Fix the older boot trust configuration warning on Windows 11

If your computer is showing either of these Secure Boot warnings, I recommend following several steps to ensure your device receives the updated certificates correctly.

Install the latest system updates

The first thing you should do is make sure Windows 11 is fully updated since Microsoft is distributing the new Secure Boot certificates through Windows Update.

To install Windows 11 updates manually, follow these steps:

  1. Open Settings on Windows 11.

  2. Click on Windows Update.

  3. (Optional) Check the “Get the latest updates as soon as they’re available” toggle switch to download updates before they roll out automatically to everyone.

  4. Click the Check for updates button.

  5. (Optional) Click the “Download and install” option to apply a preview of an upcoming update of Windows 11.

    Quick note: Optional updates usually include non-security changes that Microsoft plans to release in the next Patch Tuesday rollout.

  6. Click the Restart now button.

Once you complete the steps, any available update with the new Secure Boot certificates will download and install automatically on Windows 11.

Install the latest optional updates

I also recommend checking for optional updates because some firmware and driver updates are delivered separately from the monthly security updates.

To install optional updates manually on Windows 11, follow these steps:

  1. Open Settings.

  2. Click on Windows Update.

  3. Click the Advanced options page.

  4. Click the Optional updates setting under the “Additional options” section.

  5. Click the category to reveal the available optional updates. For example, Driver updates.

  6. Check the optional updates you want to install on Windows 11.

  7. Click the “Download and install” button.

After you complete the steps, Windows Update will install the available updates on your computer.

Update the UEFI firmware

While troubleshooting this issue on one of my systems, I noticed the warning remained until I installed a newer BIOS update from the motherboard manufacturer.

To check the UEFI version on Windows 11:

  1. Open Start.

  2. Search for System Information, and click the top result to open the app.

    Quick tip: Alternatively, you can also use the “Windows key + R” keyboard shortcut to open the Run command, type “msinfo32,” and click “OK” to open System Information.

  3. Click on System Summary.

  4. Check the BIOS Mode information to determine whether the system is using UEFI.

  5. Check the BIOS Version/Date information to confirm the UEFI version on Windows 11 and the installation date.

To find out if there is an update available for the BIOS, follow the steps mentioned above to identify your device’s “System Manufacturer” and “System Model,” then use that information to check your manufacturer’s support website to confirm whether a newer update is available.

Usually, you need to locate the page for your motherboard (or the device model for branded devices like Dell or HP) and then check for a section with information on the BIOS or UEFI update. This is an example of BIOS updates available for an ASRock X399 motherboard.

Download UEFI update

On the page, you will see links to download the update and to the specific instructions for updating the UEFI for this particular board. 

If there is a new update, check the latest version against the version installed on your device. If the version is greater than the one you have, you should download the update.

Although there’s a standard approach to updating the UEFI/BIOS, each brand has its own way of building its firmware. As a result, it’s critical to find and use the instructions outlined by your manufacturer.

Usually, you only have to download the installer, double-click the executable (.exe) file, and follow the on-screen instructions. However, before the update, make sure to close any running applications and, if you are working on a laptop, ensure it’s plugged into a power source. Although it is often safe to update your system’s Unified Extensible Firmware Interface, doing so can make the computer unusable if the computer loses power or you interrupt the process.

Other times, you will need to create bootable media containing the ROM files that you can use to start the computer and apply the update.

Enable diagnostic data on Windows 11

Microsoft says some Secure Boot certificate deployment methods use diagnostic data to help validate hardware and firmware compatibility before automatically rolling out the update to devices.

To enable diagnostic data on Windows 11:

  1. Open Settings.

  2. Click on Privacy & security.

  3. Click the Diagnostics & feedback page.

  4. Turn on the “Send optional diagnostic data” toggle switch.

While Microsoft primarily references this process in the context of Controlled Feature Rollouts, Windows 11 Home and Pro devices may also benefit from enabling diagnostic data, as it can help the company to classify systems for automatic deployment more quickly.
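
To confirm whether the steps above have taken effect, the firmware details and the certificates actually stored in the Secure Boot variables can be read from an elevated PowerShell prompt. The script below is an added example and not part of the original guide; the certificate names are the ones Microsoft publishes for its current (2011) and updated (2023) certificates and do not appear in this article.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report of Secure Boot state, firmware version, and
# which Microsoft certificates are present in the KEK and db UEFI variables.

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Variable,
        [Parameter(Mandatory)][string]$CommonName
    )
    # The variable is a binary signature list; certificate subject names are
    # stored as ASCII-compatible strings, so a text search finds them.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    [System.Text.Encoding]::ASCII.GetString($bytes).Contains($CommonName)
}

# Certificate names as published by Microsoft (assumption: not from this guide).
$certs = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011';     Generation = 'current' }
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023';  Generation = 'updated' }
    @{ Variable = 'db';  Name = 'Microsoft Windows Production PCA 2011'; Generation = 'current' }
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023';                  Generation = 'updated' }
)

try {
    # Throws on legacy BIOS systems and when the session is not elevated.
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}

# Same fields System Information shows (System Manufacturer, Model, BIOS Version/Date).
$bios   = Get-CimInstance -ClassName Win32_BIOS
$system = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    SecureBootEnabled = $enabled
    Manufacturer      = $system.Manufacturer
    Model             = $system.Model
    BiosVersion       = $bios.SMBIOSBIOSVersion
    BiosDate          = $bios.ReleaseDate
} | Format-List

$results = foreach ($c in $certs) {
    $present = Test-SecureBootCert -Variable $c.Variable -CommonName $c.Name
    [pscustomobject]@{ Variable = $c.Variable; Certificate = $c.Name
                       Generation = $c.Generation; Present = $present }
}
$results | Format-Table -AutoSize

$missing = $results | Where-Object { $_.Generation -eq 'updated' -and -not $_.Present }
if ($missing) { "Updated certificates not yet in firmware: $($missing.Certificate -join ', ')" }
else          { 'Updated KEK and db certificates are present in firmware.' }
```

The script only reads the variables and changes nothing, so it is safe to run before and after each update step to see when the updated entries appear.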

Pureinfotech’s Take

I think Microsoft could have communicated these Secure Boot warnings much better because the wording makes the situation sound far more critical than it actually is. When I first saw the message on one of my test systems, my immediate reaction was that something had failed with Secure Boot or that the computer was no longer protected properly. After digging deeper, it became clear that this is mostly part of Microsoft’s staged rollout process for the newer certificates.

At the same time, I understand why the company is being cautious. Secure Boot updates interact directly with firmware, and pushing changes too aggressively across thousands of hardware configurations could easily create boot issues on unsupported or outdated systems. We’ve seen similar slow rollouts before with feature updates, driver deployments, and even firmware-related fixes, where Microsoft prefers to collect telemetry first before expanding availability.

For most people, I don’t think this is something worth panicking over right now. If your computer is fully updated and Secure Boot is enabled, there’s a good chance the newer certificates will eventually install automatically. However, this situation also highlights why keeping the UEFI firmware updated still matters on Windows 11, especially as the company continues tying more security features to modern hardware requirements.

Personally, I would avoid forcing workarounds or modifying firmware settings unless you actually know what you’re doing. In my experience, waiting for the rollout while keeping Windows Update and firmware up to date is usually the safest approach.

Did you notice any of these messages on your PC? Did you receive any other message? Let me know in the comments.

About the author

Mauro Huculak is a Windows How-To Expert and founder of Pureinfotech in 2010. With over 22 years as a technology writer and IT Specialist, Mauro specializes in Windows, software, and cross-platform systems such as Linux, Android, and macOS.

Certifications: Microsoft Certified Solutions Associate (MCSA), Cisco Certified Network Professional (CCNP), VMware Certified Professional (VCP), and CompTIA A+ and Network+.

Mauro is a recognized Microsoft MVP and has also been a long-time contributor to Windows Central.
