1. Summary / Purpose
This Knowledge Base article outlines Microsoft’s Secure Boot certificate updates and evaluates their impact on SecureDoc (SD) pre-boot authentication.
This document also provides results from QA testing conducted on Windows 10 and 11 environments.
2. Issue
Microsoft has published updates related to Secure Boot certificate changes:
Secure Boot Certificate updates: Guidance for IT professionals and organizations
https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f
Windows Secure Boot certificate expiration and CA updates
https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
Question: Do we need to take any action for SecureDoc with respect to these Secure Boot certificate changes?
3. Applies To
SecureDoc versions prior to 9.2
SecureDoc 9.2
Windows 10 / 11 devices with Secure Boot enabled
4. Impact Assessment
4.1 SecureDoc Versions Before 9.2
Status: Pending further testing and validation.
Additional analysis is required to confirm compatibility with Microsoft Secure Boot CA changes.
Note: Further ongoing testing …Pending
4.2 SecureDoc Version 9.2
SecureDoc 9.2 pre-boot is signed using the 2011 Secure Boot certificate.
Based on validation results:
SecureDoc 9.2 continues to boot successfully even after the 2011 certificate expiration.
Systems boot normally with Secure Boot enabled.
Functionality is unaffected even after Secure Boot CA certificate updates.
Conclusion: SecureDoc 9.2 does not require changes or updates to remain functional with Microsoft’s updated Secure Boot certificate policies.
5. Environment
Operating Systems: Windows 10, Windows 11
Secure Boot: Enabled
Hardware: Dell Latitude 7490, Microsoft Surface Pro 7, Lenovo ThinkPad P50s, Lenovo ThinkPad E15 Gen 4, HP EliteBook 830 G9
SecureDoc Version: 9.2.000.291
6. QA Validation Testing
6.1 Objective
Validate SecureDoc 9.2 behavior when:
Secure Boot is enabled
BIOS system date exceeds certificate expiration
Secure Boot CA certificates are updated
6.2 Test Case 1: BIOS Date Advanced to September 1, 2026
Test Steps:
Enable Secure Boot
Deploy SecureDoc and confirm successful pre-boot login
Change BIOS date to September 1, 2026
Save and reboot
Validate SecureDoc pre-boot loads successfully and user login works
Devices Tested:
| Device | SES Build | OS Version | SWE/HWE | Result |
|---|---|---|---|---|
| Dell Latitude 7490 | 9.2.000.291 | Windows 11 24H2 Pro (26100.7623) | HWE | Pass |
| Microsoft Surface Pro 7 | 9.2.000.291 | Windows 11 24H2 Pro (26100.7462) | SWE | Pass |
| Lenovo ThinkPad P50s | 9.2.000.291 | Windows 10 22H2 Pro (19045.6456) | HWE | Pass |
| ThinkPad E15 Gen 4 | 9.2.000.291 | Windows 11 23H2 Ent (22631.6491) | HWE | Pass |
| HP EliteBook 830 G9 | 9.2.000.291 | Windows 11 25H2 Pro (26200.7623) | HWE | Pass |
Outcome: SecureDoc 9.2 boots normally even with a future-dated BIOS beyond certificate expiry.
6.3 Test Case 2: Secure Boot CA Certificate Updated + Future BIOS Date
SecureDoc pre-boot login loads successfully — Pass
User is able to authenticate and boot into Windows — Pass
Outcome: SecureDoc 9.2 remains fully operational after Secure Boot CA updates.
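The precondition for the two test cases (Secure Boot enabled, and the CA certificates updated for Test Case 2) can be recorded on each device before the pre-boot login is validated. The script below is an added example, not part of the original KB and not SecureDoc or Microsoft code; the function names are hypothetical, and the certificate names are assumptions taken from Microsoft's public Secure Boot guidance rather than from this article.

```powershell
# Added example (not SecureDoc or Microsoft code). Run from an elevated PowerShell
# session on the Windows 10/11 test device.
# Assumption: the certificate names below come from Microsoft's public Secure Boot
# guidance; they are not listed in this KB article.
$caNames = @(
    'Microsoft Windows Production PCA 2011',
    'Microsoft Corporation UEFI CA 2011',
    'Windows UEFI CA 2023',
    'Microsoft UEFI CA 2023'
)

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Decode the raw UEFI variable as ASCII so certificate subject names can be
    # searched as plain text. Returns $null if the variable is absent or unreadable.
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        return $null
    }
}

function Get-SecureBootCaReport {
    # Secure Boot state: $true or $false; the catch covers legacy BIOS systems
    # and sessions that are not elevated.
    try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $enabled = 'Unknown (not UEFI or not elevated)' }

    $db  = Get-SecureBootVariableText -Name db    # allowed signers
    $dbx = Get-SecureBootVariableText -Name dbx   # revoked signers and hashes

    foreach ($ca in $caNames) {
        [pscustomobject]@{
            SecureBoot  = $enabled
            Certificate = $ca
            InDb        = if ($null -ne $db)  { $db.Contains($ca) }  else { 'Unknown' }
            InDbx       = if ($null -ne $dbx) { $dbx.Contains($ca) } else { 'Unknown' }
        }
    }
}

# One row per certificate; attach the output to the test record for the device.
Get-SecureBootCaReport | Format-Table -AutoSize
```

Capturing this output before and after the CA update gives each Pass result a documented db/dbx state to refer back to.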
7. Conclusion
SecureDoc 9.2 is not impacted by Microsoft Secure Boot certificate expiration or CA updates.
No action required for SecureDoc 9.2 clients.
SecureDoc versions prior to 9.2 remain in testing and will be updated when results become available.
Referencing:
SD-52811 & SD-52809
8. Revision History
| Date | Version | Author | Description |
|---|---|---|---|
| 2026-02-25 | 1.0 | Viet Nguyen | Initial KB creation |
| 2026-02-25 | 1.1 | Viet Nguyen | Added screenshots, corporate formatting, and revision history |