Secure Boot

Frank Dalton 0 Reputation points
2026-06-04T19:33:14.4033333+00:00

How do I update secure boot certificate?

Windows for home | Windows 11 | Security and privacy

2 answers

  1. Ivan B 113.7K Reputation points Independent Advisor
    2026-06-04T20:09:05.7466667+00:00

    Hi,

    In this case, the Secure Boot Key update comes through Windows Update. However, if you don't update via BIOS, it depends on your laptop model or desktop motherboard.

    What is the model of your laptop or the configuration of your desktop computer?

    To check if you have updated your keys, just follow the procedure below:

    Open a PowerShell console and make sure PowerShell is running as an administrator before running the following commands:

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40

    Run the following scheduled task:

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Restart your computer twice after running these commands to verify that your computer starts with the updated database.

    To verify that the Secure Boot database upgrade was successful, open a PowerShell console and make sure PowerShell is running as an administrator before running the following command:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    Check if the result is True.

    If it says true, just wait for the update. If it takes longer than I mentioned and hasn't updated, perhaps the keys are in a BIOS file for update, so you would have to check if the motherboard manufacturer released a BIOS update with the updated keys.

    Credits: https://support.microsoft.com/en-us/topic/scadenza-del-certificato-di-avvio-protetto-di-windows-e-aggiornamenti-della-ca-7ff40d33-95dc-4c3c-8725-a9b95457578e

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Thanks


  2. AI answer

    2026-06-04T19:33:32.7066667+00:00

    To update Secure Boot certificates on Windows 11 home devices, follow the supported update flow and let Windows and the OEM firmware handle the certificates rather than trying to edit them manually.

    1. Review device status
      • Identify whether the device is still using 2011 Secure Boot certificates and whether Secure Boot certificate updates have already been applied. This is typically done via inventory methods such as event logs and registry signals, but for a home device the key step is to ensure Windows Update and firmware are current (see steps 2 and 3).
    2. Update OEM firmware (BIOS/UEFI) first
      • Check for and install the latest firmware/BIOS/UEFI update from the PC or motherboard manufacturer.
      • Firmware updates are important because they:
        • Refresh the Secure Boot KEK/DB/DBX with the 2023 certificates where supported.
        • Improve compatibility and reduce the chance of Secure Boot update failures.
    3. Install Windows updates that carry the new Secure Boot certificates
      • In Windows 11, go to Settings → Windows Update and install all available cumulative/security updates.
      • For Microsoft‑managed consumer systems, Secure Boot certificates are delivered through Windows Update and written into firmware when the update and firmware support allow it.
    4. (For IT‑managed or advanced scenarios) use supported deployment methods
      • In managed environments, Secure Boot certificate updates can also be deployed using:
        • Microsoft Intune
        • Registry keys
        • Windows Configuration Service Provider (CSP) / Windows Configuration system
        • Group Policy
      • For detailed deployment patterns, see the Secure Boot playbook referenced in the documentation.
    5. Validate that certificates are updated
      • After firmware and Windows updates:
        • Confirm that Secure Boot is enabled in UEFI.
        • Use event logs and registry signals (as described in the guidance) to verify that the 2023 Secure Boot certificates have been applied and that no further action is required.

    If issues occur (for example, devices still show 2011 certificates or errors in logs), follow the “Resolve secure boot certificate issues” guidance: review the device estate, ensure firmware is current, pilot updates on a small set of devices, then roll out broadly using the supported methods above.


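A read-only check that combines the first answer's db lookup with the validation step in the second answer, as an added example that is not part of either answer or of Microsoft's documentation. The three certificate names other than 'Windows UEFI CA 2023' do not appear in this thread and are assumptions; the script only reads state and must run in an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Read-only report: nothing below writes to firmware, the registry, or the task.

function Test-UefiVarContains {
    param([string]$Variable, [string]$Needle)
    try {
        # Throws on legacy-BIOS systems or when the variable does not exist.
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch { return $null }                      # $null = could not be read
    # Same substring match as the answer's one-liner, over the raw variable bytes.
    [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Needle)
}

# Is Secure Boot actually enforced? (Throws on non-UEFI platforms.)
try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $enabled = $null }

# Value written by the Set-ItemProperty step; reported as-is, not interpreted.
$reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' `
         -Name 'AvailableUpdates' -ErrorAction SilentlyContinue

# Last run of the scheduled task started in the first answer.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' `
          -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
$info = if ($task) { $task | Get-ScheduledTaskInfo }

# First name is from the thread; the other three are assumptions added here.
$checks = @(
    @{ Var = 'db';  Cert = 'Windows UEFI CA 2023' },
    @{ Var = 'db';  Cert = 'Microsoft Windows Production PCA 2011' },
    @{ Var = 'KEK'; Cert = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Var = 'KEK'; Cert = 'Microsoft Corporation KEK CA 2011' }
)
$certs = foreach ($c in $checks) {
    [pscustomobject]@{
        Variable    = $c.Var
        Certificate = $c.Cert
        Present     = Test-UefiVarContains -Variable $c.Var -Needle $c.Cert
    }
}

[pscustomobject]@{
    SecureBootEnabled = $enabled
    AvailableUpdates  = if ($reg) { '0x{0:X}' -f $reg.AvailableUpdates } else { 'not set' }
    TaskLastRun       = $info.LastRunTime
    TaskLastResult    = $info.LastTaskResult
} | Format-List
$certs | Format-Table -AutoSize
```

An empty Present column means the variable could not be read at all (legacy BIOS mode or a non-elevated session), which is different from False.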
