Back
How To Guide

Windows Secure Boot Certificate Update Guide

By Andy Chu | April 30,2026

Laptops

I. Introduction: Secure Boot and the Need for Update

Secure Boot is a critical security feature designed to prevent unauthorized software from running during the system startup process. As Microsoft’s original 2011 Secure Boot certificate is scheduled to expire in June 2026, it must be replaced with the newer 2023 certificate to ensure that systems can continue receiving security updates for Windows boot components.

Official Reference: Act now: Secure Boot certificates expire in June 2026

II. Impacts of Certificate Expiry

Even after the original certificate expires, the system will still be able to boot into Windows normally. However, the following impacts may occur:

  • Security Updates Blocked: The system will no longer be able to receive security updates specifically for the Windows bootloader.
  • Reduced Startup Security: The system startup phase may become more vulnerable to low-level threats, such as bootkits or other pre-OS malware.
  • Recovery Limitations: If boot-related files become corrupted in the future, newer recovery media may fail to boot due to Secure Boot certificate mismatches detected by the BIOS.

III. How to Update Secure Boot Certificates on MSI Laptops

For most users, the required updates can be delivered automatically through Windows Update with no additional user action. The specific method depends on your processor generation:

1. Models with Intel 7th-11th Gen / AMD Ryzen 3000H-5000U Processors

These models primarily undergo certificate transition through system-side security updates.

  • Recommended Method: Wait for Windows Update to automatically push the updated certificates. Microsoft expects to complete this process automatically via monthly cumulative updates starting in 2026.
    1. Note: This method requires your operating system to be running Windows 11 or to be enrolled in the Windows 10 Consumer Extended Security Updates (ESU) program.
  • Early Update: If there is a need for an early update, you may also refer to the Microsoft official guide to manually apply the certificate update (see point 3 below).

2. Models with Intel 12th Gen / AMD Ryzen 5000H and Newer Processors

MSI has been progressively releasing BIOS versions containing the new certificates for this generation (and later) models.

  • Update BIOS: Go to the MSI Official Support Page to download and update to the latest BIOS that includes the description: "Update Secure Boot Key: Windows UEFI CA 2023 & Microsoft UEFI CA 2023".
    1. Note: Before starting to update the BIOS, please save the BitLocker recovery key first.
  • Certificate Activation: After updating the BIOS, it is recommended to wait for Windows Update to automatically activate the certificates. If there is a need for early activation, you may refer to Microsoft guidelines for manual activation (see point 3 below).

Reference: [How To] Update BIOS on a BitLocker Enabled system

3. Manual Registry Update (Advanced Users / IT Administrators)

For early testing or unified IT management, refer to the Registry update method explained by Microsoft.

Reference: Updating the Secure Boot keys: Windows devices with IT managed update

IV. Verification: How to Check Update Status

You can verify whether the update was successfully received through Windows Security Center. For more details, please refer to Secure Startup Credential Update Status in the Windows Security Center application.

Alternatively, you can check the current certificate status in the Event Viewer (Windows Logs → System, Source: “TPM-WMI”):

  • Status: Fully Updated and Active (Event ID 1808)
    Message: “This device has updated Secure Boot CA/keys,” indicating that the new Secure Boot certificate has been successfully applied.
  • Status: BIOS Updated, Certificate Not Applied (Event ID 1801)
    Message: “Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection.”
    Action: Open Windows Update to allow Microsoft’s monthly cumulative updates to automatically activate the new certificate. To clear Event ID 1801 immediately, refer to Update Method 3.
  • Status: BIOS Version Does Not Include New Certificate (Event ID 1801)
    Message: “Need to update Secure Boot CA/keys.”
    Action: Open Windows Update and wait for Microsoft’s monthly cumulative updates to automatically install the new certificate.

Related Blogs

What Is a Fleet? More Businesses Qualify Than You Think

May 29,2026

What Is a Fleet? More Businesses Qualify Than You Think

MSI EVSE Most business owners don't think of themselves as fleet owners or managers. However, a fleet is simply any [...]
Building a Maintenance Revenue Stream from AC Charging Installations

May 15,2026

Building a Maintenance Revenue Stream from AC Charging Installations

MSI EVSE Most installers treat EV charger installation as a one-time job. The ones building recurring revenue offer annual inspection [...]
MSI Memory Extension Mode: Boost Your Intel Core Ultra 7 270K Plus Gaming Performance in One Click

May 13,2026

MSI Memory Extension Mode: Boost Your Intel Core Ultra 7 270K Plus Gaming Performance in One Click

Just picked up an Intel Core Ultra 7 Plus and want better gaming performance? Reducing memory latency is one of the [...]

Subscribe to Our Blog

Stay up to date with the latest hardware, tips and news

Please check the box if you would like to receive our latest news and updates.By clicking here, you consent to the processing of your personal data by [Micro-Star International Co., LTD.] to send you information about [MSI’s products, services and upcoming events]. Please note that you can unsubscribe from the MSI Newsletters here at any time.

Further details of our data processing activities are available in the MSI Privacy Policy