Answer

Secure Boot Certificate Update Guide



Secure Boot is a critical security feature designed to prevent unauthorized software from running during the system startup process. As Microsoft’s original 2011 Secure Boot certificate is scheduled to expire in June 2026, it must be replaced with the newer 2023 certificate to ensure that systems can continue receiving security updates for Windows boot components.



Official Reference: Act now: Secure Boot certificates expire in June 2026



________________________________________________________________________________



What happens after the certificate expires?



Even after the original certificate expires, the system will still be able to boot into Windows normally. However, the following impacts may occur:




  1. Security Updates Blocked: The system will no longer be able to receive security updates specifically for the Windows bootloader.

  2. Reduced Startup Security: The system startup phase may become more vulnerable to low-level threats, such as bootkits or other pre-OS malware.

  3. Recovery Limitations: If boot-related files become corrupted in the future, newer recovery media may fail to boot due to Secure Boot certificate mismatches detected by the BIOS. (Applicable to full Desktop PCs, All-In-One PCs, Cubi systems with a pre-installed Windows 11 operating system)



________________________________________________________________________________



How to update Secure Boot certificates on MSI motherboards, Desktop PCs, All-In-One PCs, Cubi systems?



Please complete one of the following update methods.



(Method 1) Through Windows Automatic Updates:

It is recommended to wait for Windows Update to automatically push the updated certificates. Microsoft expects to complete this process automatically via monthly cumulative updates starting in 2026.



Note: This method requires your operating system to be Windows 10 (22H2) or Windows 11.

(Method 2) Through Manual BIOS Updates:

Go to the MSI website to download the latest BIOS version and update to it.



Here is how to flash BIOS (SOP Download)



MSI® HOW-TO update BIOS using M-FLASH?



[How To] Update BIOS on a BitLocker Enabled system



Warning: Before proceeding, ensure you have a BitLocker recovery key saved. You may be asked for the BitLocker recovery key to enter Windows after the BIOS flash. Alternatively, temporarily disable or suspend BitLocker before updating the BIOS. It is also recommended to create a full backup of your computer before proceeding.

After the BIOS update, run Windows Update to make sure the system has the latest hotfix for Secure Boot.



________________________________________________________________________________



How to verify whether your MSI motherboards, Desktop PCs, All-In-One PCs, Cubi systems have been successfully updated?



You can check the current Secure Boot certificate status using the following methods:



If the MSI motherboard, Desktop PC, All-In-One PC, or Cubi system has been fully updated and the new certificate is active, you can find an entry in Event Viewer → Windows Logs → System with the source “TPM-WMI” and Event ID 1808.

The message will state: “This device has updated Secure Boot CA/keys,” indicating that the new Secure Boot certificate has been successfully applied.



 



If the MSI motherboard, Desktop PC, All-In-One PC, or Cubi system has been updated to a BIOS version that includes the new certificate, but the certificate has not yet been applied, an entry with source “TPM-WMI” and Event ID 1801 will appear in Event Viewer with the message: “Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection.”

In this case, simply open Windows Update and allow Microsoft’s monthly cumulative updates to automatically activate the new certificate.




 



If the MSI motherboard, Desktop PC, All-In-One PC, or Cubi system is running a BIOS version that does not include the new certificate, or if the model does not provide a BIOS update with the new certificate, an entry with source “TPM-WMI” and Event ID 1801 will appear with the message: “Need to update Secure Boot CA/keys.”

In this case, open Windows Update and wait for Microsoft’s monthly cumulative updates to automatically install the new certificate.
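
The same three outcomes can be read from PowerShell instead of Event Viewer. The script below is an added example, not MSI's or Microsoft's own code; its function names are hypothetical, and it assumes the Event Viewer source “TPM-WMI” is registered as the provider Microsoft-Windows-TPM-WMI.

```powershell
# Added example: maps the newest TPM-WMI Secure Boot event to one of the
# three states described above. Function names are hypothetical.
# Assumption: the Event Viewer source "TPM-WMI" is registered as the
# provider 'Microsoft-Windows-TPM-WMI'.
function Get-SecureBootCertState {
    param([Parameter(Mandatory)] [int] $Id, [string] $Message = '')
    switch ($Id) {
        1808 { return 'Applied' }
        1801 {
            # Both "not yet done" cases share ID 1801; only the text differs.
            if ($Message -like '*have not yet been applied*') { return 'InFirmwareNotApplied' }
            if ($Message -like '*Need to update Secure Boot CA/keys*') { return 'NotInFirmware' }
            return 'Unrecognized1801'
        }
        default { return 'NotASecureBootCertEvent' }
    }
}

function Get-LatestSecureBootCertEvent {
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801, 1808 }
    # Get-WinEvent returns newest first, so one event reflects the current status.
    Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue
}

# Constructed samples built from the message texts quoted above.
$samples = @(
    @{ Id = 1808; Message = 'This device has updated Secure Boot CA/keys' }
    @{ Id = 1801; Message = 'Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware.' }
    @{ Id = 1801; Message = 'Need to update Secure Boot CA/keys.' }
)
foreach ($s in $samples) { '{0} -> {1}' -f $s.Id, (Get-SecureBootCertState @s) }

$evt = Get-LatestSecureBootCertEvent
if ($evt) {
    '{0:u}  ID {1}  {2}' -f $evt.TimeCreated, $evt.Id, (Get-SecureBootCertState -Id $evt.Id -Message "$($evt.Message)")
} else {
    'No TPM-WMI event 1801 or 1808 found in the System log.'
}
```

Because event 1801 covers two different situations, the classification relies on the message text; a result of Unrecognized1801 means the wording differs from what is quoted above and the entry should be read in Event Viewer.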