[Product Information] Windows Secure Boot certificates update
Answer
Secure Boot Certificate Update Guide
Secure Boot is a critical security feature designed to prevent unauthorized software from running during the system startup process.
As Microsoft’s original 2011 Secure Boot certificate is scheduled to expire in June 2026, it must be replaced with the newer 2023 certificate to ensure that systems can continue receiving security updates for Windows boot components.
Official Reference: Act now: Secure Boot certificates expire in June 2026
________________________________________________________________________________
What happens after the certificate expires?
Even after the original certificate expires, the system will still be able to boot into Windows normally. However, the following impacts may occur:
Security Updates Blocked: The system will no longer be able to receive security updates specifically for the Windows bootloader.
Reduced Startup Security: The system startup phase may become more vulnerable to low-level threats, such as bootkits or other pre-OS malware.
Recovery Limitations: If boot-related files become corrupted in the future, newer recovery media may fail to boot due to Secure Boot certificate mismatches detected by the BIOS.
________________________________________________________________________________
How to update Secure Boot certificates on MSI laptops?
The update method depends on the processor generation and platform support. MSI provides the following update paths:
1. Models with Intel 12th Gen / AMD Ryzen 5000H and newer processors
MSI has been progressively releasing BIOS versions containing the new certificates for models of this generation and later.
Go to the MSI Official Support Page to download and update to the latest BIOS that includes the description: "Update Secure Boot Key: Windows UEFI CA 2023 & Microsoft UEFI CA 2023".
Certificate Activation: After updating the BIOS, it is recommended to wait for Windows Update to activate the certificates automatically. If you need to update earlier, you may also refer to Microsoft's guidelines for manual activation (see point 3 below).
2. Models with Intel 7th-11th Gen / AMD Ryzen 3000H-5000U processors
These models primarily receive the certificate transition through system-side security updates.
It is recommended to wait for Windows Update to automatically push the updated certificates. Microsoft expects to complete this process automatically via monthly cumulative updates starting in 2026.
Note: This method requires the operating system to be Windows 10 (22H2) or a Windows 11 version.
If you need to update earlier, you may also refer to Microsoft's official guide to apply the certificate update manually (see point 3 below).
3. Manual Registry Update (Advanced Users / IT Administrators)
For early testing or unified IT management, refer to the Registry update method explained by Microsoft:
________________________________________________________________________________
How to verify whether your MSI laptop has been successfully updated?
You can check the current Secure Boot certificate status using the following methods:
If the laptop has been fully updated and the new certificate is active, you can find an entry in Event Viewer → Windows Logs → System with the source “TPM-WMI” and Event ID 1808.
The message will state: “This device has updated Secure Boot CA/keys,” indicating that the new Secure Boot certificate has been successfully applied.

If the laptop has been updated to a BIOS version that includes the new certificate, but the certificate has not yet been applied, an entry with source “TPM-WMI” and Event ID 1801 will appear in Event Viewer with the message: “Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection.”
In this case, simply open Windows Update and allow Microsoft’s monthly cumulative updates to automatically activate the new certificate.
If you would like to clear Event ID 1801 immediately, please refer to Update Method 3 mentioned above.

If the laptop is running a BIOS version that does not include the new certificate, or if the model does not provide a BIOS update with the new certificate, an entry with source “TPM-WMI” and Event ID 1801 will appear with the message: “Need to update Secure Boot CA/keys.”
In this case, open Windows Update and wait for Microsoft’s monthly cumulative updates to automatically install the new certificate.
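The Event Viewer checks above can also be scripted. The following PowerShell is an added example, not a script from MSI or Microsoft: it reads the latest TPM-WMI event 1801/1808 and also checks the Secure Boot db for the two certificate names quoted in the BIOS release note. The function name Get-SecureBootCertStatus is hypothetical, and the provider-name filter is an assumption.

```powershell
# Added example. Run in an elevated PowerShell session on the laptop being checked.
function Get-SecureBootCertStatus {   # hypothetical helper name
    # Certificate names as quoted in the BIOS release note on this page.
    $certNames = 'Windows UEFI CA 2023', 'Microsoft UEFI CA 2023'
    $status = [ordered]@{ SecureBootEnabled = $null }

    try {
        $status.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        # db is the allowed-signature database; search its raw bytes for each name.
        $dbVar = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $db = [System.Text.Encoding]::ASCII.GetString($dbVar.Bytes)
        foreach ($name in $certNames) {
            $status["InDb: $name"] = $db -match [regex]::Escape($name)
        }
    } catch {
        # Raised on legacy-BIOS systems or when the session is not elevated.
        $status.SecureBootEnabled = "Unavailable: $($_.Exception.Message)"
    }

    # Event IDs 1801 and 1808 in the System log. The provider filter is an
    # assumption that the "TPM-WMI" source is part of the provider name.
    $filter = @{ LogName = 'System'; Id = 1801, 1808 }
    $latest = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*TPM-WMI*' } |
        Sort-Object TimeCreated -Descending |
        Select-Object -First 1

    # Only the most recent event counts: an old 1801 is superseded by a later 1808.
    if (-not $latest) {
        $status.Verdict = 'No TPM-WMI event 1801/1808 logged yet'
    } elseif ($latest.Id -eq 1808) {
        $status.Verdict = 'Updated: new Secure Boot certificates are applied'
    } else {
        $status.Verdict = 'Not yet applied (1801): see event message'
    }
    if ($latest) {
        $status.EventTime    = $latest.TimeCreated
        $status.EventMessage = $latest.Message
    }
    [pscustomobject]$status
}

Get-SecureBootCertStatus | Format-List
```

A device can show the 2023 names in db and still log 1801 until the update is fully applied, so read the verdict together with the event message.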

Reference: [How To] Update BIOS on a BitLocker Enabled system


