[Product Information] Windows Secure Boot certificates update
Answer
Secure Boot Certificate Update Guide
Secure Boot is a critical security feature designed to prevent unauthorized software from running during the system startup process.
As Microsoft’s original 2011 Secure Boot certificate is scheduled to expire in June 2026, it must be replaced with the newer 2023 certificate to ensure that systems can continue receiving security updates for Windows boot components.
Official Reference: Act now: Secure Boot certificates expire in June 2026
________________________________________________________________________________
What happens after the certificate expires?
Even after the original certificate expires, the system will still be able to boot into Windows normally. However, the following impacts may occur:
- Security Updates Blocked: The system will no longer be able to receive security updates specifically for the Windows bootloader.
- Reduced Startup Security: The system startup phase may become more vulnerable to low-level threats, such as bootkits or other pre-OS malware.
- Recovery Limitations: If boot-related files become corrupted in the future, newer recovery media may fail to boot due to Secure Boot certificate mismatches detected by the BIOS.
________________________________________________________________________________
How to update Secure Boot certificates on MSI laptops
The update method depends on the processor generation and platform support. MSI provides the following update paths:
Method 1: BIOS Update
For models equipped with Intel 12th Gen or AMD Ryzen 5000H and newer processors, MSI provides BIOS updates that include the new Secure Boot certificates.
Steps:
- Visit the MSI official support page and download the latest BIOS for your model.
- Confirm that the BIOS release notes include: “Update Secure Boot Key: Windows UEFI CA 2023 & Microsoft UEFI CA 2023.”
- After the BIOS update is completed, the system will automatically write the new certificates into the firmware.
Method 2: Windows Update
For models equipped with Intel 7th–11th Gen or AMD Ryzen 3000H–5000U processors, Microsoft will deliver the new certificates through Windows Update.
Steps:
- Ensure that Windows Automatic Updates are enabled.
- Microsoft plans to distribute the new Secure Boot certificates through monthly cumulative updates starting in 2026.
Note: This method requires Windows 10 (22H2) or Windows 11.
Method 3: Manual Registry Update (Advanced Users / IT Administrators)
For early validation or centralized IT management scenarios, Secure Boot certificates can be applied manually via registry updates.
Official Reference: Registry key updates for Secure Boot: Windows devices with IT-managed updates
________________________________________________________________________________
How to verify whether your MSI laptop has been successfully updated?
You can check the current Secure Boot certificate status in Event Viewer. The entry you find corresponds to one of the following states:
- Fully Updated and Activated
If the laptop has been fully updated and the new certificate is active, you can find an entry in Event Viewer → Windows Logs → System with the source “TPM-WMI” and Event ID 1808.
The message will state: “This device has updated Secure Boot CA/keys,” indicating that the new Secure Boot certificate has been successfully applied.

- BIOS Updated, but Certificate Not Yet Applied
If the laptop has been updated to a BIOS version that includes the new certificate, but the certificate has not yet been applied, an entry with source “TPM-WMI” and Event ID 1801 will appear in Event Viewer with the message: “Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection.”
In this case, simply open Windows Update and allow Microsoft’s monthly cumulative updates to automatically activate the new certificate.

- Update Required (Older BIOS or Legacy Models)
If the laptop is running a BIOS version that does not include the new certificate, or if the model does not provide a BIOS update with the new certificate, an entry with source “TPM-WMI” and Event ID 1801 will appear with the message: “Need to update Secure Boot CA/keys.”
In this case, open Windows Update and wait for Microsoft’s monthly cumulative updates to automatically install the new certificate.
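
A scripted version of the Event Viewer checks above, as an added example that is not MSI's or Microsoft's own code. It assumes the “TPM-WMI” source corresponds to the provider name Microsoft-Windows-TPM-WMI, uses a hypothetical helper named Test-SecureBootDbCert, and goes beyond the page by also reading the firmware db variable with Get-SecureBootUEFI to look for the two 2023 CA names quoted from the BIOS release notes.

```powershell
# Added example. Run from an elevated PowerShell session on the laptop being checked.

# Assumption: "TPM-WMI" in Event Viewer is the provider Microsoft-Windows-TPM-WMI.
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TPM-WMI'
    Id           = 1801, 1808
}

# Get-WinEvent returns the newest event first, so the first hit is the current status.
# "No events found" is a non-terminating error; treat it as "nothing logged".
$latest = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

# Hypothetical helper: is a certificate name present in the Secure Boot db variable?
function Test-SecureBootDbCert {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        # The certificate names appear as ASCII text inside the certificate data.
        [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match [regex]::Escape($Name)
    } catch {
        $null   # legacy BIOS mode, Secure Boot unsupported, or session not elevated
    }
}

if (-not $latest)            { $state = 'No 1801/1808 event logged yet' }
elseif ($latest.Id -eq 1808) { $state = 'Updated and active' }
else                         { $state = 'Not yet applied (see Message)' }

[pscustomobject]@{
    State               = $state
    EventId             = $latest.Id
    Logged              = $latest.TimeCreated
    WindowsUefiCa2023   = Test-SecureBootDbCert -Name 'Windows UEFI CA 2023'
    MicrosoftUefiCa2023 = Test-SecureBootDbCert -Name 'Microsoft UEFI CA 2023'
    Message             = $latest.Message
} | Format-List
```

State reflects only the most recent matching event; the Message field distinguishes the two Event ID 1801 cases described above.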

Reference: [How To] Update BIOS on a BitLocker Enabled system


