
how to update secure boot keys

Mathias Holmström 0 Reputation points
2026-05-24T06:52:11.3833333+00:00

is there an easy way to update the secure boot keys?

Windows for home | Windows 11 | Security and privacy

2 answers

  1. DaveM121 886.7K Reputation points Independent Advisor
    2026-05-24T07:27:56.92+00:00

    Microsoft have begun releasing updates in May to update the Secure Boot certificates. The process should be automatic; you should not need to do anything yourself.

    1. Open the Settings app.

       Go to Windows Update - Update history.

       Scroll down to the 'Other updates' section.

       Do you see 'Secure Boot allowed signature database (DB) update' listed there?

    2. Open File Explorer, then go to your C drive. Do you find a new folder in the root of the C drive named SecureBoot?



  2. AI answer

    2026-05-24T06:52:23.9766667+00:00

    Yes. On Windows 11 there are supported, relatively simple ways to update Secure Boot keys, especially for the 2023 certificate updates.

    For a home Windows 11 device, the easiest supported options are:

    1. Let Windows Update handle it automatically
    • Keep Windows fully updated via Settings → Windows Update.
    • Microsoft is rolling out Secure Boot certificate and key updates through normal servicing.
    • No extra action is required if the device is compatible and up to date.

    2. Use the built-in registry-based mechanism (more advanced)
    If you are managing the device manually and want to explicitly trigger the Secure Boot certificate/key update, use the documented registry keys and scheduled task:

       a. Set the update flag
       • Open Registry Editor as administrator.
       • Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
       • Create or set the AvailableUpdates value (REG_DWORD) to: 0x5944
         This enables deployment of all relevant Secure Boot updates (new 2023 CA certificates, KEK update, and new boot manager).

       b. Monitor update status
       • Under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing check:
         • UEFICA2023Status (REG_SZ):
           • NotStarted → update not yet run
           • InProgress → update running
           • Updated → update completed successfully
         • UEFICA2023Error (REG_DWORD):
           • 0 → success
           • non-zero → an error occurred; check Secure Boot events in Event Logs as described in KB5016061.

       c. Let Windows process the update
       • Windows runs the Secure-Boot-Update task roughly every 12 hours to process these flags.
       • A restart may be required for the new boot manager to take effect, but the update itself does not force a restart; it relies on normal reboots.

    3. Use the WinCS API and Secure-Boot-Update task (IT-managed / advanced)
    For more control (typically for IT-managed or advanced users):

       a. Configure the Secure Boot update via WinCS
       • Use the WinCS CLI (WinCsFlags.exe) to set the Secure Boot configuration flag.
       • Example to audit the configuration later (run in an elevated Command Prompt):
           WinCsFlags.exe /query --key F33E0C8E002
         
         This shows whether the Secure Boot update flag is enabled and which configuration is active.

       b. Trigger the Secure Boot servicing task
       • Open PowerShell as administrator and run:
           Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
         
       • Restart the device two times after running the task to ensure it boots with the updated database of trusted signatures (DB).

       c. Confirm the DB update
       • In elevated PowerShell, run:
           [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
         
       • If this returns True, the Secure Boot DB has been successfully updated with the 2023 Windows UEFI CA.

    4. General guidance
    • Before forcing Secure Boot key updates, ensure firmware (BIOS/UEFI) is up to date to reduce the chance of update failures.
    • For multiple devices, follow a pilot → broad deployment approach and use one of the supported methods: Intune, registry keys, CSP/WinCS, or Group Policy.


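The checks in both answers above (DaveM121's "look for the update in Update history and the C:\SecureBoot folder" and the AI answer's registry flags, scheduled task and DB check) can be collected into one elevated PowerShell audit. The script below is an added example written for this page, not code from either answer or from Microsoft. The registry paths, value names, task name and the 'Windows UEFI CA 2023' subject string are the ones quoted in the answers; the 2011 CA subject, the KEK 2023 CA subject and the -Trigger switch are this script's own assumptions and are marked as such in the comments.

```powershell
# Added example, not code from either answer above: audit the Secure Boot
# certificate rollout on a Windows 11 machine and optionally kick the
# servicing task. Run from an elevated PowerShell. Registry paths, value
# names, task name and 'Windows UEFI CA 2023' are taken from the answers;
# the 2011 CA and 2023 KEK CA subject strings and -Trigger are this script's own.
[CmdletBinding()]
param([switch]$Trigger)

$sbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$svcKey   = Join-Path $sbKey 'Servicing'
$taskPath = '\Microsoft\Windows\PI\'
$taskName = 'Secure-Boot-Update'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or the value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-UefiVarContains {
    param([string]$Variable, [string]$Needle)
    try   { $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes }
    catch { return $null }          # no such variable, or no UEFI Secure Boot
    # Certificate subjects are stored as ASCII inside the DER blob, so a plain
    # substring search is enough to see whether a given CA is present.
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -like "*$Needle*")
}

# 1. Secure Boot must be on; otherwise none of the rest matters.
try   { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }

# 2. Rollout flag and status values from the registry-based method.
$available = Get-RegValue $sbKey  'AvailableUpdates'
$status    = Get-RegValue $svcKey 'UEFICA2023Status'
$errCode   = Get-RegValue $svcKey 'UEFICA2023Error'

# 3. The scheduled task that processes the flag (roughly every 12 hours).
$task     = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
$taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

if ($Trigger -and $task) {
    # Same call as in the answer. The DB change is only picked up across
    # reboots, so re-run this audit after restarting (twice, per the answer).
    Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName
}

# 4. What the firmware actually trusts right now.
$dbHas2023  = Test-UefiVarContains 'db'  'Windows UEFI CA 2023'
$dbHas2011  = Test-UefiVarContains 'db'  'Microsoft Windows Production PCA 2011'  # assumed subject, not quoted on the page
$kekHas2023 = Test-UefiVarContains 'KEK' 'KEK 2K CA 2023'                          # assumed subject, not quoted on the page

# 5. The folder DaveM121's answer says appears once the update has been applied.
$folder = Test-Path 'C:\SecureBoot'

[pscustomobject]@{
    SecureBootEnabled  = $sbOn
    AvailableUpdates   = if ($null -ne $available) { '0x{0:X}' -f $available } else { $null }
    UEFICA2023Status   = $status
    UEFICA2023Error    = $errCode
    TaskPresent        = [bool]$task
    TaskLastRun        = $taskInfo.LastRunTime
    TaskLastResult     = $taskInfo.LastTaskResult
    DbHasWindowsCA2023 = $dbHas2023
    DbHasPCA2011       = $dbHas2011
    KekHas2023         = $kekHas2023
    SecureBootFolder   = $folder
} | Format-List
```

Run it once before doing anything to capture the baseline (expect UEFICA2023Status of NotStarted and DbHasWindowsCA2023 of False on an untouched machine), then again after the update has had its reboots. A non-zero UEFICA2023Error with DbHasWindowsCA2023 still False is the case where the answers point you to the Secure Boot events in the event log and a firmware update before retrying.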
