
How do I apply the Secure Boot certificate update?

Tony Cranfield 20 Reputation points
2026-05-27T16:06:49.9833333+00:00


Windows for home | Other | Windows update

Answer accepted by question author

EmilyS726 235.7K Reputation points Independent Advisor
2026-05-27T16:40:29.1766667+00:00

Type "PowerShell" in the search box on the taskbar and use "Run as administrator" to launch it. Then run this command:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes) -match 'Windows UEFI CA 2023')

And tell me whether it returns a True or False result.

If it is True, there's no need to update it. If it is False, then yes, it should be updated, but it is not something you typically do manually; Microsoft's update should address that. Is there any reason you asked this, in case you have a specific context?

1 person found this answer helpful.

1 additional answer

  1. AI answer

    2026-05-27T16:07:01.8933333+00:00

    To update Secure Boot certificates on Windows devices and stay protected when the 2011 certificates expire, follow these steps:

    1. Review devices
      • Identify devices still using 2011 Secure Boot certificates.
      • Use event logs and registry to check status:
        • Look for Event ID 1801 or Event ID 1795 indicating certificate remediation not applied.
• Check the registry value UEFICA2023Status under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing; it should be set to Updated after remediation.
    2. Update firmware first
      • Install the latest OEM firmware/BIOS/UEFI updates for the device, especially for older models.
      • Firmware updates improve compatibility and reduce the chance of Secure Boot update failures.
    3. Pilot before broad rollout
      • Test on a small set of devices that represent:
        • Multiple OEMs
        • Different firmware versions
        • BitLocker-enabled devices
      • Confirm on the pilot group:
        • Certificates show as updated
        • No boot issues
        • No unexpected or repeated BitLocker recovery prompts
    4. Deploy Secure Boot certificate updates
      • Use one supported method to control the rollout (do not mix methods on the same device):
        • Microsoft Intune
        • Group Policy (GPO)
        • Registry keys
        • Windows Configuration Service Provider (CSP) / WinCS CLI
      • For Azure Virtual Desktop or other managed environments, the same methods apply; allow about 48 hours and one or more restarts for certificates to fully apply.
    5. Verify update completion
      • After deployment and restarts:
        • Confirm UEFICA2023Status is Updated in the registry.
        • Confirm no new Event ID 1801/1795 errors related to missing 2023 Secure Boot certificates.
    6. Understand impact if not updated
      • Devices may still boot and receive regular Windows updates.
      • However, they might not receive future Secure Boot protections for early boot components (such as boot manager), weakening security over time.

    If a device already has expired certificates but can still boot Windows and install updates, the cumulative updates that contain the new Secure Boot certificates can still be applied; the updated certificates are written to firmware following the same guidance above.


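The following script is an added example, not code from either answer above. It combines the single db membership test from the accepted answer with the registry value and event IDs listed in steps 1 and 5 of the AI answer, so one elevated PowerShell run reports everything a practitioner would want before and after the servicing update. Beyond what the page states, it also looks for the 2011 CA ('Microsoft Windows Production PCA 2011') and the 2023 KEK ('Microsoft Corporation KEK 2K CA 2023') by their well-known subject names; those two names, and the decision to filter the System log by event ID only rather than by provider, are my assumptions and should be checked against your own OEM and Microsoft guidance.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original answers). Assumptions are marked below.

function Test-UefiVarContains {
    # Returns $true/$false if the named UEFI signature database contains the
    # given certificate subject string, or $null when Secure Boot variables
    # cannot be read (legacy BIOS, unsupported firmware, non-elevated shell).
    param(
        [Parameter(Mandatory)] [string] $Name,     # db, dbx, KEK or PK
        [Parameter(Mandatory)] [string] $Pattern
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    } catch {
        return $null
    }
    # Subject names inside the DER-encoded certificates are ASCII PrintableStrings,
    # so a literal substring match over the raw bytes is enough (same technique as
    # the accepted answer; the pattern is regex-escaped so '.' etc. match literally).
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Pattern))
}

function Get-SecureBootCertStatus {
    $status = [ordered]@{}

    try { $status.SecureBootEnabled = Confirm-SecureBootUEFI } catch { $status.SecureBootEnabled = $null }

    # The check from the accepted answer.
    $status.Db_HasWindowsUefiCa2023 = Test-UefiVarContains -Name db  -Pattern 'Windows UEFI CA 2023'
    # Assumption: well-known subject names of the expiring 2011 CA and the 2023 KEK.
    $status.Db_HasProductionPca2011 = Test-UefiVarContains -Name db  -Pattern 'Microsoft Windows Production PCA 2011'
    $status.Kek_HasKek2kCa2023      = Test-UefiVarContains -Name KEK -Pattern 'Microsoft Corporation KEK 2K CA 2023'

    # Registry value named in the AI answer; 'Updated' is the expected end state.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -Name UEFICA2023Status -ErrorAction SilentlyContinue
    $status.UEFICA2023Status = if ($reg) { $reg.UEFICA2023Status } else { 'n/a (value not present)' }

    # Event IDs named in the AI answer. Assumption: filter the System log by ID only
    # and show the provider, rather than hard-coding a provider name.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801, 1795 } `
                           -MaxEvents 20 -ErrorAction SilentlyContinue
    $status.RecentRemediationEvents = @($events | Select-Object TimeCreated, Id, ProviderName)

    return [pscustomobject]$status
}

$result = Get-SecureBootCertStatus
$result | Format-List

# Interpretation follows the accepted answer: True means nothing to do manually;
# False means the device is still waiting for (or needs to be targeted by) the
# Microsoft servicing update, after which UEFICA2023Status should read 'Updated'.
if ($result.Db_HasWindowsUefiCa2023 -eq $true) {
    'db already carries Windows UEFI CA 2023: no manual update needed.'
} elseif ($result.Db_HasWindowsUefiCa2023 -eq $false) {
    'db lacks Windows UEFI CA 2023: let the servicing update apply, reboot, then re-run this check.'
} else {
    'Secure Boot UEFI variables could not be read (legacy BIOS, unsupported firmware, or not elevated).'
}
```

Run it once before the rollout to record the baseline and once after the restarts the AI answer mentions; a device that still reports Db_HasWindowsUefiCa2023 = False with recent 1801/1795 events is the one to escalate, and a Kek_HasKek2kCa2023 = False on such a device usually means the OEM firmware step has to happen first.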
