How to update secure boot certificate Windows 11 pro

Anonymous
2026-05-29T13:59:53.9866667+00:00

Hello,

I have a Windows laptop bought in 2025 with Windows 11 Pro, and in Device Security I have the message that the security boot certificate has to be updated.
What is the procedure for this process?


Answer accepted by question author

DaveM121 884.5K Reputation points Independent Advisor
2026-05-29T14:38:44.29+00:00

Microsoft only started rolling out the Secure Boot Certificates updates in May. Most likely, you have already received the update even though you see that notification in the Settings app.

1

Open the Settings App.

Go to Windows updates - Update History.

Scroll down to the 'Other Updates' section.

Do you see the 'Secure Boot Allowed Signature Database (DB)' update listed there?

2

Click your Start Button, then just type powershell, then right-click PowerShell and select 'Run as Administrator'.

Paste this command into PowerShell and press Enter.

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes) -match 'Windows UEFI CA 2023')

What is returned from that command, is it True or False?

2 people found this answer helpful.

1 additional answer

  1. AI answer

    2026-05-29T14:00:24.73+00:00

    On a Windows 11 Pro laptop bought in 2025, Secure Boot certificate updates are normally delivered automatically through Windows Update and, when needed, through OEM firmware (UEFI/BIOS) updates. The message being seen indicates the device is still using the older 2011 Secure Boot certificates and needs to move to the 2023 certificates.

    Follow these steps:

    1. Make sure the OS is supported and fully updated
      1. Open Settings → Windows Update.
      2. Ensure Windows updates are not paused.
      3. Select Check for updates and install all available updates, including cumulative updates and any optional security updates.
      4. Restart the device as many times as required until Windows Update reports that the system is up to date.
    2. Confirm Secure Boot is enabled
      1. Press Windows + R, type msinfo32, and press Enter.
      2. In System Information, verify Secure Boot State shows On.
      3. If it is not On, do not change firmware settings yet; first check with the device manufacturer for guidance, because firmware must already contain the latest Secure Boot configuration.
    3. Allow Microsoft-managed update to run (for home/Pro devices)
      On supported Windows 10/11 systems that share diagnostic data and are not IT‑managed, Microsoft attempts to update Secure Boot certificates automatically. Keeping Windows Update enabled and the device on a supported Windows 11 version is usually sufficient. Over time, the device should receive the new 2023 Secure Boot certificates through standard updates.
    4. If the message persists after staying fully updated
      • Check the OEM support site for this specific laptop model and install any available UEFI/BIOS or firmware updates, as these can include Secure Boot configuration updates.
      • After applying firmware updates, run Windows Update again to pick up any remaining Secure Boot–related updates.

    For IT‑managed or enterprise devices, administrators can use Intune, Group Policy, registry keys, or CSP-based deployment following the Secure Boot playbook and mitigation guidance, but for a personal Windows 11 Pro laptop the supported path is to stay on a supported OS version, keep Windows Update enabled, and apply OEM firmware updates when offered.

