Windows 11 is warning that Secure Boot certificates cannot be updated automatically because of a firmware or configuration limitation. To restore a fully protected, automatically updatable Secure Boot state, use the following steps.
- Make sure the device is fully updated
  - In Windows, go to Settings > Windows Update and install all available updates, including any optional quality or firmware updates offered through Windows Update.
  - This ensures the system has the latest Secure Boot certificate logic and Boot Manager updates. Recent updates (for example KB5074110 and later cumulative updates) include changes that help transition devices from the older 2011 Secure Boot certificates to the newer 2023 certificates so they keep working after the June 2026 expirations.
- Update device firmware (UEFI/BIOS)
  - Out-of-date firmware is a common reason Secure Boot certificates cannot be updated.
  - Go to the PC or motherboard manufacturer's support site and install the latest UEFI/BIOS firmware for the exact model.
  - After updating firmware, restart the device and confirm Secure Boot is still enabled.
- Ensure Secure Boot is properly enabled in UEFI
  - From Windows, select Start > Power > hold Shift and select Restart.
  - Choose Troubleshoot > Advanced options > UEFI Firmware Settings and restart into firmware.
  - In the firmware menus (location varies by OEM):
    - Confirm Boot mode is set to UEFI (not Legacy/CSM).
    - Confirm Secure Boot is Enabled (not just "Available").
    - If there is a Secure Boot mode or OS type, set it to the Windows-specific or "Standard"/"Default" mode recommended by the OEM.
- Reset Secure Boot keys to factory defaults (if available)
  If the device has accumulated non-standard keys or an OEM customization that blocks the new certificates, resetting to factory defaults can allow Windows to apply the updated certificates.
  - In the UEFI firmware menus, locate the Secure Boot section.
  - Look for an option such as Reset to factory keys, Restore factory keys, or similar.
  - If there are both Clear and Reset options, use Reset, not Clear. The goal is to restore the OEM's default Secure Boot variables, not to remove them.
  - Save changes and reboot into Windows.

  After this reset, Windows can again rely on the OEM's standard Secure Boot configuration, which is designed to accept the updated Microsoft Secure Boot certificates that replace the expiring 2011 certificates.
- Let Windows apply the new Secure Boot certificates
  With firmware updated, Secure Boot enabled, and keys reset to defaults, Windows can update the Secure Boot certificates as part of normal updating.
  - Keep the device connected to the internet and powered on so Windows Update can deliver the certificate and Boot Manager updates.
  - If the device is managed (work or school), the administrator might use Intune, Group Policy, or CSP/registry-based methods to push the Secure Boot certificate updates across devices. In that case, no additional local action is required beyond ensuring Secure Boot and firmware are correctly configured.
- If the device fails to boot after changes (recovery path)
  In rare cases, mismatched keys or Boot Manager versions can cause a "Secure Boot violation" or prevent Windows from starting after certificate or firmware changes. If that happens:
  - Enter UEFI firmware and turn off Secure Boot temporarily.
  - If supported, reset Secure Boot keys to factory defaults (again, prefer "Reset" over "Clear").
  - Boot into Windows and repair the EFI boot files if needed, using the documented recovery procedure:
    - Open an elevated Command Prompt.
    - Run:

      ```cmd
      rem Mount the EFI System Partition as drive S:
      mountvol s: /s
      rem Remove the existing (possibly mismatched) boot files from the ESP
      del s:\*.* /f /s /q
      rem Recreate the Boot Manager and BCD store on S: from the current Windows installation
      bcdboot %systemroot% /s S:
      ```

  - Restart the device.
  - Once Windows boots normally, go back into UEFI and re-enable Secure Boot.

  This recovery flow restores a clean, current Boot Manager and Secure Boot configuration so that the updated certificates can be used safely.
- Ongoing considerations
  - Secure Boot certificates originally issued in 2011 begin expiring in June 2026. Devices that remain on outdated firmware or non-default Secure Boot configurations may eventually fail to boot securely or at all.
  - Keeping both Windows and firmware up to date, and avoiding unnecessary customizations to Secure Boot keys, ensures the device continues to receive and use the updated certificates automatically.
If, after these steps, the warning persists but the device still boots normally, contact the device manufacturer with details of the message. They may need to provide a firmware update or guidance specific to that model so it can fully support the updated Secure Boot certificate chain.
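To confirm whether the steps above reached their goal, the following PowerShell (an added example, not part of the original answer) reads the Secure Boot state with the built-in SecureBoot cmdlets and reports which Microsoft CAs are present in the db and KEK variables. The CA subject strings are the published Microsoft certificate names; the Servicing\UEFICA2023Status and AvailableUpdates registry values are assumed to exist on current Windows 11 builds and are reported as empty where absent.

```powershell
#Requires -RunAsAdministrator
# Added diagnostic: reports whether this device is enforcing Secure Boot and
# whether the 2023 Microsoft CAs have already replaced the expiring 2011 ones.
function Test-SecureBootCertState {
    $result = [ordered]@{}

    # 1. Secure Boot must be enforced, not merely "available" in firmware.
    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch {
        # Thrown when the firmware is in Legacy/CSM mode or Secure Boot is unsupported.
        return [pscustomobject]@{ SecureBootEnabled = $false; Note = $_.Exception.Message }
    }

    # 2. Read the signature database (db) and Key Exchange Key (KEK) variables.
    #    Certificate subject names are stored as contiguous ASCII inside each
    #    X.509 entry, so a plain text search is enough to tell 2011 from 2023.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.Db_WindowsProductionPCA2011 = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.Db_WindowsUEFICA2023        = $db  -match 'Windows UEFI CA 2023'
    $result.Db_ThirdPartyUEFICA2011     = $db  -match 'Microsoft Corporation UEFI CA 2011'
    $result.Db_ThirdPartyUEFICA2023     = $db  -match 'Microsoft UEFI CA 2023'
    $result.Kek_2011                    = $kek -match 'Microsoft Corporation KEK CA 2011'
    $result.Kek_2023                    = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # 3. Servicing state written while Windows Update rolls the certificates.
    #    (Assumed value names; empty output means the value is not present.)
    $sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $result.UEFICA2023Status = (Get-ItemProperty -Path "$sbKey\Servicing" -ErrorAction SilentlyContinue).UEFICA2023Status
    $result.AvailableUpdates = (Get-ItemProperty -Path $sbKey -ErrorAction SilentlyContinue).AvailableUpdates

    # 4. "Ready" means enforced, with both the 2023 Windows signing CA in db
    #    and the 2023 KEK present; a 2011-only device still needs the steps above.
    $result.ReadyForJune2026 = [bool]$result.SecureBootEnabled -and
                               $result.Db_WindowsUEFICA2023 -and
                               $result.Kek_2023
    [pscustomobject]$result
}

Test-SecureBootCertState | Format-List
```

A device that reports SecureBootEnabled True but only the 2011 entries has not yet received the certificate update, which usually points at the firmware or key-customization causes described above.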
References:
- Windows 11 and Secure Boot
- Update Secure Boot Certificates for Windows Devices
- How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
- KB5074110: Setup Dynamic Update for Windows 11, version 24H2 and 25H2: January 29, 2026
- Secure boot
- Windows devices for home users, businesses, and schools with Microsoft-managed updates
- Secure the Windows boot process
- July 8, 2025—KB5062553 (OS Build 26100.4652)