
how to manually/force apply updated secure boot certificates without a firmware update?

Catherine
2026-03-03T05:07:51.22+00:00

Is there a way to manually apply or force apply the certificates to existing firmware? My computer manufacturer (Acer) has stated they do not plan to release an updated BIOS for my model. In Event Viewer, I get the message "updated security certificates are available for this computer but not yet applied to firmware". I would rather stay out of the BIOS boot menu if possible, as it's a scary place knowing you could easily mess things up. I've seen another post where I could go into the BIOS and in the Secure Boot area choose "Restore Factory Keys" OR "Reset to Setup Mode", but on mine (Acer Predator PHN16-71) the closest option I see for this is "Restore Secure Boot To Factory Defaults". Is that the same thing? I'm so worried about making my computer not boot but want to be secure. I probably just missed the update - got the computer at the end of 2023, confirmed certificates have not yet been applied.


1 answer

  1. Q&A Assist
    2026-03-03T05:08:08.8766667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows can apply the updated Secure Boot certificates to existing firmware without requiring a BIOS/firmware update, as long as the device can boot Windows and install updates.

    Key points from the documented behavior:

    1. Expired or missing certificates can still be updated from Windows
      Even if the existing Secure Boot certificates are expired or not yet applied, the cumulative updates that contain the new 2023 Secure Boot certificates can still be installed, and Windows can write the updated certificates into firmware by following the published deployment guidance. This applies to devices that can boot Windows and install updates.
    2. Do not disable Secure Boot or rely on firmware reset as the primary method
      Disabling Secure Boot or randomly changing firmware options is not recommended. Disabling Secure Boot significantly reduces protection and is not the supported workaround for certificate expiration or update issues.
    3. How to check if the 2023 certificates are already applied
      Use the documented registry-based status check:
         (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -Name 'UEFICA2023Status').UEFICA2023Status
      
      If the status shows Updated, no further action is needed.
    4. How to force/apply the updated certificates from Windows (no BIOS menu required)
      The supported way to push the new certificates into the Secure Boot DB from Windows is:
      1. Make sure the latest cumulative update that includes the Secure Boot changes is installed (for example, the July 8, 2025 servicing update or later, as required by the mitigation guidance).
      2. From an elevated Command Prompt, set the registry flag and trigger the Secure Boot update task:
              # Run both lines in one elevated PowerShell session: reg.exe works there as well,
              # and Start-ScheduledTask is a PowerShell cmdlet that cmd.exe cannot run.
              reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
              Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
        
      3. If Virtual Secure Mode features (Credential Guard, Device Guard, Windows Hello, etc.) are enabled, a restart may be required.
      4. After the task runs and the system has restarted (twice is recommended in the Secure Boot servicing guidance), verify that the DB has been updated by running this PowerShell command as Administrator:
              [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
        
        If it returns True, the updated 2023 certificate is present in the Secure Boot DB and the update was successful.
    5. If Windows reports that certificates are updated but not applied to firmware
      When Event Viewer shows that Secure Boot certificates have been updated but are not yet applied to firmware, Windows will continue to attempt to apply them on subsequent restarts. If the firmware returns an error during DB/DBX/KEK update, an error event (such as Event ID 1795 or 1801 from TPM-WMI) is logged. In that case:
      • Windows will retry on the next restart.
      • If errors persist, the guidance is to contact the device manufacturer to see if a firmware update is available. However, even without a new BIOS, as long as the firmware supports Secure Boot variable updates, the Windows-side process above is the correct method.
    6. Virtual machines and similar environments
      For completeness: in virtualized environments, either the platform provider updates the virtual firmware, or Windows applies the certificates through the same Secure Boot update mechanism, if the virtual firmware supports it.
    7. Impact if certificates remain unapplied
      If the device reaches certificate expiration without the new certificates applied, it will still boot and operate normally, and standard Windows updates will continue to install. However, new Secure Boot and Boot Manager protections, early-boot vulnerability fixes, and some third‑party components that rely on updated Secure Boot trust will not be available, so protection is reduced over time.

    In summary, the supported way to “force” application of the updated Secure Boot certificates without entering firmware setup is to:

    • Ensure the latest cumulative updates are installed.
    • Use the documented registry flag and Secure-Boot-Update scheduled task from an elevated session.
    • Reboot (twice if needed) and verify with Get-SecureBootUEFI db that Windows UEFI CA 2023 is present.

    No manual BIOS key reset is required for this process, and Secure Boot should not be disabled.



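The check / request / verify procedure from the answer above, as one script. This is an added example written for this page; it is not code from the Q&A Assist answer and not Microsoft's tooling. It goes beyond the answer's raw substring match by parsing the DB variable's EFI_SIGNATURE_LIST entries, so you see every X.509 certificate in DB with its expiry date, not just a True/False. Assumptions not stated on the page: the System-log provider for the TPM-WMI events is named Microsoft-Windows-TPM-WMI, the 0x40 bit is OR-ed into any existing AvailableUpdates value rather than overwriting it, and all function names here are my own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the answer or from Microsoft). Run in an elevated
# PowerShell session: Start-ScheduledTask is a PowerShell cmdlet, so it will
# not run from cmd.exe. Assumptions: provider name 'Microsoft-Windows-TPM-WMI';
# OR-ing 0x40 into AvailableUpdates is safe because the servicing task clears
# the bits it has processed.

$SbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$TaskName = '\Microsoft\Windows\PI\Secure-Boot-Update'
$DbFlag   = 0x40   # AvailableUpdates bit: "add Windows UEFI CA 2023 to DB"

# Walk an EFI_SIGNATURE_LIST chain (UEFI spec: GUID SignatureType, UINT32
# SignatureListSize, UINT32 SignatureHeaderSize, UINT32 SignatureSize, header,
# then EFI_SIGNATURE_DATA entries of 16-byte owner GUID + payload) and return
# every X.509 certificate found in the named Secure Boot variable.
function Get-SecureBootCertificates {
    param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Name = 'db')
    $bytes    = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset   = 0
    while ($offset + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset in $Name"
        }
        if ($type -eq $x509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER cert.
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-Ca2023InDb {
    [bool](Get-SecureBootCertificates -Name db | Where-Object Subject -like '*Windows UEFI CA 2023*')
}

function Get-Ca2023Status {
    # NotStarted / InProgress / Updated, or $null when the value does not exist yet.
    (Get-ItemProperty -Path "$SbKey\Servicing" -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
}

function Get-SecureBootServicingEvents {
    param([int]$Days = 14)
    # Event IDs named in the answer above; provider name is an assumption.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id = 1795, 1801; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

function Request-Ca2023DbUpdate {
    $current = (Get-ItemProperty -Path $SbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $SbKey -Name AvailableUpdates -Value ($current -bor $DbFlag) -Type DWord
    Start-ScheduledTask -TaskName $TaskName
}

# --- main flow ---
if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is off; enable it in firmware before servicing DB.' }
"UEFICA2023Status : $(Get-Ca2023Status)"
Get-SecureBootCertificates -Name db | Format-Table Subject, NotAfter -AutoSize
if (Test-Ca2023InDb) {
    'Windows UEFI CA 2023 is already in DB; nothing to do.'
} else {
    Request-Ca2023DbUpdate
    'Update requested. Restart twice, then re-run this script to verify.'
}
'Recent TPM-WMI Secure Boot servicing events (1795/1801):'
Get-SecureBootServicingEvents | Format-Table -AutoSize
```

Run it once before touching anything to see what DB currently holds (on a late-2023 machine you should see the Microsoft Windows Production PCA 2011 entry and its 2026 expiry), once after the two restarts to confirm the 2023 CA appears, and read the event list: repeated 1795 errors after the task has run mean the firmware rejected the variable write, which is the case the answer says to raise with the manufacturer, and no registry flag will get around it.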
