Share via

How to manually update Secure Boot certificates in Windows 11 ?

Vivek Singh 186 Reputation points
2026-03-19T19:12:38.92+00:00

Hi guys… I have recently kept my Windows 11 updates paused because I bought a Steam offline account. I want to manually update the Secure Boot certificate on my PC if I might have missed the recent update. Please tell me step by step how to update it manually in case I have missed that update.

Windows for home | Windows 11 | Windows update
0 comments
Answer accepted by question author
  1. VARADHARAJAN K 9,676 Reputation points Volunteer Moderator
    2026-03-20T17:41:50.08+00:00

    @vivek singh

    Method 1

    open cmd prompt with an admin rights and below the following

    step 1

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

    Powershell -command Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    restart system

    step 2

    reg query HKLM\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates

    If you see the value of AvailableUpdates becomes 0x4100,, then again type below

    Powershell -command Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    restart system.

    Method 2

    BY installing latest bios from computer manufacturer

2 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Ivan B 105.6K Reputation points Independent Advisor
    2026-03-19T19:52:35.7333333+00:00

    Hi,

    In some cases, you need to update the BIOS if it doesn't arrive via Windows Update to update the keys, assuming you're following the process to receive all updates through Windows Update.

    If you want to confirm if you had a BIOS update with the updated keys, please let me know if it's a laptop or desktop. If possible, could you provide the laptop model or your desktop configuration?

    Thanks

  2. Q&A Assist
    2026-03-19T19:12:59.47+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Secure Boot certificates on supported Windows 11 devices are normally updated through regular Windows Update; there is no separate consumer UI to “manually” install only the Secure Boot certificates.

    For a home Windows 11 PC, the practical way to ensure the Secure Boot certificates are current is:

    1. Turn Windows Update back on and install all available cumulative updates for Windows 11.
    2. Reboot when prompted, and if another cumulative update appears, install it and reboot again.

    On supported Windows versions, these cumulative updates can:

    • Deliver the new 2023 Secure Boot certificates.
    • Write them into firmware if the device’s firmware supports Secure Boot updates.

    If updates were paused and the Secure Boot certificate update was missed, installing the latest cumulative updates is sufficient; the Secure Boot update can still be applied even if existing certificates are expired, as long as Windows can boot and install updates.

    If the device is organization‑managed (IT/enterprise scenario), administrators should follow Microsoft’s Secure Boot certificate update guidance referenced in the documentation, which covers using the Windows Secure Boot certificate expiration and CA updates process to apply the new certificates and any required firmware changes.

    For virtual machines, the hypervisor provider (for example, Azure, Hyper‑V, VMware) may also update the virtual firmware; long‑running VMs can receive the certificates through Windows Update if the virtual firmware supports Secure Boot updates.

    Secure Boot should not be disabled to work around certificate issues; keeping Windows Update enabled and current is the supported method to stay protected.

    References:

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.