Windows 11 Secure Boot update

Question

Windows 11 Secure Boot Update has not been installed via normal Update Process how to manually update

Answer 1

Hi,

In this case, the Secure Boot Key update comes through Windows Update. However, if you don't update via BIOS, it depends on your laptop model or desktop motherboard.

What is the model of your laptop or the configuration of your desktop computer?

To check if you have updated your keys, just follow the procedure below:

Open a PowerShell console and make sure PowerShell is running as an administrator before running the following commands:

Imposta la chiave di registro su Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot” -Name “AvailableUpdates” -Value 0x40

Run the following scheduled task as Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Restart your computer twice after running these commands to verify that your computer starts with the updated database.

To verify that the Secure Boot database upgrade was successful, open a PowerShell console and make sure PowerShell is running as an administrator before running the following command: [System.Text.Encoding]::ASCII. GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

Check if the result is true;

If it says true, just wait for the update. If it takes longer than I mentioned and hasn't updated, perhaps the keys are in a BIOS file for update, so you would have to check if the motherboard manufacturer released a BIOS update with the updated keys.

Credits: https://support.microsoft.com/en-us/topic/scadenza-del-certificato-di-avvio-protetto-di-windows-e-aggiornamenti-della-ca-7ff40d33-95dc-4c3c-8725-a9b95457578e

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Thanks

Answer 2

To manually install the Windows 11 Secure Boot–related (Safe OS / WinRE) update when it does not arrive through Windows Update, use the Microsoft Update Catalog and, if needed, add it to Windows RE manually.

1. Identify the correct KB for the Windows 11 version
   • For Windows 11 23H2: KB5069341, KB5072543, or KB5073454 (Safe OS Dynamic Updates for 23H2).
   • For Windows 11 24H2 / Windows Server 2025: KB5063689, KB5070186, or KB5077180.
   • For Windows 11 25H2: KB5070186 or KB5077180.
   • For Windows 11 26H1: KB5077178. These Safe OS Dynamic Updates include improvements to the Windows recovery environment (WinRE) and are part of the preparation for Secure Boot certificate changes.
2. Download the update from Microsoft Update Catalog
   1. Open the Microsoft Update Catalog page for the appropriate KB:
      • KB5069341: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5069341
      • KB5072543: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5072543
      • KB5073454: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5073454
      • KB5063689: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5063689
      • KB5070186: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5070186
      • KB5074108: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5074108
      • KB5077178: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5077178
      • KB5077180: https://www.catalog.update.microsoft.com/Search.aspx?q=KB5077180
   2. Choose the package that matches the system version and architecture (for most home systems: Windows 11 x64).
   3. Download the .msu file to the PC.
3. Install the update manually (standard OS)
   1. Double‑click the downloaded .msu file.
   2. Follow the on‑screen prompts to install.
   3. Restart the device when prompted.
4. Manually add the package to Windows RE (if required) If the goal is specifically to ensure WinRE/Safe OS is updated (for example, to align with Secure Boot certificate changes) and the package needs to be injected into WinRE:
   1. Follow the steps in “Add an update package to Windows RE”:
      • See: https://learn.microsoft.com/windows-hardware/manufacture/desktop/add-update-to-winre?view=windows-11
   2. That article walks through:
      • Mounting the WinRE image.
      • Adding the downloaded Safe OS update package.
      • Committing changes and re‑enabling WinRE.
5. Review Secure Boot certificate guidance Since Secure Boot certificates used by most Windows devices start expiring in June 2026, review and follow the preparation steps in “Windows Secure Boot certificate expiration and CA updates” to ensure the device remains able to boot securely:
   • https://support.microsoft.com/topic/7ff40d33-95dc-4c3c-8725-a9b95457578e

After installing the correct Safe OS Dynamic Update and applying any required certificate updates, Secure Boot–related servicing for Windows 11 and WinRE will be up to date on the device.

---

References:

• KB5069341: Safe OS Dynamic Update for Windows 11, version 23H2: November 11, 2025
• KB5074108: Safe OS Dynamic Update for Windows 11, versions 24H2 and 25H2: January 13, 2026
• KB5070186: Safe OS Dynamic Update for Windows 11, version 24H2 and 25H2, and Windows Server 2025: November 11, 2025
• KB5073454: Safe OS Dynamic Update for Windows 11, version 23H2: January 13, 2026
• KB5077178: Safe OS Dynamic Update for Windows 11, version 26H1: February 10, 2026
• KB5077180: Safe OS Dynamic Update for Windows 11, versions 24H2 and 25H2: February 10, 2026
• KB5072543: Safe OS Dynamic Update for Windows 11, version 23H2: December 9, 2025
• KB5063689: Safe OS Dynamic Update for Windows 11, version 24H2 and Windows Server 2025: July 22, 2025