I cannot update my secure boot

C.M. Nissen 0 Reputation points
2026-06-14T19:08:49.0133333+00:00

I cannot update my secure boot. Windows security keeps turning off. I just did a BitLocker offline scan of my computer, but it says I need to update my secure boot certificates. I downloaded them and installed them, but nothing has changed. My BitLocker offline scan did find a severe Trojan, but it was quarantined and removed.

Windows for home | Windows 11 | Security and privacy

2 answers

  1. Sin-D 10,315 Reputation points Microsoft External Staff Moderator
    2026-06-15T01:48:36.01+00:00

    Hi C.M. Nissen,

    I understand the situation, thank you for the detailed description. This looks like a Secure Boot certificate update not being applied at firmware level, especially since Windows Security keeps reverting.

    Have you already tried the Q&A Assist suggestions? In addition, could you confirm:

    • Your device model (e.g., Dell/HP or custom-built PC)?
    • Does “Secure Boot State” in msinfo32 show On or Off?

    In the meantime, please try the following:

    1, Verify Secure Boot state in BIOS

    Windows can report outdated status if firmware keys didn’t apply.

    1. Restart your PC > enter BIOS/UEFI (usually F2, DEL, ESC)
    2. Go to “Secure Boot” section
    3. Check:
    • “Secure Boot” = Enabled
    • Look for option like “Key Management” or “Restore Factory Keys”

    If available, choose “Restore/Install factory default keys”, then save and reboot

    2, Re‑sync Secure Boot status in Windows

    After reboot:

    1. Press Windows + R > type msinfo32
    2. Check:
      • “Secure Boot State” = On
      • “BIOS Mode” = UEFI

    If Secure Boot shows Off or unsupported, the certificate update will not apply.

    3, Temporarily suspend BitLocker (before retry)

    To avoid conflicts during updates:

    1. Search “Manage BitLocker”
    2. Click “Suspend protection”
    3. Restart the device once

    Then retry the certificate update / Windows update again.

    4, Make sure firmware is fully up to date

    Even if Windows is updated, OEM firmware tools may be required.

    Check your device manufacturer’s support page and install:

    • Latest BIOS/UEFI update
    • Any “security firmware” updates

    If you're on a prebuilt (Dell, HP, Lenovo), use their update utility.

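The two checks the moderator asks for (BIOS mode and Secure Boot state, as msinfo32 reports them) and the BitLocker suspension in step 3 can be done from one elevated PowerShell session. The script below is an added example for this thread, not code from the answer or from Microsoft; it assumes the OS volume is C: and uses the built-in SecureBoot and BitLocker modules that ship with Windows 11.

```powershell
# Added example (not from the thread): pre-flight checks before retrying a
# Secure Boot certificate update on a BitLocker-protected Windows 11 PC.
# Run in an elevated PowerShell session. Assumes the OS volume is C:.

#Requires -RunAsAdministrator

function Get-BootPreflight {
    # Same information msinfo32 shows as "BIOS Mode" and "Secure Boot State".
    $firmwareType = $env:firmware_type            # "UEFI" or "Legacy"
    $secureBoot   = $false
    try {
        # $true/$false; throws "not supported" on non-UEFI systems
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        $secureBoot = $false
    }

    $osVolume = Get-BitLockerVolume -MountPoint 'C:'

    [pscustomobject]@{
        BiosMode            = $firmwareType
        SecureBootOn        = $secureBoot
        BitLockerProtection = $osVolume.ProtectionStatus   # On / Off
        BitLockerVolume     = $osVolume.VolumeStatus       # FullyEncrypted etc.
        ReadyForCertUpdate  = ($firmwareType -eq 'UEFI' -and $secureBoot)
    }
}

$state = Get-BootPreflight
$state | Format-List

if (-not $state.ReadyForCertUpdate) {
    Write-Warning 'Secure Boot is off or the PC booted in legacy mode; enable Secure Boot in firmware first, the certificate update will not apply otherwise.'
    return
}

# Suspend BitLocker for exactly one reboot so a changed PCR7 measurement
# after the firmware/certificate update does not trigger a recovery prompt.
# Protection resumes automatically after that reboot.
if ($state.BitLockerProtection -eq 'On') {
    Suspend-BitLocker -MountPoint 'C:' -RebootCount 1 | Out-Null
    Write-Host 'BitLocker suspended for the next reboot. Apply the firmware/certificate update now and restart.'
}
```

Using `-RebootCount 1` rather than the "Suspend protection" button has the advantage that protection cannot be left off by accident: it is re-armed on the next start without any further action.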

  2. AI answer

    2026-06-14T19:09:01.92+00:00

    Updating Secure Boot certificates is a firmware-level change, and several things can prevent the update from taking effect even if the package was installed in Windows.

    Use the following checks and steps:

    1. Confirm whether the certificates are actually updated
      • Check for common indicators that the device is still on 2011 certificates:
        • Secure Boot certificate status shows “not updated” in whatever tool or report is being used.
        • In Event Viewer → Windows Logs → System, look for Event ID 1801 or 1795 indicating the Secure Boot certificate remediation has not applied.
        • In the registry, the value UEFICA2023Status is not set to Updated.
      • If these indicators are present, the firmware has not accepted or applied the new 2023 Secure Boot certificates.
    2. Update firmware (UEFI/BIOS) first
      • Many Secure Boot certificate issues are caused by outdated firmware that cannot handle the newer certificates or larger signatures.
      • Install the latest UEFI/BIOS/firmware update from the device or motherboard OEM, then reboot.
      • After updating firmware, reapply the Secure Boot certificate update from Windows and reboot again.
    3. Pilot and test before assuming success
      • After applying the update and rebooting, verify:
        • Windows boots normally without Secure Boot errors.
        • No repeated BitLocker recovery prompts or boot loops.
        • Secure Boot status and logs no longer show the device as “not updated.”
    4. Use a supported deployment method for the certificate update
      • Ensure the Secure Boot certificate update is applied using one of the supported mechanisms:
        • Microsoft Intune
        • Registry-based deployment
        • Windows Configuration Service Provider (CSP) / Windows configuration system
        • Group Policy
      • For step-by-step deployment guidance and playbook details, follow the guidance in the Secure Boot playbook referenced in the documentation.
    5. If firmware blocks the Secure Boot update
      • Some firmware actively blocks Secure Boot updates or cannot handle the new certificates.
      • In that case:
        • Work with the device OEM to obtain a firmware update that supports the 2023 Secure Boot certificates.
        • Do not force removal or untrusting of 2011 certificates until the firmware is confirmed to boot correctly with the new certificates.
    6. If the device cannot be updated before certificate expiration
      • If the 2011 Secure Boot certificates expire and the device still has not received the 2023 certificates:
        • The device will generally continue to boot and install standard Windows updates.
        • However, it will no longer receive new boot-level security protections, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for new boot vulnerabilities.
      • It is strongly recommended to complete the Secure Boot certificate update as soon as possible to restore full boot-level protection.
    7. Interaction with BitLocker
      • When Secure Boot certificates or firmware are changed, some devices may:
        • Prompt for BitLocker recovery (sometimes repeatedly) if PCR7 binding or platform validation changes.
      • Before applying Secure Boot/DBX updates on BitLocker-protected systems, consider temporarily suspending BitLocker protectors for the required reboot cycles using manage-bde as documented, then re-enabling after updates and reboots complete, to avoid unnecessary recovery prompts.
    8. If Secure Boot still will not update
      • If, after firmware updates and reapplying the Secure Boot certificate update, the device still:
        • Logs Event ID 1801/1795 indicating failure, or
        • Shows Secure Boot certificate status as not updated, then the next steps are:
        • Engage the OEM for firmware-level support (some OEM firmware simply cannot accept the new certificates without a vendor fix).
        • Follow the detailed troubleshooting guidance and OEM Secure Boot pages referenced in the documentation for blocked or postponed Secure Boot updates.

    The Trojan that was quarantined and removed is separate from the Secure Boot certificate update process. However, keeping Secure Boot certificates current is important to maintain protection against future boot-level malware.


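The three "still on 2011 certificates" indicators in step 1 (registry value, Event IDs 1801/1795, and the certificate status itself) can be read in one place. The script below is an added example for this thread, not Microsoft's tooling; the registry key path is an assumption (only the value name UEFICA2023Status comes from the answer), and the db check relies on the fact that a certificate's subject name is stored as plain text inside the DER blob in the firmware's db variable, so a substring search on the raw bytes gives a reliable yes/no.

```powershell
# Added example (not from the thread): verify whether the 2023 Secure Boot
# certificates have actually been applied. Run in an elevated session.
# The registry key path below is an assumption; the value name is from the answer.

#Requires -RunAsAdministrator

function Get-SecureBootCertStatus {
    # 1. Status value written by the Secure Boot servicing task (assumed key path).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $regStatus = (Get-ItemProperty -Path $servicingKey -Name 'UEFICA2023Status' `
                    -ErrorAction SilentlyContinue).UEFICA2023Status

    # 2. Does the firmware's db already contain the new Windows UEFI CA 2023?
    #    Subject names are plain ASCII inside the DER-encoded certificates.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $has2023 = $dbText -match 'Windows UEFI CA 2023'
    $has2011 = $dbText -match 'Microsoft Windows Production PCA 2011'

    # 3. Recent Secure Boot servicing events in the System log (IDs from the answer).
    #    Get-WinEvent reports "no events found" as an error, hence SilentlyContinue.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1795, 1801 } `
                -MaxEvents 10 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        RegistryStatus = $regStatus          # expected 'Updated' when done
        DbHas2023CA    = $has2023
        DbHas2011CA    = $has2011            # still present during transition, that is normal
        RecentEvents   = $events
        Updated        = ($regStatus -eq 'Updated' -and $has2023)
    }
}

$s = Get-SecureBootCertStatus
$s | Select-Object RegistryStatus, DbHas2023CA, DbHas2011CA, Updated | Format-List
$s.RecentEvents | Format-Table -AutoSize

if (-not $s.Updated) {
    Write-Warning 'Firmware has not accepted the 2023 certificates yet. Install the OEM UEFI/BIOS update, reapply the certificate update, reboot, then run this check again.'
}
```

Seeing `DbHas2011CA` still true alongside `DbHas2023CA` is expected: step 5 above says not to remove or untrust the 2011 certificates until the device is confirmed to boot with the new ones, so both are present while the transition is in progress.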
