Windows Secure Boot certificate expiration and certificate updates
Since Windows began supporting Secure Boot, most Windows devices have used a series of Microsoft certificates in the UEFI Secure Boot database. These earlier certificates will start expiring gradually from 2026. To maintain boot security and trust chain integrity, systems need to be updated to the 2023 version of Microsoft certificates.
If your system currently has Secure Boot enabled, please ensure these certificates are updated before they expire in mid-2026.
Microsoft recommends completing the Secure Boot certificates update through Windows update:
For most users, the needed updates will be delivered automatically through Windows Updates with no user action required.
Whether the updates were successfully received can be verified through the Windows Security app, as described in Secure Boot certificate update status in the Windows Security app.
When "Windows Update" is enabled and the system has Secure Boot activated (please refer to how to enable Secure Boot), supported Windows devices will automatically download and apply the new Secure Boot certificates and new Boot Manager at the appropriate time.
The new Secure Boot database update has been rolled out in phases to devices with Secure Boot enabled since 2024 and will automatically complete the device update before the certificate expires in June 2026.
[Enable Windows Update to obtain new certificates] 
Q&A
Question 1: How to check the status of UEFI Secure Boot Keys?
Answer: Please refer to the following steps:
1. Enter PowerShell in the Windows system search box
In the search results, click on the Windows PowerShell icon and select Run as Administrator
2. Confirm that Key Exchange Key (KEK) includes "Microsoft Corporation KEK 2K CA 2023"
Enter [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
If True appears, it means it includes "Microsoft Corporation KEK 2K CA 2023"
3. Confirm that Signature Databases (DB) includes "Windows UEFI CA 2023"
Enter [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
If True appears, it means it includes "Windows UEFI CA 2023"
4. Confirm that Signature Databases (DB) includes "Microsoft UEFI CA 2023"
Enter [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'
If True appears, it means it includes "Microsoft UEFI CA 2023"
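The four steps above match the certificate names against the raw bytes of the KEK and db variables, which works because X.509 subject names are stored as ASCII inside the DER encoding. As an added example (this is not code from the ASUS FAQ or from Microsoft), the following script goes further: it parses each EFI_SIGNATURE_LIST in the KEK and db variables into its X.509 certificates, prints their subjects and NotAfter dates so that the entries expiring in 2026 can be seen directly, and then runs the same three presence checks on the parsed subject names. It assumes an elevated PowerShell session on a UEFI system and uses only the built-in Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets; the function name Get-SecureBootCertificate is invented for this example.

```powershell
# Added example, not part of the ASUS FAQ: parse the UEFI Secure Boot KEK and db
# variables into their X.509 certificates, report subject and expiry date, and
# flag whether the three 2023 CAs named in Question 1 are present.
# Run in an elevated PowerShell session on a UEFI system; Get-SecureBootUEFI and
# Confirm-SecureBootUEFI come from the built-in SecureBoot module.

# EFI_SIGNATURE_LIST layout (UEFI specification, "Signature Database"):
#   GUID   SignatureType        16 bytes
#   UINT32 SignatureListSize     4 bytes   (whole list, header included)
#   UINT32 SignatureHeaderSize   4 bytes
#   UINT32 SignatureSize         4 bytes   (each entry: 16-byte owner GUID + data)
#   UINT8  SignatureHeader[SignatureHeaderSize]
#   EFI_SIGNATURE_DATA Signatures[]
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {
    # Hypothetical helper written for this example.
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    [int]$offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        # Stop on a malformed list instead of indexing past the end of the variable.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }

        if ($sigType -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($sigSize -gt 16 -and $pos + $sigSize -le $end) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is DER-encoded X.509.
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        # dbx lists are mostly SHA-256 hashes (EFI_CERT_SHA256_GUID) and are skipped here.
        $offset += $listSize
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled: the variables can be read, but nothing enforces them.'
}

$certs = @('KEK', 'db') | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$certs | Sort-Object Variable, NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize

# The same three checks as Question 1, done on parsed subjects instead of raw bytes.
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' }
)
foreach ($e in $expected) {
    $hit = $certs | Where-Object { $_.Variable -eq $e.Variable -and $_.Subject -like "*CN=$($e.Name)*" }
    '{0,-4} {1,-40} {2}' -f $e.Variable, $e.Name, $(if ($hit) { 'present' } else { 'MISSING' })
}
```

The table shows the 2011 and 2023 entries side by side with their expiry dates, so the state of a device is visible at a glance rather than as three separate True/False results. A MISSING line for any of the 2023 names means the firmware has not yet received that certificate, which is the situation Questions 3 and 6 below describe.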
Question 2: What happens if my device does not obtain a new Secure Boot certificate before the old certificate expires?
Answer: After the Secure Boot certificate expires, devices that have not yet received the new 2023 certificates can still start and operate normally, and standard Windows updates will continue to be installed. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to the Windows Boot Manager, the Secure Boot databases and revocation list, or mitigations for newly discovered boot-level vulnerabilities.
Over time, this limits the device's protection against emerging threats and may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening or third-party boot loaders. Most Windows devices will receive the updated certificates automatically, and many OEMs will also provide firmware updates when needed. Keeping the device up to date helps ensure that it continues to receive the complete security protection Secure Boot is designed to provide.
Question 3: What are the effects of turning Secure Boot off on a device?
Answer: Devices with Secure Boot turned off will not receive the new Secure Boot certificates in the firmware. They also remain vulnerable to boot-level malware (such as bootkits), because Secure Boot protection is not enforced.
Question 4: After resetting the firmware to the default settings, the device stopped booting - what happened? How should I fix it?
Answer: If Windows has already used the 2023 signed boot manager, but the firmware is reset to the default value that does not include the Windows UEFI CA 2023 certificate, secure boot will block the boot process.
You can refer to the FAQ:
[Notebook] Troubleshooting - Secure Boot Violation Error at Startup
[Desktop] Troubleshooting - "Secure Boot Violation" Appears at Startup
Question 5: If the Secure Boot certificate of my device has expired, can I still receive an updated certificate?
Answer: Yes. Even if the existing certificates have expired, cumulative updates containing the new Secure Boot certificates can still be applied. If the device can start Windows and install updates, the updated certificates can be written into the firmware according to the published deployment guidelines. Most devices will receive these updates automatically, but some systems may require additional firmware updates.
Question 6: What should I do if I find a TPM WMI error message (Event ID: 1801) in the Event Viewer?
Answer: This event means that the Secure Boot certificates have been updated in Windows but have not yet been applied to the device firmware.
Please keep running Windows Update and check in Update history whether KB5079473 or a later update has been installed.
Windows 11, version 25H2 update history.
Question 7: What should I do if I find a TPM WMI error message (Event ID: 1802) in the Event Viewer?
Answer: This event means that the boot update has been deliberately blocked because the device matches a known firmware or hardware condition that prevents the update from completing safely.
Please report the issue through the ASUS service center.
Question 8: What should I do if I find a TPM WMI error message (Event ID: 1803) in the Event Viewer?
Answer: This event means that the device cannot find a Key Exchange Key (KEK) signed by the Platform Key (PK).
Please report the issue through the ASUS service center.
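Questions 6 to 8 describe three TPM-WMI events that have to be found by hand in Event Viewer. As an added example (not code from the ASUS FAQ or from Microsoft), the script below queries the System log for those three event IDs, groups them, and annotates each with the meaning and action the FAQ gives. It assumes an elevated PowerShell session and that the events are written by the provider named Microsoft-Windows-TPM-WMI, which is the provider shown as "TPM-WMI" in Event Viewer; the function name Get-SecureBootUpdateEvent is invented for this example.

```powershell
# Added example, not part of the ASUS FAQ: list the TPM-WMI Secure Boot update
# events from Questions 6 to 8 and annotate each with the meaning the FAQ gives.
# Assumption: the events are written to the System log by the provider
# 'Microsoft-Windows-TPM-WMI' (shown as "TPM-WMI" in Event Viewer).
# Run in an elevated PowerShell session.

$Meaning = @{
    1801 = 'Certificates updated by Windows but not yet applied to firmware; keep installing Windows Update (KB5079473 or later).'
    1802 = 'Update deliberately blocked because the device matches a known firmware/hardware condition; contact the ASUS service center.'
    1803 = 'No KEK signed by the Platform Key (PK) was found; contact the ASUS service center.'
}

function Get-SecureBootUpdateEvent {
    # Hypothetical helper written for this example.
    param([int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = @(1801, 1802, 1803)
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as "no events".
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Group-Object Id |
        ForEach-Object {
            $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
            [pscustomobject]@{
                EventId  = [int]$_.Name
                Count    = $_.Count
                LastSeen = $latest.TimeCreated
                Meaning  = $Meaning[[int]$_.Name]
                Message  = ($latest.Message -split "`r?`n")[0]   # first line of the event text
            }
        }
}

$events = Get-SecureBootUpdateEvent -Days 30
if (-not $events) {
    'No TPM-WMI events 1801-1803 in the last 30 days.'
} else {
    $events | Sort-Object EventId | Format-List
}
```

Event 1801 is expected to disappear once the certificates have been written to firmware, so a 1801 that keeps recurring after the relevant cumulative update is installed is worth re-checking with the Question 1 steps; 1802 and 1803 indicate conditions that Windows Update alone will not resolve.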
Ref:
Windows Secure Boot certificate expiration and CA updates - Microsoft Support
Secure Boot certificate update status in the Windows Security app - Microsoft Support
Frequently asked questions about the Secure Boot update process - Microsoft Support
Secure Boot DB and DBX variable update events - Microsoft Support
Windows 11, version 25H2 update history - Microsoft Support