[Commercial PC] Announcement on the Windows Secure Boot Certificate Update

Section 1. Background

Microsoft plans to progressively replace the “Secure Boot” certificates used in Windows systems starting in 2026. Secure Boot certificates are designed to prevent malicious software—such as bootkits—from embedding loaders during the startup process, thereby ensuring the integrity of the boot environment.

The currently deployed certificates—“Microsoft Corporation KEK CA 2011” and “Microsoft Windows Production PCA 2011”—are approaching expiration. If they are not updated to the new certificates—“Microsoft Corporation KEK 2K CA 2023” and “Windows UEFI CA 2023”—devices will no longer be able to receive updates for Windows Boot Manager and other critical security components.

To ensure your commercial PC continues to benefit from secure boot protection and ongoing system updates, please follow the guidance below to verify your device status.

Section 2. Is My Device Affected?

2.1 Not Affected (New Certificate Supported by Default)

All business PCs shipped in 2024 or later, as well as all future new models, have the new Secure Boot certificate pre-integrated. No manual update is required.

Laptops (NB): The following models, as well as all series launched after 2024.

Model Name
BM3406CGA
BM3606CGA
PM5406CGA
PM5606CGA
BM3406CHA
BM3606CHA
PM3406CHA
PM3606CHA
PM3406CKAZ
PM3406CKA
PM3606CKA
PM1403CDA
PM1503CDA
B5405CCA
B3405CCA
B5605CCA
B3605CCA
P3405CVA
P3605CVA
B5605CVA
B3605CVA
B5405CVA
B3405CVA
BR1204FTA
BR1204CTA
BR1104FTA
BR1104CTA
B1403CTA
B1503CTA
B3402FVA
BM1403CDA
BM1503CDA
B1403CVA
B1503CVA
P1403CVA
P1503CVA
P5405CSA


Desktops: The following models, as well as all series launched after 2024.

Model Name
P500SV
V500SV
PM700MK
PM700SK
D900MF
D900SF
T701MF
D700MF
T500MV
P500MV
D700MER
D700ME
X500MA
D701MER
S701TER
D901MDR
D500TER
D700TER
D901SDR
S501MER
PD500TE
G15DS
D800MDR
G16CH
G13CH
S501ME
D500TE
D700TE
G35CA
D900MD
D500SD
D500MD
D700MD
D500TD
D700TD
G15CF
D900MC
D500SC
D700SC
D500TC
D700TC
PD500TC
G10CE
G35CG
GA35DX
D700SF
V500MV
D501MER
D701SER
D501SER
T501MV
D900MDR
D800SDR
D900SDR
S502ME
S502MER
D500MER
D500SER
D700SER
D900SC
D900SD
G35DX
S501MC
S502MD
S500TD
S501MD
S500TC
S500MC
S700SC
D700MC
S500MD
S500SC
S500SD
D701TC
D700SD
D500SE
D500ME
D700SE


All-in-One (AIO): The following models, as well as all series launched after 2024.

Model Name
PM640KA
PM670KA


2.2 Models That Require an Update

If your model is not listed above, it means the device is currently using the older certificate and will need to be updated.


How Do I Get the Update?

For affected models, ASUS has completed submission of the new certificate. The update will be automatically delivered by Microsoft via Windows Update.


Recommended action: Go to Settings > Windows Update and make sure automatic updates are enabled.

Automatic installation: The system will automatically download and install the latest security certificate—no manual tools or downloads are required.


Section 3. Microsoft Third-Party Secure Boot Certificates: Functionality and Necessity

This section explains Microsoft third-party Secure Boot certificates. If your device needs to run non-Windows environments (e.g., Linux) or third-party hardware (e.g., external GPUs), please review the following.

3.1 Microsoft 3rd Party Certificate Overview

Original Certificate: Microsoft Corporation UEFI CA 2011
Updated Certificate: Microsoft UEFI CA 2023
Description: This is an optional certificate used during the boot process to sign third-party applications or operating systems (such as Linux) that are executed outside of the Windows environment. It is not required if such use cases are not applicable.

Updated Certificate: Microsoft Option ROM UEFI CA 2023
Description: This is an optional certificate used during the boot process to sign the Option ROMs of external hardware. If the third-party hardware (such as an external GPU) is not essential during the system boot process, this certificate is not applicable.

3.2 If Microsoft 3rd Party Certificates Are Required, Please Refer to the Following Instructions

Note: If your commercial computer has Windows BitLocker enabled, kindly suspend it in advance by following the instructions below before performing any Secure Boot operations.


Section 4. Checking BIOS Certificate Status and Determining Updates

Devices shipped in 2026 already include these certificates. You may enter BIOS Setup (press F2 during startup) to verify or configure third-party certificate options.


Furthermore, you may refer to Section 8.3 to verify whether the 3rd party certificates are present. If they are not included, please update the BIOS to the latest version and follow Section 5. SOP 1: Update Secure Boot Certificates.


If the required 3rd party certificates still do not appear, please proceed to Section 6. SOP 2: Add Secure Boot Certificates.


In the event that resetting the Secure Boot keys results in the following screen appearing when booting into Windows, kindly follow Section 7. SOP 3: Restore Secure Boot Certificates.


References

  1. https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
  2. https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e


Section 5. SOP 1: Update Secure Boot Certificates

Pre-Operation Notes:

  1. It is strongly recommended to back up all data on your computer in advance to prevent any potential data loss during the manual update process.
  2. If BitLocker is enabled, please ensure it is suspended prior to proceeding with the following steps. Once the process is complete, BitLocker may be re-enabled.
  3. Failure to suspend BitLocker may result in a lockout scenario. In cases where BitLocker cannot automatically unlock the encrypted Windows drive, a recovery key will be required. This key is a 48-digit numeric code that allows you to regain access to your hard drive. Should you be unfamiliar with the procedures outlined below, please contact us for assistance.
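The notes above ask you to suspend BitLocker before touching the Secure Boot keys and to have the recovery key at hand. The following PowerShell is an added example, not part of the ASUS article: it reports the OS drive's BitLocker state, suspends protection for one reboot so the BIOS session does not trigger a recovery prompt, and lists the recovery password protectors. The function names (Get-OsDriveBitLockerState, Suspend-OsDriveBitLocker, Resume-OsDriveBitLocker, Get-OsDriveRecoveryPassword) are this example's own; Get-BitLockerVolume, Suspend-BitLocker and Resume-BitLocker are the built-in BitLocker module cmdlets. It assumes the Windows drive is $env:SystemDrive (normally C:) and an elevated PowerShell session.

```powershell
# Added example (not ASUS code): BitLocker pre-flight for the Secure Boot SOPs.
# Requires an elevated session and the BitLocker module (Windows Pro/Enterprise/Education).

function Get-OsDriveBitLockerState {
    # Summarise the Windows drive; ProtectionStatus 'Off' covers both "suspended" and "never enabled".
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint          = $vol.MountPoint
        VolumeStatus        = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus    = $vol.ProtectionStatus   # On = enforcing, Off = suspended or not enabled
        HasRecoveryPassword = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    }
}

function Suspend-OsDriveBitLocker {
    # Suspend protection before rebooting into BIOS Setup so the changed Secure Boot
    # databases (which alter the TPM PCR7 measurement) cannot lock the drive.
    $state = Get-OsDriveBitLockerState
    if ($state.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "$($state.MountPoint) is not encrypted; nothing to suspend."
        return $state
    }
    if ($state.ProtectionStatus -eq 'Off') {
        Write-Host "BitLocker protection on $($state.MountPoint) is already suspended."
        return $state
    }
    if (-not $state.HasRecoveryPassword) {
        Write-Warning "No recovery password protector on $($state.MountPoint); add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector before continuing."
    }
    # -RebootCount 1: protection resumes automatically after the next Windows boot, i.e. after
    # saving the BIOS changes. Use -RebootCount 0 to keep it suspended until Resume-BitLocker runs.
    Suspend-BitLocker -MountPoint $state.MountPoint -RebootCount 1 | Out-Null
    Get-OsDriveBitLockerState
}

function Resume-OsDriveBitLocker {
    # Step 8 of SOP 1 / step 13 of SOP 2: re-enable protection once the BIOS work is finished.
    Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
    Get-OsDriveBitLockerState
}

function Get-OsDriveRecoveryPassword {
    # The 48-digit recovery password(s) and their protector IDs; keep a copy off the device.
    (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword' |
        Select-Object KeyProtectorId, RecoveryPassword
}

# Typical sequence before an SOP: inspect, confirm a recovery password exists, then suspend.
Get-OsDriveBitLockerState
Get-OsDriveRecoveryPassword
Suspend-OsDriveBitLocker
```

After Suspend-OsDriveBitLocker the state should show ProtectionStatus Off while VolumeStatus stays FullyEncrypted: the data remains encrypted, only the TPM-sealed unlock is temporarily bypassed. If the reboot count expires before the BIOS work is complete, run Suspend-OsDriveBitLocker again before entering Setup.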

If you need to retrieve your BitLocker recovery key, please refer to the article: How to Retrieve Your BitLocker Recovery Key.


Procedure Steps

  1. Power on or restart the system, then press F2 to enter the BIOS setup.
     Press F7 to switch to Advanced Mode, then navigate to Security > Secure Boot (or directly Security > Secure Boot).
  2. Select Key Management.
  3. Select Authorized Signatures (db).
  4. Choose Update.
  5. Select Yes.
     Note: Selecting “Yes” will restore the corresponding certificates to their factory default settings. Any certificates previously added by the system or user will be removed.
  6. Select Details to verify that the Authorized Signatures (db) certificates have been successfully updated.
  7. Press F10 to Save & Exit.
  8. If BitLocker was previously suspended, please ensure it is re-enabled.

Section 6. SOP 2: Add Secure Boot Certificates
6.1 Add Microsoft UEFI CA 2023
  1. Download the Microsoft UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2239872, and save it to the root directory of a USB drive (e.g., “D:\microsoft uefi ca 2023.crt”).
  2. Power on or restart the system, then press F2 to enter the BIOS setup.
     Press F7 to switch to Advanced Mode, then navigate to Security > Secure Boot (or directly Security > Secure Boot).
  3. Select Key Management.
  4. Select Authorized Signatures (db).
  5. Choose Append.
  6. Select No.
  7. Select the USB drive.
  8. Locate and select the file in the root directory: “microsoft uefi ca 2023.crt”.
  9. Select Public Key Certificate, then press Enter on the GUID confirmation screen.
  10. Select Yes.
  11. Verify that Microsoft UEFI CA 2023 is listed under Authorized Signatures (db).
  12. Press F10 to Save & Exit.
  13. If BitLocker was previously suspended, please ensure it is re-enabled.


6.2 Add Microsoft Option ROM UEFI CA 2023
  1. Download Microsoft Option ROM UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2284009, and save it to the root directory of a USB drive (e.g., “D:\microsoft option rom uefi ca 2023.crt”).
  2. Power on or restart the system, then press F2 to enter the BIOS setup.
     Press F7 to switch to Advanced Mode, then navigate to Security > Secure Boot (or directly Security > Secure Boot).
  3. Select Key Management.
  4. Select Authorized Signatures (db).
  5. Choose Append.
  6. Select No.
  7. Select the USB drive.
  8. Locate and select the file stored in the root directory: “microsoft option rom uefi ca 2023.crt”.
  9. Choose Public Key Certificate, then press Enter at the GUID confirmation screen.
  10. Select Yes.
  11. Verify that Microsoft Option ROM UEFI CA 2023 is now listed under Authorized Signatures (db).
  12. Press F10 to Save & Exit.
  13. If BitLocker was previously suspended, please ensure it is re-enabled.


Section 7. SOP 3: Restore Secure Boot Certificates
  1. Download Windows UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2239776, and save it to the root directory of a USB drive (e.g., “D:\windows uefi ca 2023.crt”).
  2. Power on or restart the system, then press F2 to enter the BIOS setup.
     Press F7 to switch to Advanced Mode, then navigate to Security > Secure Boot (or directly Security > Secure Boot).
  3. Select Key Management.
  4. Select Authorized Signatures (db).
  5. Choose Append.
  6. Select No.
  7. Select the USB drive.
  8. Locate and select the file stored in the root directory: “windows uefi ca 2023.crt”.
  9. Select Public Key Certificate, then press Enter on the GUID confirmation screen.
  10. Select Yes.
  11. Verify that Windows UEFI CA 2023 is now listed under Authorized Signatures (db).
  12. Press F10 to Save & Exit.
  13. If BitLocker is enabled, ensure that you have your BitLocker recovery key readily available.


Section 8. PowerShell Certificate Verification Method

How to verify the UEFI Secure Boot key status: the following procedures only read the firmware variables and do not affect the status of Windows BitLocker.

8.1 Preliminary Steps

Type PowerShell in the Windows search bar.

From the search results, right-click Windows PowerShell and select Run as Administrator.


8.2 Verifying Microsoft Windows Secure Boot Certificates

  1. Confirm that the Key Exchange Key (KEK) includes “Microsoft Corporation KEK 2K CA 2023”.
     Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
     A result of True indicates that the "Microsoft Corporation KEK 2K CA 2023" certificate is present.
  2. Confirm that the Signature Database (db) includes "Windows UEFI CA 2023".
     Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
     A result of True indicates that the "Windows UEFI CA 2023" certificate is present.


8.3 Verifying Microsoft 3rd Party Secure Boot Certificates

  1. Confirm that the Signature Database (db) includes "Microsoft UEFI CA 2023".
     Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'
     A result of True indicates that the "Microsoft UEFI CA 2023" certificate is present.
  2. Confirm that the Signature Database (db) includes "Microsoft Option ROM UEFI CA 2023".
     Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Option ROM UEFI CA 2023'
     A result of True indicates that the "Microsoft Option ROM UEFI CA 2023" certificate is present.
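The four checks in Sections 8.2 and 8.3 search the ASCII rendering of a whole firmware variable for a name. As an added example that is not part of the ASUS article, the following PowerShell instead parses the raw KEK and db contents, which are a sequence of UEFI EFI_SIGNATURE_LIST structures, into X.509 certificates, so it can report every trusted certificate's subject and expiry date and run all four checks in one pass. The function names Get-SecureBootCertificate and Test-SecureBootCertificatePresent are this example's own; Get-SecureBootUEFI and Confirm-SecureBootUEFI are built-in Windows cmdlets, and the EFI_CERT_X509_GUID value comes from the UEFI specification. Run it in the elevated PowerShell session described in Section 8.1.

```powershell
# Added example (not ASUS code): enumerate the X.509 certificates in the Secure Boot
# KEK and db variables and check for the 2023 certificates named in Sections 8.2 and 8.3.

# EFI_CERT_X509_GUID (UEFI spec). Lists of any other type, e.g. the SHA-256 hash entries
# that make up most of dbx, are skipped by the parser below.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PK', 'KEK', 'db', 'dbx')]
        [string]$Name
    )
    # Throws on firmware without Secure Boot support; the variables stay readable when Secure Boot is merely disabled.
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0

    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16), SignatureListSize, SignatureHeaderSize, SignatureSize (UINT32 each)
        $sigType  = [guid][byte[]]$bytes[$offset..($offset + 15)]
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)

        # A corrupt list could otherwise loop forever or index past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or ($offset + $listSize) -gt $bytes.Length) {
            Write-Warning "Malformed EFI_SIGNATURE_LIST at offset $offset in $Name; stopping."
            break
        }

        $listEnd = $offset + $listSize
        $cursor  = $offset + 28 + $hdrSize
        while ($cursor + $sigSize -le $listEnd) {
            if ($sigType -eq $EfiCertX509Guid) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($cursor + 16)..($cursor + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $cursor += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-SecureBootCertificatePresent {
    param(
        [Parameter(Mandatory)][string]$Variable,
        [Parameter(Mandatory)][string]$CommonName
    )
    # Match on the subject CN rather than on a raw substring of the whole variable.
    $match = Get-SecureBootCertificate -Name $Variable |
        Where-Object { $_.Subject -like "CN=$CommonName,*" -or $_.Subject -like "*, CN=$CommonName*" } |
        Select-Object -First 1
    [pscustomobject]@{
        Variable    = $Variable
        Certificate = $CommonName
        Present     = [bool]$match
        ExpiresOn   = $(if ($match) { $match.NotAfter })
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is disabled in firmware; the databases below are readable but not being enforced.'
}

# The certificates the article checks in Sections 8.2 and 8.3.
$Expected = @(
    @{ Variable = 'KEK'; CommonName = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Variable = 'db';  CommonName = 'Windows UEFI CA 2023' }
    @{ Variable = 'db';  CommonName = 'Microsoft UEFI CA 2023' }
    @{ Variable = 'db';  CommonName = 'Microsoft Option ROM UEFI CA 2023' }
)
$Expected |
    ForEach-Object { Test-SecureBootCertificatePresent -Variable $_.Variable -CommonName $_.CommonName } |
    Format-Table -AutoSize

# Full inventory of KEK and db, including any remaining 2011 certificates and when each expires.
'KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ } |
    Sort-Object Variable, NotAfter |
    Format-Table Variable, Subject, NotAfter -AutoSize
```

The article's -match commands work because the certificate's subject CN is stored as a printable string inside the DER data, but a substring hit proves only that the text occurs somewhere in the variable and says nothing about validity dates. Decoding the signature lists and reading NotAfter shows exactly which certificates the firmware trusts and when each one expires, which is the concern Section 1 raises; a device that shows Present True for the 2023 entries and still lists the 2011 ones is in the expected transitional state.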