Windows Secure Boot Certificate Expiration and Update Guidelines

Since the introduction of Secure Boot support in Windows, the majority of Windows devices have utilized the same series of Microsoft certificates within the UEFI Secure Boot database. These legacy certificates are scheduled to expire under a rolling timeline starting in 2026. To maintain boot security and ensure the integrity of the chain of trust, systems must be updated to the 2023 version of the Microsoft certificates.

If Secure Boot is currently enabled on your system, please ensure the certificate update is completed prior to the mid-2026 expiration deadline.

Microsoft Recommendation: Updating Secure Boot Certificates via Windows Update

For the majority of users, the required updates will be deployed automatically through Windows Update, requiring no manual intervention. To verify whether the update has been successfully applied, check the Windows Security app as described in Microsoft's article "Secure Boot Certificate Update Status in the Windows Security App."

When Windows Update is enabled and Secure Boot is active, supported Windows devices will automatically download and apply the new Secure Boot certificates and updated Boot Manager at an appropriate time.

The phased rollout of the new Secure Boot database updates for Secure Boot-enabled devices commenced in 2024. All affected devices are expected to complete the update automatically before the certificate expiration deadline in June 2026.

Q&A

Q1: How do I check the UEFI Secure Boot Keys status?

Step 1: In the OS, open PowerShell with administrative privileges.

Step 2: Verify that the Key Exchange Key (KEK) includes "Microsoft Corporation KEK 2K CA 2023".

Input:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'

If "True" appears, "Microsoft Corporation KEK 2K CA 2023" is included.

Step 3: Verify that the Signature Database (db) includes "Windows UEFI CA 2023".

Input:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If "True" appears, "Windows UEFI CA 2023" is included.

Step 4: Verify that the Signature Database (db) includes "Microsoft UEFI CA 2023".

Input:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'

If "True" appears, "Microsoft UEFI CA 2023" is included. Each command searches the raw bytes of the UEFI variable for the certificate's subject name, so "False" means that certificate is not present in that variable.
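As an added check that goes beyond the substring match in the steps above, the following PowerShell script (written for this page, not ASUS or Microsoft code) parses the PK, KEK and db variables as EFI_SIGNATURE_LIST structures and prints each certificate's subject and expiry date, so both the presence of the 2023 CAs and the remaining lifetime of the 2011 ones are visible; the PK is listed so the PK owner (ASUS or AMI) needed for the remediation table in Q9 can be read off. It assumes an elevated PowerShell session on a UEFI system and uses only the built-in Get-SecureBootUEFI cmdlet.

```powershell
# Added example (not ASUS or Microsoft code): parse the EFI_SIGNATURE_LIST entries of a
# Secure Boot variable, list its X.509 certificates with expiry dates, and check for the 2023 CAs.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes   # built-in cmdlet, needs elevation
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16), SignatureListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4)
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list; stop rather than loop forever
        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
                $pos += $sigSize
            }
        }
        $offset += $listSize   # lists of other types (e.g. SHA-256 hashes in dbx) are skipped
    }
}

# CA names the page says must be present after the update; PK is listed only so the
# owner (ASUS or AMI) can be read off for the remediation table.
$Expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
}
foreach ($var in 'PK', 'KEK', 'db') {
    $certs = @(Get-SecureBootCertificate -Name $var)
    $certs | Format-Table Variable, Subject, NotAfter -AutoSize | Out-String | Write-Host
    foreach ($cn in $Expected[$var]) {
        $found = $certs | Where-Object { $_.Subject -like "CN=$cn,*" -or $_.Subject -eq "CN=$cn" }
        $state = if ($found) { 'PRESENT' } else { 'MISSING' }
        Write-Host ("[{0}] {1}: {2}" -f $state, $var, $cn)
    }
}
```

A "MISSING" line for any of the three 2023 CAs means the device has not yet received the update and one of the remediation paths in Q9 applies.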

Q2: What will happen if my device does not receive the new Secure Boot certificates before the legacy certificates expire?

A:

After the Secure Boot certificates expire, devices that have not yet received the new 2023 certificates will still boot and operate normally, and standard Windows updates will continue to install. However, these devices will be unable to receive new security protections during the early boot process, including updates to the Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations against newly discovered boot-level vulnerabilities.

Over time, this limits the device's protection against emerging threats and may impact scenarios relying on Secure Boot trust, such as BitLocker hardening or third-party bootloaders. The majority of Windows devices will automatically receive the updated certificates, and many OEMs will provide firmware updates as needed. Keeping your device up to date helps ensure it continues to receive the full security protections intended by the Secure Boot design.

Q3: What are the implications for devices with Secure Boot disabled?

A:

Devices with Secure Boot disabled will not receive the new Secure Boot certificates in their firmware. Consequently, they remain vulnerable to boot-level malware, such as bootkits, as Secure Boot protection is not being enforced.

Q4: After resetting my firmware to default settings, the device stopped booting—what happened, and how do I fix it?

A:

If Windows is already utilizing the 2023-signed Boot Manager, but the firmware is reset to defaults that do not include the Windows UEFI CA 2023 certificate, Secure Boot will block the boot process because the Boot Manager's signature can no longer be verified against the firmware's db.

Please refer to the following FAQ links:

[Notebook] Troubleshooting - Secure Boot Violation Error at Startup | Official Support | ASUS

[Desktop] Troubleshooting - "Secure Boot Violation" Appears at Startup | Official Support | ASUS

Q5: If the Secure Boot certificates on my device have already expired, can I still receive the updated certificates?

A:

Yes. Even if the existing certificates have expired, cumulative updates containing the new Secure Boot certificates can still be applied. As long as the device can boot into Windows and install updates, the updated certificates can be written to the firmware in accordance with the published deployment guidelines. The majority of devices will receive these updates automatically, though some systems may require an additional firmware update.

Q6: What should I do if a TPM-WMI error message (Event ID: 1801) is found in the Event Viewer?

A:

This error message occurs because the Secure Boot certificates have been updated but have not yet been applied to the device firmware. Please proceed with Windows Update and check the update history to confirm whether the system has been updated to KB5079473 or a newer version.

Windows 11, version 25H2 update history

Q7: What should I do if a TPM-WMI error message (Event ID: 1802) is found in the Event Viewer?

A:

This error message is logged when the boot update is intentionally blocked because the device meets known firmware or hardware conditions that prevent the update from being completed safely. Please report the issue through the ASUS Service Center.

Q8: What should I do if a TPM-WMI error message (Event ID: 1803) is found in the Event Viewer?

A:

This error message occurs because the device cannot find a Key Exchange Key (KEK) signed by the Platform Key (PK). Please report the issue through the ASUS Service Center.

Q9: The legacy signature has expired, and Microsoft is gradually issuing new bootloaders with a new signature. Therefore, when Secure Boot is enabled, the BIOS needs to use CA 2023 for authentication, otherwise, it will be impossible to enter the new version of Windows. What does this mean? How should I handle it?

A:

Since the legacy signature (CA 2011) has expired, Microsoft is progressively issuing a new version of the Boot Loader (Boot Manager) using a new signature. Consequently, when Secure Boot is enabled, the BIOS must have the CA 2023 certificate built-in to perform the verification, otherwise, the system will not be able to boot into the new version of Windows. Older versions of Windows are not affected by this and will continue to boot normally.

The specific impacts are as follows:

· Secure Boot Enabled: If the firmware (KEK / DB) does not have the new 2023 certificates built in and has not received them, new security updates for boot components will fail to apply once the CA 2011 certificates expire (gradually starting from June 2026). Furthermore, certain third-party Option ROMs or GOP drivers signed exclusively with CA 2011 might be blocked, which in the worst case could result in a "black screen" or boot failure.

· Secure Boot Disabled: The UEFI BIOS will not validate signatures, so the expiration of the certificates will not affect the boot process. Standard Windows Updates will generally remain unaffected as well (though the system will lack Secure Boot protection and its updateability).

Please note: The routine OS update mechanism does not rely on the UEFI certificate chain. This transition impacts the update and trust of "pre-boot components" (such as BootMgr, db, dbx, etc.). If the certificates are not replaced with the new ones after CA 2011 expires, the system will no longer be able to obtain security patches for these pre-boot components, essentially reducing the serviceability and security of Secure Boot.

Recommended Actions: Microsoft advises that for the vast majority of devices, the CA 2023 update can be applied automatically via Windows Update. If your system has not updated automatically, please refer to the table below to select the appropriate remediation action based on your specific environment and requirements:

Secure Boot Certificate Update Remediation Actions and Deployment Scenarios:

1) User Requirements: Deploy via BIOS Update
   Recommended Actions: Update BIOS
   Remarks: Please refer to the attachment to confirm the corresponding BIOS version.
   SOP Reference: SOP_of_UEFI_Secure_Keys_Update_Process_via_BIOS_Update

2) User Requirements: Deploy via Windows Update (Without BIOS Update) / Embed ASUS PK in BIOS
   Recommended Actions:
   1. Submit the new KEK (ASUS sign) to Microsoft.
   2. KEK and DB will be automatically updated via Microsoft online services.
   Remarks: Please refer to the attachment to confirm the corresponding BIOS version.

3) User Requirements: Deploy via Windows Update and Retain Current AMI PK Configuration (Without BIOS Update) / Embed AMI PK in BIOS and Retain PK Configuration
   Recommended Actions:
   1. Submit the new KEK (AMI sign) to Microsoft.
   2. KEK and DB will be automatically updated via Microsoft online services.
   Remarks: This deployment path has restrictions; please contact technical support to verify applicability.

4) User Requirements: Deploy via Windows Update and Change to ASUS PK (Without BIOS Update) / Embed AMI PK in BIOS and Plan to Change to ASUS PK
   Recommended Actions:
   1. Execute SecureBootUtility.exe to change the PK to ASUS PK.
   2. Submit the new KEK (ASUS sign) to Microsoft.
   3. KEK and DB will be automatically updated via Microsoft online services.
   Remarks: Please refer to the attachment to confirm the corresponding BIOS version.
   SOP Reference: SOP - SecureBootUtility

5) User Requirements: Deploy Manually (Without Windows Update) / Embed ASUS PK in BIOS
   Recommended Actions: Manually update KEK and DB using the secureboot2023_helper_v1.0.8 tool.
   Remarks: Please refer to the attachment to confirm the corresponding BIOS version.
   SOP Reference: SOP - secureboot2023_helper

6) User Requirements: Deploy Manually and Retain Current AMI PK Configuration / Embed AMI PK in BIOS and Retain PK Configuration
   Recommended Actions: Manually update KEK and DB using the secureboot2023_helper_v1.0.8 tool.
   Remarks: Please refer to the attachment to confirm the corresponding BIOS version.
   SOP Reference: SOP - secureboot2023_helper

7) User Requirements: Deploy Manually and Change to ASUS PK / Embed AMI PK in BIOS and Plan to Change to ASUS PK
   Recommended Actions:
   1. Execute SecureBootUtility.exe to change the PK to ASUS PK.
   2. Update KEK and DB using the secureboot2023_helper_v1.0.8 tool.
   Remarks: Please refer to the attachment to confirm the corresponding BIOS version.
   SOP Reference 1: SOP - SecureBootUtility
   SOP Reference 2: SOP - secureboot2023_helper

For more technical support information, please refer to the following official Microsoft documentation:

Windows Secure Boot certificate expiration and CA updates - Microsoft Support

Appendix: Secure Boot Tools and Standard Operating Procedure (SOP) Download List

Purpose / Item               | Tool & Document Name                    | Download Link / Reference
-----------------------------+-----------------------------------------+------------------------------------------------------
Update KEK / DB              | secureboot2023_helper_v1.0.8 Tool       | secureboot2023_helper_v1.0.8.zip
Update PK                    | SecureBootUtility.exe Tool              | SecureBootUtility.zip
Verify & List KEK / DB       | SecureBootValidate.exe Tool             | SecureBootKeyValidate.zip
Standard Operating Procedure | secureboot2023_helper SOP Guide         | SOP_secureboot2023_helper_20251112.pdf
Standard Operating Procedure | SecureBootUtility SOP Guide             | Secure Boot variable更新_en.pdf
Standard Operating Procedure | Update KEK/DB via BIOS Update SOP Guide | Server_SOP_of_UEFI_Secure_Keys_Update_Process_via_

Appendix: Supported BIOS Versions for Secure Boot CA 2023 Certificate Update

Platform     | Project Name                    | BIOS version | Remark
-------------+---------------------------------+--------------+-------
Z11          | Z11PA-D8-ASUS                   | 7106         |
             | Z11PA-U12-ASUS                  | 7001         |
             | Z11PG-D16-ASUS                  | 7202         |
             | Z11PG-D24-ASUS                  | 7203         |
             | Z11PH-D12-ASUS                  | 7004         |
             | Z11PP-D24-ASUS                  | 7203         |
             | Z11PR-D16-ASUS                  | 6902         |
             | Z11PR-D16-DC-ASUS               | 6901         |
             | Pro-WS-C621-64L-SAGE-ASUS       | 7301         |
             | Pro-WS-C621-64L-SAGE-10G-ASUS   | 7301         |
             | WS-C621E-SAGE-ASUS              | 7201         |
P11          | P11C-C-ASUS-4L                  | 7001         |
             | P11C-E-ASUS-4L                  | 7001         |
             | P11C-I-ASUS                     | 7001         |
             | P11C-I-ASUS-NGFF2280            | 7001         |
             | P11C-M-ASUS-4L                  | 7001         |
             | P11C-M-ASUS-10G-2T              | 7001         |
             | P11C-X-ASUS                     | 7001         |
Z12          | Z12PG-16-ASUS                   | 1203         |
             | Z12PH-D16-ASUS                  | 0901         |
             | Z12PP-D32-ASUS                  | 1503         |
P12          | P12R-E-10G-2T-ASUS              | 1801         |
             | P12R-E-ASUS                     | 1801         |
             | P12R-I-ASUS                     | 1801         |
             | P12R-M-10G-2T-ASUS              | 1801         |
             | P12R-M-ASUS                     | 1801         |
Z13          | Z13PE-D16-ASUS                  | 2502         |
             | Z13PG-D16-V2-ASUS               | 2502         |
             | Z13PG-D32-ASUS                  | 2502         |
             | Z13PH-D16-ASUS                  | 2502         |
             | Z13PH-D16-OCP-ASUS              | 2502         |
             | Z13PH-U8-ASUS                   | 2502         |
             | Z13PN-D32-ASUS                  | 2502         |
             | Z13PN-D32-B200-ASUS             | 0201         |
             | Z13PN-D32-G3-ASUS               | 0101         |
             | Z13PP-D32-ASUS                  | 2502         |
             | Z13PP-U8-2U-ASUS                | 2502         |
             | Z13PP-U8-ASUS                   | 2502         |
             | Z13PP-U16-ASUS                  | 0304         |
P13          | P13R-E-ASUS                     | 2004         |
             | P13R-I-ASUS                     | 2102         |
             | P13R-M-10G-2T-ASUS              | 2201         |
             | P13R-M-ASUS                     | 2201         |
Z14          | Z14PG-D32-ASUS                  | 0603         |
             | Z14PH-D24-ASUS                  | 0405         |
             | Z14PN-D24-ASUS                  | 0102         |
             | Z14PN-D32-N-ASUS                | 0301         |
             | Z14PP-D32-ASUS                  | 0701         |
Rome         | KNPP-D32-R-ASUS                 | 5302         |
             | KNPA-U16-R-ASUS                 | 5302         |
             | KRPA-U16-ASUS                   | 5302         |
             | KRPG-U8-ASUS                    | 5302         |
             | KMPP-D32-R-ASUS                 | 1702         |
             | KMPA-U16-R-ASUS                 | 1702         |
             | KMPG-D32-R-ASUS                 | 1702         |
             | KMPG-U8-R-ASUS                  | 1702         |
Milan        | KRPA-U16-M-ASUS                 | 2202         |
             | KRPG-U8-M-ASUS                  | 2202         |
             | KMPP-D32-ASUS                   | 2202         |
             | KMPA-U16-ASUS                   | 2202         |
             | KMPN-U16-ASUS                   | 2202         |
             | KMPG-D32-ASUS                   | 2202         |
             | KMPG-U8-ASUS                    | 2202         |
K14(Genoa)   | K14PP-D24-ASUS                  | 2304         |
             | K14PA-U12-ASUS                  | 2304         |
             | K14PA-U24-ASUS                  | 2304         |
             | K14PG-D24-ASUS                  | 2304         |
             | K14PG-U12-ASUS                  | 2304         |
             | K14PH-D24-ASUS                  | 2304         |
             | K14PN-D24-ASUS                  | 0604         |
             | K14PN-D24-A-ASUS                | 0702         |
             | K15PG-D24-G-ASUS                | 0203         |
             | K15PP-D24-G-ASUS                | 0303         |
S14(Siena)   | S14NA-U12-ASUS                  | 0902         |
K15(Turin)   | K14PA-U24-T-ASUS                | 1002         |
             | K14PG-U12-T-ASUS                | 0302         |
             | K14PH-D24-T-ASUS                | 0402         |
             | K14PN-D24-A-T-ASUS              | 0502         |
             | K15PG-D24-ASUS                  | 1102         |
             | K15PH-U12-ASUS                  | 0502         |
             | K15PN-D24-ASUS                  | 0202         |
             | K15PP-D24-ASUS                  | 1002         |