Windows Secure Boot certificate expiration and certificate updates
Since Windows began supporting Secure Boot, most Windows devices have used a series of Microsoft certificates in the UEFI Secure Boot database. These earlier certificates will start expiring gradually from 2026. To maintain boot security and trust chain integrity, systems need to be updated to the 2023 version of Microsoft certificates.
If your system currently has Secure Boot enabled, please ensure these certificates are updated before they expire in mid-2026.
What You Need to Do
You only need to complete one of the following update methods and wait for the new Windows Boot Manager:
(Method I) Via Windows Automatic Update
When "Windows Update" is enabled and the system has Secure Boot activated (please refer to how to enable Secure Boot), supported Windows devices will automatically download and apply the new Secure Boot certificates and new Boot Manager at the appropriate time.
The new Secure Boot database update has been rolled out in phases to devices with Secure Boot enabled since 2024 and will automatically complete the device update before the certificate expires in June 2026.
Users with default settings typically do not need additional manual operations.
[Enable Windows Update to obtain new certificates] 
(Method II) Manually Update UEFI BIOS
Notice: After updating the BIOS, you may be prompted to enter the BitLocker recovery key to unlock and access the operating system. For detailed steps, please refer to this article: How to Find the BitLocker Key.
You can also disable Device Encryption and Standard BitLocker Encryption before updating the BIOS, and then re-enable encryption after the BIOS update to protect your data security. For detailed steps, please refer to this article: Introduction to Device Encryption and Standard BitLocker Encryption.
For Motherboard
You can also download and update to the latest version of UEFI BIOS from the ASUS official website to obtain the updated Secure Boot certificates.
This method is more suitable for advanced users familiar with the BIOS update process or systems that cannot normally receive updates through Windows Update.
1. To download and update to the latest version of UEFI BIOS from the ASUS official website, you can refer to: How to Update BIOS
2. Clear Secure Boot Keys
2.1 After updating the BIOS and restarting the system, re-enter BIOS Setup, go to Advanced\Boot > Secure Boot.
If Secure Boot Mode is Standard, change it to Custom.

2.2 Click Key Management.

2.3 Execute "Clear Secure Boot Keys".

Click [Yes].

2.4 Confirm that all UEFI Secure Boot keys (PK, KEK, DB, DBX) have been cleared successfully.

3. Install Default Secure Boot Keys
3.1 After clearing Secure Boot Keys, execute "Install Default Secure Boot Keys." 
Click [Yes].

3.2 Check that the Size/Number of Keys for PK/KEK/DB/DBX is not 0 and the Key Source is [Default]. The UEFI Secure Boot Keys update process is then complete.

Q&A
Question 1: How to Check UEFI Secure Boot Keys Status?
Answer: Please follow these steps:
1. On the BIOS page, go to Advanced\Boot > Secure Boot > Key Management.
2. Select each of the following items in turn, then select "Delete Keys":
➢ KEK Management
➢ DB Management

3. Select "No" in the prompt window. (Note: This operation is only for displaying Key information; selecting "Yes" will delete the Key.)

4. Confirm that KEK Management contains "Microsoft Corporation KEK 2K CA 2023".

5. Confirm that DB Management contains both "Microsoft UEFI CA 2023" and "Windows UEFI CA 2023".

For Notebook
You may also download and update the UEFI BIOS to the latest version from the official ASUS website to obtain the updated Secure Boot certificates.
This method is more suitable for advanced users who are familiar with the UEFI BIOS update process.
1. Download and update the UEFI BIOS to the latest version from the official ASUS website. You can refer to: How to update BIOS in Windows.
2. Reset To Setup Mode
2.1 After updating the BIOS, restart the system and re-enter BIOS Setup. Go to Advanced\Boot > Secure Boot.
2.2 Click Key Management.

2.3 Perform "Reset To Setup Mode".

2.4 Click [Yes].

2.5 Confirm that all UEFI Secure Boot keys (PK, KEK, DB, DBX) have been successfully cleared.

3. Restore Factory Keys
3.1 Perform "Restore Factory Keys".
3.2 Click [Yes].

3.3 Check that the Size/Number of Keys for PK/KEK/DB/DBX is not zero.
The UEFI Secure Boot Keys update process is now complete.
Q&A
Question 1: How do I check the status of UEFI Secure Boot Keys?
Answer: Please follow these steps:
1. On the BIOS page, go to Advanced\Boot > Secure Boot > Key Management.
2. Select each of the following items and then click “Details”:
➢ Key Exchange Keys (KEK)
➢ Authorized Signatures (db)

3. Confirm that Key Exchange Keys (KEK) includes "Microsoft Corporation KEK 2K CA 2023".
4. Confirm that Authorized Signatures (db) includes both "Microsoft UEFI CA 2023" and "Windows UEFI CA 2023".

For AIoT
Users can download and update to the latest version of the UEFI BIOS from the official ASUS website to obtain the updated Secure Boot certificates. This method is more suitable for advanced users familiar with the BIOS update process, or for systems that are unable to receive updates properly through Windows Update.
1. Download and update to the latest version of the UEFI BIOS from the official ASUS AIoT website. For instructions, you can refer to: How to Update BIOS
2. Install Default Secure Boot Keys:
2.1 After updating the BIOS, restart the system. Re-enter the BIOS Setup utility and navigate to Security > Secure Boot.

2.2 If the Secure Boot Mode is set to Custom, please change it to Standard.

2.3 Click OK (to apply "Install factory default in Key Management")

2.4 Click Expert Key Management.

2.5 Verify that the Size/Number of Keys for PK, KEK, DB, and DBX are not zero.

Q&A
Question 1: How can I check the status of the UEFI Secure Boot Keys to confirm that the 2023 Microsoft certificates have been installed?
Answer: Please follow the steps below:
1. If Secure Boot Mode is set to Standard, change it to Custom. 
2. Click OK.

3. Click Expert Key Management.

4. Select Key Exchange Key (KEK) > Details.

5. Verify that KEK Management includes "Microsoft Corporation KEK 2K CA 2023".

6. Select Authorized Signatures (db) > Details.

7. Verify that DB Management contains all of the following: "Windows UEFI CA 2023", "Microsoft UEFI CA 2023", and "Microsoft Option ROM UEFI CA 2023".
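The certificate names checked in the Q&A sections above can also be verified from inside Windows, whichever update method was used. The following PowerShell is an added example, not ASUS or Microsoft code: it parses the KEK and db variables returned by Get-SecureBootUEFI as EFI_SIGNATURE_LIST structures and reports whether each 2023 certificate is present. It assumes an elevated PowerShell session on a UEFI system; the function name Get-SecureBootCert and the $expected table are made up for this example.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI system.
$X509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCert {
    param([Parameter(Mandatory)][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # List header: type GUID (16 bytes), then list size, header size,
        # and per-entry size as little-endian UINT32 values.
        $type     = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }  # malformed list
        if ($type -eq $X509Type -and $sigSize -gt 16) {
            $entry = $pos + 28 + $hdrSize
            while ($entry + $sigSize -le $pos + $listSize) {
                # Each entry: owner GUID (16 bytes) followed by a DER-encoded certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
                $entry += $sigSize
            }
        }
        $pos += $listSize
    }
}

# Names taken from the Q&A sections of this page. The AIoT section also lists
# 'Microsoft Option ROM UEFI CA 2023' for db; add it here when checking those systems.
$expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
$results = foreach ($var in $expected.Keys) {
    $certs = @(Get-SecureBootCert -Name $var)
    foreach ($cn in $expected[$var]) {
        $hit = $certs | Where-Object { $_.Subject -match "CN=$([regex]::Escape($cn))(,|$)" } |
            Select-Object -First 1
        [pscustomobject]@{ Variable = $var; Certificate = $cn; Present = [bool]$hit; NotAfter = $hit.NotAfter }
    }
}
$results | Format-Table -AutoSize
```

A row with Present set to False means that certificate is not yet in the active variable, so the update steps above have not taken effect on that system.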