Question: Microsoft will update the Secure Boot certificates. What do I need to do? (3/16/2026)
Answer: You only need to follow one of the update methods below and wait for the new Windows Boot Manager to take effect:
Method 1: Update through Windows Update
If Windows Update is turned on and Secure Boot is enabled (see "How to enable Secure Boot"), supported Windows devices will automatically download and install the new Secure Boot certificates and the new Boot Manager.
Since 2024, Microsoft has been rolling out the new Secure Boot database update in phases. All devices with Secure Boot enabled will receive the update automatically before the certificate expires in June 2026.
With default settings, users usually do not need to do anything manually. Just keep Windows Update enabled and wait for the update to install automatically.
Method 2: Manually update the UEFI / BIOS
Note: After updating the BIOS, the system may ask for your BitLocker recovery key to unlock Windows.
You may also choose to turn off Device Encryption and Standard BitLocker Encryption before updating the BIOS, then turn them back on afterward to keep your data safe.
If your device cannot get the update through Windows Update, you can download and install the latest UEFI BIOS from the official website to get the updated Secure Boot certificates.
1. Visit the ASRock official website, search for your motherboard model, and download the latest UEFI BIOS from the support page.
2. Clear the Secure Boot keys.
① After updating the BIOS and rebooting, enter BIOS Setup and go to:
Advanced \ Security > Secure Boot
② If Secure Boot Mode is set to Standard, change it to Custom.
③ Select Key Management.
④ Select Clear Secure Boot Keys, then choose [Yes].
⑤ Confirm that all UEFI Secure Boot keys (PK, KEK, DB, DBX) have been cleared.
3. Install the default Secure Boot keys.
① After clearing the keys, select Install Default Secure Boot Keys, then choose [Yes].
② Confirm that the Size/Number of Keys for PK / KEK / DB / DBX is not 0, and the Key Source shows [Factory]. This means the Secure Boot key update is complete.
4. How to check the Secure Boot key status?
① In BIOS, go to: Security > Secure Boot > Key Management
② Select Key Exchange Keys (KEK), then choose "Details":
③ Make sure that KEK Management contains:
- Microsoft Corporation KEK 2K CA 2023
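
The same KEK check can be made from inside Windows, without entering BIOS Setup. The script below is an added example, not part of the original FAQ or ASRock's tooling: it reads the KEK variable with the built-in `Get-SecureBootUEFI` cmdlet, walks the UEFI signature-list structure, and prints each certificate subject. The function name `Get-SecureBootCertSubject` is hypothetical, and the script assumes an elevated PowerShell session on a UEFI system.

```powershell
# Added example (not from the original page). Run in an elevated PowerShell session.
# Get-SecureBootCertSubject is a hypothetical helper name chosen for this example.
function Get-SecureBootCertSubject {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db')][string]$Name)

    $bytes    = (Get-SecureBootUEFI -Name $Name).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset   = 0

    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    # 16-byte type GUID, then three UINT32 fields (list size, header size, entry size).
    while ($offset + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)

        # Stop on a malformed list instead of reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or
            $offset + $listSize -gt $bytes.Length) { break }

        if ($type -eq $x509Guid) {
            $entry = $offset + 28 + $hdrSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # Each entry is a 16-byte owner GUID followed by the DER certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $cert.Subject
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Secure Boot must be enabled for the new certificates to be in use.
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"

$kek = @(Get-SecureBootCertSubject -Name KEK)
$kek
if ([bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')) {
    'KEK contains Microsoft Corporation KEK 2K CA 2023'
} else {
    'KEK does not contain Microsoft Corporation KEK 2K CA 2023'
}
```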