
Secure Boot certificates have been updated but are not yet applied

Wilson T 225 Reputation points
2025-12-09T05:17:43.8733333+00:00

Hello,

[screenshot of the Event Viewer message omitted]

What's this? Do I need to take any action about it or just leave it alone?

Thanks very much 😀

Windows for home | Windows 11 | Performance and system failures

Answer accepted by question author
  1. Alexandr S 104.6K Reputation points Independent Advisor
    2025-12-09T06:03:24.0433333+00:00

    Hello, Wilson T.

    If the OS is stable, you can ignore these messages. Judging by the information from the screenshot, they relate to updates from Lenovo (the manufacturer of your PC).

    P.S. Even on a fully functional PC and a working OS, there are always similar messages in the Event Viewer. This is the normal behavior of the log collector.

    1 person found this answer helpful.

Answer recommended by moderator
  1. John Westfield 90 Reputation points
    2025-12-25T20:58:31.54+00:00

    With the optional update from October 28 (KB5067036), Microsoft introduced a CLI tool for the WinCS API. Install https://support.microsoft.com/en-us/topic/windows-configuration-system-wincs-apis-for-secure-boot-d3e64aa0-6095-4f8a-b8e4-fbfda254a8fe

    Now install this PowerShell module:

    Install-Module UEFIv2 -Force

    You can now list the certificates:

    Get-UEFISecureBootCerts db | select SignatureSubject

    Get-UEFISecureBootCerts kek | select SignatureSubject

    Certificates which are updated are listed here:

    https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

    WinCsFlags is going to update ALL FOUR certificates listed. Also the one stored in KEK.

    Now set the update configuration:

    WinCsFlags.exe /apply --key "F33E0C8E002"

    Now, run the Scheduled Task Secure-Boot-Update.

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Reboot twice and check again for the certificates and the Event-Log.

    If all is updated, you can set back the update configuration:

    WinCsFlags.exe /apply --key "F33E0C8E001"

    5 people found this answer helpful.
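The answer above lists the certificates by hand and then tells you to "check again for the certificates and the Event-Log" after the reboots. The script below is an added example, not code from the answer or from Microsoft, that does that re-check read-only: it looks for the four 2023 CAs in db and KEK using the same `Get-UEFISecureBootCerts` cmdlet from the UEFIv2 module (assumed to be installed, and assumed to return objects with a `SignatureSubject` property as the answer's output shows) and then counts recent 1801 events from the TPM-WMI source that the question is about. The CA names are the public names from Microsoft's CA update guidance linked in the answer; the provider-name match for the event is a wildcard because the exact provider string is an assumption.

```powershell
# Added example (not from the answer above): read-only check of whether the
# 2023 Secure Boot CAs have landed in db/KEK and whether event 1801 is still
# being logged. Run from an elevated PowerShell after the reboots.
# Assumes: UEFIv2 module installed; Get-UEFISecureBootCerts returns objects
# with a SignatureSubject property (as shown in the answer).

# The four 2023 CAs the rollout adds (public names from Microsoft's guidance).
$ExpectedCAs = @{
    db  = @('Windows UEFI CA 2023',
            'Microsoft UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023')
    kek = @('Microsoft Corporation KEK 2K CA 2023')
}

function Test-SecureBootCaRollout {
    # Confirm-SecureBootUEFI is built into Windows; it throws on legacy/CSM boot,
    # where none of this applies (see Dean's answer further down the thread).
    try {
        $sbOn = Confirm-SecureBootUEFI
    } catch {
        Write-Warning 'Secure Boot not supported in this boot mode (legacy BIOS/CSM); nothing to apply.'
        return
    }
    if (-not $sbOn) {
        Write-Warning 'Secure Boot is disabled; the certificate update cannot be applied to firmware.'
        return
    }

    # One row per expected CA: which store it belongs in and whether it is present.
    $rows = foreach ($store in $ExpectedCAs.Keys) {
        $subjects = Get-UEFISecureBootCerts $store | ForEach-Object { $_.SignatureSubject }
        foreach ($ca in $ExpectedCAs[$store]) {
            [pscustomobject]@{
                Store   = $store
                CA      = $ca
                Present = [bool]($subjects | Where-Object { $_ -like "*$ca*" })
            }
        }
    }
    $rows | Format-Table -AutoSize

    # Event ID 1801 is the "updated but not yet applied" notice from the question.
    # Provider-name wildcard is an assumption; the source shows as TPM-WMI in Event Viewer.
    $pending = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } `
                            -MaxEvents 50 -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -like '*TPM-WMI*' }

    $missing = @($rows | Where-Object { -not $_.Present })
    if ($missing.Count -eq 0) {
        Write-Host 'All four 2023 CAs are present in firmware.' -ForegroundColor Green
    } else {
        Write-Host ("Still missing: " + (($missing | ForEach-Object { "$($_.Store): $($_.CA)" }) -join '; ')) -ForegroundColor Yellow
    }
    if ($pending) {
        Write-Host ("Latest 1801 event: " + $pending[0].TimeCreated + " (" + $pending.Count + " in the last 50 System events with that ID)")
    }
    return $rows
}

Test-SecureBootCaRollout
```

If every row shows `Present = True` and no 1801 event has been logged since the last reboot, the rollout described in the answer is complete and the configuration can be set back as the last step says; if db is complete but the KEK row is still missing, the firmware has not accepted the KEK update yet and another scheduled-task run and reboot is the next thing to try.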

7 additional answers

Sort by: Most helpful
  1. Dean Wortmier 15 Reputation points
    2026-02-14T19:35:51.6466667+00:00

    STOP!

    May not be an issue. Check your BIOS for your type of boot. If you are using the LEGACY boot, then you're not using secure boot or these keys anyway, and so updating is NOT necessary. Life goes on, albeit with a once-per-month error in the event log.

    DO NOT CHANGE from Legacy Boot to Secure Boot because this will require a reinstall of Windows, and I'm pretty sure you don't want to do that.

    1 person found this answer helpful.

  2. Daniel Nikolov 0 Reputation points
    2025-12-20T04:06:27.3866667+00:00

    I have the same issue. After updating Windows 11 (OS build 26100.7462), if I launch Delta Force I always get a green screen, and when I check Event Viewer it shows problem source TPM-WM and event ID 1801.

    General description:
    Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.

    DeviceAttributes: BaseBoardManufacturer:ASRock;FirmwareManufacturer:American Megatrends International, LLC.;FirmwareVersion:L2.33

    Please, Microsoft, fix that!

