
Event id 1801 Secure Boot Certificate on Windows 11 in my fleet

Olson Peter - TLC 80 Reputation points
2026-04-08T20:26:43.82+00:00

I am seeing a number of devices in my org that have this event ID 1801 showing up. As I understood this, Microsoft was pushing out "automatic" updates to address this on Windows 11. This obviously is not happening in my org even though we have been getting updates for years every month. My concern is twofold. One, every forum I have read talks about manual steps to install the 2023 cert fix or says MS rolled this out in KB5032610 and all future cumulative updates. Two, what will happen after June 2026 for Windows OS and Servers? If this is 100% benign, I need someone to point to an article MS released saying it is not an issue or will be an issue (though I would still be scared knowing MS). Your help is appreciated, cheers.


2 answers

  1. Harry Phan 17,050 Reputation points Independent Advisor
    2026-04-09T01:09:23.09+00:00

    Hello Olson,

    The reason you are still seeing 1801 events is that the certificate update process is staged. Devices log the event when the system detects the old certificate but has not yet fully applied the new one. Microsoft confirmed that this is expected behavior during the rollout and that the certificate replacement is bundled into cumulative updates, not a separate manual patch. If your fleet is patched monthly, the updates are already present, but the event will continue to appear until the certificate rotation completes across firmware and OS layers.

    The critical point is June 2026. That is when the legacy Secure Boot certificates officially expire. If a device has not received the 2023 certificate update by then, it may fail Secure Boot validation, potentially preventing secure startup. Microsoft has published guidance that IT teams must ensure devices are updated before that date. KB5065790 (September 2025 preview) explicitly reminded administrators of this deadline.

    To directly answer your concern: Event ID 1801 is not harmful in itself, but it is a signal that certificate rotation is in progress. It cannot be ignored long-term. After June 2026, unpatched systems will face boot issues. Microsoft’s official stance is that cumulative updates already contain the fix, and no manual intervention is required unless your environment blocks Secure Boot updates. If you want confirmation, Microsoft’s documentation on Secure Boot certificate expiration and KB5032610 explicitly states that the 2023 certificate is included in all future cumulative updates.

    I hope this information is helpful. Please let me know if you need further information. Feel free to accept the answer or give it a thumbs up if my assistance is helpful. Thank you.


  2. Q&A Assist
    2026-04-08T20:27:00.2633333+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Event ID 1801 in this context is related to the Secure Boot certificate transition from the 2011 certificates to the newer 2023 certificates that must be in place before the older ones begin expiring in June 2026.

    Key points from Microsoft guidance:

    1. What is happening and why
    • Secure Boot uses certificates stored in firmware to verify trusted boot software.
    • The existing Secure Boot certificates issued in 2011 start expiring in June 2026.
    • Microsoft is rolling out new 2023 Secure Boot certificates so devices can continue to receive security protections for the early boot process.
    • This affects Windows devices broadly, including business and school devices, not just home users.
    2. What happens if devices do not get the 2023 certificates
    • Devices without the newer 2023 certificates will continue to start and operate normally.
    • Standard Windows updates will continue to install.
    • However, those devices will no longer be able to receive new security protections for the early boot process, including:
      • Updates to Windows Boot Manager
      • Secure Boot databases and revocation lists
      • Mitigations for newly discovered boot-level vulnerabilities
    • Over time, this reduces protection against emerging threats and can affect scenarios that rely on Secure Boot trust (for example BitLocker hardening or third‑party bootloaders).
    3. Is this benign / what happens after June 2026
    • It is not a functional “break” of Windows after June 2026: devices will still boot and receive normal Windows updates.
    • It is a security exposure over time if the certificates are not updated, because the device will not be able to consume future Secure Boot–related mitigations and boot‑level security updates.
    • Microsoft explicitly calls out that this “limits the device’s protection against emerging threats” if the new certificates are not applied.
    4. How updates are delivered
    • For most devices, the new certificates are delivered automatically via Windows Update and, where needed, OEM firmware updates.
    • For Surface devices, Microsoft states that this has already happened through Surface updates via Windows Update for most users, or will happen through regular Windows security updates.
    • Recent cumulative updates (for example Windows 11 24H2 KB5062553 and KB5063878) include prominent notes about the Secure Boot certificate expiration and direct admins to the central guidance article “Windows Secure Boot certificate expiration and CA updates” for preparation steps.
    5. What to do for an organization seeing Event ID 1801
    • Treat Event ID 1801 as a signal that the Secure Boot certificate update process is not yet fully completed on those devices.
    • Follow the organizational guidance in the Secure Boot certificate expiration article referenced by recent cumulative updates to:
      • Review which devices have received the 2023 certificates.
      • Plan and apply the required OS and firmware updates so that all managed devices get the new certificates before June 2026.
    • For devices where automatic mechanisms do not complete the update, Microsoft provides additional tooling (for example WinCS APIs and related CLI/PowerShell workflows referenced in Q&A) that can be used to inspect and apply the updated certificates, but those details are in the linked Secure Boot guidance.
    6. Summary for risk and planning
    • Event ID 1801 does not mean the OS will stop working after June 2026.
    • It does mean that, if left unaddressed, those devices will miss future Secure Boot / boot‑manager security protections, which is a security risk rather than a functional one.
    • Microsoft’s recommendation is to proactively update certificates in advance of June 2026 using the guidance in the Secure Boot certificate expiration documentation and the cumulative update notes.


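Both answers come down to the same question for a fleet: which devices already hold the 2023 CAs and which are still logging 1801. The script below is an added example, not code from either answer or from Microsoft's guidance; it assumes the built-in SecureBoot PowerShell module on Windows 11 and an elevated session, and the CA subject names it searches for are assumed from Microsoft's published names for the 2023 certificates.

```powershell
# Added example, not from this thread: inventory one device's Secure Boot
# certificate state so a fleet can be sorted into "has the 2023 CAs" and
# "still on the 2011 CAs only". Assumes the built-in SecureBoot module and
# an elevated session. CA names below are assumed from Microsoft's published
# 2023 certificate names; the check is a substring search over the raw
# firmware variable, not a full EFI_SIGNATURE_LIST parse.
function Get-SecureBootCaStatus {
    [CmdletBinding()]
    param()

    $status = [ordered]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = $false
        DbHasWindowsCa2023 = $false   # Windows UEFI CA 2023 (signs Boot Manager)
        DbHasUefiCa2023    = $false   # Microsoft UEFI CA 2023 (third-party / option ROM)
        KekHasKekCa2023    = $false   # Microsoft Corporation KEK 2K CA 2023
        Event1801Count     = 0
        LastEvent1801      = $null
        NeedsAttention     = $true
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS or when the variable is unreadable.
    try { $status.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { }

    if ($status.SecureBootEnabled) {
        # Subject names inside the DER certificates are ASCII, so a plain search works.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $status.DbHasWindowsCa2023 = $db  -like '*Windows UEFI CA 2023*'
        $status.DbHasUefiCa2023    = $db  -like '*Microsoft UEFI CA 2023*'
        $status.KekHasKekCa2023    = $kek -like '*Microsoft Corporation KEK 2K CA 2023*'
    }

    # Event 1801 in the System log is the "rotation not yet complete" signal discussed
    # above. Filter is by ID only; Get-WinEvent returns newest first or nothing.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -ErrorAction SilentlyContinue)
    $status.Event1801Count = $events.Count
    if ($events.Count -gt 0) { $status.LastEvent1801 = $events[0].TimeCreated }

    # Treat a device as done only when the Boot Manager CA is in db and the new KEK is present.
    $status.NeedsAttention = -not ($status.SecureBootEnabled -and
                                   $status.DbHasWindowsCa2023 -and
                                   $status.KekHasKekCa2023)
    [pscustomobject]$status
}

# Run locally, or fan out over the fleet and keep the result for the June 2026 review:
# Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Get-SecureBootCaStatus} |
#     Export-Csv .\secureboot-2023-status.csv -NoTypeInformation
Get-SecureBootCaStatus
```

Devices reporting NeedsAttention with a non-zero Event1801Count are the ones whose cumulative updates have not finished the rotation and that need the firmware/OS follow-up from the guidance article before the 2011 CAs expire.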
