2.1 Not Affected (New Certificate Supported by Default)

All business PCs shipped in 2024 or later, as well as all future new models, have the new Secure Boot certificate pre-integrated. No manual update is required.

Laptops (NB): The following models, as well as all series launched after 2024.

Desktops: The following models, as well as all series launched after 2024.

All-in-One (AIO): The following models, as well as all series launched after 2024.

2.2 Models That Require an Update

If your model is not listed above, it means the device is currently using the older certificate and will need to be updated.

How Do I Get the Update?

For affected models, ASUS has completed submission of the new certificate. The update will be automatically delivered by Microsoft via Windows Update.

Recommended action: Go to Settings > Windows Update and make sure automatic updates are enabled.

Automatic installation: The system will automatically download and install the latest security certificate—no manual tools or downloads are required.

This section explains Microsoft third-party Secure Boot certificates. If your device needs to run non-Windows environments (e.g., Linux) or third-party hardware (e.g., external GPUs), please review the following.

3.1 Microsoft 3rd Party Certificate Overview

3.2 If Microsoft 3rd Party Certificates Are Required, Please Refer to the Following Instructions

Note: If your commercial computer has Windows BitLocker enabled, kindly suspend it in advance by following the instructions below before performing any Secure Boot operations.

Devices shipped in 2026 already include these certificates. You may enter BIOS Setup (press F2 during startup) to verify or configure third-party certificate options.

Furthermore, you may refer to Section 8.3 to verify whether the 3rd party certificates are present. If they are not included, please update the BIOS to the latest version and follow Section 5. SOP 1: Update Secure Boot Certificates.

If the required 3rd party certificates still do not appear, please proceed to Section 6. SOP 2: Add Secure Boot Certificates.

In the event that resetting the Secure Boot keys results in the following screen appearing when booting into Windows, kindly follow Section 7. SOP 3: Restore Secure Boot Certificates.

References

1. https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
2. https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

Pre-Operation Notes:

1. It is strongly recommended to back up all data on your computer in advance to prevent any potential data loss during the manual update process.
2. If BitLocker is enabled, please ensure it is suspended prior to proceeding with the following steps. Once the process is complete, BitLocker may be re-enabled.
3. Failure to suspend BitLocker may result in a lockout scenario. In cases where BitLocker cannot automatically unlock the encrypted Windows drive, a recovery key will be required. This key is a 48-digit numeric code that allows you to regain access to your hard drive. Should you be unfamiliar with the procedures outlined below, please contact us for assistance.

If you need to retrieve your BitLocker recovery key, please refer to the article: How to Retrieve Your BitLocker Recovery Key.

Procedure Steps

1. Power on or restart the system, then press F2 to enter the BIOS setup.   
   Press F7 to switch to Advanced Mode, then navigate to Security > Secure Boot (or directly Security > Secure Boot).   
   
2. Select Key Management.   
   
3. Select Authorized Signatures (db).   
   
4. Choose Update.   
   
5. Select Yes.   
     
   Note: Selecting “Yes” will restore the corresponding certificates to their factory default settings. Any certificates previously added by the system or user will be removed.
6. Select Details to verify that the Authorized Signatures (db) certificates have been successfully updated.   
   
7. Press F10 to Save & Exit.
8. If BitLocker was previously suspended, please ensure it is re-enabled.

1. Download Windows UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2239776, and save it to the root directory of a USB drive (e.g., “D:\windows uefi ca 2023.crt”).
2. Power on or restart the system, then press F2 to enter the BIOS setup.   
   Press F7 to switch to Advanced Mode, then navigate to Security > Secure Boot (or directly Security > Secure Boot).   
   
3. Select Key Management.   
   
4. Select Authorized Signatures (db).   
   
5. Choose Append.   
   
6. Select No.   
   
7. Select the USB drive.
8. Locate and select the file stored in the root directory: “windows uefi ca 2023.crt”.
9. Select Public Key Certificate, then press Enter on the GUID confirmation screen.   
   
10. Select Yes.   
    
11. Verify that Windows UEFI CA 2023 is now listed under Authorized Signatures (db).   
    
12. Press F10 to Save & Exit.
13. If BitLocker is enabled, ensure that you have your BitLocker recovery key readily available.

How to Verify UEFI Secure Boot Key Status? The following procedures do not affect the status of Windows BitLocker.

8.1 Preliminary Steps

Enter PowerShell in the Windows search bar.

From the search results, right-click Windows PowerShell and select Run as Administrator.

8.2 Verifying Microsoft Windows Secure Boot Certificates

1. Confirm that the Key Exchange Key (KEK) includes “Microsoft Corporation KEK 2K CA 2023”.  
   Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'  
   A result of True indicates that the "Microsoft Corporation KEK 2K CA 2023" certificate is present.  
   
2. Confirm that the Signature Databases (DB) includes "Windows UEFI CA 2023".  
   Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'  
   A result of True indicates that the "Windows UEFI CA 2023" certificate is present.  
   

8.3 Verifying Microsoft 3rd Party Secure Boot Certificates

1. Confirm that the Signature Databases (DB) includes "Microsoft UEFI CA 2023".  
   Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'  
   A result of True indicates that the "Microsoft UEFI CA 2023" certificate is present.  
   
2. Confirm that the Signature Databases (DB) includes "Microsoft Option ROM UEFI CA 2023".  
   Execute: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Microsoft Option ROM UEFI CA 2023'  
   A result of True indicates that the "Microsoft Option ROM UEFI CA 2023" certificate is present.