A question about secure boot certificate update 2023

pantera_8156b02d9

Yesterday I received in the Security app the status of the Secure Boot 2023 update (Security app - Device security - Secure Boot) and it's a green tick with a message:
"Secure Boot is on, but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update. Visit the link below for more information."
(Your device might need additional validation before the update can proceed automatically.)
I did a few checks in PowerShell a month ago and all db, dbDefault, KEK keys showed as "True". Also checked in the registry: 'Windows UEFI CA 2023 capable' shows a value of 2, which means the new certificates should be applied and booting with them, according to the info I read. I also have event 1801 "Certificates are available on this device, but not yet applied..." I read that restoring keys to factory default in the BIOS can solve all that, but I'm afraid I might mess something up, since I don't have any experience with the BIOS and my system is working perfectly fine. My PC is from late 2024, so as far as I know devices from 2024 onwards should be covered. So I'm confused, since there isn't much time till June: should I do something or just wait for Microsoft to get more validation of my device and update it?
 
Updating the BIOS should help resolve the problem. It will automatically reset the TPM keys, allowing Windows to update the certificates
 
I read that many people with a BIOS that is up to date have the same thing as me, so for now I wouldn't do that, as the system works perfectly fine with the current one and I don't want to risk it. I think I'll most likely reset the keys manually rather than updating the BIOS.
 
It says it can be done via Windows Update, too.
Did you reset the TPM as Alan told? Like open TPM.msc, clear the TPM and re-enable it. I'm not sure if it affects Windows activation though.
I already got very detailed information from the source - Microsoft support. All I have to do is just wait and keep Windows up to date. Here's the explanation for anyone confused and having the same status as me:

"The low-level checks (PowerShell verification of DB/DBDefault/KEK and WindowsUEFICA2023Capable = 2) confirm that the 2023 certificates are already present and actively used at boot, but the Security app is still showing "Older boot trust" because Microsoft's cloud-side validation of your specific device model, firmware version and update stage has not yet been finalized. When the classification data is incomplete, the app intentionally reports a conservative warning rather than "up to date" even though the actual Secure Boot trust chain is correct.
This is why you also see "Event ID 1801" 'Certificates available, but not yet applied'; it reflects a transitional reporting state, not the real enforcement state in firmware.
Once Microsoft completes backend validation and updates the device's classification, the Security app status will automatically align with what your checks are already showing, without any action required from you. The message you are seeing is about status synchronization and reporting, not about missing protection. As long as your checks continue to confirm DB/KEK and WindowsUEFICA2023Capable = 2 you are already in a good and safe state - the UI will catch up automatically.
Since the 2023 Secure Boot keys are already present and being used, a BIOS update is not required to resolve the message you are seeing in Windows Security.
BIOS updates are generally only needed if the OEM explicitly states they are required to add missing Secure Boot certificates or fix a firmware bug.
The reason the Windows Security app shows "Old boot trust" is a known and expected mismatch, not an actual regression in your Secure Boot configuration.
The Windows Security app message and the Event ID 1801 "Certificates available, but not yet applied" reflect Microsoft's phased validation and telemetry-based classification process, not a missing certificate or misconfiguration."
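The checks described in the opening post and in the Microsoft support explanation above can be collected in one read-only PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the `WindowsUEFICA2023Capable` value lives under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing`, that event 1801 is written to the System log by the `Microsoft-Windows-TPM-WMI` provider, and that `Get-SecureBootUEFI` accepts `dbDefault` as a variable name.

```powershell
# Added example (not from the thread): read-only Secure Boot 2023 CA status check.
# Run in an elevated PowerShell; nothing here writes to firmware or the registry.
#Requires -RunAsAdministrator

function Test-SecureBootVar {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        # CA subject names are ASCII inside the signature lists, so a substring
        # match is enough to tell whether a 2023 CA is present in the variable.
        return [bool]([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
    } catch {
        # $null means "could not read the variable" (e.g. name not accepted on this
        # build), which is different from a definite False. dbDefault is the one
        # assumed here; db and KEK are documented names.
        return $null
    }
}

$result = [ordered]@{
    SecureBootOn                = (Confirm-SecureBootUEFI)
    Db_WindowsUefiCa2023        = Test-SecureBootVar db        'Windows UEFI CA 2023'
    DbDefault_WindowsUefiCa2023 = Test-SecureBootVar dbDefault 'Windows UEFI CA 2023'
    Kek_MicrosoftKek2023        = Test-SecureBootVar KEK       'Microsoft Corporation KEK 2K CA 2023'
}

# Servicing state flag (assumed path): 2 = 2023 CA in DB and the boot manager
# signed by it is in use, which is the value the thread reports.
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$result.WindowsUEFICA2023Capable = (Get-ItemProperty -Path $svc -Name WindowsUEFICA2023Capable `
    -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable

# Most recent 1801 events (assumed provider): "certificates available, not yet applied".
$result.RecentEvent1801 = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801
} -MaxEvents 3 -ErrorAction SilentlyContinue | ForEach-Object { "$($_.TimeCreated)" }

[pscustomobject]$result | Format-List

# Reading the output the way the support reply does: all db/KEK checks True and
# Capable = 2 means the 2023 trust chain is in place, so a lingering 1801 or a
# yellow app status is a reporting lag, not missing protection. A definite False
# for db or KEK is the case worth raising with the OEM before touching firmware.
```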
 