I would like to ask about Secure Boot certificate updates on consumer devices that no longer receive firmware updates.
I am using an ASUS ROG Strix G17 (G712LW) with the latest available BIOS (version 314). Secure Boot is enabled, set to Standard mode, and factory keys are present (PK/KEK/DB all from factory).
However, my system does not contain the "Windows UEFI CA 2023" certificate. Running checks via PowerShell confirms that the updated certificate is not present.
I have also attempted to trigger certificate deployment using the AvailableUpdates registry key (0x5944), but no changes were applied after reboot.
Based on the Secure Boot playbook, it seems that certificate updates depend on firmware support. In this case, the OEM has not released any newer BIOS versions.
My question is:
Is there any supported method for standalone (non-Intune, non-domain) consumer systems to receive updated Secure Boot certificates if firmware does not provide them?
Or are such systems effectively unable to migrate to the new Windows UEFI CA 2023 trust chain?
Thank you.
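The checks the post describes (whether the 2023 CA is in the firmware db, what the AvailableUpdates value is, and whether the servicing run left any trace), as one added PowerShell script. This is an added example, not code from the original post or from Microsoft's playbook. It parses the UEFI db variable as EFI_SIGNATURE_LIST structures rather than string-matching the raw bytes, so the trust anchors are listed with their expiry dates. Assumptions, to be verified against the playbook the post cites: the registry key path and value names (AvailableUpdates, and UEFICA2023Status under a Servicing subkey), the Microsoft-Windows-TPM-WMI event IDs 1801 and 1808, and the \Microsoft\Windows\PI\ scheduled-task folder. Run it from an elevated PowerShell session.

```powershell
# Added diagnostic script (not from the original post). Assumptions, to verify against
# Microsoft's Secure Boot servicing guidance: the registry key path and value names
# (AvailableUpdates, UEFICA2023Status), the TPM-WMI event IDs 1801/1808, and the
# \Microsoft\Windows\PI\ scheduled-task folder. Run from an elevated PowerShell.

$ErrorActionPreference = 'Stop'

# Signature-type GUID for X.509 entries in db/dbx (UEFI specification value).
$EFI_CERT_X509_GUID = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    # Parse a Secure Boot variable (db by default) as a sequence of EFI_SIGNATURE_LIST
    # structures and return the X.509 certificates it carries. Layout of each list:
    #   SignatureType (GUID, 16 bytes) | SignatureListSize (UINT32) | SignatureHeaderSize (UINT32)
    #   | SignatureSize (UINT32) | SignatureHeader | EFI_SIGNATURE_DATA[] (owner GUID + DER data)
    param([string]$VariableName = 'db')

    $bytes  = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed signature list at offset $offset" }

        $sigOffset = [int]($offset + 28 + $hdrSize)
        $listEnd   = [int]($offset + $listSize)
        while ($sigOffset + $sigSize -le $listEnd) {
            if ($type -eq $EFI_CERT_X509_GUID) {
                $der  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [PSCustomObject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Owner      = [Guid]::new([byte[]]$bytes[$sigOffset..($sigOffset + 15)])
                }
            }
            $sigOffset += [int]$sigSize
        }
        $offset = $listEnd
    }
}

# 1. Is Secure Boot on, and which CAs does the firmware db actually trust?
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
$dbCerts = Get-SecureBootDbCertificates -VariableName 'db'
$dbCerts | Format-Table Subject, NotAfter, Thumbprint -AutoSize

$has2023 = [bool]($dbCerts | Where-Object Subject -like '*Windows UEFI CA 2023*')
$has2011 = [bool]($dbCerts | Where-Object Subject -like '*Windows Production PCA 2011*')
"db contains 'Windows UEFI CA 2023':                  $has2023"
"db contains 'Microsoft Windows Production PCA 2011': $has2011"

# 2. What has Windows' Secure Boot servicing been asked to do, and what does it report?
$sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$avail = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -ne $avail) { 'AvailableUpdates = 0x{0:X}' -f $avail } else { 'AvailableUpdates is not set' }
# UEFICA2023Status is assumed to live under ...\SecureBoot\Servicing (verify against the playbook).
$status = (Get-ItemProperty -Path "$sbKey\Servicing" -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
"UEFICA2023Status = $(if ($status) { $status } else { '<absent>' })"

# 3. Did the servicing task exist and run, and did the firmware accept or reject the write?
#    Event IDs are assumed from Microsoft's guidance: 1801 = update needed/pending,
#    1808 = db updated successfully. Read any other TPM-WMI event in this window as well.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 1801, 1808 -or $_.Message -match 'Secure Boot' } |
    Select-Object TimeCreated, Id, Message | Format-List
```

The useful distinction this gives is between "servicing never attempted the write" (AvailableUpdates set, no TPM-WMI events, status absent or NotStarted) and "servicing attempted the write and the firmware refused it" (events present, 2023 CA still missing from the parsed db). Only the second case points at the firmware itself; the first points at Windows-side configuration, which is worth ruling out before concluding the device cannot be migrated.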