Error 1801 Telling me to update my Secure Boot CA/Keys?


Secrios

This came up ever since I installed the latest Windows Update today.

[Attached image: TPM Help.webp]

Should I be concerned? Should I do anything?
Anyone else getting this?
 
Windows Build/Version
Windows 11 25h2 26200.6899

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus
This is an informational warning. You have the latest BIOS firmware (v1901) for the X570-Creator WiFi. At some point next year, Windows will force a revocation of the CA 2011 certs. But it's not required at this time.
 

My Computer

System One

  • OS
    Windows 7
I don’t understand why people visit the Event Viewer. The only time I have ever seen it was to work out how to instruct a member on how to use it. It causes mayhem, panic, there’s always blood and someone dies in the end.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built 2013
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard thingy
    Monitor(s) Displays
    5 x LG 25MS500-B - 1 x 24MK430H-B - 1 x Wacom Pro 22" Touch Screen Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list.
    OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech: G402 / G502 / Mx Masters / Mx Air Cordless
    Internet Speed
    2000/500Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    TP-Link BE9300 WiFi 7 Bluetooth 5.4 (Archer TBE550E)
    TP-Link TX201 V1 2.5GB Lan

    Grandstream HT812 - VoIP
    ASUS DSL-AX82U - Mesh
    ASUS RT-AC68U - Mesh
    ASUS RT-BE88U Router

    Brother MFC-L2880DW Printer

    I’m on a horse.
  • Operating System
    Windows 11 Pro 25H2 Build 26200.8524
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7 14IRL8 - 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Intel Iris Xe Graphics Processor
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Antivirus
    Defender / Malwarebytes
    Other Info
    …still on a horse.
> This is an informational warning. You have the latest BIOS firmware (v1901) for the X570-Creator WiFi. At some point next year, Windows will force a revocation of the CA 2011 certs. But it's not required at this time.
The crime is they mark stuff like this as an error, not a warning or an informational message!
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
> The crime is they mark stuff like this as an error, not a warning or an informational message!
If Windows logs Event 1801/TPM-WMI as a Warning now, and then it's changed to Error – someone who's filtering on event logs is going to miss the switch.
 

My Computer

System One

  • OS
    Windows 7
> This is an informational warning. You have the latest BIOS firmware (v1901) for the X570-Creator WiFi. At some point next year, Windows will force a revocation of the CA 2011 certs. But it's not required at this time.
How were you able to deduce this is only informational?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus
If you have not been following along, MS has been trying to inform users of the upcoming Secure Boot migration which is underway. The messaging will be more common and visible in the upcoming months.

As a two-part problem, the existing CA 2011 Secure Boot signing certs have been abused to sign UEFI rootkit malware and will eventually expire anyway in 2026. MS needs to simultaneously ban the use of CA 2011-signed boot code, and get your UEFI to trust CA 2023 signing certs for the next generation of Windows boot files.

At this stage of the process, they're encouraging users to download the latest UEFI firmware whenever possible. Your motherboard has the latest (per ASUS's website). This should add the CA 2023 signing certs to be in parallel with CA 2011.

The next step is to revoke the CA 2011 certs. Currently in the migration plan, it's optional and early adopters can do this. If you don't do anything, MS will take more active steps next year to finish the update process.

There are three ElevenForum threads going on (in parallel) about the Secure Boot migration process. If you feel that you need to take action now to prevent your PC from being exposed to BlackLotus UEFI malware, then you can revoke the CA 2011 certs today. But that also requires you to update the boot files on any Windows install ISO or boot USB media you're using.

 

My Computer

System One

  • OS
    Windows 7
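
Added example (not posted by anyone in this thread): a read-only PowerShell check of where a machine stands in the migration described above. It also selects the TPM-WMI events by provider and event ID rather than by severity level, so a change from Warning to Error does not hide them. Assumptions: the provider name `Microsoft-Windows-TPM-WMI`, and the full certificate names `Windows UEFI CA 2023` and `Microsoft Windows Production PCA 2011`, which the thread abbreviates as CA 2023 and CA 2011.

```powershell
# Added example, read-only: reports Secure Boot state, which signing CAs the
# firmware trusts or has revoked, and recent TPM-WMI events.
# Run in an elevated PowerShell session on a UEFI machine.

function Test-UefiVarContains {
    param(
        [Parameter(Mandatory)][string]$Name,     # UEFI variable: 'db' or 'dbx'
        [Parameter(Mandatory)][string]$Subject   # certificate name to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        # Certificate subject names are stored as readable text inside the
        # signature database, so a text search over the raw bytes finds them.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        return $text -match [regex]::Escape($Subject)
    } catch {
        return $null   # not UEFI, not elevated, or the variable is empty
    }
}

# $true / $false when readable, $null when the platform cannot answer.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

[pscustomobject]@{
    SecureBootEnabled = $secureBoot
    DbTrustsCA2023    = Test-UefiVarContains -Name db  -Subject 'Windows UEFI CA 2023'
    DbTrustsCA2011    = Test-UefiVarContains -Name db  -Subject 'Microsoft Windows Production PCA 2011'
    DbxRevokesCA2011  = Test-UefiVarContains -Name dbx -Subject 'Microsoft Windows Production PCA 2011'
} | Format-List

# Select by provider and event ID only. No 'Level' key is used, so the events
# are returned whether they are logged as Information, Warning or Error.
# Assumption: provider name 'Microsoft-Windows-TPM-WMI' (source "TPM-WMI").
$filter = @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TPM-WMI'
    Id           = 1796, 1801   # the two event IDs mentioned in this thread
}
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap
```

A machine that has only received the firmware update would be expected to show CA 2023 and CA 2011 both trusted in `db` and no CA 2011 entry in `dbx`; after the optional revocation step, `DbxRevokesCA2011` becomes `True`.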
No problem with secure boot and revocation of old certificates "CA 2011".

[Attached image: Screenshot 2025-10-15 045251.webp]

[Attached image: Screenshot 2025-10-15 045334.webp]

[Attached image: Screenshot 2025-10-15 045723.webp]
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    CPU
    Intel Core i5 12th generation
    Motherboard
    GIGABYTE
    Memory
    16GB
    PSU
    750W
@garlin
I now have a new BIOS update. What does the text in the red box mean? Is it related to updating the secure boot keys?

[Attached image: Screenshot 2025-10-15 050509.webp]
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    CPU
    Intel Core i5 12th generation
    Motherboard
    GIGABYTE
    Memory
    16GB
    PSU
    750W
> I don’t understand why people visit the Event Viewer
I agree with you.

EventViewer was not designed to assist the user [judging by its interface] and its provenance has never been explained.
There is no documentation to tell us whether an error event is temporary [to act as an internal trigger for a repeat operation for which successful completion is not recorded] or not.

It can be very useful when investigating [real] fault symptoms but I never regard an entry in Event vwr to be sufficient reason to initiate a fault investigation.
I have quite a few Custom views set up ready for the things I look in Event vwr most frequently [but several of them have never proved to be useful].
[Attached image: EventVwr Custom views.webp]


Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 25H2 Build 26200.8037
> @garlin
> I now have a new BIOS update. What does the text in the red box mean? Is it related to updating the secure boot keys?
No. Those are UEFI features unrelated to Secure Boot.

Pre-boot DMA prevents other UEFI-level devices (that have a smart onboard controller) from snooping UEFI's memory. VT-d and IOMMU are HW features that speed up virtualization when Windows enables Core Integrity.
 

My Computer

System One

  • OS
    Windows 7
It's a small world, isn't it. Just after reading this thread, I stumbled across a similar one.
I see lots of 1796 EventIDs.
Mine are all annotated with the fact that Secure boot is currently disabled on my computer.

What evidence have you got that there is anything to be fixed?
I have studied this thread and there is nothing to indicate that any response is required at all.

Event viewer was not designed for our benefit and there is no documentation to explain its various entries.
I firmly believe that Event viewer can be a useful tool in investigating faults that have [operational] symptoms but the existence or otherwise of an entry in Event viewer is not sufficient reason to launch a fault investigation let alone take any action.


All the best,
Denis
 

My Computer

System One

  • OS
    Windows 11 Home x64 Version 25H2 Build 26200.8037
> No. Those are UEFI features unrelated to Secure Boot.
>
> Pre-boot DMA prevents other UEFI-level devices (that have a smart onboard controller) from snooping UEFI's memory. VT-d and IOMMU are HW features that speed up virtualization when Windows enables Core Integrity.
Ok, thank you, BIOS has been successfully updated.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    CPU
    Intel Core i5 12th generation
    Motherboard
    GIGABYTE
    Memory
    16GB
    PSU
    750W
> There are three ElevenForum threads going on (in parallel) about the Secure Boot migration process. If you feel that you need to take action now to prevent your PC from being exposed to BlackLotus UEFI malware, then you can revoke the CA 2011 certs today. But that also requires you to update the boot files on any Windows install ISO or boot USB media you're using.
And some nice guy conveniently provided a simple batch file to update the boot files on USB boot disks. :giggle: (y)
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
Will Microsoft see to it these certificates will be resolved painlessly with their own updates?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus
The general answer is yes. Especially since you have an up-to-date BIOS. Other users with older PCs that haven't received BIOS updates to address the Secure Boot issue will have problems that need to be solved manually.
 

My Computer

System One

  • OS
    Windows 7
Hi everyone.

Need some help. The error message below is from the VM on Hyper-V. Please help me with this.
I got the same TPM-WMI error, but my log message is this:

Secure Boot CA/keys need to be updated. This device signature information is included here.
DeviceAttributes:
Bucketid:
BucketConfidenceLevel:
UpdateType: 0
HResult: The system cannot find the file specified.
 

My Computer

System One

  • OS
    Windows
    Computer type
    Laptop
    Manufacturer/Model
    HP
Same error here this morning.

However, I have the latest version of the motherboard BIOS. There is no newer version on the Asus website.

At the end of the message in the details, it says “the operation was successful,” which contradicts the event classified as an error.

Does that mean everything is fine and that a future Windows update will fix this?

[Attached image: 1761896239065.webp]
[Attached image: 1761896484488.webp]
 

My Computer

System One

  • OS
    Windows 11
> Same error here this morning.
Make sure Diagnostics Reporting is enabled, and that your Windows system is starting up in Secure Boot mode. Microsoft will push out updated keys in the next few weeks or months using a phased and scheduled roll-out.

You don't need the updates now, and won't need them until Microsoft concludes revoking trust in the 2011 keys and commences allowing only 2023-signed boot managers to start Windows in Secure Boot, probably not before mid-year next year, but it may happen for some earlier, since this IS a gradual and phased roll-out.

OR... read through the below thread to get ideas how to manually update them ahead of time.

If you don't use Secure Boot now and never intend to then just ignore the whole thing.

 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.