Most people will likely never need to worry about Secure Boot certificates. They reside deep within your PC’s firmware, quietly doing their job since 2011 without requiring much attention. However, that silent operation is coming to an end. The original certificates are set to expire in June 2026. While Microsoft automates updates for many systems, a significant number of PCs may miss the notifications entirely. Here’s how you can check if your device is up to date—and what steps to take if it’s not.
Step 1: Verify if Your PC Has the Updated Certificates
Before doing anything else, find out whether your system already has the current certificates installed. The fastest way is through PowerShell.
Open the Start menu, type PowerShell, right-click on it, and select Run as administrator. When the window opens, copy and paste the following command exactly as shown, then press Enter:
powershell
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
You’ll receive a response—either True or False. A True indicates your PC already has the latest 2023 certificates, and no further action is needed. A False signals your system is still running on the outdated certificates that are due to expire, and you’ll need to proceed with the next steps.
Step 2: Run Windows Update and Check for Firmware Updates
If your system shows False, the first move is to update Windows and look for any firmware updates provided by your PC manufacturer. Open Settings, navigate to Windows Update, and check for updates. The latest certificates are often delivered through routine updates, so it’s worth ensuring your system is fully current.
If updates don’t resolve the issue, especially on older hardware, the next step might require support from your device’s manufacturer. Visit their support website—such as Dell, HP, Lenovo, ASUS, or others—and search for firmware or BIOS updates specific to your model.
Step 3: If Firmware Updates Aren’t Available, Try the Manual Registry Method
In cases where an official firmware update isn’t available but your PC runs a supported version of Windows 11, Microsoft provides a workaround that bypasses the need for BIOS updates.
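Open Command Prompt as an administrator and run these commands:
cmd
rem Set the AvailableUpdates value under the Secureboot key.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
rem Start-ScheduledTask is a PowerShell cmdlet, so it is called through powershell.exe from Command Prompt.
powershell -Command "Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'"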
You will need to restart your computer a couple of times. After rebooting, run the initial PowerShell check again to confirm the new certificates are in place.
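The Step 1 one-liner throws an error instead of answering True or False when the PC boots in legacy BIOS mode or PowerShell is not elevated. The script below is an added example, not code from the original article or from Microsoft: it wraps the same check so those cases are reported explicitly, and it also shows the AvailableUpdates registry value set in Step 3. The function names Find-CertName and Get-SecureBootCertStatus are hypothetical.

```powershell
# Added example (not from the original article). Run from PowerShell as administrator.
# Assumption: the certificate name appears as ASCII-compatible text inside db,
# which is the same assumption the article's one-liner relies on.

function Find-CertName {
    # Pure helper: does the ASCII rendering of a UEFI variable contain this name?
    param([byte[]]$Bytes, [string]$Name)
    $text = [System.Text.Encoding]::ASCII.GetString($Bytes)
    return $text.Contains($Name)
}

function Get-SecureBootCertStatus {
    $result = [ordered]@{
        SecureBootEnabled = $null   # $null means "could not be determined"
        Has2023Cert       = $null
        AvailableUpdates  = $null
        Note              = ''
    }
    try {
        # Returns $true/$false on UEFI systems; throws on legacy BIOS or without elevation.
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $result.Has2023Cert = Find-CertName -Bytes $db.Bytes -Name 'Windows UEFI CA 2023'
    }
    catch [System.PlatformNotSupportedException] {
        $result.Note = 'Firmware is not UEFI (legacy BIOS/CSM); there is no Secure Boot db to check.'
    }
    catch [System.UnauthorizedAccessException] {
        $result.Note = 'Access denied: start PowerShell with Run as administrator and retry.'
    }
    catch {
        $result.Note = "Could not read Secure Boot variables: $($_.Exception.Message)"
    }

    # Step 3 writes this value; report it unchanged so the state of the manual method is visible.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $prop = Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($prop) { $result.AvailableUpdates = '0x{0:X}' -f $prop.AvailableUpdates }

    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

A Has2023Cert value of True only shows that the string 'Windows UEFI CA 2023' is present in the db variable, exactly as in Step 1; an empty value together with a Note means the check could not run, not that the certificate is missing.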
Important Note for Windows 10 Users: Microsoft has indicated that unsupported versions of Windows 10 will not receive the new Secure Boot certificates. If you’re running Windows 10 without an Extended Security Update (ESU) subscription, the above methods won’t work. The only way to stay current is to enroll in ESU before October 14, 2026, which will give you access to the update and some extra time before the certificates expire. Upgrading to Windows 11 might also be an option if your device supports it.
Taking these steps will help ensure your PC remains compatible and secure as the expiration date for these certificates approaches.



