For most PC users, Secure Boot certificates are a behind-the-scenes feature, quietly ensuring that only trusted software loads during the boot process. These certificates have been an integral part of PC firmware since their introduction in 2011, managing the security of devices without drawing much attention. However, all of this will change as the original certificates are set to expire in June 2026. With Microsoft pushing updates to many systems automatically, a significant number of users may remain unaware of their PC’s status. In this article, we will guide you through checking your Secure Boot certificate status and updating it as necessary.
Step 1: Check whether your PC already has the updated certificates
The first step is to determine if your PC already has the updated certificates installed. The quickest method to do this is through PowerShell. Here’s how:
Open the Start menu, type PowerShell, and select Run as administrator. Once opened, enter the following command exactly as shown and press Enter:
Shimul Sood / Digital Trends
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
The output will return either True or False. If it returns True, your PC is equipped with the updated 2023 certificates, and you are good to proceed without worry. If it returns False, your machine is still running with the old certificates, which necessitates further action.
Step 2: Run Windows update and check for OEM firmware updates
If you received a False response, the next step is to check for updates through Windows Update. For most users running Windows 11, the new certificates are delivered through regular updates, so there might already be a pending update available.
If running updates doesn’t resolve the issue, especially on older systems, you might need to visit the support site of your PC’s manufacturer—be it Dell, HP, Lenovo, ASUS, or another brand—to check for firmware updates specific to your model. While not all manufacturers will support older models, it is worthwhile to verify options available to you.
Step 3: If firmware isn’t an option, try the manual registry method
If your OEM doesn’t provide a firmware update but your PC can run a supported version of Windows 11, a documented workaround exists that allows you to bypass BIOS adjustments entirely. Here’s how:
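Open Command Prompt as an administrator and input the following commands, one per line:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Note that Start-ScheduledTask is a PowerShell cmdlet, so the second line has to be entered in an elevated PowerShell window; reg add runs in either shell.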
After executing this command, you should restart your PC a couple of times. Once your device is back up, run the PowerShell check from Step 1 again to verify that the new certificates have successfully been applied.
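An added example, not part of the original article: a PowerShell function that extends the Step 1 check to the KEK variable and the expiring 2011 certificates, and also reports the AvailableUpdates value from Step 3. The function name Get-SecureBootCertReport and the three certificate names other than 'Windows UEFI CA 2023' are assumptions that do not appear in the article.

```powershell
# Added example (not from the article). Run in an elevated PowerShell window.
# Get-SecureBootCertReport is a hypothetical helper name.
function Get-SecureBootCertReport {
    # 'Windows UEFI CA 2023' is the name checked in Step 1. The other three names
    # are assumptions added here: the 2011 db certificate and the KEK pair.
    $wanted = [ordered]@{
        db  = 'Windows UEFI CA 2023', 'Microsoft Windows Production PCA 2011'
        KEK = 'Microsoft Corporation KEK 2K CA 2023', 'Microsoft Corporation KEK CA 2011'
    }
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        # Legacy BIOS/CSM boot or a non-elevated shell lands here.
        Write-Warning "Cannot query Secure Boot: $($_.Exception.Message)"
        return
    }
    $certs = foreach ($var in $wanted.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var -ErrorAction Stop).Bytes
        } catch {
            Write-Warning "Cannot read UEFI variable ${var}: $($_.Exception.Message)"
            continue
        }
        # Same technique as Step 1: the certificate subject is stored as plain
        # text inside the variable, so a literal substring search finds it.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $wanted[$var]) {
            [pscustomobject]@{ Variable = $var; Certificate = $name; Present = $text.Contains($name) }
        }
    }
    # Value written by the reg add command in Step 3 (absent if never set).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $flag = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    [pscustomobject]@{
        SecureBootEnabled = $enabled
        AvailableUpdates  = if ($null -eq $flag) { 'not set' } else { '0x{0:X}' -f $flag }
        Certificates      = $certs
    }
}

$report = Get-SecureBootCertReport
if ($report) {
    $report | Format-List SecureBootEnabled, AvailableUpdates
    $report.Certificates | Format-Table -AutoSize
}
```

Present only means the name occurs in the variable's bytes; it does not validate the certificate itself.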
A note for Windows 10 users: If you are using Windows 10 and do not have an Extended Security Update (ESU) subscription, please note that unsupported versions of Windows won’t receive the updated certificates. If upgrading to Windows 11 is not an option for you, enrolling in the ESU before the October 14, 2026, deadline is your best route to receive the certificate updates. It’s worth considering if you need more time before making the jump to the latest operating system.
Image Credit: www.digitaltrends.com






