Is your Secure Boot Certificate set to expire in 2026? Here’s how you can manually install the 2023 Secure Boot Certificate in simple steps.
Recently, I showed you how to check whether your Secure Boot Certificate is about to expire in 2026. If your certificate is about to expire, that means it was issued in 2011, and you need to update it to the one issued in 2023. Generally, Windows handles it via Windows Updates. However, if you want to be absolutely sure and don’t want to leave anything to chance, you can manually install the latest Secure Boot Certificate released in 2023. That way, you can update the existing Secure Boot Certificate. In this quick and easy guide, I will show you how do it in simple steps. Let’s get started.
Before You Start
- Administrator rights are required to update the Secure Boot Certificate.
- You are required to reboot your computer two or more times to finish installing the Secure Boot Certificate.
- Make sure secure boot is enabled.
- Create a full system backup before making changes. That way, if something goes wrong, you can quickly restore it to a known-good state.
- Before proceeding, double-check your Secure Boot Certificate expiration.
Install 2023 Secure Boot Certificate – Update Secure Boot Certificate
- Right-click on the Start button.
- Select the “Terminal (Admin)” option.
- Run the following command.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f - Next, run the following command trigger a scheduled task.
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" - Close the Terminal window.
- After that, restart your computer.
- After restarting, log in to your system and restart your computer again.
- That is it. With that, you’ve installed the latest Secure Boot Certificate.
Detailed Steps (With Screenshots)
First, we need to open the Terminal with admin rights. To do that, either right-click the Start button on the taskbar or press the “Windows key + X” shortcut. Next, select the “Terminal (Admin)” option.
In the Terminal window, the first thing you should do is add a DWORD value. To do that, run the following command.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
After executing the above command, run the following second command. It will trigger a scheduled task to update the certificate.
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Once the command is executed, close the Terminal window. Next, reboot your computer. After your computer starts, log in, then restart the PC a second time.
After you restart your computer twice, you are done installing the latest Secure Boot Certificate. You can verify it by running the following command in the admin terminal window.
The output should say “True“. If it says “False”, the new certificate wasn’t installed. You might have to try again.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
That is all. It is that simple to install the latest Secure Boot Certificate in Windows 11. If you have any questions or need help, comment below. I’ll be happy to assist.
