New Secure Boot Certificates for Older Computers

If you're prior to 2025, update before June 2026 expiry

https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856

For folks with Windows computers from before 2025 and non-Copilot, Secure Boot certificates will be expiring in June 2026, including W11 and W10.

  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
  • Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.

Please read the external link (even though it's a year old, it's valid) as your system requires the updated certificate. You may have been updated already, but it behooves one to check. How to do so is mentioned in the article.

Reply #2 Top
Quoting pelaird, reply 3993118

And here's a good way to check if your Secure boot certificates are up to date in the Windows Security app.

 

Check for Secure Boot Cert Updates

End of pelaird's quote

Excellent find, pelaird.

Reply #3 Top
Your PC will still boot after the cert expires, fwiw. Secure Boot doesn't stop your computer from working. What happens is Microsoft re-signs stuff with the new cert going forward, so new Windows updates, recovery tools, and new blocks against malware won't verify on a box that never picked up the new cert. You just stop getting them.
Reply #4 Top
Quoting tbrandt, reply 3993199

Your PC will still boot after the cert expires, fwiw. Secure Boot doesn't stop your computer from working. What happens is Microsoft re-signs stuff with the new cert going forward, so new Windows updates, recovery tools, and new blocks against malware won't verify on a box that never picked up the new cert. You just stop getting them.

End of tbrandt's quote

Thanks for your reply, tbrandt. I hope that's true.

Reply #5 Top

Straight from the horse's mouth:

The impact of Secure Boot certificate expiration

"Microsoft is updating the Secure Boot certificates originally issued in 2011 to ensure Windows devices continue to verify trusted boot software. These older certificates begin expiring in June 2026. Devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities.

"Over time, this limits the device’s protection against emerging threats and may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening or third-party bootloaders. Most Windows devices will receive the updated certificates automatically, and many OEMs provide firmware updates when needed. Keeping your device current with these updates helps ensures it can continue receiving the full set of security protections that Secure Boot is designed to provide."

reference Microsoft Article

Reply #6 Top

I have no idea how to resolve this issue. It's very confusing. When I check on it, it says my computer has the old Boot certificate but how do I update it?

Reply #7 Top
Quoting Chasbo, reply 3993670

I have no idea how to resolve this issue. It's very confusing. When I check on it, it says my computer has the old Boot certificate but how do I update it?

End of Chasbo's quote

Windows 10 or 11? Full version from winver.exe?

Windows Update should automatically install the new certificate.

To check if it has been installed using PowerShell:

1) Open PowerShell as an administrator.

2) Enter this command exactly. (I recommend copy and paste.)

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

If the 2023 certificate is active it will return: True

If the 2023 certificate is not active, it will return: False


You can also check the Registry at:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

Look for UEFICA2023Status in the right hand column, and it should say Updated in the Data Value.
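
The two checks from the post above, combined into one script that also reports whether Secure Boot is switched on at all. This is an added example, not part of the original thread and not Microsoft's code; the function name is hypothetical, and the 2011 certificate name it searches for does not appear in the thread.

```powershell
# Added example. Run in an elevated PowerShell session on the machine being checked.
function Get-SecureBootCertReport {
    $report = [ordered]@{
        SecureBootEnabled = $null
        Has2023CertInDb   = $null
        Has2011CertInDb   = $null
        UEFICA2023Status  = $null
    }

    # Confirm-SecureBootUEFI returns True/False on UEFI systems and raises an
    # error on legacy-BIOS machines or when the session is not elevated.
    try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop }
    catch { $report.SecureBootEnabled = "unavailable: $($_.Exception.Message)" }

    # Same test as the one-liner in the post: read the raw 'db' variable and
    # search it for the certificate name.
    try {
        $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $report.Has2023CertInDb = $text -match 'Windows UEFI CA 2023'
        # Assumption (name not from the thread): the 2011-era certificate in db.
        $report.Has2011CertInDb = $text -match 'Microsoft Windows Production PCA 2011'
    }
    catch {
        $report.Has2023CertInDb = "db not readable: $($_.Exception.Message)"
    }

    # Registry value named in the post; it may be absent on some systems.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $prop = Get-ItemProperty -Path $key -Name UEFICA2023Status -ErrorAction SilentlyContinue
    $report.UEFICA2023Status = if ($prop) { $prop.UEFICA2023Status } else { 'value not present' }

    [pscustomobject]$report
}

Get-SecureBootCertReport | Format-List
```

A machine in the state described later in the thread (Secure Boot reported as off) shows up here as SecureBootEnabled : False, independent of what the db search returns.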


Reply #8 Top

Thanks a lot pelaird. The PowerShell method is what I did. The information came back: True.

Reply #9 Top
Quoting Chasbo, reply 3993686

Thanks a lot pelaird. The PowerShell method is what I did. The information came back: True.

End of Chasbo's quote

Awesome! You're good to go. :thumbsup: 

Reply #10 Top

I'm certain that if I did that the result would be "What on earth is Windows 7?"

Reply #11 Top

Cheers pelaird.

Tried Both Methods and All Is Good For Me. (I Knew I Had To Check This Sooner Or Later.)

Reply #12 Top

Doc is not happy.

Reply #13 Top

Ouch! Have you run the most recent Windows Update?

Reply #14 Top
Quoting pelaird, reply 3993716

Ouch! Have you run the most recent Windows Update?

End of pelaird's quote

Yes, I have. After some research and msinfo32, I'm planning to get into the BIOS and change Secure Boot to 'on'. Although there's an updated BIOS out there, I'm a tad chicken to flash mine, as I don't plan on adding new devices, etc.

Reply #15 Top

Doc, I have updated my BIOS many times without incident, just make sure to create an Image Backup before you update. It's possible the new certificates are already present in the update. Check with your OEM for the BIOS to see if they are included.

Also, it just may require Secure Boot to be turned on for the certificates to be updated by Windows Update, but if you haven't had Secure Boot turned on, you probably don't need the new certificates anyway.

Reply #16 Top

Turned out just great! Turned Secure Boot on in BIOS and it says it's on, but in regedit says it's off. 

Reply #17 Top

Check the System Info.

Reply #18 Top

Says it's off.

But BIOS says it's on:

This isn't in the User mode and I'm out of my depth here. Wish the MS wonks would drop a word here. I doubt it'll update on its own. My motherboard is Gigapixel BIOS version F20a which is outdated. Maybe updating would give me a new key. Who knows? Sure as heck, not me.

Reply #19 Top

I think you mean Gigabyte F20 BIOS. Check the Gigabyte web site for a guide, or submit a support ticket for help.

Have you tried clicking the Help button?

Reply #20 Top

No, I haven't as of yet. A part of me just wants this to go away. And it's F20a...at least that's what my machine said...but it's shady. Not to be trusted.

Reply #22 Top

Thanks, pelaird. I'm on W11, though. I will look at it, though.

Reply #23 Top
Quoting DrJBHL, reply 3993803

Thanks, pelaird. I'm on W11, though. I will look at it, though.

End of DrJBHL's quote

Sorry to hear that.  :( 

Reply #24 Top

It doesn't matter that you are running Windows 11, the instructions will still work even though it mentions Windows 10. The BIOS doesn't really care what Operating System is installed. Everything it does takes place prior to handing over to the OS.

Reply #25 Top

Let's hope.