Windows Secure Boot Update Before Expiry

Windows Secure Boot certificates are reaching their End of Life starting June 2026.
If you have not updated your UEFI CA certificates, your PC's boot-level security is about to expire.

This repository provides a simple guide and a ready-to-use .reg file to manually trigger the update — no advanced IT skills required.

🔴 Deadlines

Phase	Date	What Expires
Initial	June 2026	Microsoft Corporation KEK CA 2011 & UEFI CA 2011
Final enforcement	October 2026	Windows Production PCA 2011 (bootloader signing cert)

📖 Official Microsoft source: Act now: Secure Boot certificates expire in June 2026

✅ Step 1 — Check If You Are Already Updated

Open PowerShell as Administrator and run:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

True = You are already updated. Nothing more to do! ✅
False = Continue to Step 2 below.

🛠️ Step 2 — Apply the Update (Two Options)

Option A — Use the `.reg` File (Easiest)

Download Boot-Certificate-Available-Updates.reg from this repository
Double-click the file
Click Yes when prompted by Windows
Continue to Step 3

Option B — PowerShell Command (Manual)

Open PowerShell as Administrator and run:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

▶️ Step 3 — Activate the Update

Open PowerShell as Administrator and run:

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

🔁 Step 4 — Restart Windows Twice

This is the most important step. You must restart your PC two times for the update to fully apply.

✅ Step 5 — Verify the Update

After restarting twice, open PowerShell as Administrator and run the check again:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

True = Successfully updated! ✅
False = Repeat from Step 2 or check Microsoft's official guidance.

📝 Note on Registry Key Names

Microsoft's official documentation references this value as MicrosoftUpdateManagedOptIn in enterprise scenarios.
The key used here, AvailableUpdates, applies the same registry path and hex value (0x5944) and produces the same result for home and manual update scenarios.

📁 Files in This Repository

File	Description
`Boot-Certificate-Available-Updates.reg`	Ready-to-use registry file to trigger the Secure Boot certificate update
`Windows-Secure-Boot-is-EXPIRING-Do-This-Before-June-2026.txt`	Plain-text guide with all steps

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Windows Secure Boot Update Before Expiry

🔴 Deadlines

✅ Step 1 — Check If You Are Already Updated

🛠️ Step 2 — Apply the Update (Two Options)

Option A — Use the `.reg` File (Easiest)

Option B — PowerShell Command (Manual)

▶️ Step 3 — Activate the Update

🔁 Step 4 — Restart Windows Twice

✅ Step 5 — Verify the Update

📝 Note on Registry Key Names

📁 Files in This Repository

🔗 References

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
Boot-Certificate-Available-Updates.reg		Boot-Certificate-Available-Updates.reg
README.md		README.md
Windows-Secure-Boot-is-EXPIRING-Do-This-Before-June-2026.txt		Windows-Secure-Boot-is-EXPIRING-Do-This-Before-June-2026.txt

Folders and files

Latest commit

History

Repository files navigation

Windows Secure Boot Update Before Expiry

🔴 Deadlines

✅ Step 1 — Check If You Are Already Updated

🛠️ Step 2 — Apply the Update (Two Options)

Option A — Use the .reg File (Easiest)

Option B — PowerShell Command (Manual)

▶️ Step 3 — Activate the Update

🔁 Step 4 — Restart Windows Twice

✅ Step 5 — Verify the Update

📝 Note on Registry Key Names

📁 Files in This Repository

🔗 References

About

Resources

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Option A — Use the `.reg` File (Easiest)

Packages