Hot Take Your Windows Secure Boot Certificates are Expiring Soon: Here’s How to Update to the Latest

lokamoka820

Mar 1, 2024
Open PowerShell as administrator again and run the following command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

This command will edit the Registry to deploy the 2023 certificates. The 0x5944 bitmask in the command actually runs six different instructions to make your PC ready to install Windows UEFI CA 2023.

Now, to activate the instructions the above command made, you need to run the following command in PowerShell:

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

This command will run essential jobs for Windows to install the certificates on the next boot, like checking compatibility or moving new certificates from the WinSxS folder to the staging area. You might notice your PC freezing a bit as the command runs.

The most important step is to restart Windows twice. You must restart the PC, not shut down and start again. If you have Fast Startup enabled, a simple shutdown won’t clear the memory, which is required for these changes to take effect.

Those commands are not “random hacks” in the sense that Microsoft itself documents this exact mechanism (the Secure-Boot-Update scheduled task + the SecureBoot\AvailableUpdates bitmask) for deploying the Windows UEFI CA 2023 certificate and related Secure Boot updates. ([support.microsoft.com](https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d?utm_source=openai))

What’s correct in that quote
  • Setting HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 0x5944 is a documented “deploy all needed certificates + update to the Windows UEFI CA 2023-signed boot manager” trigger. ([support.microsoft.com](https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d?utm_source=openai))
  • Running Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" is also documented by Microsoft to force the processing immediately (otherwise it normally runs on a schedule). ([support.microsoft.com](https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d?utm_source=openai))
  • “Restart (not shutdown)” advice is generally sound on Windows when Fast Startup is enabled, because Restart performs a full reboot path. (Microsoft’s guidance focuses on reboot timing/state changes rather than “always reboot twice,” but rebooting is indeed part of completion.) ([support.microsoft.com](https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d?utm_source=openai))

What’s missing / where the blog oversimplifies
  • Microsoft’s own step-by-step indicates you may need to watch the AvailableUpdates value transition (for example to 0x4100) and run the task again after reboot, rather than a universal “restart twice no matter what.” ([support.microsoft.com](https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d?utm_source=openai))
  • This is boot-chain related work. While the registry change itself is just a trigger, Secure Boot key/db updates and boot manager changes can cause boot issues on some edge cases (firmware quirks, unusual configurations). Microsoft’s documentation includes status/error tracking via additional registry values and event logs for troubleshooting. ([support.microsoft.com](https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d?utm_source=openai))

Safer approach (especially for home users)
If your PC is not managed by an organization, the safest default is: keep Windows fully updated and let Microsoft deliver the Secure Boot certificate/boot manager updates through normal servicing unless you have a specific reason to force-trigger it (enterprise testing, controlled rollout, etc.). Microsoft is actively messaging the June 2026 Secure Boot certificate-expiration timeline and provides a “playbook” for deployment methods. ([techcommunity.microsoft.com](https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856?utm_source=openai))

If someone chooses to do it anyway (risk-reduction checklist)
  • Make sure you have a recovery option ready (Windows recovery drive / install media) and have BitLocker recovery keys backed up if BitLocker is enabled.
  • Follow Microsoft’s official procedure and validation steps (including checking Secure Boot DB contents / boot manager signing) rather than relying only on a third-party blog.
  • On managed systems, do not do this manually—follow IT guidance (these updates can be centrally controlled). ([support.microsoft.com](https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d?utm_source=openai))
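As an added example (not code from the quoted blog, nor one of Microsoft's own scripts), here is a read-only status check covering the validation points raised above: the current AvailableUpdates bitmask, whether the 2023 CA is already in the Secure Boot db, which CA issued the boot manager's signing certificate, and the last result of the Secure-Boot-Update task. It assumes an elevated PowerShell with the built-in SecureBoot module and that drive letter S: is free for temporarily mounting the EFI system partition.

```powershell
# Added example, not code from the quoted blog or from Microsoft: a read-only
# status check for the Windows UEFI CA 2023 rollout. Run from an elevated
# PowerShell. Assumes the built-in SecureBoot module and that drive letter S:
# is free for temporarily mounting the EFI system partition.

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

# 1. Secure Boot must be on for any of this to matter.
"Secure Boot enabled : $(Confirm-SecureBootUEFI)"

# 2. AvailableUpdates bitmask: 0x5944 requests the full deployment, and the
#    post notes it can transition to 0x4100 after the first reboot. Listing the
#    set bits makes the "six instructions" in 0x5944 visible.
$avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -eq $avail) { $avail = 0 }
$setBits = 0..15 | Where-Object { $avail -band (1 -shl $_) } |
           ForEach-Object { '0x{0:X4}' -f (1 -shl $_) }
'AvailableUpdates    : 0x{0:X4} (set bits: {1})' -f $avail, ($setBits -join ', ')

# 3. Is the 2023 CA already in the Secure Boot signature database (db)?
#    Certificate subjects are stored as ASCII inside the DER blobs, so a
#    plain string match on the raw UEFI variable is enough.
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
'db has 2023 CA      : {0}' -f ($dbText -match 'Windows UEFI CA 2023')

# 4. Which CA issued the signing certificate of the boot manager on the ESP?
if (Test-Path 'S:\') {
    'bootmgfw.efi signer : skipped, drive S: already in use'
} else {
    mountvol S: /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
        'bootmgfw.efi signer : {0}' -f $sig.SignerCertificate.Issuer
    } finally {
        mountvol S: /D | Out-Null
    }
}

# 5. Last result of the scheduled task the blog tells you to start
#    (0 means the last run completed without error).
$info = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
if ($info) {
    'Task last run       : {0} result 0x{1:X}' -f $info.LastRunTime, $info.LastTaskResult
}
```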
