Microsoft is busy renewing Secure Boot certificates in Windows. Here is how to check if your PC has been updated automatically or not.
The device used for this manual is set in Dutch. The text has been automatically translated. The exact name of settings may differ on your device.
Since November last year, Microsoft has been warning that Secure Boot certificates in Windows are set to expire. This will happen starting in June. Most users will hardly notice anything, as Microsoft has been automatically renewing the certificates for some time now.
If this doesn’t happen—for example, because you still need to install additional updates—you risk losing the security feature. But how do you know if Secure Boot is being renewed in time? You can easily check this using the Windows Security app.
What does Secure Boot do?
Secure Boot jumps into action every time you start your Windows PC. The feature checks signatures to block untrusted software. To find out if it is activated on your device, you can search for Secure Boot State in System Information.
The current Secure Boot certificate expires in June. According to Microsoft, it is a ‘normal procedure’ to update certificates from time to time to meet modern security standards. For most Windows devices, the certificate will be renewed automatically and on time through an update. Without a valid certificate, Secure Boot will not function properly.
How do you check if Secure Boot has been updated?
If you’d rather be safe than sorry, check before June to see if your PC has been updated. We’ll show you how below.
-
Step 1: Windows Security
Through the Windows Security system app, you can check important security information about your device. The app also alerts you to potential risks and how to resolve them. Starting this month, Microsoft will add a new indicator for Secure Boot to the Device security menu.
-
Step 2: Green, yellow, or red
Like a traffic light, the indicator takes on three colors. Here is what each color means:
- Green: You don’t need to do anything. Secure Boot is fully up to date on your device.
- Yellow: The certificate cannot be renewed automatically. You may first need to install firmware updates from your PC manufacturer.
- Red: The certificate has expired and your device cannot receive updates.
Windows 10 users are more likely to see a red indicator starting in June. Microsoft is making no exceptions and is only renewing Secure Boot on supported Windows versions. In this case, you have two options: register for the ESU program or accept the risk.
-
Step 3: Manually renewing Secure Boot
Don’t want to wait for an update? You can also manually update the Secure Boot certificate via the Command Prompt. Type the command reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f followed by Start-ScheduledTask -TaskName “\Microsoft\Windows\PI\Secure-Boot-Update”.
To complete the installation, you must fully reboot Windows twice.