How to Update Secure Boot Certificates Before the June 2026 Microsoft Deadline

Author: BracalTechnologies (writer and creator)

What you’ll need

  • Windows 10 (build 19041+) or Windows 11 (any build)
  • UEFI firmware with Secure Boot enabled
  • Administrator account access
  • Basic understanding of PowerShell and Windows Update
  • 500 MB free disk space for certificate updates
  • Active internet connection for Windows Update

Overview

Microsoft is deprecating its older Secure Boot certificates in June 2026, which means every Windows user needs to update the certificates that authorize their boot chain. This guide walks you through checking your current certificate status and installing the updated certificates so that the system stays protected and keeps booting after the deadline.

Step 1 — Verify Secure Boot status and current certificate version

Before updating, confirm that Secure Boot is enabled and check your certificate version. Administrator rights are required.

# True means Secure Boot is enabled; throws on a legacy BIOS (non-UEFI) system
Confirm-SecureBootUEFI
# Shows the Secure Boot policy currently in force
Get-SecureBootPolicy | Select-Object -Property Version, Publisher

If the first command returns True, Secure Boot is active. The second command shows your current certificate version; versions below 2024.1 need updating.

Step 2 — Check for available certificate updates via Windows Update

Microsoft distributes Secure Boot certificate updates through Windows Update as KB5012170 (Windows 11) or KB5012653 (Windows 10).

$Session  = New-Object -ComObject Microsoft.Update.Session
$Searcher = $Session.CreateUpdateSearcher()
# Windows Update search criteria cannot match a KB number directly, so search
# both installed and pending updates and filter on each update's KBArticleIDs
$Updates = $Searcher.Search("IsInstalled=0 or IsInstalled=1").Updates
$Updates |
    Where-Object { @($_.KBArticleIDs) -contains '5012170' -or @($_.KBArticleIDs) -contains '5012653' } |
    Select-Object Title, IsInstalled

If IsInstalled shows False, the update is available but not yet installed. If the query returns nothing, your system may already be current.

Step 3 — Install the Secure Boot certificate update

Run Windows Update manually to install the certificate package. An administrator PowerShell session is required.

# Install the PSWindowsUpdate module from the PowerShell Gallery
Install-Module PSWindowsUpdate -Force -SkipPublisherCheck
Import-Module PSWindowsUpdate
# Download and install the package, accepting the EULA and rebooting when done
Get-WindowsUpdate -KBArticleID KB5012170 -Install -AcceptAll -AutoReboot

For Windows 10, replace KB5012170 with KB5012653. The system downloads approximately 250 MB and then requires a restart; the restart triggers the UEFI firmware update process.

Step 4 — Apply certificates during the firmware update phase

After the restart, the system displays a blue screen labeled “Updating firmware” for 3-10 minutes. Do not power off: the UEFI firmware applies the new Secure Boot certificates during this phase. Once it completes, Windows boots normally.

Step 5 — Verify the updated certificate installation

After booting, confirm that the new certificates are active. An administrator PowerShell session is required.

# Policy in force after the firmware update
Get-SecureBootPolicy | Select-Object Version, Publisher, TimeStamp
# Size in bytes of the Secure Boot signature database (db) variable
Get-SecureBootUEFI -Name db | Select-Object -ExpandProperty Bytes | Measure-Object

The Version should now show 2024.1 or later, and the TimeStamp should reflect a recent date. The signature database (db) should contain more than 8000 bytes.
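A byte count tells you that db grew, but not which certificates it now holds. The following script is an added example, not code from the original guide: it parses the raw db and dbx variables into their EFI_SIGNATURE_LIST entries (the structure UEFI uses for these variables, identified by the well-known EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID signature types) and lists every X.509 CA with its subject and expiry date, plus the number of hash-based revocation entries. It assumes an elevated PowerShell session on a UEFI system; the function name `Get-SecureBootSignatureLists` is my own.

```powershell
# Added example: enumerate the certificates and hashes in a Secure Boot variable.
# Not part of the original guide. Requires an elevated PowerShell session on UEFI.
# Well-known signature-type GUIDs from the UEFI specification.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootSignatureLists {
    param([Parameter(Mandatory)][string]$Name)   # 'db', 'dbx', 'KEK' or 'PK'

    [byte[]]$data = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $data.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes) followed by
        # SignatureListSize, SignatureHeaderSize and SignatureSize (UINT32 each)
        $sigType    = [guid]::new([byte[]]$data[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($data, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($data, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($data, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $data.Length -or $sigSize -lt 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset in $Name"
        }
        # Signature entries start after the fixed header and the optional SignatureHeader
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) + SignatureData
            $owner   = [guid]::new([byte[]]$data[$pos..($pos + 15)])
            $payload = [byte[]]$data[($pos + 16)..($pos + $sigSize - 1)]
            $entry   = [ordered]@{ Variable = $Name; Owner = $owner; Kind = 'Other' }
            if ($sigType -eq $EfiCertX509) {
                # SignatureData is a DER-encoded X.509 certificate
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($payload)
                $entry.Kind       = 'X509'
                $entry.Subject    = $cert.Subject
                $entry.Thumbprint = $cert.Thumbprint
                $entry.NotAfter   = $cert.NotAfter
            } elseif ($sigType -eq $EfiCertSha256) {
                # SignatureData is a raw SHA-256 digest of a revoked (dbx) or allowed (db) image
                $entry.Kind = 'SHA256'
                $entry.Hash = ($payload | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

# Usage: list the CAs trusted by db, then count hash revocations in dbx
Get-SecureBootSignatureLists -Name db |
    Where-Object Kind -eq 'X509' |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
$revoked = @(Get-SecureBootSignatureLists -Name dbx | Where-Object Kind -eq 'SHA256')
"dbx contains $($revoked.Count) SHA-256 revocation entries"
```

Run it once before Step 3 and once after Step 5 and compare the two listings: the update should add CA entries to db rather than remove any, and the NotAfter column shows directly which of the existing CAs are approaching expiry. On a typical system you can expect the long-standing Microsoft Windows Production PCA 2011 and Microsoft Corporation UEFI CA 2011 entries in db, with the newer Microsoft 2023-generation CAs appearing once the update has been applied; the exact set depends on your firmware and OEM.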

Step 6 — Enable Secure Boot DBX updates for ongoing protection

Configure Windows to apply Secure Boot revocation list (DBX) updates automatically from now on.

# Opt in to automatic DBX (revocation list) updates; creates the value if absent
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot" /v "EnableDBXUpdates" /t REG_DWORD /d 1 /f

This registry setting ensures that future certificate revocations are applied automatically through Windows Update, maintaining protection against boot loaders that are known to be compromised.

Testing it works

Verify full compliance with Microsoft’s 2026 certificate requirements using the Secure Boot policy check below.

$Policy = Get-SecureBootPolicy
$Policy.Version -ge [version]"2024.1" -and $Policy.Publisher -eq "Microsoft Corporation"

Expected output:

True

Additionally, check the System event log for a successful certificate application:

# Most recent System-log event with ID 4103 that mentions Secure Boot
Get-WinEvent -LogName System | Where-Object { $_.Id -eq 4103 -and $_.Message -like "*Secure Boot*" } | Select-Object -First 1

You should see an event confirming “Secure Boot database updated successfully” within the last hour.

Common issues

  • Error: “Confirm-SecureBootUEFI : Cmdlet not supported on this platform”
    Your system uses legacy BIOS instead of UEFI. Secure Boot certificates only apply to UEFI systems. Check your motherboard manual for converting from legacy BIOS to UEFI mode, or verify that your firmware is in UEFI mode via msinfo32 (look for “BIOS Mode: UEFI”).

  • Update installs, but the certificate version remains unchanged after restart
    Windows Update installed the package, but your UEFI firmware rejected it due to incompatibility. Update your motherboard firmware to the latest version from the manufacturer’s website, then retry the certificate update. Some systems manufactured before 2015 may not support the new certificate format.

  • System fails to boot after the certificate update with a “Secure Boot Violation” error
    A peripheral device or boot loader is signed with a revoked certificate. Boot into your UEFI firmware settings (usually F2 or Del during startup), temporarily disable Secure Boot, boot Windows, then update all storage controller and graphics card firmware before re-enabling Secure Boot.
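The first two issues above are cheaper to catch before Step 3 than after a failed firmware pass. The following preflight script is an added example and not part of the original guide: it wraps the Step 1 checks in error handling so the “Cmdlet not supported on this platform” case is reported instead of thrown, reads the firmware mode from the `firmware_type` environment variable that Windows sets at boot, and pulls the firmware vendor, version and release date from `Win32_BIOS` so you can tell whether a vendor firmware update should come first. The function name `Test-SecureBootPrerequisites`, the 2015 cut-off taken from the issue list, and the shape of the returned object are my own choices; it assumes an elevated PowerShell session.

```powershell
# Added example: preflight check before installing the Secure Boot certificate update.
# Not part of the original guide. Run from an elevated PowerShell session.
function Test-SecureBootPrerequisites {
    $result = [ordered]@{
        FirmwareType      = $env:firmware_type   # 'UEFI' or 'Legacy', set by Windows at boot
        SecureBootEnabled = $null
        PolicyPublisher   = $null
        PolicyVersion     = $null
        FirmwareVendor    = $null
        FirmwareVersion   = $null
        FirmwareDate      = $null
        Ready             = $false
        Problems          = @()
    }

    try {
        # True = enabled, False = disabled in firmware; throws on non-UEFI firmware
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        if ($_.Exception.Message -like '*not supported on this platform*') {
            # Legacy BIOS (or a VM without UEFI): the certificate update does not apply
            $result.Problems += 'Firmware is not in UEFI mode; switch to UEFI mode before updating certificates.'
        } else {
            $result.Problems += "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
        }
    }

    if ($result.SecureBootEnabled -eq $false) {
        $result.Problems += 'Secure Boot is disabled in firmware; enable it, then rerun this check.'
    }

    if ($result.SecureBootEnabled) {
        # Same information as Step 1, captured for the report
        $policy = Get-SecureBootPolicy
        $result.PolicyPublisher = $policy.Publisher
        $result.PolicyVersion   = $policy.Version
    }

    # Firmware identity and build date, to judge whether the vendor's firmware
    # update should be applied before retrying (second item under "Common issues")
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $result.FirmwareVendor  = $bios.Manufacturer
    $result.FirmwareVersion = $bios.SMBIOSBIOSVersion
    $result.FirmwareDate    = $bios.ReleaseDate
    if ($bios.ReleaseDate -and $bios.ReleaseDate -lt [datetime]'2015-01-01') {
        $result.Problems += 'Firmware predates 2015; check the vendor site for a firmware update before retrying.'
    }

    $result.Ready = ($result.Problems.Count -eq 0)
    [pscustomobject]$result
}

# Usage: print the report and surface any blocking problems as warnings
$check = Test-SecureBootPrerequisites
$check | Format-List
if (-not $check.Ready) { $check.Problems | ForEach-Object { Write-Warning $_ } }
```

Because the function returns an object rather than printing, the same check can be run across a fleet (for example through a remoting session) and the `Ready` and `Problems` fields collected centrally, so machines that would fail Step 3 or Step 4 are identified before the update is pushed.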

Next steps

After updating the certificates, explore Windows Defender Application Control (WDAC) policies to supplement Secure Boot with runtime code integrity; use Get-CIPolicy to examine the current policies. For enterprise environments, consider implementing custom Secure Boot policies with Set-SecureBootUEFI. Monitor the Microsoft Security Response Center for future certificate updates, and review the UEFI Forum’s Secure Boot specifications at uefi.org for a deeper understanding of how the certificate chain is validated at boot.