As you may or may not know, Microsoft's original Secure Boot certificates, issued in 2011, begin expiring in late June 2026. Most Windows machines will receive the updated certificates automatically. Note, however, that where an administrative update process such as WSUS is in place, you may find that this update has to be applied manually. Below is a simple batch script that checks whether the certificate has been applied and, if it has not, lets you apply it. For the script to run properly, at least the November 2025 update rollup must be installed first, as it contains the update servicing framework. Lastly, on some machines the script will need to be run twice to properly apply the update.
@ECHO OFF
ECHO.
REM Check SecureBoot Status
REM Get-SecureBootUEFI, reg add under HKLM and schtasks /run all need an elevated Administrator prompt.
REM The check looks for the "Windows UEFI CA 2023" certificate name inside the Secure Boot db variable.
ECHO Checking SecureBoot Certificate Status ---
SET "status="
FOR /F "delims=" %%V IN ('powershell -NoProfile -Command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'"') DO (SET "status=%%V")
ECHO.
REM Report SecureBoot Status
ECHO SecureBoot Update Has Occurred: %status% ---
ECHO.
REM Set Status for testing
REM SET status=False
REM Stop if the check itself failed: not elevated, or Secure Boot not available on this machine
IF "%status%"=="" (
    color 0E
    ECHO Could not read the Secure Boot db. Run this script as Administrator on a UEFI system with Secure Boot ---
    ECHO.
    GOTO End
)
REM Close if SecureBoot Already Updated
IF "%status%"=="True" GOTO Updated
color 0C
ECHO Update SecureBoot Certificates?:
ECHO 1 = Yes, Update Now!
ECHO 2 = No, Maybe Later :(
ECHO.
set /p input="Enter Selection: "
ECHO.
IF "%input%"=="1" GOTO Update
IF "%input%"=="2" GOTO End
GOTO End
REM Secureboot Already Updated
:Updated
color 0A
ECHO SecureBoot Has Already Been Updated ---
ECHO.
GOTO End
REM Set Update Framework
:Update
ECHO Activating SecureBoot Certificate Update ---
REM Tell the servicing framework which updates are available, then run the scheduled task that applies them
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
schtasks /run /tn "\Microsoft\Windows\PI\Secure-Boot-Update"
ECHO.
ECHO SecureBoot Update Applied ... Rebooting Now ---
shutdown /r /t 10
REM Close Script
:End
ECHO Automagically Closing in 10 Seconds ---
TIMEOUT /T 10 /NOBREAK > NUL
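The batch script above decides "updated" by searching the raw db bytes for a name string. As an added example (my own code, not the original script), the PowerShell below walks the EFI_SIGNATURE_LIST structures in the db and KEK variables, decodes each embedded X.509 certificate, and reports subject and expiry, so you can see the expiring 2011 certificates and the 2023 replacements side by side. It assumes an elevated PowerShell on a UEFI system with Secure Boot available; the EFI_CERT_X509_GUID value is the UEFI specification constant, and the KEK certificate name is taken from Microsoft's published list of 2023 certificates.

```powershell
# Added example, not the original script: enumerate the X.509 certificates actually stored in the
# Secure Boot db and KEK variables by parsing EFI_SIGNATURE_LIST, instead of searching raw bytes.
# Requires an elevated PowerShell on a UEFI system with Secure Boot available.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UINT32 sizes
        $type     = [Guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop, do not spin
        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $hdrSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the DER certificate
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Expected 2023 CA names per variable (KEK name from Microsoft's published certificate list).
$expected = @{ db = 'Windows UEFI CA 2023'; KEK = 'Microsoft Corporation KEK 2K CA 2023' }
foreach ($var in 'KEK', 'db') {
    $certs = @(Get-SecureBootCertificate -Name $var)
    "== $var =="
    $certs | Select-Object Subject, NotAfter | Format-Table -AutoSize | Out-String
    $present = [bool]($certs | Where-Object { $_.Subject -like "*$($expected[$var])*" })
    "$($expected[$var]) present in ${var}: $present"
}
```

The NotAfter column shows when each stored certificate expires, which is the practical way to confirm that the 2011 certificates are the ones expiring in 2026 and whether their 2023 successors have actually landed in the firmware variables.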