Install Secure Boot Certificates on Old PC [Windows]
Modern versions of Windows 11 and even some updated builds of Windows 10 rely heavily on Secure Boot for improved system security. Secure Boot is a feature built into your computer’s UEFI firmware that helps prevent malware, rootkits, and unauthorized operating systems from loading during startup.
In this guide, you will learn exactly how to install Secure Boot certificates on an old Windows PC
What Are Secure Boot Certificates?
Secure Boot certificates are digital security keys stored inside your computer’s UEFI firmware. These keys verify whether the operating system and bootloader are trusted and safe to run.
When your PC starts, the firmware checks these certificates before allowing Windows to boot. If the certificates are outdated, missing, or corrupted, the system may refuse to boot newer operating systems correctly.
Older PCs often shipped with early versions of Secure Boot databases. Because security standards evolve, newer Windows builds may require updated certificates or firmware support.
Installing updated Secure Boot certificates helps your old computer:
- Improve startup security
- Support newer Windows installations
- Pass Windows 11 Secure Boot checks
- Prevent boot-level malware attacks
- Enable modern UEFI protection features
Requirements Before You Start
Before modifying Secure Boot settings, make sure you prepare your computer properly.
You should have:
- A stable power source
- An internet connection
- Your motherboard or laptop model number
- A USB drive if a firmware update is required
- Administrator access to Windows
- A backup of important files
You should also confirm whether your PC supports UEFI mode. Secure Boot does not work with older Legacy BIOS mode.
To check this in Windows: Press Windows + R, Type msinfo32
Press Enter
Inside the System Information window, look for: BIOS Mode
If it says UEFI, your PC supports Secure Boot.
If it says Legacy, you may need to switch the drive format from MBR to GPT before enabling Secure Boot.
Now, we are ready. Let’s install the certificates!
Install Secure Boot Certificates on Old PC [Windows]
![Install Secure Boot Certificates on Old PC [Windows]](https://gadgetsnurture.com/wp-content/uploads/2026/05/Install-Secure-Boot-Certificates-on-Old-PC-Windows-1024x576.jpg)
To install Secure Boot certificates on an old Windows PC, first update the motherboard BIOS or UEFI firmware to the latest version from the manufacturer. Then enter the BIOS settings, enable UEFI mode, and restore or install the default Secure Boot keys. Save the changes and restart the computer. After booting into Windows, verify Secure Boot status using the System Information tool.
Step 1: Check If Your Old PC Supports Secure Boot
The first thing you need to do is confirm that your computer hardware actually supports Secure Boot. Many old PCs released after 2012 include basic UEFI support even if Secure Boot is disabled.
Start by opening the System Information utility.
Press the Windows key and type System Information. Open the app from the search results. Inside the window, look for the following entries:
- BIOS Mode
- Secure Boot State
If BIOS Mode shows UEFI, your computer can likely support Secure Boot certificates. If Secure Boot State says Off, that means the feature is available but currently disabled.
If Secure Boot State says Unsupported, your firmware may need updating.
Write down your motherboard or laptop model information because you may need it later for firmware downloads.
You can usually find the model number in the same System Information window under: System Model
This step is important because attempting to install Secure Boot keys on unsupported hardware may cause startup problems.
Step 2: Update Your BIOS or UEFI Firmware
Outdated firmware is one of the biggest reasons old PCs fail Secure Boot validation.
Manufacturers often release BIOS updates that add newer Secure Boot databases and compatibility fixes for modern Windows versions.
Open your web browser and visit your PC or motherboard manufacturer’s official support website.
Search for your exact model number.
Look for the latest:
- BIOS update
- UEFI firmware update
- Security update
Download the latest firmware version carefully. Most manufacturers provide installation instructions directly on their website. For desktop motherboards, common manufacturers include:
- ASUS
- Gigabyte
- MSI
- ASRock
For laptops, common brands include:
- Dell
- HP
- Lenovo
- Acer
After downloading the firmware file, extract it if necessary.
Some systems allow BIOS updates directly from Windows using a utility tool. Others require copying the file to a USB drive and updating from the BIOS screen.
During the update:
- Do not shut down the PC
- Do not unplug the power cable
- Do not interrupt the process
The computer may restart several times. Once completed, the firmware will usually reset to default settings automatically.
Updating the firmware is often enough to install newer Secure Boot certificates automatically.
Step 3: Enter BIOS or UEFI Settings
After updating the firmware, you need to access the BIOS or UEFI settings screen.
Restart your computer. As the PC starts, repeatedly press the BIOS access key. Common keys include:
- F2
- Delete
- F10
- Esc
Some laptops display the correct key briefly during startup. Once inside the firmware menu, look for tabs such as:
- Boot
- Security
- Authentication
- Advanced
Every motherboard brand uses a different interface, so the exact wording may vary slightly.
Take your time and avoid changing unrelated settings.
The goal here is to prepare the system for Secure Boot certificate installation.
Step 4: Enable UEFI Boot Mode
Secure Boot only works in UEFI mode.
If your system still uses Legacy Boot or CSM mode, Secure Boot cannot function properly.
Inside the BIOS settings, locate the boot configuration section. Find an option called:
- Boot Mode
- CSM Support
- Legacy Support
- UEFI/Legacy Boot
- Change the setting to:
- UEFI Only
Disable any Legacy or CSM options if available.
Some firmware menus automatically unlock Secure Boot options after disabling Legacy mode.
Save the settings temporarily and remain inside the BIOS if possible.
If your Windows installation was created in Legacy mode using an MBR disk, the system may fail to boot after switching to UEFI.
In that case, you may need to convert the drive from MBR to GPT using Windows tools before enabling Secure Boot.
Modern Windows installations generally work best with GPT and UEFI.
Step 5: Install or Restore Secure Boot Certificates
This is the most important part of the process.
Once UEFI mode is enabled, locate the Secure Boot section inside the BIOS. You may see options like:
- Install Default Keys
- Restore Factory Keys
- Reset Secure Boot Keys
- Load Secure Boot Certificates
- Restore PK Keys
These options reinstall the manufacturer’s official Secure Boot certificates into the motherboard firmware.
Choose the option that restores or installs the default keys. The firmware will usually install:
- Platform Key (PK)
- Key Exchange Keys (KEK)
- Signature Database (db)
- Forbidden Signature Database (dbx)
These certificates help verify trusted operating systems and block malicious bootloaders.
On many systems, simply selecting Install Default Secure Boot Keys completes the process instantly.
After installing the keys, enable the Secure Boot option itself.
Change the setting from Disabled to Enabled. Some systems also provide Secure Boot modes, such as:
- Standard
- Custom
Choose Standard unless you specifically need custom certificates. Save all settings before exiting the BIOS.
Step 6: Restart and Boot Into Windows
After saving the Secure Boot settings, restart your computer normally.
The first boot may take slightly longer than usual because the firmware is rebuilding startup verification data.
If Windows boots successfully, that means the Secure Boot certificates were installed correctly.
If the PC fails to boot, return to BIOS settings and verify:
- UEFI mode is enabled
- Secure Boot keys were installed correctly
- The storage drive uses GPT format
- Legacy mode is disabled
In rare cases, older Windows installations may require repair after changing Secure Boot settings.
Do not panic if the system restarts once or twice during the first startup.
That behavior is normal after firmware modifications.
Step 7: Verify Secure Boot Status in Windows
Once you are back inside Windows, confirm that Secure Boot is working properly.
Press Windows + R> Type: msinfo32> Press Enter.
Inside System Information, look for: Secure Boot State
If everything was configured properly, it should now say: On
Also confirm: BIOS Mode: UEFI
These two values confirm that Secure Boot certificates are active and functioning correctly.
You can now safely install newer Windows versions and use modern security protections.
FAQs
Is Secure Boot Required for Windows 11?
Yes, Windows 11 officially requires Secure Boot support for installation on supported hardware.
Can I Install Secure Boot on Any Old PC?
Not always. The motherboard must support UEFI firmware. Very old systems with only Legacy BIOS cannot use Secure Boot.
Will Installing Secure Boot Delete My Files?
Normally, no. Installing Secure Boot certificates does not erase personal files. However, backing up your important data before changing firmware settings is strongly recommended.
What Happens If Secure Boot Is Disabled?
Your PC can still boot Windows, but it loses an important layer of startup security protection.
Is It Safe to Update BIOS Firmware?
Yes, if done carefully using official firmware files from the manufacturer. Avoid interrupting the update process.
Do I Need Internet Access During Installation?
Internet access is only needed for downloading BIOS updates or firmware files.
Can Secure Boot Improve Security?
Yes. Secure Boot helps block bootkits, rootkits, and unauthorized operating systems from loading during startup.