Install Secure Boot Certificates on Old PC [Windows]

Secure Boot is a built-in security feature available in modern UEFI-based systems. It helps protect your computer from unauthorized bootloaders, rootkits, and low-level malware during startup. Many older PCs either do not have Secure Boot enabled or may not contain the required Secure Boot certificates needed for newer versions of Windows.

When installing Windows 11 or updating system firmware, users often face errors related to missing Secure Boot keys or certificates. Fortunately, you can manually install Secure Boot certificates on an older PC if your motherboard firmware supports UEFI mode.

This guide explains the complete process to check Secure Boot compatibility, prepare the required files, enter BIOS or UEFI firmware, and install the Secure Boot certificates safely.

So let’s start!

Types of Secure Boot Key Databases

Secure Boot relies on digital keys stored inside the motherboard firmware. These keys verify that only trusted operating systems and bootloaders can start during boot. The main Secure Boot databases include:

  • PK (Platform Key) controls ownership of Secure Boot settings.
  • KEK (Key Exchange Keys) manages updates to allowed or blocked signatures.
  • db (Allowed Signature Database) contains trusted operating system signatures.
  • dbx (Forbidden Signature Database) contains blocked or revoked signatures.

If these keys are missing or corrupted, Secure Boot may fail to activate even when the hardware supports it.

Install Secure Boot Certificates on Old PC [Windows]

If your older Windows PC supports UEFI firmware but Secure Boot is not properly configured, you can manually install Secure Boot certificates by following these steps:

  • Check whether your PC supports UEFI and Secure Boot
  • Download or locate the required Secure Boot certificate files
  • Format a USB drive to FAT32
  • Copy the Secure Boot keys to the USB drive
  • Enter the system BIOS or UEFI firmware
  • Switch the system from Legacy Mode to UEFI Mode
  • Open the Key Management section
  • Install the Secure Boot certificates manually
  • Save the changes and restart the computer
  • Verify Secure Boot status in Windows

These steps allow older compatible PCs to properly support Secure Boot for newer Windows installations and enhanced startup protection.

Step 1: Check Whether Your Old PC Supports UEFI and Secure Boot

The first step is verifying whether your old computer actually supports Secure Boot. Many systems manufactured after 2012 include UEFI firmware support, even if Secure Boot is disabled.

Start your computer and enter Windows normally. Press Windows + R to open the Run dialog box. Type msinfo32 and press Enter.

The System Information window will appear. Look for the following entries:

  • BIOS Mode should display UEFI.
  • Secure Boot State may show Off, Unsupported, or Disabled.

If BIOS Mode says Legacy, your system is currently running in traditional BIOS mode. In that case, Secure Boot cannot work until you switch the system to UEFI mode.

If Secure Boot State shows Unsupported, your motherboard likely does not support Secure Boot certificates at all.

Many older ASUS, Gigabyte, MSI, Dell, Lenovo, and HP motherboards support Secure Boot after a BIOS update. You may need to install the latest firmware version from the manufacturer.

Step 2: Backup Important Data Before Modifying Firmware Settings

Changing boot settings always carries some risk. Incorrect BIOS changes may prevent Windows from starting correctly.

Before continuing, create a complete backup of your important files, including:

  • Documents
  • Photos
  • Videos
  • Game saves
  • System recovery files

You can use an external hard drive or cloud storage service for safety.

It is also smart to create a Windows recovery drive. Search for Create a recovery drive in Windows Search and follow the on-screen instructions.

This step ensures you can recover the operating system if something goes wrong during the Secure Boot setup process.

Step 3: Download or Locate Secure Boot Certificate Files

To install Secure Boot certificates manually, you need the correct key files. Some motherboard manufacturers provide default Secure Boot keys directly inside the BIOS, while others require manual installation using external files.

Common Secure Boot certificate file formats include .auth, .esl, .cer, and .bin.

You can usually obtain these certificates from:

  • Your motherboard manufacturer’s support page
  • Official firmware update packages
  • Microsoft Secure Boot deployment resources

Some BIOS firmware interfaces also include an option called: Install Default Secure Boot Keys

If this option exists, you may not need external certificate files at all.

Be careful when downloading Secure Boot certificates from unofficial websites. Incorrect or modified keys can cause boot failures and security problems.

Step 4: Prepare a FAT32 USB Drive

Most UEFI firmware interfaces only recognize USB drives formatted using the FAT32 file system.

Insert a USB flash drive into your computer. Open File Explorer, right-click the USB drive, and choose Format.

Select: File System: FAT32

Leave the remaining settings at default values and click Start.

After formatting is complete, copy the Secure Boot certificate files to the root directory of the USB drive. Avoid placing them inside folders because some firmware interfaces cannot detect nested directories.

Safely eject the USB drive after copying the files.

Step 5: Enter BIOS or UEFI Firmware Settings

Now you need to access your motherboard firmware settings.

Restart the computer and repeatedly press the BIOS access key during startup. Common keys include:

  • Delete
  • F2
  • F10
  • ESC

The correct key depends on your motherboard or laptop manufacturer.

Once inside the firmware menu, switch to Advanced Mode if your BIOS opens in simplified mode.

Modern firmware interfaces usually contain sections such as:

  • Boot
  • Security
  • Authentication
  • Advanced

The Secure Boot settings are normally located inside one of these categories.

Step 6: Disable Legacy Boot and Enable UEFI Mode

Secure Boot only functions when the system uses pure UEFI mode.

Locate the boot settings section and find options such as:

  • CSM Support
  • Legacy Boot
  • Launch CSM

If enabled, disable these options.

Next, make sure the system boot mode is set to: UEFI Only

Switching from Legacy mode to UEFI may prevent an older Windows installation from booting if it was installed using the MBR partition style. In some cases, you may need to convert the system disk from MBR to GPT.

Windows includes a built-in tool called MBR2GPT for this purpose.

After enabling UEFI mode, save the settings and re-enter the firmware setup if necessary.
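
A pre-flight check for this step, as an added example that is not part of the original guide: it reports the firmware mode Windows booted in and the system disk's partition style, and runs MBR2GPT in validate-only mode. It assumes an elevated PowerShell session in the existing Windows installation, run while the PC still boots in its current mode.

```powershell
# Added example: run elevated, inside the existing Windows installation.
$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
$disk     = Get-Disk | Where-Object IsSystem | Select-Object -First 1

"Firmware mode Windows booted in: $firmware"
"System disk $($disk.Number) partition style: $($disk.PartitionStyle)"

if ($disk.PartitionStyle -eq 'GPT') {
    'Disk is already GPT; no conversion is needed for UEFI boot.'
}
elseif ($disk.PartitionStyle -eq 'MBR') {
    # /validate only checks whether the layout can be converted; it writes nothing.
    # /allowFullOS is required when running from full Windows instead of Windows PE.
    & mbr2gpt.exe /validate "/disk:$($disk.Number)" /allowFullOS
    if ($LASTEXITCODE -eq 0) {
        'Validation passed. After backing up, convert with:'
        "  mbr2gpt.exe /convert /disk:$($disk.Number) /allowFullOS"
    }
    else {
        "Validation failed (exit code $LASTEXITCODE); check setupact.log and setuperr.log in $env:windir."
    }
}
```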

Step 7: Open the Secure Boot Key Management Section

Now navigate to the Secure Boot configuration area.

Depending on your motherboard manufacturer, the section may be called:

  • Secure Boot
  • Key Management
  • Secure Boot Control
  • Authentication Keys

Inside this section, you may see options such as:

  • Install Default Keys
  • Clear Secure Boot Keys
  • Enroll Keys
  • Restore Factory Keys

If your firmware includes an automatic option like Install Default Secure Boot Keys, select it first because it is the easiest and safest method.

Many systems instantly populate the required PK, KEK, db, and dbx databases automatically.

If automatic installation is unavailable, continue with manual certificate installation.

Step 8: Install the Secure Boot Certificates Manually

Insert the prepared FAT32 USB drive into the computer.

Inside the Key Management section, choose the option to enroll or import keys.

You may need to install certificates individually in this order:

  • Platform Key (PK)
  • Key Exchange Key (KEK)
  • Allowed Database (db)
  • Forbidden Database (dbx)

Select the appropriate file from the USB drive for each category.

The firmware may display confirmation messages asking whether you trust the certificate. Confirm each installation carefully.

Do not interrupt the process while keys are being written to firmware memory.

Some systems restart automatically after certificate enrollment.

Step 9: Enable Secure Boot Properly

After the certificates are installed successfully, return to the Secure Boot settings page.

Locate the option labeled: Secure Boot

Change its status from Disabled to Enabled.

Some firmware interfaces also include Secure Boot operating modes, such as:

  • Standard
  • Custom

For beginners, choose Standard mode because it uses default Microsoft-approved settings.

Save all BIOS changes before exiting.

Your computer will now restart using Secure Boot protection.

Step 10: Verify Secure Boot Status in Windows

After Windows loads successfully, verify that Secure Boot is functioning correctly.

Press Windows + R, type msinfo32, and press Enter again.

Inside the System Information window, check the following entries:

  • BIOS Mode: UEFI
  • Secure Boot State: On

If Secure Boot State displays On, the installation process was successful.

You can also verify Secure Boot using Windows Security settings.

Open: Windows Security > Device Security > Secure Boot

This section confirms whether Secure Boot is active on the system.
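
The same verification from PowerShell, as an added example that is not part of the original guide: it confirms the Secure Boot state and lists which X.509 certificates ended up in PK, KEK, db and dbx by parsing the firmware variables as EFI signature lists. It assumes an elevated session on a system booted in UEFI mode; the function name `Get-SignatureListEntries` is hypothetical.

```powershell
# Added example. Requires an elevated PowerShell session on a system booted in UEFI mode.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SignatureListEntries {   # hypothetical helper name
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list, header and signature sizes (4 bytes each)
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end      = $offset + $listSize
        if ($listSize -lt 28 -or $sigSize -le 16 -or $end -gt $Bytes.Length) { break }  # malformed list
        # Each entry is an owner GUID (16 bytes) followed by the signature data.
        for ($pos = $offset + 28 + $hdrSize; $pos + $sigSize -le $end; $pos += $sigSize) {
            if ($type -eq $X509Guid) {
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Kind = 'X509'; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
            }
            else {
                [pscustomobject]@{ Kind = 'Hash/other'; Subject = $null; NotAfter = $null }
            }
        }
        $offset = $end
    }
}

try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI -ErrorAction Stop)" }
catch { "Secure Boot state unavailable: $($_.Exception.Message)" }

foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    try   { $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop }
    catch { "${name}: not set or not readable"; continue }
    $entries = @(Get-SignatureListEntries -Bytes $var.Bytes)
    $certs   = @($entries | Where-Object Kind -eq 'X509')
    "${name}: $($entries.Count) entries, $($certs.Count) X.509 certificates"
    $certs | ForEach-Object { "    $($_.Subject)  (expires $($_.NotAfter.ToString('yyyy-MM-dd')))" }
}
```

Because an .esl file uses the same signature-list layout, the function can also inspect a file before enrollment, for example `Get-SignatureListEntries -Bytes ([IO.File]::ReadAllBytes('E:\db.esl'))`, where the path is a placeholder for a file on the USB drive.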

FAQs

Can I install Secure Boot certificates on every old PC?

No. The motherboard must support UEFI firmware and Secure Boot functionality. Older systems using traditional BIOS only cannot support Secure Boot.

Is Secure Boot required for Windows 11?

Windows 11 officially requires Secure Boot support, although some installations bypass this requirement. Enabling Secure Boot improves system security significantly.

Will enabling Secure Boot delete my files?

Normally, no. However, incorrect firmware changes may prevent Windows from booting. Always create backups before modifying BIOS settings.

What happens if Secure Boot keys are corrupted?

The system may fail to boot trusted operating systems correctly. Reinstalling the factory Secure Boot keys usually fixes the issue.

Can I disable Secure Boot later?

Yes. You can return to BIOS settings and disable Secure Boot anytime if needed for compatibility reasons.

What is the difference between BIOS and UEFI?

Traditional BIOS is an older firmware technology with limited security features. UEFI is the modern replacement that supports Secure Boot, larger drives, and faster startup.

Do I need internet access during installation?

No. The Secure Boot certificates are installed locally through BIOS or UEFI firmware using a USB drive.
