How to Check Secure Boot and BIOS Updates Before Windows Changes in 2026
Quick Summary
In 2026, a sensible Windows maintenance check is no longer just “run Windows Update and hope”. Microsoft has warned that Secure Boot certificates used by Windows systems start expiring from June 2026, Windows 10 has already left normal support, and many UK households are still running a mix of Windows 11 laptops, older Windows 10 machines, recycled family PCs and work-from-home desktops. Before changing firmware settings or installing BIOS updates, back up important files, save your BitLocker recovery key, check Windows support status, confirm Secure Boot state, identify your exact PC model, and only install firmware from the manufacturer’s own support tool or website. This is a no-shopping checklist for doing that calmly.
Why This Guide Matters Now
Secure Boot is one of those Windows features that most home users ignore until a health-check app, upgrade warning or support article mentions it. It lives below the normal desktop experience, in the slightly spooky basement where firmware, bootloaders and recovery screens hold committee meetings. Most of the time that is fine. You do not need to understand every UEFI setting to use a laptop for banking, homework, gaming, side projects or video calls.
But 2026 has made the boring basement more relevant. Microsoft’s Windows IT guidance says Secure Boot certificates used by Windows systems begin expiring in June 2026, and supported Windows devices need updated certificates to maintain continuity and protection. That does not mean a typical UK home PC will suddenly burst into blue flames on a Tuesday morning. It does mean firmware, Windows Update, device support and recovery readiness deserve a little more attention than usual.
At the same time, Windows 10 normal support ended on 14 October 2025, with consumer Extended Security Updates acting as a temporary bridge into October 2026 for enrolled devices. Many households are now in the messy middle: one Windows 11 laptop, one older Windows 10 machine, a gaming desktop that has not seen a BIOS update since the reign of ancient kings, and perhaps a spare laptop nobody wants to wipe because it might contain “something important”. This guide is for that real-world mix.
This is deliberately non-product-led. There are no Amazon picks because the useful action is maintenance, not buying five random gadgets because a content goblin demanded a basket. Your best tool here is a careful checklist, a backup, and enough patience not to change firmware settings like you are defusing a bomb in a film.
What Secure Boot Actually Does
Secure Boot is a security feature in modern UEFI firmware. Its job is to help make sure the software that starts before Windows is trusted. When a PC boots, it does not immediately jump straight into your desktop. Firmware starts first, then boot components load, then the operating system takes over. Secure Boot checks that early boot code is signed by trusted authorities rather than being tampered with by malware.
For normal home users, the important point is simple: Secure Boot helps protect the early startup chain. It is also one of the requirements associated with modern Windows security expectations and Windows 11 eligibility. If Secure Boot is disabled, misconfigured, or unsupported, you may see warnings in Windows Security, PC Health Check, update prompts or upgrade tools.
Secure Boot is not the same as BitLocker, TPM, antivirus or Windows Update. They are related parts of the wider security picture, but they do different jobs. Secure Boot checks trust during startup. TPM stores security material and helps with device integrity. BitLocker encrypts the drive. Windows Update delivers operating-system and driver fixes. Antivirus watches for threats once the system is running. Confusing them is easy, which is why Windows maintenance sometimes feels like being asked to name five different locks on the same door while the door is already on fire.
Step 1: Back Up Before Touching Firmware
Before checking BIOS settings, changing Secure Boot state or installing firmware updates, back up anything you would be upset to lose. Firmware maintenance is usually routine, but the consequence of a bad day can be higher than a normal app update. Power failure, a wrong update, a failing drive or a BitLocker recovery prompt can turn a simple check into an evening of regret.
Use a boring backup plan. Copy documents, photos, project files, tax records, password-vault exports where appropriate, browser bookmarks, game saves and anything else that matters to an external drive or trusted cloud storage. If you use OneDrive, Google Drive or Dropbox, do not assume every local folder is definitely synced. Open the sync client and check status. A cloud icon is not a backup strategy; it is a tiny symbol of either reassurance or betrayal.
If this is a family PC, ask whether other user accounts hold files. Many older laptops have several profiles from years of household archaeology. Check Desktop, Documents, Downloads and Pictures for each account you can access. If the PC belongs to work, stop and follow the employer’s process instead. Do not improvise firmware changes on managed kit unless you enjoy awkward conversations with IT.
Step 2: Save Your BitLocker Recovery Key
If BitLocker or Device Encryption is enabled, save the recovery key before changing boot settings or firmware. This is the step people skip because everything has always booted fine. Then a firmware update changes something, Windows asks for the recovery key, and the room temperature drops by six degrees.
On Windows 11, open Settings, go to Privacy & security, then Device encryption or BitLocker settings depending on your edition. On some systems you can also search the Start menu for “BitLocker”. If encryption is on, check where the recovery key is stored. Many consumer devices save it to the Microsoft account used during setup. Go to the official Microsoft account recovery-key page from a browser you trust, sign in, and confirm the device name and key are present. Print it or store it in a secure password manager if that is how you manage household recovery information.
Do not save the only copy of the recovery key on the encrypted drive itself. That is like hiding the spare key inside the locked house and congratulating yourself on tidiness. If you cannot find the recovery key, pause before making firmware changes. Sort the key problem first.
Step 3: Check Windows Version and Support Status
Press the Windows key, type winver, and run it. Note whether the device is Windows 10 or Windows 11 and which version it reports. For Windows 11, also check Settings, Windows Update, Update history, and whether feature updates or servicing warnings are waiting. Microsoft’s lifecycle page lists Windows 11 Home and Pro version 24H2 as ending servicing on 13 October 2026, so even “new Windows” still needs version awareness. Support is not a one-time achievement; it is a treadmill with branding.
If the machine is still on Windows 10, be clear about its status. Normal Windows 10 support ended on 14 October 2025. If it is enrolled in Extended Security Updates, treat that as a temporary bridge rather than a fresh decade of life. If it is not receiving security updates, avoid using it for email, shopping, banking, password management or sensitive household admin. For a broader decision path, read our guide on what to do with a Windows 10 PC that cannot upgrade to Windows 11 in 2026.
If the device can upgrade to Windows 11 but has been putting it off, check compatibility again after updates. Some systems fail eligibility because TPM or Secure Boot is disabled in firmware even though the hardware supports it. Others are genuinely unsupported. Do not force a workaround blindly. Your goal is a supported, stable machine, not a heroic upgrade story that becomes your new hobby against your will.
Step 4: Check Secure Boot State in Windows
The safest first check is inside Windows. Press Start, type System Information, and open it. In the System Summary view, look for BIOS Mode and Secure Boot State. BIOS Mode should normally say UEFI on modern Windows 11-capable hardware. Secure Boot State may say On, Off, or Unsupported depending on the machine and configuration.
If Secure Boot is already On, you probably do not need to change anything manually. Focus on Windows Update, manufacturer firmware updates, backups and recovery readiness. If it says Off, do not immediately dive into firmware and flip switches. First identify why it is off. Some custom-built PCs, older upgraded installs, dual-boot setups, specialist hardware, or legacy Windows installations may have reasons. Some simply had it disabled years ago by someone following a forum post with the confidence of a Victorian ghost.
If Secure Boot is Unsupported, the device may be too old, running in legacy BIOS mode, or configured in a way that cannot use it without deeper changes. At that point, be careful. Converting boot modes or changing partition layouts is outside a casual five-minute maintenance task. If the PC is old enough to lack normal Secure Boot support, it is likely also part of the bigger Windows 10 exit decision.
Step 5: Identify the Exact PC Model
Firmware updates are model-specific. “Dell laptop”, “HP desktop”, “Lenovo ThinkPad” or “some gaming motherboard” is not precise enough. You need the exact model, service tag, serial number or motherboard name. On branded laptops and desktops, check Settings, System, About, the manufacturer support app, or the label on the underside or rear. For custom desktops, open System Information and look for BaseBoard Manufacturer and BaseBoard Product.
Once you have the exact model, use the manufacturer’s own support page or update utility. For example, large PC makers often provide support-assistant tools that identify the machine and suggest BIOS, firmware and driver updates. Motherboard vendors provide model pages with BIOS downloads. Avoid random driver sites. Avoid “BIOS update” downloads from search ads. Avoid anything that claims to fix all firmware problems with one magical utility. That way lies malware, confusion, and possibly a toolbar from 2008 rising from the grave.
Read the update notes before installing. Look for mentions of security fixes, Secure Boot, firmware stability, TPM, BitLocker, CPU microcode, boot compatibility or Windows 11 support. You do not need to understand every technical line, but you should know whether the update is relevant and whether the vendor has special instructions.
Step 6: Update Windows Before BIOS, Then Pause
A calm order helps. First, install normal Windows updates and restart until Settings shows the device is up to date. Then check the manufacturer tool or support page for BIOS and firmware updates. Do not stack every possible update at once. If something breaks, you want to know which change probably caused it.
When updating BIOS or firmware, plug in the laptop, make sure the battery has charge, close other apps, and do not interrupt the process. For desktops, avoid starting a firmware flash during a thunderstorm, power wobble or moment when someone might trip over the plug. Yes, that sounds dramatic. No, it is not worth testing.
After the firmware update completes, restart, sign in, and check basics: Wi-Fi, keyboard, trackpad or mouse, display, sleep/wake, external monitors and BitLocker status. Then check System Information again for Secure Boot State. If something changed, document it. A small note with date, BIOS version and Secure Boot state can save time later.
When You Should Not Change Secure Boot Yourself
There are cases where the best home-user move is to stop at checking and documentation. Do not casually change Secure Boot settings if the PC dual-boots Linux, runs specialist boot tools, belongs to work, uses unusual disk encryption, has important legacy hardware, or already behaves unreliably. Secure Boot changes can affect how operating systems and bootloaders start. They are manageable when planned, but irritating when discovered at 11pm after “just one quick setting”.
If you rely on a dual-boot Linux setup, read the distribution’s current Secure Boot guidance before changing firmware. If you use external boot media for backups, recovery or cloning, test whether it still boots after changes. If the PC is a custom gaming desktop with years of BIOS tweaks, take photos of current firmware pages before changing anything. The goal is reversibility.
For a household laptop used mainly for browser, schoolwork, email and video calls, keeping Secure Boot on and firmware current is usually sensible. For a tinkering machine, lab box or Linux project, the right answer may be more nuanced. Know which kind of machine you are dealing with before you let the settings goblin drive.
Secure Boot and BIOS Readiness Checklist
Use this checklist before making changes:
- Back up important files from every user account.
- Confirm cloud-sync tools have actually finished syncing.
- Check whether BitLocker or Device Encryption is enabled.
- Save the BitLocker recovery key somewhere you can access from another device.
- Run winver and note Windows version and edition.
- Open System Information and record BIOS Mode and Secure Boot State.
- Identify the exact PC model, service tag or motherboard model.
- Use only the manufacturer’s official support page or update tool.
- Install normal Windows updates before firmware updates.
- Plug in power and avoid interrupting BIOS updates.
- After updating, check Secure Boot State, BitLocker status and everyday device functions.
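
The record-keeping items in this checklist (Windows version, BIOS Mode, Secure Boot State, exact model, BIOS version, BitLocker status) can be collected in one read-only pass. The script below is an added example, not part of the original guide or any Microsoft tool; it assumes an elevated PowerShell window, and the note file name and location are hypothetical choices.

```powershell
# Added example: read-only readiness snapshot; it changes no settings.
# Run from an elevated PowerShell window: Confirm-SecureBootUEFI and
# Get-BitLockerVolume both need administrator rights.

function Get-SecureBootState {
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    }
    catch [System.PlatformNotSupportedException] {
        'Unsupported'    # legacy BIOS mode or firmware without Secure Boot
    }
    catch [System.UnauthorizedAccessException] {
        'Unknown (run as administrator)'
    }
    catch { "Unknown ($($_.Exception.Message))" }
}

function Get-BitLockerSummary {
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        # Report only whether a recovery password protector exists, never its value.
        $hasRecovery = [bool]($vol.KeyProtector |
            Where-Object { "$($_.KeyProtectorType)" -eq 'RecoveryPassword' })
        '{0}, recovery password protector present: {1}' -f $vol.ProtectionStatus, $hasRecovery
    }
    catch { "Unknown ($($_.Exception.Message))" }
}

$os    = Get-CimInstance Win32_OperatingSystem
$bios  = Get-CimInstance Win32_BIOS
$pc    = Get-CimInstance Win32_ComputerSystem
$board = Get-CimInstance Win32_BaseBoard
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

$report = [pscustomobject]@{
    Checked     = Get-Date -Format 'yyyy-MM-dd HH:mm'
    Windows     = '{0} {1} (build {2})' -f $os.Caption, $cv.DisplayVersion, $os.BuildNumber
    BiosMode    = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType
    SecureBoot  = Get-SecureBootState
    BitLocker   = Get-BitLockerSummary
    Model       = '{0} {1}' -f $pc.Manufacturer, $pc.Model
    SerialOrTag = $bios.SerialNumber
    BaseBoard   = '{0} {1}' -f $board.Manufacturer, $board.Product
    BiosVersion = $bios.SMBIOSBIOSVersion
    BiosDate    = $bios.ReleaseDate
}

$report | Format-List
# Hypothetical output path: keep a dated copy somewhere off this PC as well.
$notePath = Join-Path $env:USERPROFILE ('firmware-note-{0}.txt' -f (Get-Date -Format 'yyyyMMdd'))
$report | Format-List | Out-File -FilePath $notePath -Encoding utf8
```

Run it once before a firmware update and once after, then compare the two notes: a changed Secure Boot or BitLocker line is the thing to investigate first.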
Troubleshooting Table
| What you see | Likely meaning | Practical next step |
|---|---|---|
| Secure Boot State: On | Secure Boot is enabled | Leave it on, keep Windows and firmware updated, and save recovery keys |
| Secure Boot State: Off | Supported but disabled, or configured unusually | Check model guidance before enabling; back up and save BitLocker key first |
| Secure Boot State: Unsupported | Old hardware, legacy boot mode or incompatible configuration | Treat as part of a wider Windows support and replacement decision |
| BitLocker asks for a recovery key after update | Firmware or boot state changed enough to trigger protection | Enter the saved recovery key, then review BitLocker and firmware status |
| Manufacturer tool offers a BIOS update | Vendor has newer firmware for your exact model | Read notes, plug in power, close apps and update only when you have time |
| Windows 10 shows no normal updates | Device may be outside normal support unless enrolled in ESU | Check ESU status and plan migration, repurpose, Linux, resale or recycling |
| PC Health Check says Windows 11 blocked | TPM, Secure Boot, CPU or other requirement not met | Check firmware settings and official compatibility before assuming the PC is doomed |
How This Fits a Wider Home PC Tidy-Up
Secure Boot readiness is not an isolated chore. It sits beside the other unglamorous jobs that keep a home PC from becoming a haunted appliance: backups, account recovery, password hygiene, sensible updates, drive health, cooling, dust control and knowing when old hardware has earned retirement. A PC can be secure on paper and still miserable to use if the SSD is failing, the fan is clogged, or the owner has forgotten every account password since 2017.
If an older machine is staying in service, pair this check with practical desk reliability work. Our guide on stopping a laptop overheating in a UK home office helps with thermal issues, while the cable chaos guide keeps power and peripherals less fragile. If the device is leaving the house, use the Windows 10 laptop wipe-and-sell guide before handing it to a buyer, relative or recycling route.
For printers, scanners and awkward peripherals, also check compatibility before wiping the old PC. A working household setup can depend on one ancient driver nobody wants to admit is important. The guide on checking whether an old printer will still work with Windows 11 covers that side of the migration.
Common Mistakes to Avoid
The first mistake is treating BIOS updates like normal app updates. Firmware updates are not scary when done correctly, but they deserve more preparation. Back up, plug in, read notes, and do them when you can wait. Do not start one because you have six minutes before a Teams call. The machine knows. It can smell urgency.
The second mistake is changing Secure Boot because a forum comment said “just enable it”. That may be correct for a straightforward Windows 11 laptop. It may be wrong for a dual-boot desktop, old legacy install or encrypted machine without a recovery key. Check before changing.
The third mistake is assuming Windows 10 being “fine yesterday” means it is fine indefinitely. Unsupported systems can still boot, browse and print. That does not mean they are a good place for sensitive daily life. If Windows 10 is still part of your household, give it a defined job, a defined support status and a defined exit plan. Limbo is not a strategy; it is just procrastination with a login screen.
Final Verdict
The right response to 2026 Secure Boot and Windows support changes is not panic-buying a new laptop or randomly hammering firmware settings. It is a calm readiness check: back up, save BitLocker recovery information, confirm Windows version, check Secure Boot state, identify the exact model, use official firmware sources, update in a controlled order, and document the result.
If your PC is modern, supported and already has Secure Boot on, this may be a twenty-minute maintenance job. If it is older, unsupported or oddly configured, the check may reveal a bigger decision: upgrade properly, use ESU temporarily, repurpose with a different operating system, or wipe and move it on. Either way, you will be making the decision with evidence rather than vibes, which is generally healthier for both computers and humans. The void may still be inevitable, but your BIOS settings do not have to join it today.
Editorial Notes
This guide was selected after lightweight UK-focused trend research across current tech coverage, Microsoft lifecycle guidance, Reddit/community chatter, smart-meter and home-network interest, and seasonal buying intent. Candidate areas included smart-meter troubleshooting and energy dashboards, Wi-Fi 7 and Digital Voice home-network readiness, and Windows 10/Secure Boot maintenance. The Windows Secure Boot checklist won because PC & Desk Setup was among the least-recently-used categories, the topic is timely after Microsoft’s June 2026 Secure Boot certificate guidance, and it offers useful non-product-led maintenance advice rather than another Amazon-heavy kit list.
Review Freshness
Last reviewed: 2 June 2026
Update cadence: Monthly while 2026 Windows support, Secure Boot certificate rollout and major OEM firmware guidance continue to evolve.