
The current Windows secure boot certificate will expire in June 2026.  I have run the command "(Get-CimInstance -ClassName Win32_ComputerSystemProduct).Version" and the version number is 1.01 (i.e., without the SBKPFV3 indicating that it has the new certificate).  Therefore, it seems I need to apply an updated BIOS to my PC before I can receive the new certificates automatically via Windows Update.  However, on my HP support site, the last BIOS update is AMI F.45, 5/22/2019, which I have already installed.

My questions:

1.  Does anyone know when, or if, HP is planning to release an updated BIOS for my system that will allow me to apply the new certificates?  

2.  If they don't release a new BIOS, then how can I update the secure boot cert?

1 ACCEPTED SOLUTION


Hi:


OK, I did the procedure in that Microsoft article on a Dell Optiplex 7050 MT business desktop PC which is running W11 25H2, and has an Intel i7-7700 processor.  Latest BIOS update installed 1.27.0 of 9/18/23.

 

The registry entry ran fine.

 

I restarted the PC twice, checked for Windows updates, nothing installed but the Windows Defender definition update.

 

I ran the PowerShell command as administrator and got the 'False' report.

 

So, either this won't work on an older PC, or it will take some time for Windows update to send the updated Secure boot keys to the PC.

 

I'm thinking the former to be true.

 

The secure boot keys come via Windows update because I got them installed on an HP Stream Pro G4 EE notebook that is also not supported to run W11, but I am running W11 25H2 on it anyway.

 

I did not do anything to the PC to get the updated keys, but it did have the latest BIOS update installed F.30 of 8/22/2023.

 

In any event, following the guidance in that link caused no issues with my PC.


14 REPLIES

Additional info:  My system is an HP ENVY Desktop - 750-435st CTO purchased in 2017. 


HP will not release a BIOS update for your PC for the 2023 Secure Boot Certificates according to this document from HP:

 

HP PCs - Prepare for new Windows Secure Boot certificates | HP® Support

 

See this link for what will happen due to not updating to the 2023 Secure Boot Certificates:

 

Windows Secure Boot certificate expiration and CA updates - Microsoft Support


Thanks, Paul.  It looks like HP and Microsoft have locked my keys in their car.

Too bad; this PC is still blazing fast (for its day), so it's disheartening to see them abandoning it.  They will also orphan its Windows 10 operating system in October without an escape plan, so I guess I'll either rely on Norton to guard the city walls going forward or buy a new system.

I see that Microsoft Learn has posted an alternative method for forcing an old BIOS to update itself with the 2023 certificate:

https://learn.microsoft.com/en-us/answers/questions/5804878/how-to-manually-force-apply-updated-secu...

What's your opinion of this alternative method?  Other than the system not accepting the update (which just leaves me right where I am), are there any dangers to trying this that you can see?


You're very welcome.

 

That is extremely interesting.

 

I may give it a try since I have several PCs I can experiment with.

 

Looks easy enough to do...run one command line.

 

BTW, if you are interested in running W11 on your PC as is, it should run W11 25H2 just fine.

 

Watch this video:

 

How to Install Windows 11 25H2 on Unsupported PCs (New Easiest Method)

 

All my PCs going back to those with Intel 2nd gen core processors are running W11 25H2.

 

Runs fine on all of them.

 


Thanks for testing that, Paul.  I will try it on my HP 750-435st.  It sounds harmless, at least, and Windows Update will either eventually recognize the change and provide the new cert or it won't.  If it works, there's one less vulnerability to worry about; if not, no harm, no foul.  I've reviewed the variety of ways people have found to install Win11 on unsupported hardware. They sound easy enough, but two things worry me about them:  1) Microsoft says they will refuse to send updates to an unsupported Windows 11 machine (true or false?), which pretty much leaves us where we'll be in October on Windows 10 anyway, and 2) since neither HP nor Microsoft have tested Win 11 on my hardware configuration, if Win 11 refuses to play well with one of my components, my list of workarounds will be slim or none.  So, I suspect there's a new system in my future.  Thanks again for rolling up your sleeves on this one, Paul.  Much appreciated.


You're very welcome.

 

W11 should run just fine on your PC.

 

I have been running W11 on all of my unsupported PCs since it first came out in 2021.

 

The only thing is that starting with W11 24H2, the processor has to support SSE 4.2 which means the PC has to have an Intel 1st gen core processor or newer.

 

I don't know what the oldest AMD processor is that supports SSE 4.2, but given the fact that the Intel 1st gens came out in 2010, AMD processors are probably similar.

 

If a driver is missing, normally the W10 drivers work fine.

 

I'm using W7 drivers on some of my ancient PCs running W11 that weren't even supported for W10.

 

W11 will get every update that a fully qualified W11 PC will get, except for one thing...any new build release that comes out.

 

So, what I used to do was to use a procedure similar to the one in the video each October when Microsoft normally releases the new builds, and kept my PCs up to date that way.

 

Well, the good news is that starting with this last build (25H2), Microsoft made it ridiculously easy to upgrade any PC to the new build.

 

It's called an 'Enablement package.'

 

A fully qualified W11 PC gets it via Windows update.

 

One that isn't does not.

 

When W11 25H2 came out and I was on 24H2, I ran the W11 25H2 enablement package and it updated my PCs to W11 25H2 in minutes.

 

KB5054156: Feature update to Windows 11, version 25H2 by using an enablement package - Microsoft Sup...

 

You download the file from the Microsoft update catalog and run it.

 

I read that going from W11 25H2>26H2 will use the same type of enablement file for 26H2 when it is released.

 

Windows 11 26H2 Explained: Enablement Package, Copilot Upgrades, Gaming Mode, and Major System Impro...

 

Basically, what happens is that Microsoft installs the files needed during the year via cumulative updates and whatnot.

 

When 26H2 comes out, you would download and run the W11 26H2 enablement package, and it updates the W11 25H2 OS to 26H2 as long as your PC is up to date with all of the monthly W11 updates released on 'Patch Tuesday.'

 

We are literally talking in minutes--like less than 5.

 

Each build is fully supported for two years after the release date, which means that 25H2 is good until October-November of 2027, 26H2 will be fully supported up to October-November of 2028 and so on until 2031 when W11 goes out of support.

 

That is why I am running W11 on my unsupported PCs.

 

It was a 'no brainer.'

 

If in the unlikely event your PC has issues with W11, you can easily go back to W10 within 10 days of upgrading to W11, as long as you don't delete the W11 upgrade files or Windows.old folder.

 

Option 1.

 

How to Downgrade from Windows 11 to Windows 10

 


@Paul_Tikkanen wrote:

...

I restarted the PC twice, checked for Windows updates, nothing installed but the Windows Defender definition update.

 

I ran the PowerShell command as administrator and got the 'False' report.

 

So, either this won't work on an older PC, or it will take some time for Windows update to send the updated Secure boot keys to the PC.

 

I'm thinking the former to be true.

 


I tried to update Z620 using those procedures, and also got a False report. It might be that the older BIOSes don't even have enough code in the BIOS  to allow loading the new certificates.


Good point. It is possible that the BIOS key field simply isn't long enough to hold the new Secure Boot certificate string. Machine-level programmers don't have a lot of memory to work with, so they hate to waste precious bytes on extra parameter space just in case the BIOS might need it some day.  Of course, that wouldn't matter if they'd just release a new BIOS with a long enough field, right? Sadly, that ship has sailed.
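
A read-only way to see where a machine stands, as an added example that is not part of any post in this thread: it reports whether Secure Boot is enabled and whether the 2023 certificates are present in the firmware's KEK and db variables. The certificate names are assumptions taken from Microsoft's public Secure Boot guidance, and `Test-SecureBootCert` is a hypothetical helper name.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI-booted PC.
# ASSUMPTION: the certificate names below come from Microsoft's public
# Secure Boot guidance; they are not quoted anywhere in this thread.
$expected = [ordered]@{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023',
            'Microsoft UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023')
}

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][string]$Variable,
        [Parameter(Mandatory)][string[]]$Names
    )
    try {
        # Raw contents of the UEFI variable (a list of EFI signature entries).
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        # Certificate subject names are stored as readable text inside the
        # DER data, so a substring search is enough for a presence check.
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        $err  = $null
    } catch {
        # Legacy BIOS/CSM boot, or a session that is not elevated.
        $text = $null
        $err  = $_.Exception.Message
    }
    foreach ($name in $Names) {
        [pscustomobject]@{
            Variable    = $Variable
            Certificate = $name
            Present     = if ($null -ne $text) { $text.Contains($name) } else { $null }
            Error       = $err
        }
    }
}

# Firmware-side state first: is Secure Boot actually enforced?
try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $enabled = "unknown ($($_.Exception.Message))" }
"Secure Boot enabled: $enabled"

# The version string the original poster inspected for the SBKPFV3 marker.
"Product version:     $((Get-CimInstance -ClassName Win32_ComputerSystemProduct).Version)"

$expected.GetEnumerator() |
    ForEach-Object { Test-SecureBootCert -Variable $_.Key -Names $_.Value } |
    Format-Table -AutoSize
```

A `Present` value of `False` for every row means the firmware still holds only the older certificates; an empty `Present` with an `Error` message means the variable could not be read at all.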
