Windows 11 24H2 Upgrade Guide For Secure Boot 2026 Compliance
Why end-of-life Windows versions cannot receive the 2023 certificate update — and exactly how to upgrade machines whose CPU is technically unsupported.
Microsoft only ships the Secure Boot 2023 certificate update through supported Windows 11 servicing channels. If a machine is sitting on Windows 10, Windows 11 21H2, or Windows 11 22H2, the certificate update will never arrive — those branches are out of support and will not receive the relevant cumulative updates. Upgrading to a supported Windows 11 build is therefore not optional for Secure Boot 2026 compliance; it is the prerequisite.
The complication is that Microsoft tightened the Windows 11 hardware compatibility check in 24H2, blocking the upgrade on machines with 7th-generation Intel CPUs and earlier even when those machines have TPM 2.0 and Secure Boot enabled. The good news: for Secure Boot certificate purposes, the bypasses below are stable, well-documented, and fully supported by Microsoft as long as you accept the unsupported state warning.
| Windows Version | Status | Receives 2023 Cert? |
|---|---|---|
| Windows 11 21H2 | EOL Oct 2023 | No |
| Windows 11 22H2 | EOL Oct 2024 | No |
| Windows 11 23H2 | Supported | Yes |
| Windows 11 24H2 | Supported | Yes |
| Windows 11 25H2 | Supported | Yes |
Try Windows Update First
On supported hardware, Settings → Windows Update will offer the feature update directly. Click Download and install. This is always the cleanest path. Only move on if the update is not offered after 48 hours of the device being online and idle.
Installation Assistant With Registry Bypass
For machines where Windows Update refuses to offer 24H2 because of CPU compatibility, set this single registry key, then run the Windows 11 Installation Assistant from Microsoft's site:
reg add "HKLM\SYSTEM\Setup\MoSetup" /v AllowUpgradesWithUnsupportedTPMOrCPU /t REG_DWORD /d 1 /f
This is Microsoft's own documented bypass. The machine will display a one-time unsupported state warning and otherwise upgrade normally.
ISO Upgrade Method
Download the official Windows 11 ISO from Microsoft, mount it (right-click → Mount in Windows 10/11), and run setup.exe from the mounted drive. Choose Keep personal files and apps. The MoSetup registry key from Step 2 (Installation Assistant With Registry Bypass) must already be set.
Nuclear LabConfig Bypass For Clean Installs
For clean installs from boot media on hardware that fails even the Installation Assistant check, press Shift+F10 at the first setup screen and apply all four LabConfig keys:
reg add HKLM\SYSTEM\Setup\LabConfig /v BypassTPMCheck /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\Setup\LabConfig /v BypassSecureBootCheck /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\Setup\LabConfig /v BypassRAMCheck /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\Setup\LabConfig /v BypassCPUCheck /t REG_DWORD /d 1 /f
Note: BypassSecureBootCheck disables the install-time check, not the runtime feature. You still want Secure Boot enabled in firmware after install for the 2023 cert update to apply.
Verify BIOS / UEFI Settings
After upgrade, reboot into UEFI firmware setup. Confirm three things: TPM 2.0 is enabled (sometimes labeled fTPM, PTT, or Intel Platform Trust Technology), Secure Boot is enabled, and the boot mode is UEFI — not Legacy / CSM. Save and exit.
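The same three settings can be read back from inside Windows once the machine has booted, together with the Windows build and the bypass values named in this guide. This is an added example, not part of the original guide; it assumes an elevated Windows PowerShell session, and the output property names are chosen here for illustration.

```powershell
# Added example (not from the original guide): read-only post-upgrade audit.
# Assumption: run in an elevated Windows PowerShell session on the upgraded machine.

# Build 22631 is Windows 11 23H2, the oldest release the table above marks "Yes".
$minBuild = 22631
$build    = [System.Environment]::OSVersion.Version.Build

# Firmware boot mode as Windows sees it: Uefi or Bios (Legacy / CSM).
$firmware = (Get-ComputerInfo -Property BiosFirmwareType).BiosFirmwareType

# Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on
# Legacy / CSM boot, so an error is recorded as "not enabled".
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# TPM presence and spec version (first field of SpecVersion, e.g. "2.0, 0, 1.38").
$tpm     = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

# Bypass values named in this guide. A value that is present shows the bypass
# was set on this installation; an absent value proves nothing, because keys
# added from the setup command prompt may not carry over to the installed OS.
$bypass = foreach ($pair in @(
        @('MoSetup',   'AllowUpgradesWithUnsupportedTPMOrCPU'),
        @('LabConfig', 'BypassTPMCheck'),
        @('LabConfig', 'BypassSecureBootCheck'),
        @('LabConfig', 'BypassRAMCheck'),
        @('LabConfig', 'BypassCPUCheck'))) {
    $p = Get-ItemProperty -Path "HKLM:\SYSTEM\Setup\$($pair[0])" `
                          -Name $pair[1] -ErrorAction SilentlyContinue
    if ($p -and $p.($pair[1]) -eq 1) { "$($pair[0])\$($pair[1])" }
}

# One object per machine, suitable for Export-Csv when collected across a fleet.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    Build          = $build
    BuildSupported = $build -ge $minBuild
    UefiMode       = "$firmware" -eq 'Uefi'
    SecureBoot     = $secureBoot
    Tpm20          = $tpmSpec -eq '2.0'
    BypassValues   = @($bypass) -join '; '
}
```

A machine is ready for the certificate update when BuildSupported, UefiMode, SecureBoot and Tpm20 are all True; a non-empty BypassValues marks a machine that sits in the unsupported state described above.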
Hardware Replacement Path
For machines with truly incompatible firmware — no TPM 2.0, no UEFI mode, or pre-7th-gen CPUs in regulated environments where bypasses are not acceptable — replacement is the only path. See our hardware replacement guide for current compatible models.
PC Health Check "Unsupported CPU" Error
The PC Health Check app blocks 7th-generation Intel and earlier with the message "This PC must support a supported processor." This is purely a soft check — the underlying Windows 11 24H2 kernel runs fine on those CPUs. The MoSetup registry key in Step 2 (Installation Assistant With Registry Bypass) is Microsoft's officially documented way to override this check for in-place upgrades. For clean installs, use the LabConfig keys in Step 4 (Nuclear LabConfig Bypass For Clean Installs).
