Act now: Secure Boot certificates expire in June 2026


 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.

Recap: Why Secure Boot requires updating

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.

Secure Boot uses a certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

| Expiration date | Expiring certificate | Updated certificate | What it does | Storing location |
|---|---|---|---|---|
| June 2026 | Microsoft Corporation KEK CA 2011 | Microsoft Corporation KEK 2K CA 2023 | Signs updates to DB and DBX | KEK |
| June 2026 | Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)* | a) Microsoft Corporation UEFI CA 2023; b) Microsoft Option ROM UEFI CA 2023 | a) Signs third-party OS and hardware driver components; b) Signs third-party option ROMs | DB |
| Oct 2026 | Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023 | Signs the Windows bootloader and boot components | DB |

*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
     • Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
     • Key name: MicrosoftUpdateManagedOptIn
     • Type: DWORD
     • DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate.

Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.


Change management considerations

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:


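An added example (not from Microsoft's article or from any poster in this thread): a read-only PowerShell audit of the items the article asks admins to verify on a device, namely the Secure Boot state, whether the 2023 certificates from the table are enrolled in KEK and DB, when the 2011 certificates expire, and the MicrosoftUpdateManagedOptIn value. It assumes an elevated session on UEFI hardware; the function names, the Check/Result report layout and the loose name patterns are illustrative choices.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only Secure Boot certificate readiness audit for one device.

$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID (UEFI spec)
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'  # path given in the article

function Get-SecureBootCertificate {
    # Walks the EFI_SIGNATURE_LIST structures in KEK or db and emits each X.509 entry.
    param([Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Name)

    [byte[]]$raw = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset = 0
    while ($offset + 28 -le $raw.Length) {
        # List header: 16-byte type GUID, then three little-endian UINT32 sizes.
        $typeBytes = [byte[]]::new(16)
        [Array]::Copy($raw, $offset, $typeBytes, 0, 16)
        $listSize   = [int][BitConverter]::ToUInt32($raw, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($raw, $offset + 20)
        $entrySize  = [int][BitConverter]::ToUInt32($raw, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $raw.Length) { break }  # malformed list

        if ([Guid]::new($typeBytes) -eq $X509Guid -and $entrySize -gt 16) {
            $listEnd = $offset + $listSize
            for ($p = $offset + 28 + $headerSize; $p + $entrySize -le $listEnd; $p += $entrySize) {
                # Entry: 16-byte SignatureOwner GUID followed by the DER-encoded certificate.
                $der = [byte[]]::new($entrySize - 16)
                [Array]::Copy($raw, $p + 16, $der, 0, $der.Length)
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Name     = $cert.GetNameInfo('SimpleName', $false)
                    NotAfter = $cert.NotAfter
                }
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootReadiness {
    # 1. Secure Boot state (the same fact msinfo32 shows as "Secure Boot State").
    try { $on = Confirm-SecureBootUEFI }
    catch {
        # Thrown on legacy BIOS or other platforms without Secure Boot support.
        return [pscustomobject]@{ Check = 'Secure Boot state'; Result = "unavailable: $_" }
    }
    [pscustomobject]@{ Check = 'Secure Boot state'; Result = $(if ($on) { 'On' } else { 'Off' }) }

    # 2. Old/new certificate pairs from the article's table. The patterns are loose because
    #    the name stored in a certificate can differ from the table's display name (assumption).
    $pairs = @(
        @{ Var = 'KEK'; Label = 'KEK 2K CA 2023'
           New = 'KEK 2K CA 2023'; Old = 'KEK CA 2011' }
        @{ Var = 'db'; Label = 'Windows UEFI CA 2023'
           New = 'Windows UEFI CA 2023'; Old = 'Windows Production PCA 2011' }
        @{ Var = 'db'; Label = 'UEFI CA 2023 (third-party OS and drivers)'
           New = '^Microsoft (Corporation )?UEFI CA 2023'; Old = 'Microsoft Corporation UEFI CA 2011' }
        @{ Var = 'db'; Label = 'Option ROM UEFI CA 2023'
           New = 'Option ROM UEFI CA 2023'; Old = 'Microsoft Corporation UEFI CA 2011' }
    )
    try { $certs = @('KEK', 'db' | ForEach-Object { Get-SecureBootCertificate -Name $_ }) }
    catch {
        $certs = @()
        [pscustomobject]@{ Check = 'KEK/db read'; Result = "failed: $_" }
    }
    foreach ($pair in $pairs) {
        $inVar = $certs | Where-Object Variable -eq $pair.Var
        $new = $inVar | Where-Object Name -match $pair.New | Select-Object -First 1
        $old = $inVar | Where-Object Name -match $pair.Old | Select-Object -First 1
        $state = if ($new) { 'present' } else { 'MISSING' }
        $oldInfo = if ($old) { "2011 CA expires $($old.NotAfter.ToString('yyyy-MM-dd'))" }
                   else { '2011 CA not enrolled' }
        [pscustomobject]@{ Check = "$($pair.Var): $($pair.Label)"; Result = "$state ($oldInfo)" }
    }

    # 3. Opt-in to Microsoft-managed Secure Boot updates (0x5944 per the article).
    $optIn = (Get-ItemProperty -Path $RegPath -Name MicrosoftUpdateManagedOptIn `
                               -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn
    $optResult = if ($optIn -eq 0x5944) { 'opted in (0x5944)' } else { "not opted in (value: $optIn)" }
    [pscustomobject]@{ Check = 'MicrosoftUpdateManagedOptIn'; Result = $optResult }
    # To opt in as the article describes (this line changes the registry, so it is left commented):
    #   New-ItemProperty -Path $RegPath -Name MicrosoftUpdateManagedOptIn -PropertyType DWord -Value 0x5944 -Force
}

Get-SecureBootReadiness | Format-Table -AutoSize -Wrap
```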
Because you didn't encounter the problem, you would report it in this thread.

PC #2: The system automatically updates the PCA2023 certificate through Windows Update with no problem, and boots using the new certificate.

PC #1: The motherboard firmware already contains the PCA2023 certificate; it's booted with the PCA2011 certificate. It doesn't work.
I clean installed Windows and followed the Microsoft instructions again, and Windows still booted with the PCA2011 certificate. If the CA 2011 certificates are revoked in full accordance with Microsoft's instructions, the system won't boot. These steps may punish the user when your motherboard firmware may not work even if you follow them.

The two PC motherboards are from different manufacturers, so it can be inferred that the problem may be with the motherboard firmware.

These potential issues are not mentioned, or have not been tested for availability among all motherboard manufacturers.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
When you are doing the steps you have to check the event viewer after each step after running the secure boot task.
Under system in event viewer it will create a TPM event each time you run the task and one time it said I needed to reboot before it could update the DB.
If you don't reboot the update will fail.
Go step by step and before proceeding to the next step check event viewer under system for TPM events and what they say either successful or need to reboot.
 

My Computer

System One

  • OS
    Windows 11 Pro
When you are doing the steps you have to check the event viewer after each step after running the secure boot task.
Under system in event viewer it will create a TPM event each time you run the task and one time it said I needed to reboot before it could update the DB.
If you don't reboot the update will fail.
Go step by step and before proceeding to the next step check event viewer under system for TPM events and what they say either successful or need to reboot.

I did. Don't always assume it's the user's fault.
 

PC#1
3DFseRF.png


PC#2
PBDd53Y.png
 

According to Microsoft instructions, I don't think current Windows 11 versions have PCA2023 active.

WindowsUEFICA2023Capable registry key:
0 (or key missing): The PCA2023 certificate is not installed.
1: PCA2023 is installed but not yet active.
2: PCA2023 is installed, and the system is booting using the updated boot manager.
 

I don't know if you have used Microsoft's official Windows 11 to clean install the system after completing these steps.

Download the ISO from Microsoft's official website, and do not make any modifications to the ISO. I don't think Microsoft is ready to implement PCA2023 on all users. At least not now.
 

Either Microsoft gets this certificate update rollout correct within a standard monthly update with no user intervention
OR
they don't and users' systems get updated and don't boot, users will go in and turn off secure boot.
And their system will boot.
And they will leave secure boot turned off.
Forever.
So it is 100% up to Microsoft to get this right with no user intervention involved or secure boot will become a joke.
Just my opinion.
 

My Computers

System One System Two

  • OS
    Win11 25H2 26200.7623
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo P520
    CPU
    Intel XEON W-2245 8c/16t
    Memory
    128GB DDR4-2933 ECC
    Graphics Card(s)
    Nvidia Quadro K4200
    Sound Card
    Built-in
    Monitor(s) Displays
    LCD 24in
    Screen Resolution
    1920x1200
    Hard Drives
    1TB SSD system, 16TB data 3.5in HDD, 16TB backup 3.5in HDD
    PSU
    900W
    Cooling
    Air
    Internet Speed
    1Gb
    Browser
    Firefox & Chrome
    Antivirus
    MalwareBytes
  • Operating System
    Win10 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T530
    CPU
    Intel Core i7-3520m
    Memory
    16GB
    Graphics card(s)
    integrated CPU graphics
    Hard Drives
    1TB SSD
    Internet Speed
    1Gb
    Browser
    Firefox & Chrome
    Antivirus
    Malwarebytes
Mine is also WindowsUEFICA2023 Capable

My last clean install was with the official Microsoft ISO downloaded with the Media Creation tool, then the USB was created with Rufus to have the setup I wanted for my personal system.

So far working great, no issues to report
 

Attachment: Secure boot status.webp

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
Mine is also WindowsUEFICA2023 Capable

My last clean install was with the official Microsoft ISO downloaded with the Media Creation tool, then the USB was created with Rufus to have the setup I wanted for my personal system.

So far working great, no issues to report

It seems that users don’t need to worry. Perhaps Microsoft will gradually enable CA 2023 certificates on all users’ hardware.
 

So it is 100% up to Microsoft to get this right with no user intervention involved or secure boot will become a joke.
Just my opinion.
This is the equivalent of cutting off your nose to spite your face.

While Microsoft hopes you secure your PC, if you choose not to because of some grievance against Microsoft, it's not hurting them, it's hurting you, because it's "your" PC and data at risk, not theirs.

I'm confident the issue will eventually be patched up via a Windows update, but first you may need to update the BIOS. But if you (general audience) have the "if it ain't broke, don't fix it" mentality on BIOS updates, well... 🤷‍♂️

From article on first page....
Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2 (Build 26100.4770)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom built
    CPU
    Intel Core 9 Ultra 285K
    Motherboard
    Gigabyte Aorus Z890 Xtreme AI Top
    Memory
    64G (4x16) DDR5 Corsair RGB Dominator Platinum (6400Mhz)
    Graphics Card(s)
    Radeon (XFX Mercury) RX 9070XT OC (with Magnetic Fans)
    Sound Card
    Onboard (DTS:X® Ultra Audio: ESS ES9280A DAC)
    Monitor(s) Displays
    27-inch Eizo Color Edge - CG2700X
    Screen Resolution
    3840 x 2160
    Hard Drives
    4 Samsung NVM 990 Pro drives: 1TB (OS), 2TB, 2 X 4TB.
    PSU
    Seasonic TX-1300 (1300 Watts)
    Case
    Cooler Master H500M
    Cooling
    Corsair Link Titan 280 RX RGB
    Keyboard
    Logitech Craft
    Mouse
    Logitech MX Master 3S
    Internet Speed
    1TB Download. 512mb Upload
    Browser
    Microsoft Edge Chromium
    Antivirus
    Windows Security
    Other Info
    System used for gaming, photography, music, school.
  • Operating System
    Windows 11 Pro 24H2 (Build 26100.4061)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom built
    CPU
    Intel Core i9-9900K
    Motherboard
    Gigabyte Z390 Aorus Xtreme
    Memory
    32gig (4 x 8) Corsair Dominator Platinum DDR4 3600Mhz (B-Die)
    Graphics card(s)
    Radeon XFX Merc 7900XT (20gig)
    Sound Card
    Onboard
    Monitor(s) Displays
    24-Inch NEC PA242W
    Screen Resolution
    2880 x 1800
    Hard Drives
    2 X NVME, 1 X SATA SSD
    PSU
    EVGA Super Nova 1000 P2 (1000 Watt)
    Case
    Phantek Enthoo Luxe
    Cooling
    Corsair H115i Elite AIO Cooler
    Keyboard
    Logitech Keys
    Mouse
    Logitech MX Master 3
    Internet Speed
    1TB Download. 512mb Upload
    Browser
    Microsoft Edge Chromium
    Antivirus
    Windows Security
    Other Info
    Backup System
I'm confident the issue will eventually be patched up via a Windows update, but first you may need to update the BIOS. But if you (general audience) have the "if it ain't broke, don't fix it" mentality on BIOS updates, well... 🤷‍♂️

Another reason to consider whether to update the BIOS is that we don't know whether the new BIOS firmware will cause damage to the hardware.

Of course, it is safe in most cases, but there are still cases where the update causes CPU failure or other hardware failure.
 

Mine is also WindowsUEFICA2023 Capable

My last clean install was with the official Microsoft ISO downloaded with the Media Creation tool, then the USB was created with Rufus to have the setup I wanted for my personal system.

So far working great, no issues to report
I did a clean install the other day using the 26100.1742 ISO.
Mine has a value of '1' in the box - what's the difference between 1 and 2 (yours)?
I disabled Secure Boot before installing.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2 (RP channel)
    Computer type
    PC/Desktop
    Manufacturer/Model
    MSI
    CPU
    AMD Ryzen 7 9800X3D 8-core
    Motherboard
    MEG X870E Godlike
    Memory
    64GB Corsair Titanium 6000/CL30
    Graphics Card(s)
    MSI Suprim 5080 SOC
    Sound Card
    Soundblaster AE-9
    Monitor(s) Displays
    ASUS TUF Gaming VG289Q
    Screen Resolution
    3840x2160
    Hard Drives
    Samsung 9100 Pro 4TB (gen 5 x4, system drive/games)
    Samsung 990 Pro 2TB
    Samsung 980 Pro 2TB
    Samsung 870 Evo 4TB
    Samsung 870 Evo 2TB
    Samsung T9 4TB
    PSU
    Seasonic PX-2200
    Case
    Bequiet! Dark Base Pro 901
    Cooling
    Noctua NH-D15S Chromax black
    Keyboard
    Logitech G915 X (wired)
    Mouse
    Logitech G903 with PowerPlay charger
    Internet Speed
    900Mb/sec
    Browser
    Microsoft Edge
    Antivirus
    Windows Defender
I did a clean install the other day using the 26100.1742 ISO.
Mine has a value of '1' in the box - what's the difference between 1 and 2 (yours)?
I disabled Secure Boot before installing.
The difference is what those keys are supposed to be; it determines whether the system is using the PCA2023 certificate or not, from what I understand of it.

Meanings of the number after the registry key:
0 (or key missing): The PCA2023 certificate is not installed.
1: PCA2023 is installed but not yet active.
2: PCA2023 is installed, and the system is booting using the updated boot manager.

As for the UEFI BIOS, I always update whenever a version is final, never betas though. I did my last update just before I did my last clean install of my system.
 

I did a clean install the other day using the 26100.1742 ISO.
Mine has a value of '1' in the box - what's the difference between 1 and 2 (yours)?
I disabled Secure Boot before installing.

If the value is 1, this means you already have a CA 2023 certificate, but are not using the new boot manager.
 

For testing.

I manually replaced the bootmgfw.efi and bootmgr.efi files in the EFI partition, and after restarting the system, the Value of WindowsUEFICA2023Capable changed to 2.
lcHY1m2.png


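Code:
rem Mount the EFI system partition as drive S:
mountvol s: /s
rem Overwrite the boot manager files on the EFI partition with the copies from C:\Windows\Boot\EFI_EX
copy "C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi" S:\EFI\Microsoft\Boot\bootmgfw.efi
copy "C:\Windows\Boot\EFI_EX\bootmgr_EX.efi" S:\EFI\Microsoft\Boot\bootmgr.efi

I think we should wait for Microsoft to finish these deployments. :-)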
 

If the value is 1, this means you already have a CA 2023 certificate, but are not using the new boot manager.
Fair enough, like I said, SB is disabled anyway.
 

This is the equivalent of cutting off your nose to spite your face.

While Microsoft hopes you secure your PC, if you choose not to because of some grievance against Microsoft, it's not hurting them, it's hurting you, because it's "your" PC and data at risk, not theirs.

I'm confident the issue will eventually be patched up via a Windows update, but first you may need to update the BIOS. But if you (general audience) have the "if it ain't broke, don't fix it" mentality on BIOS updates, well... 🤷‍♂️
LOL, tell me your grandmother using her Windows PC knows that she needs to check the vendor's site to look for BIOS updates
and then knows how to install them.

She should not have to. Microsoft created this problem with UEFI and secureboot and certificates. They need to solve it. Seamlessly.
 

