Curious updates when updates turned off


Hazel123

On my main laptop I have had a curious thing recently (twice) where when I go to shut down it says there are Windows updates. I shut down, it apparently does some updates and restarts. But I have Windows updates paused at the moment (I checked and they are still paused). The only recent update I can see is from 30th January which says "Secure Boot allowed Key Exchange Key (KEK) update." Would that bypass Windows updates being paused?
 

My Computers

System One System Two

  • OS
    Windows 11 Home 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 14-ce3606sa
    CPU
    Core i5-1035G1
    Memory
    32gb
    Hard Drives
    Samsung 870 evo sata ssd
    Cooling
    Could be better
    Internet Speed
    50 mbps Starlink
    Browser
    Firefox
    Other Info
    Originally came installed with a 500gb H10 Optane ssd
  • Operating System
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion ce3606sa
    CPU
    Intel Core i5-1035G1
    Memory
    16gb
    Hard Drives
    Hynix Gold P31 2TB
    Internet Speed
    200mbps Starlink
    Browser
    Firefox
    Antivirus
    Defender
Yes, because not getting that update could have really caused you boot issues.
 

My Computers

System One System Two

  • OS
    All Branches but Release
    Computer type
    Laptop
    Manufacturer/Model
    Acer Nitro ANV15-51
    CPU
    AMD Ryzen 7 7735HS 3200-4500 Mhz 8 cores x 2
    Motherboard
    Sportage_RBH
    Memory
    32 GB DDR5
    Graphics Card(s)
    Radeon Graphic / NVIDIA GeForce RTX 4060 8 GB GDDR6
    Sound Card
    AMD/Realtek(R) Audio
    Monitor(s) Displays
    Integrated Monitor (15.3"vis)
    Screen Resolution
    FHD 1920X1080 16:9 144Hz
    Hard Drives
    KINGSTON OM8SEP4512Q-AA 1TB
    Western Digital 256GB
    PSU
    19V DC 6.32 A 120 W
    Cooling
    Dual Fans
    Mouse
    MS Bluetooth
    Internet Speed
    Fiber 1GB Cox -us & 1GB Orange-fr
    Browser
    Edge Canary- Firefox Nightly-Chrome Dev-Chrome Dev
    Antivirus
    Windows Defender
  • Operating System
    Windows 11 Beta
    Computer type
    Laptop
    Manufacturer/Model
    Asus X751BP
    CPU
    AMD A9-9420
    Memory
    8 GB of DDR4
    Graphics card(s)
    AMD Radeon R5
    Screen Resolution
    1600x900
    Hard Drives
    Seagate 1 TB
Is it related to security certificates then?
 

The KEK update falls into this weird category because it's not a Windows feature or security update, and not a driver.

What they've done is push the KEK CA 2023 cert to your PC's UEFI (a good thing if you have an older PC).

No actual Windows files were updated in the process, it went directly to the UEFI. It's not a permanent change like a new BIOS (resetting to factory defaults will undo the push). I would guess MS left themselves a loophole to make this change when WU is paused.
 

My Computer

System One

  • OS
    Windows 7
Thank you. So that means I now have the updated security certificates then?
 

You now have a valid KEK CA 2023, so Windows can successfully install the CA 2023 certs on its own. It's not clear if Windows actually did the other certs, but there are no more barriers to block a push later this year.

If you want to run a script to check the cert status, a few are available. But the KEK CA 2023 predicts a high success rate for a Secure Boot update, so I wouldn't worry about it.

MS is probably doing a gradual rollout, trying to see how many PCs they can successfully add the KEK CA 2023 to. And they left you a little note in WU history that it worked out.
 

Thank you. So it's a forerunner to the cert updates then?
 

I got this output:

EFI DB Certificates
-------------------
Microsoft Windows Production PCA 2011
Microsoft Corporation UEFI CA 2011
Windows UEFI CA 2023
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023

EFI DBX Certificates
--------------------

AvailableUpdates: 0x0
---------------------

EFI Files
---------
Boot Manager [Microsoft UEFI CA 2023] on Disk 0 is allowed.
 

You should probably use the newer version of the script.
Thank you. Is it the same method? Unzip it to a folder called “Temp” in C drive and run a PowerShell command? And is it the same PowerShell command?
 

Download attachment to a folder. Open a CMD window as Admin:
Code:
cd \whatever\download\foldername
powershell -ep bypass -f .\Check_UEFI-CA2023.ps1
 

Thank you. Can the folder be anywhere, e.g. Desktop? And does it need a particular name? Also, is that actually in CMD and not PowerShell, please?

Edit - OK, I can see you replace foldername with the folder name. What do you replace “whatever” with? Presumably the location, e.g. Desktop.
 

Because I am lazy sometimes, I put a copy of the script in the Windows system32 folder. That is the location PowerShell opens to by default. Then you only need to type powershell -ep bypass -f .\Check_UEFI-CA2023.ps1 at the prompt.
 

My Computer

System One

  • OS
    Windows 11 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    EVGA home brew
    CPU
    Broadwell-e 6850K 4.5ghz @1.36v
    Motherboard
    EVGA X99 FTW K
    Memory
    32GB Corsair LPM 3600 C16
    Graphics Card(s)
    EVGA RTX 3080Ti FTW
    Sound Card
    Asus Centurion true 7.1 headset. (5 speakers in each earpeice)
    Monitor(s) Displays
    LG C4 55"
    Screen Resolution
    4K 144hz
    Hard Drives
    Various models of SSDs ~10TB No HDDs installed.
    PSU
    be quiet! BN516 Straight Power 12-1000w 80 Plus Platinum
    Case
    Corsair 780T modified to dual 200mm intake fans
    Cooling
    Corsair H110i
    Keyboard
    Corsair K95 Platinum
    Mouse
    Corsair M65 RGB Elite
    Internet Speed
    50Mbs
OK, output is now:

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2: To install Windows Boot Manager [UEFI CA 2023], run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

To install SkuSiPolicy.p7b, run the command:
Update_UEFI-CA2023.ps1 -SkuSiPolicy
 

Windows is 40% done with the Secure Boot steps.
It hasn't replaced the boot manager file yet, but you're on target since that action is optional for now.

You have the choice to follow OPTION 1 (do nothing, let Windows do its job), or OPTION 2 (finish the first half).

To follow OPTION 2, just copy & paste each of the two separate command lines into an Admin window. It's safe to pick OPTION 2, if you want to get that out of your way instead of waiting for this summer.
 

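For anyone who wants to verify the same things the thread's output shows without a third-party script, here is an added example (my own code, not the Check_UEFI-CA2023.ps1 script discussed above). It parses the raw KEK and db variables as chains of EFI_SIGNATURE_LIST structures, lists the X.509 subjects found, and reads the two registry values from the output; it assumes an elevated PowerShell on a UEFI machine, and the SecureBoot\Servicing subkey path for WindowsUEFICA2023Capable is an assumption.

```powershell
#Requires -RunAsAdministrator
# EFI_CERT_X509_GUID: marks an EFI_SIGNATURE_LIST whose entries are DER X.509 certificates.
$EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiDbCertSubjects {
    # Parse one Secure Boot variable (KEK, db or dbx) and return the CN of every X.509 entry.
    param([ValidateSet('KEK', 'db', 'dbx')][string]$Name)
    try { $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes }
    catch { return @() }                      # variable absent (e.g. empty dbx) or legacy BIOS boot
    $subjects = @(); $off = 0
    while ($off + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $type     = [guid]::new([byte[]]$bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $off + 24)
        if ($listSize -lt 28) { break }       # malformed header: stop instead of looping forever
        if ($type -eq $EfiCertX509 -and $sigSize -gt 16) {
            $p = $off + 28 + $hdrSize; $end = $off + $listSize
            while ($p + $sigSize -le $end) {
                # each EFI_SIGNATURE_DATA = SignatureOwner GUID(16) + DER certificate
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects += ($cert.Subject -replace '^CN=([^,]+).*', '$1')
                $p += $sigSize
            }
        }
        $off += $listSize                     # hash-only lists (typical dbx content) are skipped
    }
    return $subjects
}

$kek = @(Get-UefiDbCertSubjects -Name KEK)
$db  = @(Get-UefiDbCertSubjects -Name db)
# Registry values seen in the thread's output. The Servicing subkey path is assumed, not taken from the thread.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
$sb  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBootEnabled        = Confirm-SecureBootUEFI
    KEK                      = $kek -join '; '
    db                       = $db -join '; '
    KEK_CA_2023_present      = [bool]($kek -match 'KEK 2K CA 2023')        # prerequisite for the db push
    WindowsUEFICA2023_in_db  = [bool]($db -match 'Windows UEFI CA 2023')
    PCA2011_still_trusted    = [bool]($db -match 'Windows Production PCA 2011')
    WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable
    AvailableUpdates         = '0x{0:X}' -f [int]$sb.AvailableUpdates       # 0x0 = no pending Secure Boot task
}
```

The script only reads firmware variables and the registry; it changes nothing, so it is safe to run before deciding between the OPTION 1 and OPTION 2 paths shown in the output above.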
Thank you. I think I'll just wait for now.
 
