Solved Secure boot update HowTo


I have put this together as I had problems updating 2 desktops and 3 laptops,
which have now all had their Secure Boot certs updated to the new 2023 Secure Boot cert.
Also, the other posts about this were getting very long and confusing.
This is in two parts: Part A and Part B.
Edit by me: please note, your system must be online for Part A to update.

Part A

Open a PowerShell as Admin,
then copy and paste these two commands in this order.
Thanks to @Brink's tutorial.

1.


then press enter

2.


press enter and now restart your computer TWICE

##### to check that the 2023 cert is now available #####
to check that the 2023 cert is available after the 2 restarts
open a PowerShell as Admin copy and paste this command

the result of the command should show as 'True'

and then open the Windows registry to this key
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

in the right window you will see ..
UEFICA2023Status which will show 'updating'
WindowsUEFICA2023Capable 0x00000001

close the registry and you can now begin part B.

######

Part B.
open a CMD Prompt as Admin
then copy and paste this command
thanks to @Scott

1. at the CMD Prompt as Admin


press enter and now close the CMD Prompt terminal

then open a PowerShell as Admin


2. within the PowerShell

press enter and restart your computer.

Final Check once the system has restarted
open the registry and find this key (again)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

in the right Window you will see ..
UEFICA2023Status which will now show 'Updated'
WindowsUEFICA2023Capable 0x00000002


your system is now updated to the new 2023 certs
if this post is in the wrong part of the Forum please move it to the correct one.

edit by me. missed this out .. your system needs to be online for the update to work
best of luck Steve ..
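
The Part A check and the final registry check from the post above, gathered into one read-only script. This is an added example, not the commands from the original post. It assumes an elevated Windows PowerShell session; the function name and the `Stage` wording are made up here, `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` are built-in cmdlets, and the registry key, value names and expected values are the ones quoted in the post.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report on the Secure Boot CA 2023 update state.
# It reads firmware variables and the registry; it changes nothing.

function Get-SecureBootCa2023Report {   # hypothetical helper name
    $report = [ordered]@{
        SecureBootEnabled        = $null
        DbHasWindowsUefiCa2023   = $null
        UEFICA2023Status         = $null
        WindowsUEFICA2023Capable = $null
        Stage                    = $null
    }

    # Confirm-SecureBootUEFI raises an error when Windows was booted in legacy
    # BIOS mode or the firmware has no Secure Boot support, and returns $false
    # when Secure Boot exists but is switched off in firmware setup.
    try {
        $report.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    } catch {
        $report.Stage = "Secure Boot state unreadable (legacy BIOS boot?): $($_.Exception.Message)"
        return [pscustomobject]$report
    }

    # The db variable is the allowed-signature database. A certificate's
    # subject name sits as plain text inside the DER data, so an ASCII search
    # for the name is enough for a presence check.
    try {
        $db     = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $dbText = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $report.DbHasWindowsUefiCa2023 = $dbText -match 'Windows UEFI CA 2023'
    } catch {
        $report.DbHasWindowsUefiCa2023 = $false
    }

    # Servicing values named in the post; either one may be absent.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($svc) {
        $report.UEFICA2023Status         = $svc.UEFICA2023Status
        $report.WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable
    }

    # Map the readings onto the stages the post describes.
    $report.Stage = if (-not $report.SecureBootEnabled) {
        'Secure Boot is disabled in firmware setup'
    } elseif ($report.UEFICA2023Status -eq 'Updated' -and
              $report.WindowsUEFICA2023Capable -eq 2) {
        'Part B finished: status Updated, capable 0x2'
    } elseif ($report.DbHasWindowsUefiCa2023 -and
              $report.UEFICA2023Status -eq 'updating') {
        'Part A finished: 2023 cert in db, ready for Part B'
    } elseif ($report.DbHasWindowsUefiCa2023) {
        '2023 cert is in db; Servicing values differ from those in the post'
    } else {
        'Part A has not taken effect: 2023 cert not in db'
    }

    [pscustomobject]$report
}

Get-SecureBootCa2023Report | Format-List
```
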
As far as the instructions are concerned, I have a question about this one:
press enter and now restart your computer TWICE

##### to check that the 2023 cert is now available #####
to check that the 2023 cert is available after the 2 restarts
open a PowerShell as Admin copy and paste this command

the result of the command should show as 'True'
I didn't receive a 'true'; instead I received a 'false', so I'll need to determine what to do about it. I'm one of those types of people who don't like to wait until the last minute to get something done that I feel is important.
 

My Computer

System One

  • OS
    Windows11Pro (x64)
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP/HP8300EliteSFF
    CPU
    Intel(R) Core(TM) i5-3470 CPU @ 3.20GHz 3.20 GHz
    Memory
    8.00 GB (7.88 GB usable)

you will need to do Part One again
when you get to the restarts leave about 5 to 15 mins between each one.

best of luck Steve ..
 

Steve,
Thanks so much for your timely response, I wish you the best that life has to offer.
 

Steve,
Hopefully that's where I went wrong as far as restarting my computer twice, I didn't wait long enough between restarting.
 

It isn't your fault; this came to light after several people had similar problems and that workaround was found.
Sometimes it can take several attempts and several restarts for Part One of the update to work.

I haven't put it into the HowTo because
1. I don't wish to edit it continuously and make it more confusing.
2. for a vast majority it works first time, but I don't normally get to hear about the success stories.

glad you got it sorted.
best of luck Steve ..
 

Unfortunately I'm still receiving a 'false' notification when I try to perform the secure boot update, I'm enclosing a screenshot to show you what I'm seeing.
 

Steve,
I appreciate your well wishes but at least so far I'm still receiving a 'false' notification and at least so far I really don't know why. I'm providing my system information for some additional information in the hope that I can eventually solve my issue.
Windows Edition: Windows 11 Pro
" Version: 26H1
" OS Build: 28020.1495
" Experience: Windows Feature Experience Pack 1000.26100.317.0
 


Have you double checked that it is supported and turned on in the BIOS for your HP8300EliteSFF?
I scrolled back a couple of pages of the thread but did not see that. I had what seems like the exact same issue you are having till I realized it was not set up in my BIOS.

Accessing Secure Boot Settings
  1. Enter BIOS: Restart the computer and immediately press the ESC key repeatedly until the Startup Menu appears.
  2. Open Setup: Press F10 to enter the HP Computer Setup Utility.
  3. Navigate to Security: Use the arrow keys to select the Security tab.
  4. Configure Secure Boot:
    • Select Secure Boot Configuration and press Enter.
    • To Enable: Set Legacy Support to Disabled and Secure Boot to Enabled.
    • To Disable: Set Secure Boot to Disabled and Legacy Support to Enabled (if needed for older OS/hardware).
  5. Save Changes: Press F10 to accept changes, then go to the File menu and select Save Changes and Exit.

Key Requirements & Troubleshooting

  • BIOS Version: If "Secure Boot Configuration" is missing, you may need to update to the latest HP BIOS firmware (e.g., v03.xx or higher).
  • Partition Style: For Secure Boot to function with a bootable drive, the drive must be using the GPT partition style rather than MBR.
  • TPM: This model typically includes TPM 1.2, which is compatible with UEFI but does not meet the TPM 2.0 requirement for official Windows 11
 

Earlier this morning I followed this same setup procedure on my Lenovo T-430 laptop that's currently running the exact same version of Windows 11 Pro and I received the same results as I did on my desktop computer (False). So at least for now I'm going to wait a while before I try anything else; I still appreciate all of the help that's been provided to me.
 

Persevere, it does 'take' eventually. All my machines are updated now.
 

Earlier this morning I read (as I remember, it was on this very site) that Microsoft will be offering the Secure Boot update to all eligible machines automatically via Windows Update.
 

Yes! And this is the best solution. Waiting for Microsoft to fix it via upcoming updates... otherwise what? Neither I nor most Windows users have done anything about it. Either the BIOS or the next updates must fix it. Or else, we will all just ditch our PCs/laptops. 😂
 


The question is: which machines are eligible and which ones are not?
None of these changes were done automatically by Windows update on any of my machines.
They are all updated now and ready with CA 2023. 🤞🤷‍♂️

One of the reasons I wrote my update script is that the Windows scheduled task is somewhat cantankerous. It deliberately moves slowly, sometimes deferring a future action until the next reboot. What you're doing is filling a reg key (AvailableUpdates) with a bitmask, and requesting a set of future actions.

Some of the boot manager file replacements appear to be taking longer to fulfill. My script replicates all the same actions of the scheduled task, but does it immediately without delay. The results are the same without you waiting an unknown amount of time to confirm if it was successful. It will work right away, or inform you there was an error.

MS could have written their task to do everything in one pass, but they did not. There is no immediate feedback from running the task, unless you want to browse the Windows event viewer (which IMO is a lame thing to ask users to do). I'm sure they have their reasons, but it's not like you can't replicate the task's work from reading the official Secure Boot docs.

If you would like to try the update script, download it from:
garlin's PowerShell scripts for updating Secure Boot CA 2023
 

Hello All,
First of all, I'm not trying to cause any kind of strife between any of the users within this great platform. I've always appreciated the assistance that's been provided to me when I needed it, and whenever possible I enjoy providing assistance to others.
 

Hello all, I tried to update the boot certs but it fails. I found out that Secure Boot was disabled in the BIOS, enabled it and ran the update again,
but it still fails. My question is: if Secure Boot is disabled, will my computer be able to boot after June?
 

I'm on a legacy BIOS, so UEFI is not enabled. Secure Boot can only be enabled in UEFI, so I don't have it enabled!
What will happen when MS tries to update the boot certs...?!
 

You cannot update the new certificates if you are on a legacy BIOS. It has to boot in UEFI.
 

I saw that your computer is a HP Elite 8300 SFF from 2012, latest ROM firmware Apr 26, 2019. This older generation of UEFI firmware lacks the necessary mechanisms to correctly ingest and store the Windows UEFI CA 2023 certificate into the firmware's internal db (Secure Boot Signature Database) that modern BIOS versions support.
And HP only supports systems launched from 2017 on for the new Windows CA 2023 certificates.
Look here under "Affected platforms and minimum bios versions list": https://support.hp.com/us-en/document/ish_13070353-13070429-16
This might be the reason your UEFI does not accept the new CA 2023.
 

Your T-430 is also not on Lenovo's list of the computers which get the new CA 2023 certificates:
https://support.lenovo.com/us/en/solutions/HT518129
 
