Solved Secure boot update HowTo

gdvbel · Feb 1, 2026

Razman said:
hello all, tried to update boot certs. but it fails, found out that secure boot was disabled in bios, enablede it and run the update again
but it still fails. my question is if secure boot is disabled, will my computer be able to boot after june??

With secure boot disabled, there is no control of the Windows boot sector against the certificates in secure boot So even if a malicious program inserted inself into uefi, your Windows system will not be aware of that, and continue booting as always after June 2026.
Without the new CA 2023 certificates, neither your secure boot uefi nor your Windows boot will get the necessary Windows security updates after June 2026.
Your uefi will remain using CA 2011 certificates.

If you do your financial transactions on this computer, you will need to be sure, and have the CA 2023 certificates.

XxXxX · Feb 1, 2026

Davy49 said:
Hello All,
First of all I'm not trying to cause any kind of strife between any of the user's within this great platform. I've always appreciated the assistance that's been provided to me when I needed it, and whenever possible I enjoy providing assistance to others.

no strife caused, none. asking Q's is what this forum is for.

i would do Part One on a regular weekly basis to see if it updates
Microsoft surely wont abandon millions upon millions of computers
because there are millions that wont get support from there manufactures

but we shall wait and see but please do Part One weekly.
best of luck Steve ..

gunrunnerjohn · Feb 1, 2026

My reasoning for "jumping the gun" and doing my own Secure Boot configuration was that my machines either home-brew or somewhat obscure brands that I had little faith would be supported by Microsoft. Besides, learning a bit about the process is probably a good thing.

Razman · Feb 1, 2026

gdvbel said:
With secure boot disabled, there is no control of the Windows boot sector against the certificates in secure boot So even if a malicious program inserted inself into uefi, your Windows system will not be aware of that, and continue booting as always after June 2026.
Without the new CA 2023 certificates, neither your secure boot uefi nor your Windows boot will get the necessary Windows security updates after June 2026.
Your uefi will remain using CA 2011 certificates.

If you do your financial transactions on this computer, you will need to be sure, and have the CA 2023 certificates.

thank for reply, will try and fix it before june

Davy49 · Feb 1, 2026

Razman said:
thank for reply, will try and fix it before june

I'm surely not complaining because I always appreciate any assistance that I receive

gdvbel · Feb 1, 2026

gdvbel said:
You cannot update the new certificates if you are on a legacy bios. It has to boot in uefi.

I need to specify you need to boot in uefi SECURE BOOT for the certificates to get integrated. And you need a uefi firmware which supports getting these new certificates. Some computers have an older uefi which is not capable of ingesting these CA 2023 certs.

Davy49 · Feb 2, 2026

Right now I'm using my mini pc which I think shouldn't have any problem with the secure boot update, I'm enclosing the specifications here:
Device name WIN-O757DLOHA3T
Processor Intel(R) N97 (2.00 GHz)
Installed RAM 16.0 GB (15.8 GB usable)
Device ID 84A8E68A-21A3-4FDD-B2D3-837A15751102
Product ID 00331-20471-20000-AA824
System type 64-bit operating system, x64-based processor
Pen and touch No pen or touch input is available for this display

XxXxX · Feb 3, 2026

@garlin advice needed please
just as a heads up and something for you to check please ..

within the Group Policy Editor
Computer Configuration > Administrative Templates > Windows Components

there is a 'Secure Boot' folder with these settings ..
1. Enable Secure Boot Certificate Deployment
2. Automatic Certificate Deployment via Update
3. Certificate Deployment via Controlled Feature Rollout

i have mine all set to 'Enabled'

would these settings/features be of any use to the average user.
best of luck Steve ..

Davy49 · Feb 3, 2026

XxXxX said:
@garlin advice needed please
just as a heads up and something for you to check please ..

within the Group Policy Editor
Computer Configuration > Administrative Templates > Windows Components

there is a 'Secure Boot' folder with these settings ..
1. Enable Secure Boot Certificate Deployment
2. Automatic Certificate Deployment via Update
3. Certificate Deployment via Controlled Feature Rollout

i have mine all set to 'Enabled'

would these settings/features be of any use to the average user.
best of luck Steve ..

I truly appreciate all of the help that is provided in this wonderful forum.

nikki605 · Feb 3, 2026

XxXxX said:
@garlin advice needed please
just as a heads up and something for you to check please ..

within the Group Policy Editor
Computer Configuration > Administrative Templates > Windows Components

there is a 'Secure Boot' folder with these settings ..
1. Enable Secure Boot Certificate Deployment
2. Automatic Certificate Deployment via Update
3. Certificate Deployment via Controlled Feature Rollout

i have mine all set to 'Enabled'

would these settings/features be of any use to the average user.
best of luck Steve ..

Interesting. I just looked at these settings on my System 1 (Lenovo T490 laptop) and they are all set to "Not configured." Hmmm

I have not changed them at this point since I went through @garlin 's scripts and manually updated the certs.

john1955 · Feb 3, 2026

Mine are all set to not configured
Has the information in this article been covered in this thread?
I'm still reading it now . . .

Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support

support.microsoft.com

The one above is referenced from this page

Windows Secure Boot certificate expiration and CA updates - Microsoft Support

support.microsoft.com

Is there a consensus that it's important for individuals to deal with this now or just wait till it's something we have to address. And is it absolutly certain that this will in fact happen in 2026 and not be pushed to a later date?

XxXxX · Feb 3, 2026

john1955 said:
Mine are all set to not configured
Has the information in this article been covered in this thread?
I'm still reading it now . . .

Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support

support.microsoft.com

The one above is referenced from this page

Windows Secure Boot certificate expiration and CA updates - Microsoft Support

support.microsoft.com

Is there a consensus that it's important for individuals to deal with this now or just wait till it's something we have to address. And is it absolutly certain that this will in fact happen in 2026 and not be pushed to a later date?

well Microsoft are NOT saying DONT enable any of them
so i have them all enabled just to ensure any available updates are updated.

Best of luck Steve ..

fg2001gf11F · Feb 3, 2026

XxXxX said:
well Microsoft are NOT saying DONT enable any of them
so i have them all enabled just to ensure any available updates are updated.

Best of luck Steve ..

This is one of the 3, when enabled is blocking the Automatic Deployment. The description below is confusing.

XxXxX · Feb 3, 2026

@fg2001gf11F
hence me waiting for @garlin for advice and guidance.
but this is what it states within the settings.

For devices where test results are available that indicate that the device can process the certificate updates successfully, the updates will be initiated automatically as part of the servicing updates. This policy is enabled by default. For enterprises that desire managing automatic update, use this policy to explicitly enable or disable the feature.

best of luck Steve ..

HeavyHemi · Feb 3, 2026

This maybe completely unrelated but I figured setting all three these as configured would be harmless as a test...so off I went setting all three to configured. Then rebooted. I was in the process of checking for any error messages in event viewer when I got a nvlddmkm 153, or GPU driver error. I have to tell you, seeing random characters speckled across the screen got my heart rate up. I've not had one of those errors in literally years. Ran a couple of games and stress tests with GPU pulling up to ~450 watts and solid as a rock. I don't believe in such coincidences, but I don't see how they could possibly be related.

john1955 · Feb 3, 2026

XxXxX said:
i have put this together as i had problems updating 2 desktops and 3 laptops.
which have now all had their Secure Boot Certs updated to the new 2023 secure boot cert
also the other post about this were getting very long and confusing.
this is in two parts. part A and part B.
edit by me. please note, your system must be online for part A to update

Part A.
open a PowerShell as Admin
then copy and paste these two commands in this order.
thanks to @Brink tutorial.

1.

then press enter

2.

press enter and now restart your computer TWICE

##### to check that the 2023 cert is now available #####
to check that the 2023 cert is available after the 2 restarts
open a PowerShell as Admin copy and paste this command

the result of the command should show as 'True'

and then open the Windows registry to this key
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

in the right window you will see ..
UEFICA2023Status which will show 'updating'
WindowsUEFICA2023Capable 0x00000001

close the registry and you can now begin part B.

######

Part B.
open a CMD Prompt as Admin
then copy and paste this command
thanks to @Scott

1. at the CMD Prompt as Admin

press enter and now close the CMD Prompt terminal

then open a PowerShell as Admin

2. within the PowerShell

press enter and restart you computer.

Final Check once the system has restarted
open the registry and find this key (again)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

in the right Window you will see ..
UEFICA2023Status which will now show 'Updated'
WindowsUEFICA2023Capable 0x00000002

your system is now updated to the new 2023 certs
if this post is in the wrong part of the Forum please move it to the correct one.

edit by me. missed this out .. your system needs to be online for the update to work
best of luck Steve ..

I did all the above .
When I first checked WindowsUEFICA2023Capable was 0x00000000 and then changed to WindowsUEFICA2023Capable 0x00000001 as expected but when I entered
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" it showed "The operation completed successfully"
but it did not change the DWORD to 0x00000002 as it should have.

XxXxX · Feb 3, 2026

john1955 said:
I did all the above .
When I first checked WindowsUEFICA2023Capable was 0x00000000 and then changed to WindowsUEFICA2023Capable 0x00000001 as expected but when I entered
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" it showed "The operation completed successfully"
but it did not change the DWORD to 0x00000002 as it should have.

View attachment 162122

you can run Part B again as the settings auto update every 12 hours
running Part B .. First command in an Admin CMD prompt >> Second command in Admin PowerShell
will attempt to do the update manually there and then instead of waiting every 12 hours.

sometimes it can take several attempts of Part B and restarts for the system to update
some have found leaving the system over night and then checking again results in the system being updated.

best of luck Steve ..

XxXxX · Feb 3, 2026

HeavyHemi said:
This maybe completely unrelated but I figured setting all three these as configured would be harmless as a test...so off I went setting all three to configured. Then rebooted. I was in the process of checking for any error messages in event viewer when I got a nvlddmkm 153, or GPU driver error. I have to tell you, seeing random characters speckled across the screen got my heart rate up. I've not had one of those errors in literally years. Ran a couple of games and stress tests with GPU pulling up to ~450 watts and solid as a rock. I don't believe in such coincidences, but I don't see how they could possibly be related.

that could be the network as enabling these settings adds 2 connections to network connections which are looking and waiting for the update.
local area connection* 9
local area connection* 10

best of luck Steve ..

nikki605 · Feb 4, 2026

fg2001gf11F said:
This is one of the 3, when enabled is blocking the Automatic Deployment. The description below is confusing.

View attachment 162120

I just checked my System 2 (Lenovo M83 desktop) and they are also set to Not configured. I am leaving them as is on both systems.

Microsoft logic is beyond confusing. SMH

john1955 · Feb 4, 2026

XxXxX said:
you can run Part B again as the settings auto update every 12 hours
running Part B .. First command in an Admin CMD prompt >> Second command in Admin PowerShell
will attempt to do the update manually there and then instead of waiting every 12 hours.

sometimes it can take several attempts of Part B and restarts for the system to update
some have found leaving the system over night and then checking again results in the system being updated.

best of luck Steve ..

I turned the computer on this morning and waited a few hours before checking WindowsUEFICA2023Capable and the value is now (2)

Solved Secure boot update HowTo

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computers

Member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Well-known member

My Computers

Jack of all trades

My Computers

Just a Computer User

My Computers

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Jack of all trades

My Computers

Just a Computer User

My Computers

Just a Computer User

My Computers

Well-known member

My Computers

Jack of all trades

My Computers

Similar threads