Solved Security Certificates and Secure Boot

New GMKtec computer first set up on 10th November 2025.
BIOS shows that ‘Secure Boot’ is [Disabled] and ‘Not active’.
Also BIOS shows ‘Secure Boot Mode’ is [Standard].

This is how it was set up by GMKtec at the factory so I assume it must be deemed to be safe to leave it alone. I don’t know the implications of enabling Secure Boot and I am loath to enable it so prefer to leave it as-is.

Question 1 - I know that Microsoft are to release new security certificates for the Secure Boot feature in June 2026 but with my Secure Boot [Disabled] is the following statement correct?: - “Microsoft will install these new certificates anyway via Windows Update but they will not stop my device from booting and I will be able to carry on as normal?”.

Question 2 - My other device (ASUS Zenbook 14) bought new on 30th December 2025: 'Secure Boot' is 'Active' and 'Secure Boot Control' is set to 'Enabled' so am I right to expect Microsoft to install the new certificates via Windows Update and I will be able to continue as normal?

Question 3 - Is the June 2026 release date for these certificates a fixed date or is it possible they could have already been installed via a phased rollout?

wiganken said:

New GMKtec computer first set up on 10th November 2025.
BIOS shows that ‘Secure Boot’ is [Disabled] and ‘Not active’.
Also BIOS shows ‘Secure Boot Mode’ is [Standard].

Click to expand...

Secure Boot enforcement is disabled. Any Windows version or bootable USB drive is allowed to boot.
Custom Secure Boot certificates are not allowed, only keys signed by the OEM or MS are permitted for updates.

wiganken said:

I know that Microsoft are to release new security certificates for the Secure Boot feature in June 2026 but with my Secure Boot [Disabled] is the following statement correct?: - “Microsoft will install these new certificates anyway via Windows Update but they will not stop my device from booting and I will be able to carry on as normal?”.

Click to expand...

Whether Secure Boot mode is disabled or not, Windows will try adding CA 2023 certs if your BIOS is currently missing them. Assuming your PC's BIOS not older than 1-2 years, the CA 2023 certs are probably already part of the BIOS.

Your BIOS is dated February 2025, and most likely the new certs are present.

If you leave Secure Boot disabled, two things will happen:
1. Windows can never switch the Secure Boot mode. That can only happen manually from the BIOS setup menu.

2. Windows may try to update your system for future compliance with Secure Boot, but as long as Secure Boot is disabled, you don't have to worry about Windows breaking. You might see additional messages or warnings about the migration process.

Thanks for putting my mind at rest.

FYI only

GMKtec device - I used Method 1 in the following thread: -
How to check if your Secure Boot certs are updated. (three methods)

The result is negative so I assume the 2023 certificates are not installed: -

UEFI is missing the Microsoft UEFI CA 2023 (used by Linux), and the Option ROM. As you have a NUC PC, Option ROM isn't required since you can't add any graphics or controller cards that might possibly need it.

None of the PCA 2011 certs are revoked. If you really feel like updating them now (instead of waiting), all of this can be done. But with Secure Boot disabled, this is all academic.

So I don't have to worry about anything and I can just leave things as they are?

Stop worrying. Secure Boot is disabled, so it doesn't matter if you don't have all the certs fully updated.

wiganken said:

So I don't have to worry about anything and I can just leave things as they are?

Click to expand...

That's kind of a judgement call.
MS insists we need Secure Boot to protect ourselves.

Many have decided that common sense works just as well.

Ghot said:

MS insists we need Secure Boot to protect ourselves

Click to expand...

I am scared to enable Secure Boot due the scary sound message in the BIOS. I would not have the the first idea of what it entails. I know nothing about Platform Keys but it sounds as if it is easy to mess things up and be unable to boot if I try to change anything so I'll leave things as-is. See: -

Ghot said:

Many have decided that common sense works just as well

Click to expand...

That's what I am going to do. I am careful about what I do.

You can check on the status of the certificate update by going into the Registry and navigating to:
HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing
Look for the UEFICA2023Status key
The data value will be either "Not Started". "In Process", or "Updated".

You can also go to Event Viewer and navigate to:
Windows Logs > System
Then go to the Action menu > Find
And search for 1808
If the update has completed, Event 1808 will exist and will list the status

TVeblen said:

HKLM\System\CurrentControlSet\Control\SecureBoot\Servicing
Look for the UEFICA2023Status key
The data value will be either "Not Started". "In Process", or "Updated".

Click to expand...

Thank you. It shows as 'Not Started'.

I'll leave the room now and call this 'Solved'.

Just came here after seeing a YT vid about the certificates expiring, i checked and my Secure Boot is disabled. glad i came here instead of immediately fiddling :-D

wiganken said:

I am scared to enable Secure Boot due the scary sound message in the BIOS. I would not have the the first idea of what it entails. I know nothing about Platform Keys but it sounds as if it is easy to mess things up and be unable to boot if I try to change anything so I'll leave things as-is. See: -

Click to expand...

If you enable secure boot and have issues, you can simply disable it to get back to where you are. It's a trivial issue.