Microsoft released the Windows 11 Secure Boot update for all PCs, how to verify yours
With the recent June 2026 Patch Tuesday update (KB5094126), Microsoft has broadened the rollout of the Secure Boot 2023 certificate update to a larger array of Windows 11 and Windows 10 devices. This cautious and phased rollout, which has been in place for nearly two years, was previously hindered by firmware compatibility checks. However, the latest update places the majority of supported consumer PCs within the high confidence category, indicating that the necessary certificates are either already installed or will be automatically applied without user intervention.
Secure Boot has become a topic of confusion among many users, particularly those outside the IT sphere. While much of the discussion has been directed at IT professionals, regular home users may find themselves questioning whether any action is required on their part. The short answer for most is no. However, the specifics can vary, and we delve into those details here.
What is Secure Boot and why is it important for your PC?
Secure Boot is a security feature embedded within the firmware of your PC, specifically utilizing UEFI, the modern successor to BIOS. Upon powering on your computer, Secure Boot verifies the cryptographic signature of the software attempting to load before Windows even begins its startup process. If any unauthorized software, such as a rootkit or bootkit, tries to execute at this early stage, Secure Boot intervenes and blocks it. This feature has been a requirement for Windows 11 since its inception and is enabled by default on all contemporary PCs.
The certificates that underpin this system were initially issued in 2011, and they are now expiring in stages, starting June 24, 2026, with further expirations extending into October 2026. To ensure continued boot-level security updates, Microsoft has been deploying replacement certificates known as Secure Boot 2023. For those curious about the implications for Windows 11 PCs if these deadlines are ignored, we have previously provided a comprehensive overview.
If you’re a regular Windows 11 or Windows 10 user, here’s what to do
Check your status in Windows Security
For the majority of home users, no manual action is necessary. The Secure Boot 2023 certificates are being distributed via Windows Update, and if your device qualifies and Windows Update is active, the update will occur seamlessly in the background. Nevertheless, it is advisable to verify your status. Since the April 2026 update, Windows 11 users can check their Secure Boot certificate status directly within the Windows Security app. Navigate to Windows Security > Device Security > Secure Boot. A green checkmark indicates that your PC is fully updated and requires no further action.
What if you see a Yellow or Red icon?
A yellow warning typically signifies that Windows is awaiting additional compatibility data regarding your specific device firmware before applying the certificate update. In most instances, all you need to do is ensure that Windows Update remains active and wait patiently. The June update has significantly expanded the list of devices eligible for automatic updates.
A red alert, while less common, indicates a more serious issue, often stemming from firmware incompatibility that necessitates a BIOS/UEFI update from your PC manufacturer (HP, Dell, Lenovo, ASUS, etc.). If you encounter a red icon, it is prudent to check your manufacturer’s support page for a BIOS update and install it. Following the firmware update, Windows will automatically attempt to retry the certificate update.
Do you need to do anything if your PC already has a Green checkmark?
No action is required. If Windows Security displays a green checkmark under Secure Boot, your PC has successfully received the 2023 certificates and is fully up to date. There are no BIOS changes or PowerShell commands necessary.
Multiple reboots during Secure Boot updates are normal
Some users have reported experiencing two or three restarts following recent Windows updates. Microsoft has confirmed that this behavior is expected, particularly due to the Secure Boot certificate update process. The deployment of these certificates into the firmware necessitates staging, applying, and booting the updated bootloader, each of which requires a reboot. If your PC restarted multiple times after the June update, it was likely functioning as intended.
You may see a new SecureBoot Folder in Windows
If you discover a new SecureBoot folder within C:\Windows, there is no need for concern or to delete it. Microsoft has confirmed that this is not a bug; rather, it is a designated space for staging cryptographic files before they are integrated into the firmware. It is best to leave this folder undisturbed.
Secure Boot on older PCs
Older PCs can be categorized in various ways. If your PC was shipped with Windows 10 or 11 and has been consistently receiving Windows updates, there is a strong likelihood that the June update will apply. However, if your device is from the 2015-2019 era and has not received a recent BIOS update from the manufacturer, you may notice a yellow status for a longer duration as Microsoft continues to assess compatibility for those firmware versions.
A very small number of older PCs may never receive the automatic update due to firmware issues that can only be resolved through a manufacturer update that may not exist. For those devices, we have published a detailed analysis of Secure Boot failures across older hardware and how to diagnose them. However, for the average consumer with a PC from 2020 or later, the June update should suffice.
Do you need to check your BIOS or do anything manually?
For home users on Windows 11 or Windows 10 ESU, no manual intervention is necessary. Microsoft has explicitly stated in its official guidance that for devices receiving Microsoft-managed updates, the process is automatic. There is no requirement to access the BIOS or modify any registry settings. Earlier this year, we provided instructions on how to manually check the Secure Boot certificate status if desired, but this is entirely optional for home users.
A Note for HP users
HP users should be particularly aware that the April 2026 BIOS updates from HP caused BitLocker recovery loops and boot failures on premium commercial laptops and workstations when attempting to apply the Secure Boot certificates. HP has since acknowledged this issue and released updated firmware. If you own an HP device and are encountering BitLocker recovery prompts or boot problems following recent updates, it is advisable to consult HP’s support advisory and install the latest BIOS update from their support site before proceeding with any other actions. Additionally, our coverage of Windows 11 KB5094126 known issues highlights that HP PCs appear to be among the affected devices.
What IT Administrators need to know about changes in the June 2026 Update
The June Patch Tuesday update has significantly increased the number of device models included in the high confidence database, which Microsoft utilizes to determine which PCs receive the certificate update automatically. Microsoft’s engineering team confirmed during their second Secure Boot AMA session on June 4 that the vast majority of systems with available diagnostic data will be classified as high confidence following the June update.
Devices in the High Confidence bucket
Devices categorized within the high confidence bucket will have their updates managed automatically by Intune, requiring no action from administrators. The Intune monitoring report, updated in mid-May, provides the certificate update status for every managed device. Microsoft recommends pulling this report first to identify which devices are in high confidence and which are not, allowing for a strategic rollout plan.
Devices not in High Confidence
For devices that fall outside the high confidence category, including white-box machines, older configurations with limited telemetry, or uncommon OEM firmware versions, administrators will need to manually initiate the update. The two primary methods for doing so are the registry key approach (setting the AvailableUpdates value to 5944) or utilizing the equivalent Intune settings catalog policy. Both methods instruct the scheduled task to execute the certificate update process immediately, bypassing the wait for device classification.
Microsoft’s recommended workflow for Intune-managed devices is to pull the Secure Boot monitoring report, identify devices that have not updated, select one or two representative units from each firmware variant, push the policy, and wait for a green status before expanding. It is advisable to select active and accessible devices, avoiding remote machines that may remain offline for extended periods. Microsoft has provided detailed guidance on monitoring Secure Boot certificate status with Intune remediations and the registry key method for IT-managed devices on its support pages.
The temporarily paused bucket
Devices classified as temporarily paused are there due to the rollout system detecting a firmware compatibility issue that could render the update risky for that specific configuration. Forcing the update through the registry on these devices without first installing a firmware update from the OEM is not advisable. It is essential to check the OEM’s support page for a BIOS update, apply it, and then retry. After a firmware update, the device will transition into a new bucket based on its updated firmware version, likely categorized under observation or high confidence instead of remaining paused.
It is important to note that when a device moves to a new bucket following a firmware update, the classification recorded for its previous firmware version is not revised, so relying on cached data exports from weeks prior may give a misleading picture. Always consult the live Intune report or the GitHub CSV data to ascertain the current status of a specific device. Microsoft’s OEM pages for Secure Boot offer firmware update resources for all major manufacturers.
Machines with Secure Boot turned off
For devices where Secure Boot is disabled within the firmware, Microsoft is unable to update the certificates, as the firmware does not permit it. These machines are already vulnerable to the boot-level attacks that Secure Boot is designed to prevent, and the expiration of the certificates does not alter that exposure. If you plan to enable Secure Boot on these machines in the future, thorough testing is essential. The boot manager on the device will be updated to the 2023-signed version, but if the firmware trust database only contains the 2011 certificate when you re-enable Secure Boot, the machine will fail to boot and will require manual recovery.
Event Log entries to monitor
The TPM-WMI event source within the Windows System event log serves as the most reliable diagnostic tool for assessing Secure Boot certificate update status. Event 1801 indicates that the device is being tracked and is awaiting additional data. Event 1802 points to a specific firmware-level issue, which is a common reason for a temporarily paused classification. Event 1803 signifies a failure to apply the KEK update, typically due to the absence of a PK-signed KEK payload for that device’s Platform Key configuration, a situation often encountered in certain virtual machine setups where the PK was assigned an invalid value.
Upon successful completion of your update, Event ID 1808 will appear in Event Viewer, confirming that the new Secure Boot keys are active. For those managing virtual environments with Hyper-V or Azure VMs, the PK configuration may present a potential hurdle. It is crucial to verify that both the KEK and the DB certificates are the 2023 versions. If the DB certificates are present but the KEK update fails, the device remains partially protected but will not receive DBX revocation updates until the KEK is also updated. Microsoft has specific guidance for Trusted Launch and Confidential VMs on Azure and Azure Virtual Desktop environments.
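As an added example (not from the article or from Microsoft), this PowerShell script ties the two checks above together: it reads the TPM-WMI events the article lists and inspects the live KEK and db UEFI variables for the 2011 and 2023 certificates, flagging the partially protected case where the db has moved to 2023 but the KEK has not. The ETW provider name Microsoft-Windows-TPM-WMI and the certificate subject strings Microsoft Corporation KEK 2K CA 2023, Microsoft Windows Production PCA 2011 and Windows UEFI CA 2023 are assumptions drawn from Microsoft's published names, not from the article.

```powershell
# Added example: local Secure Boot certificate-update status from TPM-WMI
# events plus the KEK/db variables. Run in an elevated PowerShell session;
# Get-SecureBootUEFI and Confirm-SecureBootUEFI require administrator rights.

# Event IDs and their meanings exactly as the article describes them.
$EventMeaning = @{
    1801 = 'Tracked; awaiting additional compatibility data'
    1802 = 'Firmware-level issue detected (common cause of "temporarily paused")'
    1803 = 'KEK update failed (no PK-signed KEK payload for this Platform Key)'
    1808 = 'Update complete; new Secure Boot keys are active'
}

function Get-SecureBootUpdateEvents {
    # Assumption: the ETW provider behind the "TPM-WMI" source in the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = @($EventMeaning.Keys)
    }
    # -ErrorAction SilentlyContinue: "no events found" is a valid result here.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Meaning = $EventMeaning[$_.Id]
            }
        }
}

function Get-UefiVariableText {
    param([string]$Name)
    # Certificate subjects are stored as printable ASCII inside the DER blobs,
    # so a plain substring search on the raw variable is enough for presence.
    try {
        [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
    } catch {
        ''   # variable unreadable (e.g. legacy BIOS boot); treat as empty
    }
}

function Test-SecureBoot2023Certs {
    $kek = Get-UefiVariableText -Name 'KEK'
    $db  = Get-UefiVariableText -Name 'db'
    $enabled = try { Confirm-SecureBootUEFI } catch { $false }
    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Kek2011Present    = $kek -match 'Microsoft Corporation KEK CA 2011'
        Kek2023Present    = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        Db2011Present     = $db  -match 'Microsoft Windows Production PCA 2011'
        Db2023Present     = $db  -match 'Windows UEFI CA 2023'
    }
}

function Get-SecureBootUpdateSummary {
    $certs  = Test-SecureBoot2023Certs
    $events = @(Get-SecureBootUpdateEvents)
    $last   = $events | Select-Object -Last 1

    # Order matters: a disabled platform cannot be updated at all, and a 2023 db
    # without a 2023 KEK is the "partially protected, no DBX updates" case.
    $state =
        if (-not $certs.SecureBootEnabled) {
            'Secure Boot off: firmware will not accept certificate updates'
        } elseif ($certs.Kek2023Present -and $certs.Db2023Present) {
            'Fully updated: 2023 KEK and 2023 db certificate present'
        } elseif ($certs.Db2023Present) {
            'Partially protected: 2023 db present but KEK still 2011; no new DBX updates until KEK is updated'
        } else {
            'Not yet updated: only 2011 certificates present'
        }

    [pscustomobject]@{
        State        = $state
        LastEventId  = if ($last) { $last.Id } else { $null }
        LastEvent    = if ($last) { $last.Meaning } else { 'No TPM-WMI update events logged' }
        Certificates = $certs
    }
}

Get-SecureBootUpdateSummary | Format-List
Get-SecureBootUpdateEvents  | Format-Table -AutoSize
```

An 1808 event alongside a KEK that still reads 2011 is worth a closer look rather than a green tick, since the two sources should agree.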
OEMs and the Driver Quality Initiative
The Secure Boot deadline has exerted considerable pressure on OEMs to expedite BIOS updates; however, this urgency has sometimes led to unintended consequences. Instances have been reported where rushed firmware updates have rendered Windows 11 PCs inoperable. Microsoft’s Driver Quality Initiative, announced at WinHEC 2026, aims to foster a collaborative approach to firmware and driver quality among Microsoft, OEMs, and silicon vendors.
For IT administrators overseeing extensive fleets, this underscores the importance of piloting OEM firmware updates on a small scale before broader deployment, even when the update is marketed as a security fix.
KEK expiration and what stops working after June 24
June 24 marks the expiration date of the Microsoft Corporation KEK CA 2011 certificate, but it does not signify an abrupt halt in device functionality. After this date, Microsoft will lose the ability to sign new DBX revocation payloads using the old KEK. However, all previously signed payloads, including the registry key and scheduled task mechanisms, will continue to operate as before. The DB key remains valid until October 2026, allowing Microsoft to sign new boot managers until then. What does stop after the KEK expires is Microsoft’s capacity to push new malware and bootkit blacklist updates to devices that have not yet received the new KEK.
For comprehensive information regarding Secure Boot, including documentation, scripts, OEM firmware links, Intune guidance, troubleshooting, and known issues, visit Microsoft’s central resource at aka.ms/GetSecureBoot. We welcome feedback in the comments regarding any challenges you may encounter with Secure Boot.