Microsoft Forces Secure Boot 2023 Update to Millions of PCs: How to Verify Your Status

Microsoft is aggressively expanding the rollout of the Secure Boot 2023 certificate update via the June 2026 Patch Tuesday release (KB5094126). After two years of cautious, phased deployments held back by firmware compatibility checks, the vast majority of supported Windows 11 and Windows 10 devices are now classified in the high confidence category. This means the critical security certificates are either already applied or installing silently in the background. With the original 2011-era certificates set to begin expiring on June 24, 2026, ensuring your system is updated is vital to maintaining boot-level protection against rootkits and bootkits.

Secure Boot is a foundational security feature built into your PC's UEFI firmware. It verifies the cryptographic signature of software attempting to load before Windows even starts, blocking unauthorized malware that hides from standard antivirus programs. While the update process is largely automated for everyday consumers, IT administrators and users with older hardware or specific OEM configurations need to verify their status to avoid potential boot failures or lapsed security coverage.

How to Verify Your Secure Boot Status

For most home users, the Secure Boot 2023 certificates are delivered seamlessly through Windows Update. However, you should manually verify that the installation was successful, especially if your PC is from the 2015-2019 era. Follow these steps to check your status:

  1. Open the Windows Security app. This is the central hub for all built-in Microsoft protection features.
  2. Navigate to Device Security, then click on the Secure Boot section. This menu displays your current firmware protection level.
  3. Check the status icon displayed on the screen. This indicator tells you exactly what action, if any, is required.
  • Green Checkmark: Your PC is fully updated with the 2023 certificates. No further action, BIOS changes, or PowerShell commands are needed.
  • Yellow Warning: Windows is waiting to apply the update because it needs more compatibility data about your specific firmware. Keep Windows Update running and wait.
  • Red Alert: This indicates a serious firmware incompatibility. You must visit your PC manufacturer's support page (HP, Dell, Lenovo, ASUS) to download and install the latest BIOS/UEFI update. Windows will retry the certificate installation afterward.
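The Windows Security app gives the same answer a script can read directly from the firmware variables. The following PowerShell function is an added example, not from the article or from Microsoft: it checks that Secure Boot is on, searches the UEFI DB and KEK variables for the 2023 certificate subject names Microsoft publishes for this update ("Windows UEFI CA 2023" and "Microsoft Corporation KEK 2K CA 2023"), and reads the servicing status Windows keeps in the registry. The registry key path and the UEFICA2023Status value name are assumptions to confirm against Microsoft's servicing documentation; run it from an elevated prompt, since Get-SecureBootUEFI requires administrator rights.

```powershell
# Added example (not from the article): report Secure Boot 2023 certificate
# status on the local machine. Requires an elevated PowerShell session.

function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM systems, so report
    # "not applicable" instead of failing.
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{
            SecureBootEnabled = $false
            Db2023Present     = $false
            Kek2023Present    = $false
            ServicingStatus   = 'Secure Boot not available on this system'
        }
    }

    # Each UEFI variable is a signature list; certificate subject names are
    # stored as ASCII inside it, so a substring search is enough for a
    # presence check.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)

    # Assumption: Windows records servicing progress under this key, with
    # UEFICA2023Status set to NotStarted, InProgress or Updated. Confirm the
    # exact key and value names against Microsoft's documentation.
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $servicing    = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    $status       = if ($servicing) { $servicing.UEFICA2023Status } else { 'Unknown' }

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Db2023Present     = [bool]($dbText  -match 'Windows UEFI CA 2023')
        Kek2023Present    = [bool]($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
        ServicingStatus   = $status
    }
}

Get-SecureBoot2023Status | Format-List
```

A device that shows the green checkmark should report both Db2023Present and Kek2023Present as True; a device still waiting on compatibility data (the yellow state) typically has the new DB certificate but not yet the 2023 KEK, which is why the function reports them separately.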

Normal System Behaviors and HP Warnings

If your PC restarted two or three times after installing the recent Windows updates, this is completely normal. Pushing cryptographic certificates into the firmware requires staging the files, applying them, and booting the updated bootloader, with each step triggering a reboot. Additionally, you may notice a new folder named SecureBoot inside your C:\Windows directory. Microsoft has confirmed this is not a bug; the system uses this folder to stage files before flashing them to the firmware, and it should not be deleted.

However, users of HP devices need to exercise caution. HP's April 2026 BIOS updates caused severe BitLocker recovery loops and boot failures on premium commercial laptops and workstations when attempting to apply the Secure Boot certificates. HP has acknowledged the issue and released updated firmware. If you own an HP device and experience BitLocker prompts after the KB5094126 update, you must install the latest BIOS update directly from HP's support site before taking any other troubleshooting steps.

Action Plan for IT Administrators

The June Patch Tuesday update shifted a massive number of device models into the high confidence database. For devices in this bucket, Microsoft Intune handles the update automatically. However, for devices outside this category - such as white box machines or uncommon OEM firmware versions - administrators must manually trigger the update. Microsoft recommends pulling the Intune monitoring report, identifying un-updated devices, and pushing the policy to a small representative group before expanding.

To manually trigger the update on IT-managed devices, administrators can use the registry key approach by setting the AvailableUpdates value:

5944

Administrators should closely monitor the TPM-WMI event source in the Windows System event log to track deployment success. Key Event IDs include:

  • Event 1801: The device is tracked and awaiting more compatibility data.
  • Event 1802: A specific firmware-level issue was detected, placing the device in a temporarily paused state. Do not force the update; install an OEM BIOS update first.
  • Event 1803: Failure to apply the KEK update, often seen in virtual machine setups with invalid Platform Key configurations.
  • Event 1808: The update is fully complete, and the new Secure Boot keys are active.
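For the registry-key trigger and the event monitoring described above, here is an added example (not from the article or from Microsoft) that sets the AvailableUpdates value, starts the servicing task, and then classifies the device from the TPM-WMI events listed in the article. The value the article gives, 5944, is the hexadecimal DWORD 0x5944 in Microsoft's documentation; writing the decimal number 5944 would set the wrong bits. The scheduled task path (\Microsoft\Windows\PI\Secure-Boot-Update) and the provider-name match are assumptions to confirm against Microsoft's documentation. Run elevated, and pilot on a small group first, as the article advises.

```powershell
# Added example (not from the article): trigger the Secure Boot certificate
# update on an IT-managed device and report its progress from the System log.
# Requires an elevated PowerShell session.

$secureBootKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
# The article's value 5944 is hexadecimal: 0x5944 as a REG_DWORD.
$allUpdatesMask = 0x5944

function Invoke-SecureBootCertUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $desc = 'Set AvailableUpdates = 0x{0:X}' -f $allUpdatesMask
    if ($PSCmdlet.ShouldProcess($secureBootKey, $desc)) {
        Set-ItemProperty -Path $secureBootKey -Name AvailableUpdates -Value $allUpdatesMask -Type DWord
        # Assumption: the servicing task that consumes AvailableUpdates lives
        # at this path. Without starting it, the update waits for the task's
        # next scheduled run instead of starting now.
        Start-ScheduledTask -TaskName 'Secure-Boot-Update' -TaskPath '\Microsoft\Windows\PI\'
    }
}

# Event IDs and meanings as listed in the article.
$eventMeaning = @{
    1801 = 'Tracked; awaiting more compatibility data'
    1802 = 'Firmware issue detected; paused - install the OEM BIOS update first'
    1803 = 'KEK update failed (check Platform Key configuration on VMs)'
    1808 = 'Update complete; 2023 keys active'
}

function Get-SecureBootUpdateEvents {
    param([int]$Newest = 20)
    # Filter on the IDs first, then on the provider name, so the query works
    # whether the source is reported as TPM-WMI or Microsoft-Windows-TPM-WMI.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = @($eventMeaning.Keys) } `
                 -MaxEvents 200 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*TPM-WMI*' } |
        Select-Object -Property TimeCreated, Id,
            @{ n = 'Meaning'; e = { $eventMeaning[$_.Id] } }, Message -First $Newest
}

function Get-SecureBootUpdateOutcome {
    # The newest relevant event decides the state reported for this device.
    $latest = Get-SecureBootUpdateEvents -Newest 1
    if (-not $latest) { return 'NoEvents' }
    switch ($latest.Id) {
        1808    { 'Updated' }
        1802    { 'PausedFirmwareIssue' }
        1803    { 'KekFailed' }
        default { 'Pending' }
    }
}

Invoke-SecureBootCertUpdate -WhatIf     # remove -WhatIf to apply the change
Get-SecureBootUpdateEvents | Format-Table -AutoSize
Get-SecureBootUpdateOutcome
```

Get-SecureBootUpdateOutcome returns a single word per device, which is convenient as the output of an Intune remediation script: PausedFirmwareIssue (Event 1802) is the case where the article says not to force the update and to apply the OEM BIOS update first.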

For detailed deployment strategies, Microsoft provides official documentation on monitoring Secure Boot certificate status with Intune remediations and the registry key method for IT-managed devices. If a device is paused, consult Microsoft’s OEM pages for Secure Boot for firmware resources. Virtual environments also require specific attention; administrators should review guidance for Trusted Launch and Confidential VMs on Azure and Azure Virtual Desktop environments.

The June 24 Deadline Explained

June 24, 2026, marks the expiration date of the Microsoft Corporation KEK CA 2011 certificate. Devices will not suddenly stop working on this date. However, Microsoft will lose the ability to sign new DBX revocation payloads with the old KEK. This means that any PC that has not received the 2023 KEK update will no longer receive new malware and bootkit blacklist updates, leaving them vulnerable to newly discovered early-boot threats. The DB key itself does not expire until October 2026. For a comprehensive overview of the transition, administrators can visit aka.ms/GetSecureBoot.

The Firmware Fragility Exposed by Secure Boot

The transition to the Secure Boot 2023 certificates highlights a critical vulnerability in the modern PC ecosystem: the heavy reliance on OEM firmware quality. While Microsoft can push OS-level updates seamlessly, the fact that HP's April 2026 BIOS update triggered BitLocker recovery loops proves that hardware manufacturers are still struggling to keep pace with strict security mandates. This rollout is a stress test for the entire industry's update infrastructure.

This situation validates the necessity of Microsoft's Driver Quality Initiative announced at WinHEC 2026. By forcing OEMs and silicon vendors to share accountability for firmware stability, Microsoft is acknowledging that OS security is only as strong as the motherboard it runs on. For IT administrators, the lesson is clear: treating firmware updates as routine patches is a dangerous game, and piloting these updates on a small cohort is no longer optional - it is a mandatory survival tactic.
