[Urgent] Inquiry About Secure Boot Support and Update Procedure

염규정 (David Yeom) 20 Reputation points
2026-06-09T11:23:29.17+00:00

Dear Microsoft Support Team,

Due to our company’s internal security requirements, we would like to update the Secure Boot certificate on the computer currently being used for our equipment.

The PC specifications are as follows:

[Brand: HP, Model name: HP EliteDesk 800 G2 TWR, Processor: Intel Core i3-6100 CPU @ 3.70 GHz, Memory: 8 GB, Hard disk: 1 TB, 1 TB, OS: Windows 10]

Could you please urgently advise whether the PC will be able to boot normally after the Secure Boot certificate update, and provide the recommended update procedure?

If you have any questions or requests, please contact the email address below.

[PII removed]


Answer accepted by question author

Brian Huynh 3,305 Reputation points Microsoft External Staff Moderator
2026-06-10T01:47:04.9333333+00:00

Hello David Yeom, thank you for posting in the Microsoft Q&A community.

To directly answer your question: Yes, the PC will boot normally after the Secure Boot certificate update, as long as the device firmware (BIOS) correctly supports and applies the new certificates. If the certificates are not updated before the deadline, the device will still boot and operate, but with a degraded security posture.

Here is the officially recommended approach to perform the update safely:

  1. Ensure the device is fully updated with the latest Windows 10 cumulative updates.
  2. Open PowerShell as an Administrator.
  3. Run the following command to manually trigger the Secure Boot servicing task:
     Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
  4. Restart the computer twice to ensure it boots up with the updated database.

Could you please provide some additional data? First, please open PowerShell as Administrator, run the following command, and share the output:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

(Note: If this returns True, your system has already successfully applied the new certificate).

Second, could you press Windows + R, type msinfo32, press Enter, and let me know the BIOS Version/Date currently installed?


2 additional answers

  1. 염규정 (David Yeom) 20 Reputation points
    2026-06-10T01:06:35.4233333+00:00

    Dear Microsoft Support Team

    I want to get advice from a human.

    I downloaded the Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA, and Microsoft Option ROM UEFI CA 2023 certificates for the update from the Microsoft web page.

    I would like to know the next step to upgrade the Secure Boot certificate.

    If you have any questions or requests, please contact the address below.

    Thank you.


  2. AI answer

    2026-06-09T11:24:05.7366667+00:00

    The described HP EliteDesk 800 G2 running Windows 10 can continue to boot normally after Secure Boot certificate updates, provided the update process completes successfully and the device firmware correctly applies the new certificates.

    If Secure Boot certificates are not updated before the older 2011 certificates begin expiring in June 2026, the device will still start and operate normally and will continue to receive standard Windows updates. However, it will no longer receive new Secure Boot protections for early boot components (for example, Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for new boot-level vulnerabilities). Over time, this reduces protection and may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening or third‑party bootloaders.

    For supported Windows 10 devices that share diagnostic data and are “managed by Microsoft,” Secure Boot certificates are delivered via Windows Update. The updated 2023 Secure Boot certificates are included in the May 13, 2025 cumulative updates (LCU) and later, but they are not applied automatically; additional steps are required to complete deployment.

    Recommended high‑level procedure for an IT‑managed Windows 10 device:

    1. Ensure the device is running a supported version of Windows 10 and is fully updated with the latest cumulative updates (May 13, 2025 or later) that include the 2023 Secure Boot certificates.
    2. Follow the IT guidance in “Windows Secure Boot certificate expiration and CA updates” (referenced as https://aka.ms/getsecureboot in the documentation) to:
      • Identify whether the device still uses 2011 Secure Boot certificates.
      • Apply the Secure Boot Active Variable updates through the OS so that the new 2023 certificates are used for boot validation.
    3. Monitor deployment status:
      • Check Secure Boot certificate status and system event logs for indicators such as Event ID 1801 or related events that show whether certificate remediation has been applied.
      • Verify that the UEFICA2023Status registry value reflects an Updated state, where applicable.
    4. If the device is older or OEM firmware is outdated and the OS‑based update does not apply correctly, coordinate with HP to obtain any required firmware/BIOS updates that refresh the Secure Boot default variables in firmware.

    If Secure Boot is disabled on the device, it will not receive the new Secure Boot certificates in firmware and will remain vulnerable to boot‑level malware because Secure Boot protections are not enforced. In that case, enable Secure Boot in firmware (UEFI) after ensuring certificates and keys are correctly provisioned according to OEM guidance.

    For customer/IT‑managed fleets where OEM firmware updates may not be available, Microsoft’s guidance indicates two paths:

    1. Where devices are managed by Microsoft with diagnostic data sharing and are on supported OS versions, Microsoft will attempt to update Secure Boot certificates through Windows Update.
    2. For customer/IT‑managed devices, administrators should use the documented Secure Boot certificate expiration and CA update procedures to apply the new certificates on validated devices that can safely take the updates. In cases where updates do not apply due to firmware issues, follow HP’s firmware guidance.

    If Secure Boot certificates were to expire without being updated, Secure Boot protection would be degraded, but as long as the device meets requirements for newer OS versions (for example, Windows 11) it would still be possible to upgrade, assuming other hardware prerequisites are met.



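The accepted answer gives a single db check and a scheduled-task command, and the AI answer names two further indicators (the UEFICA2023Status registry value and Event ID 1801). The script below, added here as an example and not posted by anyone in the thread, folds those checks into one read-only readiness report for a device like the EliteDesk 800 G2, and optionally runs the same Start-ScheduledTask command the moderator gave. It assumes the 2023 certificate subject strings listed in $Expected, that UEFICA2023Status lives under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing, and that Event ID 1801 is logged to the System log; treat each of those as an assumption to confirm against Microsoft's current guidance. Run it from an elevated PowerShell prompt.

```powershell
<#
  Added example (not from the Q&A thread): read-only Secure Boot 2023 CA
  readiness check for one Windows 10/11 device, plus an optional trigger of
  the servicing task named in the accepted answer. Nothing is written to the
  system unless -TriggerUpdate is passed. Requires an elevated prompt.
#>
[CmdletBinding()]
param(
    # When set, start the Secure Boot servicing task (the accepted answer's command).
    [switch]$TriggerUpdate
)

# Certificate subject strings to look for. Assumed 2023 CA names; adjust if
# Microsoft's published list differs from these.
$Expected = @{
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBootVariableText {
    param([ValidateSet('db', 'dbx', 'KEK', 'PK')][string]$Name)
    # Same trick as the accepted answer: the DER-encoded subject names are
    # plain ASCII, so an ASCII decode of the raw variable is enough for a
    # substring match. Returns $null if the variable cannot be read.
    try {
        [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
    } catch {
        Write-Warning "Could not read UEFI variable '$Name': $($_.Exception.Message)"
        $null
    }
}

$report = [ordered]@{}

# 1. Is Secure Boot enforced at all? The cmdlet throws on legacy BIOS boot,
#    in which case the firmware will never receive the new certificates.
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $report.SecureBootEnabled = $false; Write-Warning "Not a UEFI/Secure Boot system: $($_.Exception.Message)" }

# 2. Which of the expected 2023 certificates are already in db / KEK.
foreach ($var in $Expected.Keys) {
    $text = Get-SecureBootVariableText -Name $var
    foreach ($subject in $Expected[$var]) {
        $report["$var contains '$subject'"] = ($null -ne $text) -and $text.Contains($subject)
    }
}

# 3. Is the expiring 2011 CA still trusted? It stays in db until the later
#    revocation step moves it to dbx, so True here is normal mid-rollout.
$dbText = Get-SecureBootVariableText -Name db
$report.'db contains Microsoft Windows Production PCA 2011' =
    ($null -ne $dbText) -and $dbText.Contains('Microsoft Windows Production PCA 2011')

# 4. Servicing state written by Windows. Value name is from the AI answer;
#    the key path is an assumption.
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$report.UEFICA2023Status =
    (Get-ItemProperty -Path $servicingKey -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status

# 5. Most recent Event ID 1801 (the indicator named in the AI answer), if any.
$ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 1 -ErrorAction SilentlyContinue
$report.LastEvent1801 = if ($ev) { $ev.TimeCreated } else { 'none logged' }

# 6. Firmware version and date, the same data msinfo32 shows, which the
#    moderator asked for to judge whether an HP BIOS update is needed.
$bios = Get-CimInstance -ClassName Win32_BIOS
$report.BIOSVersion = $bios.SMBIOSBIOSVersion
$report.BIOSDate    = $bios.ReleaseDate

[pscustomobject]$report | Format-List

if ($TriggerUpdate) {
    # Exactly the command from the accepted answer; the two reboots are still manual.
    Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
    Write-Host 'Servicing task started. Restart twice, then re-run this script without -TriggerUpdate.'
}
```

Run it once before triggering the task to record the baseline, again after the two restarts, and compare the report: the db and KEK rows for the 2023 names should flip to True and UEFICA2023Status should report an updated state. If the rows stay False while SecureBootEnabled is True and the BIOS date is old, that is the case the AI answer describes, where an HP firmware update is needed before the OS-side update can apply.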
