Event details
This topic comes right in place to share what I saw on an old computer from 2013.
I read carefully the blog page on the topic: Updating Microsoft Secure Boot keys | Windows IT Pro blog
and the registry key settings:
https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#articlefootersupportbridge=communitybridge
If I understand properly, the task
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
is trying to update the UEFI with the new certificates. Is that correct?
BUT the whole is missing a critical scenario: what if the UEFI does NOT support the update of certificates?
On my mainboard from 2013, an ASRock Z87E-ITX, with the last BIOS 2.5 from 2018, out of support from ASRock for years already, running the task shows very strange behavior on Windows 10 Pro:
- if the wifi is off, I get an error 1801 with "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware"
- if the wifi is on, the computer freezes completely (exactly 5 min after start, matching the delay of the trigger in the task), nothing is written in any logs, as if the task trying to touch the UEFI reaches a critical address.
In the BIOS/UEFI on this machine, there is no way whatsoever to manage the keys and certificates. No way to read (let alone write). It seems ASRock did not implement Secure Boot completely there...
And there is NO TPM chip on that board...
So next question: what if the certificates are not updated in the UEFI? Should not the update within Windows be enough?
Lots of people are seeing the 'hang/freeze after 5 minutes' (Windows 10) when Task Scheduler runs 'Microsoft\Windows\PI\Secure-Boot-Update'. Numerous people (including me) started seeing this issue after January's ESU KB5073724. Reddit etc. is full of similar stories. I've been getting by by disabling the network (stopping NSI service at startup and enabling after 5 mins). Hopefully Microsoft will pick up on this and resolve things as it's hurting lots of people!
I've added my story to this Windows forum:
https://www.tenforums.com/windows-updates-activation/222472-january-2026-esu-kb5073724-windows-freezes-after-4-5-minutes.html
- mihi, Brass Contributor, Mar 25, 2026
Does it avoid the freeze if you set in registry
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
- AvailableUpdates = 0 (remember the previous value)
- HighConfidenceOptOut = 1 (you may have to create as DWORD if not present)
That way, the scheduled task should not pick up any Secure Boot update and future cumulative updates will not automatically try to install any Secure Boot updates either. On the other hand, you should try manually to install all the ones you can (without freezing) if you intend to have Secure Boot protecting your machine at the same level after June 2026. If you cannot install any of them, leaving Secure Boot on with old certificates is still more secure than turning it off.
Out of curiosity, in
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
Can you look up BucketHash and ConfidenceLevel and post them here? Thanks.
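
The registry steps suggested in the reply above, written out as an added PowerShell example (not part of the thread and not Microsoft's code). It reads the four values named in the thread, and only when asked records the previous AvailableUpdates value before applying the opt-out. The function names and the backup file location are assumptions made for this example; run it from an elevated session.

```powershell
# Added example: inspect and (optionally) opt out of Secure Boot certificate servicing.
# Value names come from the thread; function names and $BackupFile are hypothetical.
$SecureBoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$Servicing  = Join-Path $SecureBoot 'Servicing'
$BackupFile = Join-Path $env:ProgramData 'SecureBoot-AvailableUpdates.previous.txt'  # assumed location

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-SecureBootServicingState {
    # The values the reply asks about, collected in one object for posting or logging.
    [pscustomobject]@{
        AvailableUpdates     = Get-RegValue $SecureBoot 'AvailableUpdates'
        HighConfidenceOptOut = Get-RegValue $SecureBoot 'HighConfidenceOptOut'
        BucketHash           = Get-RegValue $Servicing  'BucketHash'
        ConfidenceLevel      = Get-RegValue $Servicing  'ConfidenceLevel'
    }
}

function Set-SecureBootUpdateOptOut {
    # "Remember the previous value": write it to disk once, never overwrite an older backup.
    $previous = Get-RegValue $SecureBoot 'AvailableUpdates'
    if ($null -ne $previous) {
        if (-not (Test-Path $BackupFile)) {
            '0x{0:X}' -f $previous | Set-Content -Path $BackupFile
        }
        # The value already exists, so only its data is changed to 0.
        Set-ItemProperty -Path $SecureBoot -Name 'AvailableUpdates' -Value 0
    }
    # Create HighConfidenceOptOut as a DWORD if missing; -Force also overwrites an existing value.
    New-ItemProperty -Path $SecureBoot -Name 'HighConfidenceOptOut' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    Get-SecureBootServicingState
}

# Read-only by default: show the current state.
Get-SecureBootServicingState | Format-List

# To apply the opt-out described in the reply, call:
# Set-SecureBootUpdateOptOut | Format-List
```

To undo the change later, set HighConfidenceOptOut back to 0 and restore AvailableUpdates from the value saved in the backup file.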