Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Feb 19, 2026
AMA
HmmmUK's avatar
HmmmUK
Copper Contributor
Mar 25, 2026

Lots of people are seeing the 'hang/freeze after 5 minutes' (Windows 10) when Task Scheduler runs 'Microsoft\Windows\PI\Secure-Boot-Update'. Numerous people (including me) started seeing this issue after January's ESU KB5073724. Reddit etc. is full of similar stories. I've been getting by by disabling the network (stopping NSI service at startup and enabling after 5 mins). Hopefully Microsoft will pick up on this and resolve things as it's hurting lots of people! 

I've added my story to this Windows forum:

https://www.tenforums.com/windows-updates-activation/222472-january-2026-esu-kb5073724-windows-freezes-after-4-5-minutes.html 

 

mihi's avatar
mihi
Brass Contributor
Mar 25, 2026

Does it avoid the freeze if you set in registry 

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot

  • AvailableUpdates = 0 (remember the previous value)
  • HighConfidenceOptOut = 1 (you may have to create as DWORD if not present)

That way, the scheduled task should not pick up any Secure Boot update and future cumulative updates will not automatically try to install any Secure Boot updates either. On the other hand, you should try manually to install all the ones you can (without freezing) if you intend to have Secure Boot protecting your machine at the same level after June 2026. If you cannot install any of them, leaving Secure Boot on with old certificates is still more secure than turning it off.

Out of curiositry, in 

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

Can you look up BucketHash and ConfidenceLevel and post them here? Thanks.

  • HmmmUK's avatar
    HmmmUK
    Copper Contributor
    Mar 26, 2026

    Hi, Thanks for the reply.
    Looking in my Registry, AvailableUpdates is currently set to 0
    ConfidenceLevel is: "Under Observation - More Data Needed".
    I haven't posted the BucketHash as this is over my head and I don't understand what info I would be giving away here - so to be safe I'll leave that. Same for making any Registry changes ATM. My PC has had a rough couple of months(!) so I don't wish to break things further at this point, but may revisit that.
    Do you know what disabling the item in Task Scheduler will effect going forwards?
    Thanks again.

    • mihi's avatar
      mihi
      Brass Contributor
      Mar 26, 2026

      So, both the confidence level and the AvailableUpdates would suggest it does not even try to install any updates when the task starts. So it confuses me that you are indeed experiencing freezes when that task is started. Maybe there is a second issue in the task that makes it fail even if nothing is to be done? Or maybe the freeze is a coincidence and not actually caused by starting the task?

      In any case, you can look in 

      https://github.com/microsoft/secureboot_objects/tree/main/HighConfidenceBuckets - if you can find your hash in one of the lines, this is what information it would give away (your mainboard model, your firmware revision/date, and some data about confidence (whether telemetry shows that this has been installed successfully).

      There are a few theoretically possible cases

      • The hash does not appear here. Which matches to the Confidence Level you posted, and would *not* explain why you experienced the freezes
      • The hash does appear here but it refers to a completely different model than you have. That would mean something is wrong in Microsoft calculating the hashes or evaluating the telemetry they received
      • The hash appears here, it matches your model, and is High Confidence. That would explain why you got the update, but still no idea how it got onto that list if it causes freezes for you.

      But it is fine if you prefer to be cautious. Thank you for your feedback anyway.

      • HmmmUK's avatar
        HmmmUK
        Copper Contributor
        Mar 27, 2026

        Thanks for that.
        Would I need to download all the github csvs to search? 

        Via Twitter, someone else with the same issue has told me that this TPM registry change has stopped their freezes:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPM", set "Start" from 3 to 4.

        I see on my old PC I'm currently set to '3' - I'm not sure if that's correct?
        EDIT: Another old W10 PC which is unaffected by the freeze/hang I have also has this key set to 3 so perhaps this is a red herring...
        Not one official response on the Microsoft Feedback Hub to the many reports on this :(

        If anyone from Microsoft is interested and reading this please search the MS Feedback Hub and there are lots of people reporting the freeze/hang issue since KB5073724 in January 2026. 
        I managed 3 normal successful Windows starts after the March ESU KB5078885 before the ''freeze after 5 minutes' returned which people are reporting is due to the Task Scheduler running Microsoft\Windows\PI\Secure-Boot-Update which if how I ended up in these comments :)