Event details

Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked Sec...
Heather_Poulsen
Updated May 18, 2026
AMA
Technical Takeoff
jad's avatar
jad
Copper Contributor
May 20, 2026

Trying to keep tabs on progress of cert rollout, I had a Dell device initiate the cert update process after applying the May LCU but with an oddity:

After reboot and waiting for the scheduled task to run, AvailableUpdates=0x4100 but UEFICA2023Status=NotStarted. I've never seen this combination, which skews reporting. 0x4100 is usually accompanied with InProgress status.

TPM-WMI event cadence looks normal with 1036/1044/1045/1043 then 1801 re: pending reboot (Reason: Boot Manager (2023)).

Get-SecureBootUEFI confirms 2023 certs are reflected in the db and kek variables.

So if the intention is to rely on UEFICA2023Status, am I missing something or does something seem off here? Any thoughts or direction would be most appreciated.

Arden_White​
Heather_Poulsen​ 

 

  • Arden_White's avatar
    Arden_White
    Icon for Microsoft rankMicrosoft
    May 20, 2026

    jad​ I have not seen this before. Two questions:

    • Did you initiate the updates or was this done automatically as a high confidence update?
    • Which version of Windows is this?

    I'll check with our team to see if they know why.

    • jad's avatar
      jad
      Copper Contributor
      May 20, 2026

      Many thanks for the reply, Arden_White​  To answer your questions:

      • No, I did not initiate the cert updates -- the update was applied on reboot after applying May updates so I anticipate LCU was the update mechanism.
      • Yes, ConfidenceLevel=High Confidence in registry. Was "Under Observation..." prior to applying the May LCU.
      • OS is Windows 11 24H2.