Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
AMA
LarsDK's avatar
LarsDK
Occasional Reader
Feb 05, 2026

We are rolling this out with the Intune policies, and overall it appears to be working well. The new report in Autopatch looks great - thanks.

However, we have encountered a consistent issue with Dell OptiPlex 3040 and 7040 systems.

On these models, running the latest firmware and Windows 11 LTSC (unsupported, we understand), the machines lock up completely a few minutes after boot when network access is available. There is no blue screen or crash dump—the system simply freezes as if time has stopped. This behavior does not appear to occur when the network is disconnected.

These devices have been running since purchase in 2016 and have been using the same Windows 11 LTSC image since it was released, without prior issues.

We have confirmed that disabling Secure Boot in the BIOS immediately resolves the problem. Every OptiPlex 3040 and 7040 that has received this policy is affected.

These models must be on the known good list, but this specific configuration clearly does not work as expected.

  • Eric_Bl's avatar
    Eric_Bl
    Copper Contributor
    Feb 08, 2026

    Hi Lars,
    I got exactly the same behavior on my older machine as described in this  previous comment:

    (complete freeze of the PC after 5 min, and only when network is access is activated, caused by a scheduled task trying to update the certificates, see my comment. My PC is running Windows 10 Pro ESU, and has a i5 4670k CPU from 2013 so Gen4! It has no TPM chip despite having a connector for extra module).
    AFAIK, your systems are running Gen6 of Core CPU, correct?

    What means the "yeah" in AaronCR's question? It is failing despite those settings or no failure anymore after the settings?

    Likely keeping SecureBoot activated but disabling the "enable secure boot certifcate updates" will stop running the task freezing the systems.

    As mihi responded to  my other comment, "for the foreseeable future, having a system that has secure boot enabled but expired KEK only (or even expired KEK and expired DB) is still more secure than secure boot off, as it will properly protect agaisnt a lot of old attacks. It will not protect against new attacks, but disabled Secure Boot will neither."

  • AaronCR's avatar
    AaronCR
    Copper Contributor
    Feb 06, 2026

    Hello LarsDK,

    Do you just have the below config set and its working?

     

     

    • LarsDK's avatar
      LarsDK
      Occasional Reader
      Feb 06, 2026

      Yeah!