Microsoft has published a new support document, KB5105943, detailing an unusual Secure Boot certificate block that prevents certain Windows 10, Windows 11, and Windows Server devices from receiving critical security updates. The advisory, released on June 29, 2026, explains why some systems are being blocked from obtaining updated Secure Boot certificates, and what that means for long-term security posture. While the PCs continue to boot normally, the inability to install new certificates could slowly weaken the Secure Boot enforcement, leaving machines more vulnerable to bootkits and firmware-level attacks over time.
The core of the problem is not a bug in the traditional sense, but a deliberate safeguard mechanism. When Secure Boot certificate updates roll out—usually as part of cumulative updates or standalone servicing stack releases—the firmware must successfully process and store these new certificates. On affected devices, the installation is blocked because the system fails to meet certain prerequisites. The KB article clarifies that this block is by design to prevent a failed or corrupted certificate update from rendering the device unbootable. In other words, the system chooses continued bootability at the cost of eventually having outdated Secure Boot protections.
This explanation, however, has not entirely calmed concerns among IT administrators and power users. Many have taken to Windows-focused forums to voice frustration over the opaque nature of the block and the lack of immediate remediation. Some note that the affected devices appear perfectly functional, passing system file checks and showing all updates installed. Yet, when running Microsoft’s validation tools, they find the Secure Boot certificate store is incomplete or frozen in time. The disconnect between a system reporting as fully patched and actually being left behind on Secure Boot is a gap that KB5105943 tries to bridge.
What Secure Boot Actually Does—and Why Certificates Matter
Secure Boot is a UEFI firmware security feature that ensures only software with a valid signature loads during the boot process. When a PC starts, Secure Boot checks the signature of each piece of boot software, including UEFI firmware drivers, EFI applications, and the operating system. If the signatures are valid against a database of trusted certificates, the boot continues; if not, the system halts. This prevents rootkits and boot malware from hijacking the system before the OS even loads.
The certificate database—split into the allowed signature database (db) and the forbidden signature database (dbx)—must evolve to revoke compromised keys and add new trusted authorities. Microsoft periodically updates these certificates through Windows Update to respond to newly discovered threats and to phase out weak or stolen keys. For example, when a major UEFI bootkit is discovered, Microsoft may release an update that adds the malware’s hash or certificate to the revocation list. Without this update, the system remains vulnerable to that specific threat.
The KB5105943 situation involves a subset of devices that, for various technical reasons, cannot install the refreshed certificate packages. The block is silent—there is no toast notification, no error in Windows Update history, and no immediate user impact. But over months and years, as the Secure Boot certificate landscape shifts, these machines will rely on an increasingly obsolete set of trust anchors. Security experts warn that this erosion is particularly dangerous because it’s invisible to most users.
Inside KB5105943: Why the Block Happens
The support document breaks down the block into three primary scenarios, all tied to firmware behavior and the specific Secure Boot certificate update mechanism.
First, some systems have UEFI firmware that lacks enough non-volatile storage to hold the updated certificate payload. Secure Boot certificates are stored in protected flash memory on the motherboard. On older machines or those with poorly designed firmware, that memory space is tight. When Microsoft pushes a certificate update, the firmware may refuse to write the new data—or worse, could crash. To avoid boot failures, Windows checks the available space and installability before attempting the update. If the check fails, the update is suppressed, and the device lands in the blocked state.
Second, certain motherboard implementations have bugs that prevent correct handling of the Secure Boot variable update process. The UEFI specification defines how the OS can interact with the firmware to update certificates. However, some manufacturers deviated from the spec or introduced race conditions. When Windows detects such known-bad firmware revisions, it applies a block to prevent bricking the system. A well-intentioned certificate update on these platforms could corrupt the boot process permanently.
Third, there is a newer class of devices with hardware-backed security processors (like Microsoft Pluton or discrete TPM 2.0 with specialized firmware) that enforce additional integrity checks. In some cases, the Secure Boot certificate store is locked down more aggressively, and the firmware will only accept certificate updates signed by a specific platform key. If the Windows Update-delivered package does not match that key or fails the extra validation step, the update is silently rejected.
The KB emphasizes that the block is not a result of failing hardware, a virus, or an out-of-date BIOS—though BIOS updates from the OEM may later resolve the issue. The block is decision logic built into the Windows servicing stack to maintain boot integrity.
How to Check if Your System Is Affected
Microsoft provides a PowerShell cmdlet and a standalone MSInfo32 validation path to identify blocked devices. The KB includes a script that queries the UEFI Secure Boot certificate stores and compares them against the expected set. Administrators can run:
Get-SecureBootUEFI -Variable db
and inspect the certificate list. A companion tool, Confirm-SecureBootUEFI, is also referenced. Additionally, the System Information utility (msinfo32.exe) now shows a “Secure Boot Certificate Status” line, which may read “Up to date,” “Installation blocked,” or “Unknown.”
On affected devices, the status will show “Installation blocked” alongside an error code or reason string. Common reasons include “Insufficient UEFI variable storage,” “Firmware revision blocked,” or “Platform key mismatch.” The KB advises users to note these codes and cross-reference them with the remedy table.
IT administrators can also leverage Microsoft Intune or Windows Update for Business reports to detect blocked machines at scale. The certificate block status is now surfaced through the Windows Update health dashboard, making it easier to isolate a fleet-wide issue without manually touching each PC.
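One way to perform the check described above in a form that can be scripted across a fleet. This is an added example, not the KB article's script or a Microsoft tool: it assumes the Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets from the built-in SecureBoot module, the EFI_SIGNATURE_LIST layout from the UEFI specification for the db and dbx variables, and a baseline file name (db-baseline.txt) chosen here. The idea is to export the db thumbprints from a known-good, fully updated machine once, then compare every other machine against that baseline instead of eyeballing the certificate list.

```powershell
# Added example, not taken from KB5105943 or from Microsoft's own validation script.
# Parses the Secure Boot 'db' and 'dbx' variables returned by Get-SecureBootUEFI
# (EFI_SIGNATURE_LIST format) so an administrator can see which trust anchors a
# machine actually holds and compare them with a baseline from a known-good machine.
# Run from an elevated PowerShell session on a UEFI system.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-SignatureList {
    # Walks the concatenated EFI_SIGNATURE_LIST structures in a variable's bytes.
    # Each list: SignatureType GUID (16) | ListSize (4) | HeaderSize (4) | SignatureSize (4)
    #            | header bytes | N x (SignatureOwner GUID (16) + SignatureData)
    param([byte[]]$Bytes)
    $offset = 0
    while (($offset + 28) -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list rather than read past the end of the buffer.
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length -or $sigSize -le 16) { break }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while (($pos + $sigSize) -le $end) {
            [pscustomobject]@{
                Type  = $type
                Owner = [guid]::new([byte[]]($Bytes[$pos..($pos + 15)]))
                Data  = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

function Get-SecureBootDbCertificate {
    # X.509 entries in 'db' are the CAs whose signatures the firmware trusts at boot.
    $db = Get-SecureBootUEFI -Variable db
    foreach ($sig in Read-SignatureList -Bytes $db.Bytes) {
        if ($sig.Type -eq $EFI_CERT_X509_GUID) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($sig.Data)
            [pscustomobject]@{
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                NotAfter   = $cert.NotAfter
                Thumbprint = $cert.Thumbprint
            }
        }
    }
}

function Get-SecureBootDbxSummary {
    # 'dbx' holds revocations: SHA-256 hashes of banned binaries and, sometimes, revoked
    # certificates. A small count on a machine that reports as fully patched is the
    # "frozen in time" symptom described above.
    $dbx  = Get-SecureBootUEFI -Variable dbx
    $sigs = @(Read-SignatureList -Bytes $dbx.Bytes)
    [pscustomobject]@{
        Sha256Hashes = @($sigs | Where-Object { $_.Type -eq $EFI_CERT_SHA256_GUID }).Count
        X509Certs    = @($sigs | Where-Object { $_.Type -eq $EFI_CERT_X509_GUID }).Count
        TotalEntries = $sigs.Count
    }
}

function Compare-SecureBootDb {
    # Compares this machine's db thumbprints against a baseline file written on a
    # known-good machine with:
    #   Get-SecureBootDbCertificate | Select-Object -ExpandProperty Thumbprint | Set-Content db-baseline.txt
    param([Parameter(Mandatory)][string]$BaselinePath)
    $expected = @(Get-Content -Path $BaselinePath | Where-Object { $_ })
    $present  = @(Get-SecureBootDbCertificate | Select-Object -ExpandProperty Thumbprint)
    [pscustomobject]@{
        MissingFromThisMachine = @($expected | Where-Object { $_ -notin $present })
        ExtraOnThisMachine     = @($present  | Where-Object { $_ -notin $expected })
    }
}

# --- usage ---
try {
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled; the stores below are not being enforced.' }
} catch { Write-Warning "Secure Boot state could not be read: $($_.Exception.Message)" }

Get-SecureBootDbCertificate | Format-Table Subject, NotAfter, Thumbprint -AutoSize
Get-SecureBootDbxSummary
# Compare-SecureBootDb -BaselinePath .\db-baseline.txt   # once a baseline has been exported
```

A non-empty MissingFromThisMachine list, or a dbx hash count far below the baseline machine's, is the scriptable equivalent of msinfo32 reporting "Installation blocked"; the same functions can be wrapped in an Intune remediation or scheduled task to feed the dashboard-level reporting mentioned above.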
What Happens When Secure Boot Erodes
The security impact of a frozen certificate store is cumulative. Initially, there is almost no practical risk—the device still enforces Secure Boot against the certificates it has. But as time passes, two problems converge. First, new threats emerge that are mitigated only by having updated prohibitions in the dbx. Second, older trusted certificates may be retired or become compromised, but the device still trusts them because the revocation update never applied. This opens a window for attackers who steal old signing keys or discover weaknesses in outdated certificate hashes.
Security researchers have demonstrated attacks that combine legacy trusted certificates with a malicious bootloader. If a system hasn’t received the update that blocks that certificate, the attacker can chain-load their code seamlessly. The scenario is not theoretical; bootkits like BlackLotus and FinSpy have exploited the gap between public disclosure of a certificate leak and the distribution of revocations. For blocked devices, that gap could become permanent.
Microsoft acknowledges this risk in KB5105943. The document states that while the immediate priority is maintaining bootability, “customers should remediate the block as soon as feasible to restore full Secure Boot protection.” The language is unusually direct for a support article, suggesting that the security implications are significant.
Microsoft’s Remediation Options
KB5105943 outlines a tiered approach to resolving the block, ranging from quick firmware tweaks to hardware replacement.
- BIOS/UEFI Firmware Update: In many cases, the block is tied to a specific firmware version that has a known bug. OEMs have released fixed firmware that expands variable storage or corrects the update mechanism. The KB advises visiting the OEM’s support site, downloading the latest BIOS, and applying it. After flashing, the block status often clears automatically on the next certificate check.
- Clearing Secure Boot Variables: For devices where the available flash space is genuinely too small, Microsoft provides a manual workaround: boot into UEFI settings, delete some existing Secure Boot keys (usually the platform key or some rarely used option ROM signatures), and then re-enroll the default keys. This frees up space for new certificates. However, this process is risky—incorrectly deleting keys can disable Secure Boot entirely or lock the system out. The KB includes detailed steps for advanced users only.
- Windows Update Block Override (Not Recommended): A registry key can force the certificate update installation, bypassing the safety checks. KB5105943 warns that this is a testing-only option and can result in an unbootable system. It should never be used on production machines.
- Hardware Replacement: For machines where no firmware update resolves the storage limitation, and the problem is inherent to the motherboard design, the only complete fix is to replace the device. For enterprise fleets nearing end of life, this may accelerate refresh cycles. Some corporate users on forums report that Microsoft support has offered to escalate these cases to hardware partners for a potential custom firmware build, but success is not guaranteed.
The Community Response and Unanswered Questions
While the KB provides a technical explanation, user discussion threads reveal lingering confusion. One common complaint: the block surfaces with no warning. Many learned about the issue only after a third-party security audit flagged outdated Secure Boot certificates. Some IT admins noted that their deployment dashboards showed all updates OK, yet hundreds of machines were silently blocked. The lack of proactive notification is a pain point.
Another recurring theme is the age of affected hardware. While KB5105943 does not call out specific models, early reports from forums point to motherboards released between 2015 and 2019, particularly those that were early UEFI implementers with limited flash memory. Some premium business notebooks from 2021 that use a rigid platform-key system are also affected, however. The heterogeneity of the affected configurations makes it hard for organizations to predict which machines are at risk without running the specific diagnostic.
A few users have expressed concern that the block might be indirectly related to the broader push for hardware root-of-trust features in Windows 11 and Windows Server 2025. They speculate that newer requirements for Secure Boot to support memory integrity and Credential Guard have made the firmware more finicky. Microsoft has not confirmed this connection, but the timing aligns with an uptick in Secure Boot certificate enforcement.
What’s Next: Evolving Secure Boot Hygiene
KB5105943 is likely just the first public acknowledgment of an issue that will become more common as Secure Boot ages. The UEFI specification continues to evolve, and managing cryptographic trust chains across a billion diverse devices is messy. Microsoft’s decision to prioritize bootability over security—while understandable—highlights a fundamental tension: at what point does a machine become so insecure that it should not boot at all?
Some industry watchers suggest that Windows should eventually start displaying a visible warning on blocked devices, similar to the “Secure Boot is off” watermark in Windows 11. The silent nature of the block is its most dangerous trait. In a corporate environment, a security baseline tool could raise an alert; but for consumers, there is no indication. Microsoft says it is exploring ways to increase visibility without alarming non-technical users.
In the immediate term, the burden is on OEMs to release firmware updates quickly and on organizations to incorporate Secure Boot certificate validation into their health checks. The diagnostic tools provided with KB5105943 are a start, but they require manual scanning—not ideal for large fleets. Expect third-party management suites to add automated detection soon.
For the average Windows user, the best defense remains simple: keep your system’s BIOS up to date, enable automatic Windows Updates, and periodically check the Secure Boot status using msinfo32. If the status isn’t “Up to date,” don’t ignore it—a blocked certificate update today could be the foothold for a bootkit tomorrow.