Microsoft confirmed on July 10, 2026, that it has paused the distribution of a critical Secure Boot update for some Windows 11 PCs, citing device and firmware combinations that could prevent successful installation or cause boot failures. The move comes as the company works with hardware partners to resolve compatibility issues before resuming the rollout.
What Actually Changed
The update in question is the Secure Boot 2023 certificate update. This is a servicing stack update that revokes trust for bootloaders signed with older certificates, closing known security holes that have been actively exploited. The rollout, which was being distributed through Windows Update, has been paused after Microsoft identified specific hardware configurations where the firmware does not properly handle the new certificate chain. In these cases, installation could either block midway or, more seriously, cause the system to fail to pass POST or boot correctly.
Microsoft has not released a comprehensive list of affected devices, but the issue appears tied to firmware implementations that cannot validate the updated Secure Boot disallow list (DBX) or fail to recognize the new certificate as valid. The pause is temporary; the update continues to be offered to devices that have already received a compatible firmware update from their original equipment manufacturer (OEM).
What It Means for You
For Home Users
If your Windows 11 PC has not yet offered the update, it will likely be blocked automatically until the pause is lifted. No action is required. If you do see the update in Windows Update, your device should be compatible, but it’s wise to first check your PC manufacturer’s support site for any recent firmware updates and install them before proceeding. The update is critical for security, so do not permanently hide it. Wait for the all-clear from Microsoft, then install as soon as it’s made available again.
For Power Users and Enthusiasts
You can manually check the state of Secure Boot on your system by running msinfo32.exe and looking for “Secure Boot State.” If it says “On,” you are booting with Secure Boot enabled. To see the current DBX version, open PowerShell as administrator and run:
Get-SecureBootUEFI -Variable dbx
A successful return will show the current revocation list. If you’re curious whether the 2023 certificate is already applied, compare the list signatures against Microsoft’s advisory ADV230001. Do not attempt to force the update via the Microsoft Update Catalog if it is not offered to you—doing so on an incompatible system could render the machine unbootable.
For IT Administrators
If you manage a fleet of Windows 11 devices, review your update rings and consider temporarily pausing the deployment of this specific servicing stack update if you haven’t already. Use Microsoft Intune, WSUS, or Group Policy to defer the update until you’ve verified firmware compatibility across your hardware inventory. Check your OEM’s enterprise support pages for firmware compatibility matrices. Microsoft has published detection logic that is supposed to only offer the update to compatible devices, but the pause indicates that logic wasn’t fully accurate. Be prepared to test on a representative set of hardware before rolling out broadly.
How We Got Here
Secure Boot was introduced with Windows 8 to prevent unauthorized bootloaders and rootkits from hijacking the boot process. In 2022, the BlackLotus bootkit made headlines by exploiting a Secure Boot vulnerability (CVE-2022-21894) to bypass these protections, even on fully patched Windows 11 systems. The attack leveraged bootloaders signed with legitimate but later revoked certificates. In response, Microsoft began planning a broader revocation of older bootloaders through a new certificate—the Secure Boot 2023 certificate—and started pushing the update in phases.
The initial rollout for this DBX update began in 2023 alongside the release of KB5007651, but distribution was cautious. Throughout 2024 and 2025, Microsoft expanded availability, and by early 2026 it was pushing the update more aggressively to close the remaining exploit window. However, on July 10, 2026, the company acknowledged that its automatic compatibility detection was missing a subset of devices where firmware bugs or missing UEFI updates could lead to installation failures or boot loops. The pause is reminiscent of similar past halts, such as the 2022 pause of the original DBX update for certain AMD systems, and underscores the delicate balance between security hardening and system reliability.
What to Do Now
- Don’t force the update. If Windows Update doesn’t offer it, your device may be in the paused group. Wait for Microsoft and your OEM to approve it.
- Check for firmware updates. Visit your PC or motherboard manufacturer’s support site and install the latest UEFI/BIOS update. Many OEMs are releasing updates specifically to address this Secure Boot change. For example, Dell has published guidance under its DSA-2023-123 advisory, and HP advises checking its TPM and Secure Boot firmware updates.
- If you see the update offered: Before installing, ensure you have a full system backup and a recovery drive. Even on compatible systems, rare edge cases have historically caused startup problems. If the system fails to boot after the update, you may need to temporarily disable Secure Boot in the UEFI settings (if possible), boot into safe mode, or use a recovery USB to roll back the update. Contact Microsoft Support or your OEM if stuck.
- For IT admins: Use Microsoft’s Update Compliance or Windows Update for Business reports to identify devices that have not yet received the update. Align your deployment with OEM firmware release schedules. If you encounter devices that fail, Microsoft recommends opening a case with your OEM and providing memory dumps and UEFI logs.
Outlook
Microsoft is working on enhanced detection in the servicing stack to more accurately exclude incompatible firmware versions. The company expects to resume the rollout “in the coming weeks,” pending firmware updates from major OEMs. In the meantime, the Windows release health dashboard will reflect the latest status.
This episode highlights the growing complexity of UEFI-level security. As threats like BlackLotus evolve, so must the defense mechanisms—but the infrastructure of millions of unique hardware combinations means these rollouts will never be entirely seamless. The 2026 pause is a bump, not a stop. Once resolved, the update will close one of the most persistent Secure Boot vectors seen in years, and users should install it without delay.
For now, the safest stance is patience: check your firmware, watch for the all-clear, and then let Windows Update do its job.