Hello AgostinhoCarvalho, thank you for posting in the Microsoft Q&A community.
This behavior occurs because the update to the Windows Boot Manager is a multi-stage process. Windows will safely abort or defer the replacement of the bootloader if the system firmware (Secure Boot DB) has not successfully committed the Windows UEFI CA 2023 certificate to NVRAM first. Additionally, some OEM BIOS versions may block OS-initiated Secure Boot DB variable updates to prevent unauthorized changes. When this happens, the 2023 CA certificates must be injected natively via an OEM BIOS update. It is also possible that the system servicing stack is stuck in the "DB Updated" phase but hasn't proceeded to the "Boot Manager Updated" phase because it is waiting for a secondary validation or an additional reboot cycle.
Before Windows can swap the bootmgfw.efi file, we must verify that the firmware actually accepted the new certificate. Please open PowerShell as Administrator and run the following command to check your Secure Boot Database:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If this returns False, your Dell firmware has not accepted the new certificate into the Secure Boot database, which explains exactly why the bootloader wasn't swapped.
Once you have verified the BIOS is fully up to date and can accept the keys, try forcing the coordinated update mode using the update flag. Run the following commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Restart the server twice after running this task. The process requires a double-reboot cycle to first finalize the database injection and subsequently complete the bootloader swap on the next startup.
If the standard update continues to fail, you might need to temporarily suspend BitLocker while running the update, as TPM sealing conflicts can occasionally cause the bootloader swap to abort and roll back to the 2011 loader to prevent a BitLocker recovery lockout.
To help me further isolate why the update is stalling in your environment, could you provide a bit more data?
Please share the output of the PowerShell verification command above. Additionally, please check the Event Viewer under Applications and Services Logs > Microsoft > Windows > TPM-WMI > Operational for Event IDs 1796 or 1801 immediately after running the scheduled task and rebooting, and let me know if you see any errors logged there.
If this helps clarify the current path forward, please consider hitting "Accept Answer" so other users facing this failure can easily find your workaround.
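Added example, not part of the original answer: a read-only PowerShell script that collects the data points the answer asks for (db certificate check, `AvailableUpdates` value, scheduled task result, BitLocker state, Event IDs 1796 and 1801) in one pass. The event provider name `Microsoft-Windows-TPM-WMI` and the `PSCustomObject` field names are assumptions, not taken from the answer.

```powershell
# Added example: read-only; changes no firmware, registry or BitLocker setting.
# Run in an elevated PowerShell session on the affected machine.

# 1. Same db check as in the answer, wrapped so a firmware/query error is reported.
try {
    $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
    $has2023 = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
} catch {
    $has2023 = "query failed: $($_.Exception.Message)"
}

# 2. Current AvailableUpdates value (the answer sets it to 0x40 before running the task).
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$prop = Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue
$flag = if ($null -ne $prop) { '0x{0:X}' -f $prop.AvailableUpdates } else { 'not set' }

# 3. Last run of the scheduled task named in the answer.
$taskInfo = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' `
                -ErrorAction SilentlyContinue | Get-ScheduledTaskInfo

# 4. BitLocker protection on the system drive (the cmdlet may be absent on some servers).
$bitlocker = 'BitLocker cmdlets not installed'
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if ($vol) { $bitlocker = [string]$vol.ProtectionStatus }
}

# 5. Event IDs 1796 / 1801. Filtering by provider (assumed name) avoids hard-coding
#    the log channel; no match simply yields an empty result.
$events = Get-WinEvent -FilterHashtable @{
              ProviderName = 'Microsoft-Windows-TPM-WMI'
              Id           = 1796, 1801
          } -MaxEvents 20 -ErrorAction SilentlyContinue

[pscustomobject]@{
    DbHasWindowsUefiCa2023 = $has2023
    AvailableUpdates       = $flag
    TaskLastRunTime        = $taskInfo.LastRunTime
    TaskLastResult         = $taskInfo.LastTaskResult
    BitLockerProtection    = $bitlocker
    MatchingEventCount     = @($events).Count
} | Format-List

$events | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

Running it before the scheduled task and again after each of the two reboots shows at which stage the values stop changing.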