Windows Server 202X - Unable to update Windows Boot Manager with the Windows UEFI CA 2023 Certificate

AgostinhoCarvalho 20 Reputation points
2026-06-26T19:14:54.57+00:00

Hello,

I am trying to update Windows Server 2022/2025 Boot Manager files, with the newer Windows UEFI CA 2023 Certificates.

Issue

Despite the Secure Boot servicing state machine reporting completion...

  • The system Boot Manager (bootmgfw.efi) remains signed by: Microsoft Windows Production PCA 2011

Expected:

  • Boot Manager should be signed by: Windows UEFI CA 2023

Hardware:

Computer: Dell Pro Tower Plus QBT1250.

CPU: Intel Ultra 5 235

Firmware:

BIOS Version/Date: 1.15.1, 5/21/2026

SMBIOS Version: 3.8

Embedded Controller Version: 1.19

BIOS Mode: UEFI

Secure Boot: Enabled

TPM: Present (not actively used for BitLocker)

Software:

OS: Windows Server 2025 (fresh install + updates)

Edition: Windows Server 2025 Standard

Version: 24H2

OS Build: 26100.32995

Experience: Windows Feature Experience Pack 1000.26100.275.0

Verification

Initial steps: open PowerShell (with admin rights) and run the Boot Manager update according to Microsoft's instructions (see the source links at the end).

The result is shown in the file Output-2023BootCertificate_before_update.txt.

After running the update and rebooting the system, the result is shown in the file Output-2023BootCertificate_after_update.txt.

Result: For some reason, the Windows Boot Manager was not updated and is still using the 2011 boot chain.

What could be causing this? No obvious errors are present, so what might have been overlooked?

The following websites were used as sources for relevant information:

https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

https://lenovopress.lenovo.com/lp2353-updating-windows-boot-manager-and-winpe-windows-uefi-ca-2023-certificate

https://support.microsoft.com/en-us/topic/a-closer-look-at-the-high-confidence-database-32382469-4505-4ed4-915b-982eff09b5d2

https://support.microsoft.com/en-us/topic/enterprise-deployment-guidance-for-cve-2023-24932-88b8f034-20b7-4a45-80cb-c6049b0f9967#id0ebbl=overview&id0ebbj=validate&id0ebbh=overview&id0ebbf=overview

https://support.microsoft.com/en-us/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69

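The question reports the signer of bootmgfw.efi only through the output files produced by Microsoft's documented steps. The following is an added example, not part of the original post and not Microsoft's own tooling, that reads the signer straight from the boot manager the firmware actually loads on the EFI System Partition and compares it with the 2023-signed copy Windows stages before the swap. It assumes a free drive letter (S: by default) and that the staged copy lives at %windir%\Boot\EFI_EX\bootmgfw_EX.efi; both are assumptions, not facts from the page. The issuing CA of the leaf certificate is what distinguishes the old chain (Microsoft Windows Production PCA 2011) from the new one (Windows UEFI CA 2023).

```powershell
# Added example (not from the original post): report which CA issued the signer of
# the boot manager on the EFI System Partition and of the staged 2023-signed copy.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-BootManagerSigner {
    param(
        [string]$DriveLetter = 'S:'   # assumed free letter; the ESP is mounted here temporarily
    )

    mountvol $DriveLetter /S          # mount the EFI System Partition
    if ($LASTEXITCODE -ne 0) { throw "mountvol could not mount the ESP on $DriveLetter" }

    try {
        $files = [ordered]@{
            'ESP bootmgfw.efi (what firmware boots)'         = Join-Path $DriveLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
            'Staged bootmgfw_EX.efi (2023-signed, assumed)'  = Join-Path $env:windir 'Boot\EFI_EX\bootmgfw_EX.efi'
        }

        foreach ($label in $files.Keys) {
            $path = $files[$label]
            if (-not (Test-Path -LiteralPath $path)) {
                [pscustomobject]@{ File = $label; Status = 'missing'; IssuerCA = $null; NewChain = $false }
                continue
            }

            # Authenticode works on EFI PE images. The leaf is "Microsoft Windows"; the
            # issuer names the chain:
            #   CN=Microsoft Windows Production PCA 2011 -> old (2011) chain
            #   CN=Windows UEFI CA 2023                  -> new (2023) chain
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $issuer = $sig.SignerCertificate.Issuer

            [pscustomobject]@{
                File     = $label
                Status   = $sig.Status
                IssuerCA = (($issuer -split ',')[0] -replace '^CN=', '').Trim()
                NewChain = [bool]($issuer -match 'Windows UEFI CA 2023')
            }
        }
    }
    finally {
        mountvol $DriveLetter /D      # always unmount the ESP, even if a check threw
    }
}

Get-BootManagerSigner | Format-Table -AutoSize
```

If the ESP row shows the PCA 2011 issuer while the staged row shows Windows UEFI CA 2023, the 2023-signed boot manager is present on disk but the swap onto the ESP has not happened, which is the state the question describes.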

Answer accepted by question author

Brian Huynh 3,305 Reputation points Microsoft External Staff Moderator
2026-06-29T00:30:09.79+00:00

Hello AgostinhoCarvalho, thank you for posting in the Microsoft Q&A community.

This behavior occurs because the update to the Windows Boot Manager is a multi-stage process. Windows will safely abort or defer the replacement of the bootloader if the system firmware (Secure Boot DB) has not successfully committed the Windows UEFI CA 2023 certificate to NVRAM first. Additionally, some OEM BIOS versions may block OS-initiated Secure Boot DB variable updates to prevent unauthorized changes. When this happens, the 2023 CA certificates must be injected natively via an OEM BIOS update. It is also possible that the system servicing stack is stuck in the "DB Updated" phase but hasn't proceeded to the "Boot Manager Updated" phase because it is waiting for a secondary validation or an additional reboot cycle.

Before Windows can swap the bootmgfw.efi file, we must verify that the firmware actually accepted the new certificate. Please open PowerShell as Administrator and run the following command to check your Secure Boot Database:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

If this returns False, your Dell firmware has not accepted the new certificate into the Secure Boot database, which explains exactly why the bootloader wasn't swapped.

Once you have verified the BIOS is fully up to date and can accept the keys, try forcing the coordinated update mode using the update flag. Run the following commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Restart the server twice after running this task. The process requires a double-reboot cycle to first finalize the database injection and subsequently complete the bootloader swap on the next startup.

If the standard update continues to fail, you might need to temporarily suspend BitLocker while running the update, as TPM sealing conflicts can occasionally cause the bootloader swap to abort and roll back to the 2011 loader to prevent a BitLocker recovery lockout.

To help me further isolate why the update is stalling in your environment, could you provide a bit more data?

Please share the output of the PowerShell verification command above. Additionally, please check the Event Viewer under Applications and Services Logs > Microsoft > Windows > TPM-WMI > Operational for Event IDs 1796 or 1801 immediately after running the scheduled task and rebooting, and let me know if you see any errors logged there.

If this helps clarify the current path forward, please consider hitting "Accept Answer" so other users facing this failure can easily find your workaround.

1 person found this answer helpful.
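The answer asks for three pieces of evidence: whether the firmware DB holds the Windows UEFI CA 2023 certificate, what the AvailableUpdates flag currently says, and whether TPM-WMI logged Event IDs 1796 or 1801 after the scheduled task ran. The following is an added example, not part of the answer and not Microsoft's own tooling, that gathers all of them in one readout so they can be pasted back into the thread. It uses only the cmdlets, registry value, task path and event IDs quoted in the answer; the seven-day event window and the DBX check for the revoked PCA 2011 certificate are additions of this example.

```powershell
# Added example (not from the original answer): one readout of the Secure Boot
# servicing state that the answer asks the poster to report back.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-SecureBootServicingState {
    # Firmware view: the DB must contain the 2023 CA before Windows will swap the
    # boot manager; PCA 2011 in DBX means the old chain has already been revoked.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    # OS view: the AvailableUpdates flag the answer sets with reg add (0x40).
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' -ErrorAction SilentlyContinue
    $available = if ($null -ne $reg.AvailableUpdates) { '0x{0:X}' -f [int]$reg.AvailableUpdates } else { '<not set>' }

    # Did the Secure-Boot-Update task actually run, and with what result?
    $taskInfo = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue |
                Get-ScheduledTaskInfo

    # TPM-WMI events named in the answer (1796, 1801). A hashtable filter returns
    # nothing rather than an error when no matching events exist.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-TPM-WMI/Operational'
        Id        = 1796, 1801
        StartTime = (Get-Date).AddDays(-7)   # window chosen for this example
    } -ErrorAction SilentlyContinue

    $eventLines = @($events | ForEach-Object {
        '{0:u}  Id={1}  {2}' -f $_.TimeCreated, $_.Id, (($_.Message -split "`r?`n")[0])
    })

    [pscustomobject]@{
        SecureBootEnabled      = Confirm-SecureBootUEFI
        DbHasWindowsUefiCa2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        DbxRevokesPca2011      = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
        AvailableUpdates       = $available
        TaskLastRunTime        = $taskInfo.LastRunTime
        TaskLastResult         = if ($taskInfo) { '0x{0:X}' -f $taskInfo.LastTaskResult } else { '<task not found>' }
        RecentTpmWmiEvents     = if ($eventLines.Count) { $eventLines } else { '<none in last 7 days>' }
    }
}

Get-SecureBootServicingState | Format-List
```

Read the output the way the answer does: DbHasWindowsUefiCa2023 being False means the firmware never committed the new certificate and the boot manager swap will keep being deferred regardless of the registry flag; a non-zero TaskLastResult or an Event ID 1796 entry points at the step where the servicing task gave up.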