One day, when I turned on my PC as usual, a warning message appeared and Windows 11 wouldn't start up at all.
Such a nightmare could soon happen to your PC, not due to a virus or malfunction, but due to a legitimate security update.
In this article, based on actual testing, we explain what the "Secure Boot Certificate (2023 version)" update currently underway for Windows 11 is, and why, when combined with a "BIOS reset," it becomes a time bomb that can render a PC unable to boot.
And to prepare for that "what if" moment, we'll introduce you to three ironclad measures you should take right now (creating a dedicated repair tool, backing up, and setting up emergency systems).
What's happening? Generational change in "Secure Boot Certificates"
First, let's briefly understand what's going on in the background.
There is a mechanism called "Secure Boot" that protects the safety of your PC when it starts up. This is like a tough "gatekeeper" for the OS, watching over the PC from when it is turned on until Windows starts up, to prevent any malicious programs from interfering.
This gatekeeper judges security by looking at the "digital signature (certificate)" that serves as a pass, but a vulnerability (CVE-2023-24932) was found in the old certificates. Therefore, the entire industry is preparing for a complete transition to the new "2023 version" certificate, with 2026 as the target.
Here's the catch: starting with the Windows 11 preview update released on January 29, 2026 (KB5074105 and later), on devices that already have the "Windows UEFI CA 2023" certificate in the BIOS (DB), the Windows boot system (boot manager) is replaced with the "2023 version."
In other words, Windows will present a new "pass." The biggest risk here is BIOS operation. If the 2023 version information is deleted from the "gatekeeper's list (DB)" that accepts the pass, because of a reset or other operation, the pass will be deemed "not on the list" even though it is legitimate, and startup will be refused.
The purpose of this article is not to stop updates. Its main purpose is to help you understand the mechanisms of the problems specific to this "transitional period" and to prepare you to reissue a "new pass (key)" yourself in case of an emergency.
[Important] Is your BIOS being updated "without your knowledge"?
Many people may think, "I don't remember updating the BIOS," but do you have a dedicated support app provided by your PC manufacturer, such as Dell's "SupportAssist" or HP's "Support Assistant," installed?
These tools may be updating your BIOS without you realizing it.
A typical case is when the tool notifies you that there is an important update and you hit the "Update All" button without realizing that the list includes a BIOS update.
Even if you don't intend to do so, the "Secure Boot Certificate," which is the core of your PC's security, may have already been updated.
How to check the BIOS update date
1. Press Windows key + R to open Run, type "msinfo32" and press Enter.
2. Check the "BIOS Version/Date" in the right column.
[Supplementary Information] Manual BIOS update may be required
Of course, not all PCs update their BIOS automatically.
If you are using a self-built PC (BTO computer) or if you have a manufacturer-made PC but have disabled the support app, you may need to periodically check the official website of your PC manufacturer (or motherboard manufacturer) and manually download and update the BIOS yourself.
We recommend searching for your PC's manufacturer and model number and checking the support page to see if the latest BIOS has been released (check all updates for versions newer than your current BIOS version).
*For the author's PC motherboard (model number: B550M-P4), a BIOS including an update to the Secure Boot Key (2023 KEK/DB/PK) was released on 2025/10/09.
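Beyond the BIOS date, it is worth knowing whether the firmware itself already carries the 2023 certificate. The following PowerShell script is an added example, not part of the original article: it reports the BIOS version and date and checks both the active DB and the firmware's default DB (dbDefault) for "Windows UEFI CA 2023". It assumes that a key reset reloads DB from dbDefault, which depends on the firmware.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on a UEFI system (Get-SecureBootUEFI fails on legacy-BIOS machines).

function Test-SecureBootVarContains {
    param(
        [Parameter(Mandatory)][string]$Name,     # UEFI variable: db, dbDefault, ...
        [Parameter(Mandatory)][string]$Subject   # certificate name to search for
    )
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    } catch {
        return $null   # variable not exposed by this firmware, or session not elevated
    }
    # The variable holds binary EFI signature lists. The certificate's subject
    # name is stored inside as plain ASCII, so a text search is enough to tell
    # whether the certificate is present.
    $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    return $text.Contains($Subject)
}

$ca2023 = 'Windows UEFI CA 2023'
$bios   = Get-CimInstance -ClassName Win32_BIOS

$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
$inDb       = Test-SecureBootVarContains -Name db        -Subject $ca2023
$inDefault  = Test-SecureBootVarContains -Name dbDefault -Subject $ca2023

[pscustomobject]@{
    BiosVersion       = $bios.SMBIOSBIOSVersion
    BiosReleaseDate   = $bios.ReleaseDate
    SecureBootEnabled = $secureBoot
    CA2023InDb        = $inDb
    CA2023InDbDefault = $inDefault
} | Format-List

# Assumption: a "restore factory keys" style reset reloads db from dbDefault.
if ($inDb -and -not $inDefault) {
    Write-Warning "db trusts '$ca2023' but the firmware defaults do not (or cannot be read): a key reset would drop it. Check for a BIOS update and prepare recovery media first."
} elseif ($inDb -and $inDefault) {
    Write-Output "'$ca2023' is in both db and the firmware defaults."
} else {
    Write-Output "'$ca2023' is not in db; per the article, the boot manager is only replaced on devices that already have it."
}
```

A null value in the report means the variable could not be read, which is different from the certificate being absent.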
This has serious implications for your PC
This "gatekeeper rule update" is essential for strengthening security, but if you perform certain operations after Windows Update replaces the boot manager (startup system), there is a fatal risk that the PC won't start at all.
1. Biggest risk: "Secure Boot violation" due to BIOS manipulation
This is the most alarming point this time. Windows Update (KB5074105 or later) rewrites the PC's boot file to require the "2023 version key." However, resetting the motherboard (BIOS) settings or running out of battery can cause an accident in which the "2023 version key" is lost from the permission list (DB).
As a result, the PC mistakenly identifies genuine Windows as a "malicious program," which may lead to a serious situation in which the OS itself loses its startup privileges.
2. Peripherals or old cards stop working (Option ROM)
Another risk is that signatures (Option ROMs) of older graphics cards, network cards, etc. may be deemed "untrusted" under the new rules, which could result in certain hardware not being recognized or the screen going blank.
3. Risk of having to disable Secure Boot
If your PC won't boot, disabling Secure Boot may be a temporary solution. However, this comes with significant risks. Removing the "checkpoint" allows malware, such as rootkits, to infect the OS boot process (its deepest part).
2. "Second disaster" after recovery: the possibility that the PIN is broken and you can no longer sign in
Another thing to be careful about is "PIN (personal identification number) corruption."
When you reset or update the BIOS to resolve Secure Boot issues, it often also resets the TPM chip that manages Windows Hello security information. This can lead to a secondary disaster: after struggling to start your PC, you're locked out because you're told your PIN isn't available.
If you are in an environment without an internet connection and this happens, you will be stuck and unable to reset your Microsoft account password. To avoid this risk, we strongly recommend changing the following settings.
- Right-click the Start button > Settings > Accounts > Sign-in options.
- Under "Additional Settings," turn off the switch for "For better security, only allow Windows Hello sign-in for Microsoft accounts on this device (recommended)."
As of October 9, 2025, we have confirmed an issue where the PIN becomes unusable after performing a Windows Update or BIOS update, and the message "Could not verify credentials" is displayed.
Why turn this setting off?
By turning off this setting, even if there is any problem with your PIN or fingerprint authentication (Windows Hello), you will be given the option to sign in with your Microsoft account password as usual.
When you first create a PIN for your Microsoft account, an internet connection is required to securely link your account to your PC's TPM (Trusted Platform Module). In other words, a PIN is like a "key that you set online once and can be used conveniently offline," while a password is like a "key that is primarily used online but can also be used offline."
If you turn this setting off, you can sign in with your Microsoft account password even if you are not connected to the Internet or if your PIN has been deleted. This is a very important "escape route" in an emergency.
Recommended Preparation
To prevent such "unable to boot" problems, we strongly recommend that you take the following precautions:
Check for BIOS updates
Motherboard manufacturers may provide new BIOS versions that support the 2023 signature. By updating, the key may not be erased even after resetting. (Please be careful with the update procedure.)
[Most important] Create "Secure Boot recovery media"
Instead of using a regular recovery drive, create a "Secure Boot recovery media" that can restore the lost key (DB). With this, you can recover in just a few seconds even if a BIOS reset accident occurs.

Backing up your OS
We strongly recommend that you back up your entire current environment in case of system damage.
Use backup software such as Acronis True Image to save the entire state of your PC at this very moment when it is operating normally to an external hard drive or similar.
Of course, if the "2023 key" is lost, which is the biggest risk, the PC will not start unless you use the "Secure Boot Recovery Media." However, if you experience any other problems (such as Windows corruption due to a failed update, operating error, or driver malfunction), you can always restore your PC to its current state with this backup.
- Secure Boot Recovery Media: Insurance to repair your front door lock
- Backup: Insurance to protect your household goods (data and OS)
Having these two is truly the "strongest insurance" that allows you to perform important BIOS and Windows updates "at any time" without any fear.
Summary
- Background: With the Windows 11 update (KB5074105 and later), the Secure Boot certificate is being replaced with the 2023 version.
- Biggest risks: If you reset or operate the BIOS, the key may be lost, resulting in a "Secure Boot Violation (unable to boot)." Also, if the TPM is cleared during recovery, a secondary disaster may occur, resulting in "unable to sign in."
[Three preparations you should make now]
- Key Repair: Create a "Secure Boot Recovery Media" in case your computer won't boot. (This is the only solution.)
- System Protection: Take a complete backup of the entire system in case of problems such as update failure.
- Secure an escape route: To prevent being locked out (PIN corruption) by clearing the TPM, enable the "Emergency Escape Route" in the sign-in settings.
As the saying goes, "prevention is better than cure," so in this case, you'll need three things: a USB stick, a hard hat (backup), and a duplicate house key (PIN code). We hope this article helps protect your PC from future problems.




