The Windows 11 preview update KB5074105, released on January 29, 2026, and the official updates that follow it mark a turning point: the Secure Boot certificate transition moves from its preparatory phase to the "regular rollout" of Secure Boot updates.
To describe the impact and the countermeasures accurately, we used real hardware to deliberately reproduce a state in which the device no longer boots because of a Secure Boot violation, and then verified a full recovery from that state.
This applies not only to KB5074105 but to every Windows 11 (version 24H2/25H2) user who installs updates from this point on: the update rewrites the PC's boot path (the boot manager on the EFI system partition, and the certificates the firmware trusts), so it is important to understand the details correctly and to be prepared.
What happens with KB5074105 (preview) and future official versions?
With this update (and every update that follows, including the preview), the boot manager is replaced in stages on devices whose firmware certificate database (DB) already contains the "Windows UEFI CA 2023" certificate.
- Signature renewal and pre-check: the bootmgfw.efi signed with the 2011 certificate ("Microsoft Windows Production PCA 2011") is replaced with a bootmgfw.efi signed with the 2023 certificate ("Windows UEFI CA 2023"). Depending on your environment, the file may already have been replaced before this update was installed. You can check which signature your PC is currently using manually, or with the tool published on the following page.
- Transition to normal deployment: until now this was a manual, gradual preparation phase; with this patch and the next official release it enters an automatic "execution phase" that raises the Secure Boot security level without any user action.
⚠️ Risk of "Secure Boot Violation"
Here we clarify the specific operations Microsoft is warning about and explain why they are dangerous.
Once this update is applied, the PC's boot manager will no longer pass Secure Boot verification unless the 2023 certificate is present in the DB. The biggest risk is therefore any operation that touches the DB (certificate database) or the Secure Boot setting itself.
- Trigger: resetting the DB (certificate database), or toggling Secure Boot off and on. Depending on the model, "Load Default" (restoring BIOS defaults) may also reset the DB.
- Result: if one of these operations removes the 2023 certificate, the firmware no longer trusts the new boot manager and treats it as an invalid file. An error such as "Secure Boot Violation" or "Boot failure" is displayed and Windows cannot start. The message seen on our test machine:
Boot failure: a proper digital signature was not found. One of the files on the selected boot device was rejected by the Secure Boot feature.
[Verified] Why does simply turning Secure Boot off and on make the device unbootable?
Regarding the sentence in the official documentation that turning the setting on or off can result in a violation, we contacted Microsoft technical support directly to confirm the mechanism. Their reply:
Secure Boot: In this release of Windows 11, version 24H2, devices that already have the Windows UEFI CA 2023 certificate in the Secure Boot signature database (DB) will perform an update to the Boot Manager, which replaces the 2011-signed bootmgfw.efi with the 2023-signed bootmgfw.efi. Resetting the DB or turning Secure Boot on or off can cause a "Secure Boot Violation" issue. In these rare cases, the solution is to create Secure Boot recovery media.
Source: Microsoft technical support.
The cause is not a malfunction of the OS itself but a "trust mismatch" with the firmware (BIOS/UEFI).
- Windows Update behaviour: at the moment of the update, Windows correctly verifies that the firmware DB contains the 2023 certificate, so the 2023-signed boot manager is installed successfully.
- Why "off and on" is a trigger: the problem starts afterwards. When Secure Boot is turned off or its mode is changed, some firmware implementations drop the newly added 2023 certificate from the DB (on many boards because the firmware rewrites the DB from its built-in factory defaults, which still contain only the 2011 certificates; see the next section).
- Error when re-enabling: if Secure Boot is turned back on in this state, the firmware finds the 2023-signed boot manager but no certificate that authorises it, and blocks the boot with a Secure Boot violation.
In short: the Windows Update check was correct at the time, but a later user operation caused the firmware to lose the trust anchor.
If you switch Secure Boot settings frequently, for example when dual-booting with Linux, this "certificate drop by the firmware" can happen at any time, so having Secure Boot recovery media ready in advance is essential.
This site explains how to create this "Secure Boot recovery media" in a way that even beginners can follow.
[Microsoft's recommended measure]
To avoid the worst case, an unbootable device, we strongly recommend that you first create this media on any device whose firmware DB already contains the "Windows UEFI CA 2023" certificate.
[Important] For older environments where no firmware update is provided
If you use an older PC whose manufacturer does not provide a BIOS (UEFI firmware) version that ships the 2023 certificates as defaults, and the certificate was instead added by Windows Update, pay close attention to the following points.
The difference between "OS-written active variables" and "firmware defaults stored on the motherboard"
The official documentation puts it in technical terms:
"In environments where certificates are updated through Windows Update, the Secure Boot active variable is enforced through the OS. The Secure Boot firmware defaults are maintained by the OEM..."
Source: Microsoft documentation.
Broken down in plain language, it means this:
- Windows Update is "coloring over the sketch": after the OS starts, it writes the new certificate into the firmware's active Secure Boot variables (DB and KEK) stored in NVRAM on the motherboard. This write persists across reboots, but it is an addition on top of the firmware's defaults, not a change to them.
- The motherboard keeps only the "old sketch": the factory default values built into the firmware image can only be changed by a BIOS/UEFI update from the manufacturer (OEM).
- "Reset" erases the coloring: loading defaults from the BIOS menu (or a "Restore factory keys" option) discards what the OS wrote to the active variables and exposes the old sketch again, that is, the 2011 certificates only.
Microsoft's advice: don't touch it unless there is a manufacturer update
The official Microsoft documentation contains a sentence worth reading carefully:
"We recommend that you do not change or update your Secure Boot configuration unless your OEM has released an update that changes your firmware defaults to the new certificates."
Source: Microsoft documentation.
Applied to the current situation, this means:
- OS updates walk a tightrope: Windows Update adds the new certificate to the firmware's active variables, but it cannot change what the firmware considers its defaults.
- The motherboard's defaults are still from 2011: the factory defaults stored in the firmware are not replaced unless the manufacturer (OEM) provides a firmware update.
- Changing settings can break the boot: if you "update" or "reset" Secure Boot settings from the BIOS screen without such a firmware update, the firmware falls back to its old defaults. The 2023-signed boot manager that the OS installed then no longer matches what the firmware trusts, and the PC may no longer boot. This is why Microsoft warns not to touch it lightly.
The risk that "resetting to defaults" is fatal
Even if Windows Update has written the latest certificate into the active variables, running "Load Optimized Defaults" forces the certificates back to the old state the moment it is executed.
- Incompatibility with the current boot manager: if the manufacturer has not updated the firmware, this reset erases the 2023 certificate from the DB and leaves the firmware unable to verify the boot manager Windows installed. The result is a checkmate.
- What happens: the boot manager now requires the 2023 certificate, but the firmware can only offer the 2011 certificates. The firmware treats this as a "Secure Boot Violation" and Windows cannot start.
The only way to avoid the "checkmate"
Because the manufacturer does not update the firmware, the defaults at the root of the PC stay old. If a BIOS reset leaves the OS unable to start, then without Secure Boot recovery media you will not be able to boot with Secure Boot turned on again.
[Verified] Recovery when the PC fails to boot with a "Secure Boot Violation" before you have created recovery media
If the manufacturer does not update the firmware, the defaults deep inside the PC remain outdated. If the BIOS is reset to factory settings, for example by a dead CMOS battery or an accidental operation, and the OS cannot start, it is normally impossible to boot with Secure Boot enabled again without Secure Boot recovery media.
However, we demonstrated that it is possible to recover from a "stuck" state (certificates deleted from the DB by hand, leaving the system unable to start) with the steps below.
If you run into the problem before you could create the media, do not give up. Try the following:
[Rescue flow: recovery procedure when you do not have Secure Boot recovery media]
- Symptom: after a BIOS reset or an update problem, "Secure Boot Violation" appears at startup and Windows does not start.
- First aid: enter the BIOS settings, set "Secure Boot" to Disabled and save.
- *This temporarily skips signature verification so that Windows can start. While Secure Boot is off, the boot path is not protected, so treat this as a short-lived state and re-enable it as soon as the DB has been repaired.
- Work: in the Windows session that now boots, create the "Secure Boot recovery media" (procedure below).
- *This is the key point: as long as the OS can start, you can still make the "key" afterwards.
- Repair: boot the PC from the USB drive you created (see "How to use and operate Secure Boot recovery media").
- *The tool re-injects (appends) the lost 2023 certificate into the DB.
- Completion: enter the BIOS settings again, set "Secure Boot" back to Enabled, and Windows starts successfully with Secure Boot on.
Does your PC have the "2023 key"?
Updates from KB5074105 onwards replace the boot manager only on devices whose firmware DB already contains the "Windows UEFI CA 2023" certificate. Those are the devices that need care when resetting the BIOS after updating.
Follow the steps below to check whether your PC is affected.
Method 1: check with the dedicated tool (recommended). The check tool provided on this website determines this with one click. Download the Windows Secure Boot Certificate Checker.
Method 2: check with a PowerShell command. If you prefer not to use a tool, follow these steps.
- Right-click the Start button > Terminal (Administrator).
- Copy and paste the following command and run it:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Interpreting the result:
- True (or the tool displays "[Windows UEFI CA 2023] - Expiration date: June 2035"):
- Your PC is eligible. When you install the update, the boot manager is switched to the 2023 signature as soon as the update task runs. Create Secure Boot recovery media now.
- False (or not detected):
- The forced replacement does not apply to you yet. The risk is low for now, but understand the mechanism in preparation for the full deployment.
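The one-liner above inspects the DB only. As an added example that is not part of the original page or of Microsoft's tooling, the following PowerShell script gathers the other facts that matter together: whether Secure Boot is on, which Microsoft CAs the firmware's DB and KEK actually hold, which CA issued the signer of the boot manager currently on the EFI system partition, what the Windows servicing stack reports, and whether the repair tool used later on this page is present. It also saves a snapshot so that, after a BIOS settings change such as the "off and on" case described earlier, you can run the comparison and see whether the firmware dropped the 2023 certificate. Assumptions: drive letter S: is unused (it is used briefly to mount the EFI system partition), and the registry value name UEFICA2023Status is as documented in Microsoft's Secure Boot certificate guidance at the time of writing; if the key is absent the script reports "not reported". Run it from an elevated Terminal.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's or Microsoft's own script.
# Reports the Secure Boot certificate state relevant to the 2023 CA transition.

$KnownCAs = @(
    'Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011',
    'Microsoft Corporation KEK CA 2011', 'Windows UEFI CA 2023',
    'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023',
    'Microsoft Corporation KEK 2K CA 2023'
)

function Get-SecureBootCANames {
    # Returns which of the known Microsoft CAs appear in a Secure Boot variable.
    # The variable is an EFI_SIGNATURE_LIST blob; certificate subjects inside the
    # DER data are plain ASCII, so a substring match is enough (same idea as the
    # one-liner in the text).
    param([ValidateSet('db', 'KEK')][string]$Variable)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    @($KnownCAs | Where-Object { $text.Contains($_) })
}

function Get-BootManagerSignerIssuer {
    # Mounts the EFI system partition on S: (assumption: S: is free), reads the
    # Authenticode signer of bootmgfw.efi, and unmounts again. An issuer of
    # 'Windows UEFI CA 2023' means the boot manager has already been swapped.
    $esp = 'S:'
    mountvol $esp /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$esp\EFI\Microsoft\Boot\bootmgfw.efi"
        $sig.SignerCertificate.Issuer
    } finally {
        mountvol $esp /D | Out-Null
    }
}

function Get-SecureBootReport {
    # Value name UEFICA2023Status is an assumption taken from Microsoft's guidance.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                            -ErrorAction SilentlyContinue
    $status = 'not reported'
    if ($svc -and $svc.UEFICA2023Status) { $status = $svc.UEFICA2023Status }
    $dbBytes = [byte[]](Get-SecureBootUEFI -Name db).Bytes
    $dbHash  = (Get-FileHash -InputStream ([IO.MemoryStream]::new($dbBytes)) -Algorithm SHA256).Hash
    [pscustomobject]@{
        Taken               = (Get-Date).ToString('o')
        SecureBootEnabled   = Confirm-SecureBootUEFI
        DbCAs               = Get-SecureBootCANames -Variable db
        KekCAs              = Get-SecureBootCANames -Variable KEK
        BootManagerIssuer   = Get-BootManagerSignerIssuer
        UefiCa2023Status    = $status
        RecoveryToolPresent = Test-Path "$env:SystemRoot\Boot\EFI\securebootrecovery.efi"
        DbSha256            = $dbHash
    }
}

function Compare-SecureBootSnapshot {
    # Compares the current state with a snapshot saved earlier (for example before
    # a BIOS settings change) and flags what matters for the scenario on this page.
    param([string]$Path)
    $old = Get-Content -Path $Path -Raw | ConvertFrom-Json
    $new = Get-SecureBootReport
    [pscustomobject]@{
        DbChanged        = $old.DbSha256 -ne $new.DbSha256
        Lost2023Ca       = ($old.DbCAs -contains 'Windows UEFI CA 2023') -and
                           ($new.DbCAs -notcontains 'Windows UEFI CA 2023')
        BootMgrNeeds2023 = $new.BootManagerIssuer -match 'Windows UEFI CA 2023'
    }
}

# Usage: take a snapshot now; after touching the BIOS, run the comparison.
$snapshot = "$env:USERPROFILE\secureboot-snapshot.json"
$report   = Get-SecureBootReport
$report | ConvertTo-Json -Depth 3 | Set-Content -Path $snapshot
$report | Format-List
if ($report.BootManagerIssuer -match 'Windows UEFI CA 2023' -and
    $report.DbCAs -notcontains 'Windows UEFI CA 2023') {
    Write-Warning 'Boot manager is 2023-signed but the DB lacks Windows UEFI CA 2023: the next boot with Secure Boot on will fail.'
}
# Later: Compare-SecureBootSnapshot -Path $snapshot
```

The combination to watch for is the one the warning at the end prints: a boot manager whose signer was issued by "Windows UEFI CA 2023" while that CA is absent from the DB. That is exactly the state the "off and on" and "Load Defaults" operations above produce, and it is recoverable only by re-adding the certificate (the recovery media below) or by turning Secure Boot off.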
For more information about the "Update Task", please refer to the following page.
[Advanced] How to Manually Update Secure Boot Certificates Immediately
Solution: create Secure Boot recovery media
Microsoft strongly recommends creating dedicated "recovery media" to resolve this rare boot failure.
Earlier guidance was based on the OS's standard "recovery drive", but on current UEFI systems the large system files are not needed: an empty USB flash drive formatted as FAT32, with a single repair program placed on it, works perfectly as dedicated repair media.
[Update: March 20, 2026] Simplified procedure. We initially provided instructions based on the OS "recovery drive", but later testing showed that for this repair it is enough to copy one file to an empty USB flash drive. Media created with the earlier procedure still works; anyone creating new media should follow the simpler procedure below.
Prerequisites: use a PC that meets the following conditions:
- The Windows update of July 9, 2024 or later is installed, so that the file C:\Windows\Boot\EFI\securebootrecovery.efi exists.
- A USB flash drive formatted as FAT32 (a very small capacity is sufficient).
[Update March 20, 2026: Warning] Devices on which the repair tool must not be used
Microsoft's official documentation currently warns against using this repair application on the devices and environments listed under "Known Issues":
- Certain HP devices (models with Sure Start Security)
- Arm64-based devices (models with Qualcomm firmware)
- Apple Macs (including Boot Camp on models with the T2 security chip)
- VMware environments (Windows on a virtual machine)
- Windows Server 2012 / 2012 R2 (TPM 2.0-based systems)
- Systems with Symantec Endpoint Encryption installed
In these environments there are known issues where the repair tool may not work correctly, or where firmware limitations can leave the system unbootable. If your PC falls into one of these categories, do not perform this procedure; wait for an official firmware update from the manufacturer (OEM).
For the detailed conditions, see the "Known Issues" section of the official Microsoft documentation. ▶ Microsoft official documentation (mitigating Secure Boot issues)
STEP 1: Create the necessary folder on the USB flash drive.
*Important: the commands below assume the USB drive has the drive letter D:.
Open Command Prompt as administrator, confirm the drive letter (for example in Explorer), and change the D: part to match your environment before running the commands.
md D:\EFI\BOOT
- [Explanation] This creates the "standard startup folder" (\EFI\BOOT) that UEFI firmware reads first on removable media. (If you get an error saying it already exists, ignore it and continue with the next step.)
STEP 2: Copy the repair application.
Next, run the following command.
copy C:\windows\boot\efi\securebootrecovery.efi D:\efi\boot\bootx64.efi
If you are asked "Overwrite D:\efi\boot\bootx64.efi? (Yes/No/All):", type y and press Enter.
- [Explanation] The repair tool that ships with Windows (securebootrecovery.efi) is copied to the USB drive under the default boot file name bootx64.efi. UEFI firmware is designed to find \EFI\BOOT\bootx64.efi on removable media automatically and execute it, so no boot entry needs to be created.
- After pressing Enter, confirm that "1 file(s) copied." is displayed.
Your "Secure Boot recovery media" is now complete. You can close the Command Prompt.
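The two commands above are all it takes. As an added example that is not part of the original page or of Microsoft's documentation, here is the same procedure as a PowerShell script with the checks a practitioner would add before trusting the media: it stops if the repair tool is missing or does not carry a Microsoft signature, if the target is not a FAT32 volume, or if the copy does not match the original byte for byte. The drive letter D: is an assumption; pass your own with -Drive. Run it from an elevated Terminal; it does not format the drive.

```powershell
#Requires -RunAsAdministrator
# Added example, not the page's or Microsoft's own script: build Secure Boot
# recovery media from the locally installed securebootrecovery.efi.
param([string]$Drive = 'D:')   # assumption: the empty FAT32 USB drive is D:

$letter = $Drive.TrimEnd(':')
$src    = Join-Path $env:SystemRoot 'Boot\EFI\securebootrecovery.efi'
$dstDir = Join-Path "${letter}:" 'EFI\BOOT'
$dst    = Join-Path $dstDir 'bootx64.efi'

# 1. The tool ships with the July 9, 2024 or later update; without it there is
#    nothing to copy.
if (-not (Test-Path -LiteralPath $src)) {
    throw "Not found: $src. Install the July 9, 2024 or later Windows update first."
}

# 2. Refuse to put an unsigned or foreign binary on a boot device. Secure Boot
#    would reject it anyway, but failing here gives a clear reason.
$sig = Get-AuthenticodeSignature -FilePath $src
if (-not $sig.SignerCertificate -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Unexpected or missing signature on $src (status: $($sig.Status))."
}

# 3. UEFI firmware reads FAT volumes only; copying to a fixed NTFS disk is the
#    classic mistake, so check the target before writing anything.
$vol = Get-Volume -DriveLetter $letter -ErrorAction Stop
if ($vol.FileSystem -ne 'FAT32') {
    throw "$Drive is $($vol.FileSystem), not FAT32. Format the USB drive as FAT32 first."
}
if ($vol.DriveType -ne 'Removable') {
    Write-Warning "$Drive is reported as '$($vol.DriveType)', not 'Removable'. Double-check the drive letter."
}

# 4. \EFI\BOOT\bootx64.efi is the UEFI default boot path for removable x64 media,
#    so the firmware runs it without any boot entry in NVRAM.
New-Item -ItemType Directory -Path $dstDir -Force | Out-Null
Copy-Item -LiteralPath $src -Destination $dst -Force

# 5. Verify the copy byte for byte and report.
$srcHash = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
$dstHash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
if ($srcHash -ne $dstHash) { throw 'Copy verification failed; recreate the media.' }
"Secure Boot recovery media ready: $dst (SHA256 $dstHash)"
```

Save it under any name (for example New-SecureBootRecoveryMedia.ps1) and run it as `.\New-SecureBootRecoveryMedia.ps1 -Drive E:` when the USB drive has a different letter. The signature check in step 2 is deliberately on the source file, not the copy: Secure Boot only ever executes the file if its signature chains to a certificate the firmware trusts, so a file that fails the check here would simply produce another "Secure Boot Violation" at boot.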
【Related Links】
- [Independent Verification] Will the Secure Boot issue brick your graphics card in 2026? We asked official Microsoft support directly.
- [Warning] BIOS manipulation can make your PC unbootable? Three measures to prepare for Secure Boot updates
- How to check the version and expiration date of Windows Secure Boot certificate
[Independent verification] Can the media repair a different PC, or an unsupported PC?
Is the Secure Boot recovery media only usable on the PC it was created on, or can it repair other PCs as well? The official documentation does not answer this, so we tested it on real hardware.
Test 1: media created on a current BTO desktop, used on a laptop
First, to check how portable the media is, we tested in the following environment.
- Creation environment: a working BTO desktop PC (Windows 11)
- Repair target: a laptop that cannot boot (Windows 11)
A normal Windows "recovery drive" contains drivers specific to the PC it was created on, so using it on another machine is not recommended. This "Secure Boot recovery media", however, worked without any problem even though it was created on a different PC.
Test 2: recovery of an unsupported PC (2015 model)
To test under harsher conditions, we also used a 2015 laptop that does not meet the Windows 11 requirements (it had been upgraded using a workaround).
- Deliberately making it unbootable: we manually cleared the certificates in the DB from the 2015-era BIOS (UEFI) setup, reproducing the "Secure Boot Violation" condition the official warning describes.
- Repair: we connected the Secure Boot recovery media created on the current BTO PC to the laptop and ran the repair program.
- Result: despite a gap of about ten years between the two machines, the certificate was injected successfully and the unsupported PC booted Windows 11 again.
Verification result: the media is a relief measure that works across generations and models
After this testing we conclude that this media is an extremely versatile tool, something like a "master key" for restoring the 2023 certificate.
Confidence gained from testing
- Re-injecting trust: the media contains nothing specific to the machine it was created on. It is a Microsoft-signed EFI application that writes Microsoft's signed DB update into the firmware; because that update is authenticated by the Microsoft KEK certificate that practically every Windows PC's firmware already holds, the firmware accepts it regardless of model. (A firmware whose KEK does not contain a Microsoft KEK CA, for example one enrolled with custom keys only, cannot accept it.)
- Reactive use is possible: even if you own only one PC and it becomes unbootable, media created on someone else's PC can be brought over, which greatly improves the chances of recovery.
- A lifeline for older PCs: for users whose motherboard will never receive a firmware update from the manufacturer, this media is a powerful way to avoid being stuck.
How to use and operate Secure Boot recovery media
Here is how to use the recovery media you created to repair a PC that no longer boots, based on the behaviour observed in our tests.
1. Insert the recovery media into the PC and boot from it
Insert the USB drive and turn the PC on. Immediately press the manufacturer's boot menu key (F12, F11, F8, etc.) to open the "Boot Menu", or enter the BIOS setup (F2, Delete, etc.) and change the boot order (Boot Priority) so that the PC boots from the USB drive.
* The USB drive is usually listed as "UEFI: (manufacturer name) USB". Select the UEFI entry; a legacy (non-UEFI) entry will not run the tool.
Reference: shortcut key list by manufacturer (BIOS / boot menu)
| Manufacturer | Boot Menu (recommended) | BIOS setup |
| --- | --- | --- |
| HP | F9 (or Esc) | F10 |
| Dell | F12 | F2 |
| Lenovo | F12 | F2 (or Fn+F2) |
| NEC / Fujitsu | F12 | F2 |
| Dynabook (Toshiba) | F12 | F2 (or Esc+F1) |
| ASUS | F8 (or Esc) | F2 / Delete |
| MSI | F11 | Delete |
| Surface | Volume down + Power | Volume up + Power |
| Self-built PC / BTO | F11 / F12 | Delete |
2. The repair runs automatically (no action required)
The tool is fully automatic; nothing needs to be clicked or typed. You only see a black screen with white text like the following:
Microsoft Secure Boot Recovery Version 1.0
Visit https://aka.ms/securebootrecovery to learn more about this application.
Checking Secure Boot Certificate Configuration…
Updating the Secure Boot Certificate database with the Microsoft UEFI 2023 certificate…
Secure Boot Certificate database successfully updated.
System will reboot in 10 seconds.
3. The PC restarts automatically and recovery is complete
After "Secure Boot Certificate database successfully updated." is displayed, the PC restarts automatically after 10 seconds. The firmware's DB now contains the 2023 certificate. Remove the USB drive and Windows starts normally as before.
4. Remove the USB drive (important): when the screen goes black and the reboot begins, remove the USB drive immediately; otherwise the firmware may boot the tool again.
- If you used the boot menu (e.g. F12): just unplug the USB drive. The selection was temporary, so the PC boots from its normal Windows disk (HDD/SSD).
- If you changed the boot order in the BIOS settings: after removing the USB drive, enter the BIOS setup again if necessary and restore the original boot priority.
If you reach the Windows sign-in screen, the repair is complete. You can confirm the state from Windows with Confirm-SecureBootUEFI (should return True) and the DB check command above.
Summary: what users who confirmed the "2023 signature" with the checker tool should do
With this change, the operations Microsoft warns against, "resetting the DB (certificate database)" and "changing Secure Boot settings (on/off)", can cause Secure Boot violations and, in the worst case, a Windows 11 installation that never boots again.
If the Windows Secure Boot Certificate Checker distributed by this site shows "[Windows UEFI CA 2023] - Expiration date: June 2035", you are exposed to this risk whether or not you have installed KB5074105.
Better safe than sorry: now is the time to create Secure Boot recovery media. We especially recommend that PC builders, and anyone who regularly changes Secure Boot-related BIOS settings, keep one of these USB drives on hand as a physical first-aid kit (a spare key).