Controls which Secure Boot update actions to perform on the device. Setting the appropriate bitfield here initiates the deployment of new Secure Boot certificates and related updates.

All Windows devices with Secure Boot enabled must be updated to the 2023 certificates before expiration to ensure continued security update support. This guide provides a monitoring-only approach using Microsoft Intune Remediations (Proactive Remediations).

Learn how to change settings to enable Secure Boot if you are not able to upgrade to Windows 11 because your PC is not currently Secure Boot capable.

Disabling Secure Boot significantly reduces device protection, removes safeguards against boot‑level malware, and can create new security and compliance risks. The recommended path is to ensure your device receives the updated 2023 Secure Boot certificates and any required OEM firmware updates.

Learn how to update your security processor or TPM firmware to protect Windows 10 and your device from attacks by malicious software.

Run Microsoft's Sample Secure Boot Inventory Data Collection script to check Secure Boot certificate update status. The script collects several data points including Secure Boot state, UEFI CA 2023 update status, firmware version, and event log activity.

Starts Windows using your current video driver and using low resolution and refresh rate settings. You can use this mode to reset your display settings. Enable Safe Mode. Safe mode starts Windows in a basic state, using a limited set of files and drivers.

In the Windows Security app on your PC, select Device security, or use the following shortcut: Device security. A Secured-core PC is designed to provide advanced security features right out of the box. These PCs integrate hardware, firmware, and software to offer robust protection against sophisticated threats.

Learn how to check if your PC is capable of running TPM 2.0 or how to enable TPM 2.0 to upgrade to Windows 11.

To install the update, use either of the following methods. Automatically install from Windows Update. KB5007651. Manually download the update. Note: Run the installation as an administrator. Learn more about the Windows Security app here.