Which of your clients haven't taken the Secure Boot update?
Microsoft is retiring the 2011 Secure Boot certificates and rolling out new "Windows UEFI CA 2023" certificates to fix CVE-2023-24932 (BlackLotus, KB5025885). The 2011 KEK certificate expired June 24, 2026; the Secure Boot DB certificate expires October 2026. Here's the catch your RMM won't tell you: "fully patched" ≠ "certificates deployed." The mitigations aren't on by default — HP devices need a firmware update first, Qualcomm/ARM64 devices are blocked, and devices that never get the 2023 certs quietly stop receiving Secure Boot revocation updates. Upload a CSV of your client devices to see exactly which need action — in 30 seconds, free, right in your browser.
⏰ 2011 KEK cert expired Jun 24, 2026 · DB cert expires Oct 2026
1. Upload your device list (CSV)
Drag & drop your CSV here, or click to choose a file
Export a device list from your RMM (NinjaRMM, ConnectWise, Datto, Action1) or any spreadsheet with columns like client, hostname, OS, manufacturer. Nothing leaves your computer.
Don't have a CSV handy? Try it with sample fleet data →
2. Confirm your columns
We auto-detected these from your file. Adjust if anything looks off, then run the check. Only OS version and manufacturer are needed for the readiness logic — the rest just make the report readable.
Your Secure Boot fleet readiness report
Clients: – · Devices checked: – · Need action: – · Blocked: –
This is a screen, not a guarantee: it flags the well-documented blockers (HP firmware, Qualcomm ARM64, encryption-software conflicts) and out-of-support / clearly-behind-on-patches devices. Always confirm against Microsoft's KB5025885 guidance and your hardware vendor before deploying the Secure Boot revocations.
Get a heads-up before the next Microsoft enforcement deadline
Secure Boot is just the latest. Microsoft flips on a new enforcement (SMBv1, TLS 1.0, NTLM, LAPS, Basic Auth, now Secure Boot) 2–4× a year — and each one quietly turns "fully patched" fleets into "about to break." I'm building a service that re-checks your client fleet before every enforcement deadline and emails you the exact devices that need action. Drop your email for the beta.
Free beta. Paid auto-monitoring tiers below. No spam, unsubscribe anytime.
Solo MSP
$29/mo
Up to 10 clients / 50 devices
Alert before every Microsoft enforcement deadline
Per-client readiness reports
Pro
$49/mo
Unlimited clients & devices
RMM import (NinjaRMM / ConnectWise / Datto)
Scheduled re-checks + CSV/PDF export
Why "all patches applied" isn't the whole story
The 2011 Secure Boot certificates are expiring. To fix the BlackLotus bypass (CVE-2023-24932), Microsoft is replacing the 2011 Secure Boot certificates with new "Windows UEFI CA 2023" certificates. The original Key Exchange Key (KEK) certificate expired June 24, 2026, and the Secure Boot DB certificate expires October 2026. Microsoft has said June 24 is not a hard stop — devices keep booting — but devices that never receive the 2023 certificates will stop getting Secure Boot revocation (DBX) updates and grow less secure over time.
The mitigations are not enabled by default. Per KB5025885, installing the monthly update does not deploy the new certificates on its own — an admin must enable deployment (via Windows Update's "high-confidence" rollout, Intune, registry, or Group Policy). That's why "fully patched" in your RMM doesn't mean a device is actually updated.
HP devices with HP Sure Start need the latest HP firmware/BIOS update first — Microsoft blocks the mitigations until the firmware is current. Patching Windows alone isn't enough — these show as Needs action.
Qualcomm / ARM64 devices (Snapdragon-based Surface, ThinkPad X13s, Copilot+ PCs) have the mitigations blocked by known Qualcomm UEFI firmware issues until the OEM ships fixed firmware — flagged as Blocked.
Third-party pre-boot encryption (e.g. Symantec Endpoint Encryption) can't take the Secure Boot mitigations yet — Microsoft and the vendor are still working on it — flagged as Blocked / verify.
Out-of-support or stale-patched OS builds may not reliably receive the certificate-update servicing — flagged as Needs action.
Windows 10 reached end of support on Oct 14, 2025. A Win10 device only keeps getting the KB5025885 servicing update if Extended Security Updates (ESU) is active — so we flag Win10 as Verify rather than assuming it's ready.
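The flagging rules above can be expressed as one pure function over an RMM export, which is what the check at the top of the page does in the browser. The block below is an added example written for this page, not the tool's own code: it screens constructed sample rows with the same categories (Blocked, Blocked / verify, Needs action, Verify) and applies the most restrictive matching rule first. The column names, the `Ready to enable` label for rows with no documented blocker, the marker lists for Qualcomm/ARM64 and pre-boot encryption, and the `MIN_SUPPORTED_WIN11_BUILD` threshold are all assumptions you would tune to your fleet; it goes slightly beyond the page by parsing the `10.0.NNNNN` build from the OS string to separate Windows 10 from stale Windows 11 builds.

```python
"""Secure Boot certificate-readiness screen over an RMM device export.

Added example, not the page's own code. It implements the page's flagging
rules (HP firmware prerequisite, Qualcomm/ARM64 block, third-party pre-boot
encryption, stale builds, Windows 10 ESU) as a pure function over CSV rows.
Column names, marker lists and the build threshold are assumptions.
"""
import csv
import io
import re

# Assumed RMM column names (the page's tool auto-detects these instead).
COL_OS = "os"
COL_MANUFACTURER = "manufacturer"

# Assumption: Windows 11 builds below this count as behind on servicing.
# 22621 is the 22H2 build; set it to the oldest build you still treat as current.
MIN_SUPPORTED_WIN11_BUILD = 22621

# Markers taken from the page's examples (Snapdragon Surface, X13s, Copilot+)
# plus the architecture string itself; extend for your own fleet.
ARM64_MARKERS = ("qualcomm", "snapdragon", "arm64", "x13s", "copilot+")
THIRD_PARTY_PREBOOT = ("symantec endpoint encryption",)

_BUILD_RE = re.compile(r"10\.0\.(\d{5})")


def parse_build(os_string):
    """Return the Windows build number from strings like
    'Microsoft Windows 11 Pro 10.0.22631', or None if no build is present."""
    m = _BUILD_RE.search(os_string or "")
    return int(m.group(1)) if m else None


def classify(row):
    """Return (status, reason) for one normalised device row.

    Order matters: a documented hard block wins over a firmware prerequisite,
    which wins over a servicing question, so one device gets one status."""
    text = " ".join(str(v) for v in row.values()).lower()
    manufacturer = (row.get(COL_MANUFACTURER) or "").lower()
    build = parse_build(row.get(COL_OS, ""))

    if any(m in text for m in ARM64_MARKERS):
        return "Blocked", "Qualcomm/ARM64: mitigations blocked until OEM ships fixed firmware"
    if any(p in text for p in THIRD_PARTY_PREBOOT):
        return "Blocked / verify", "third-party pre-boot encryption cannot take the mitigations yet"
    if "hp" in manufacturer.split() or manufacturer.startswith("hewlett"):
        return "Needs action", "HP: apply the latest firmware/BIOS before enabling the mitigations"
    if build is None:
        return "Needs action", "OS build not recognised; confirm it is a supported Windows build"
    if build < 22000:
        return "Verify", "Windows 10 (end of support 2025-10-14): only serviced with ESU active"
    if build < MIN_SUPPORTED_WIN11_BUILD:
        return "Needs action", f"Windows 11 build {build} is behind on servicing"
    return "Ready to enable", "no documented blocker; deployment still has to be enabled explicitly"


def screen_csv(csv_text):
    """Screen every row of a CSV export and return per-device results."""
    results = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        # Normalise headers and values so column case and stray spaces don't matter.
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        status, reason = classify(row)
        results.append({"client": row.get("client"), "hostname": row.get("hostname"),
                        "status": status, "reason": reason})
    return results


def summarize(results):
    """Count devices per status, matching the report's headline counters."""
    counts = {}
    for r in results:
        counts[r["status"]] = counts.get(r["status"], 0) + 1
    return counts


# Constructed sample fleet export; these are not real devices.
SAMPLE_CSV = """client,hostname,os,manufacturer,model,encryption
Acme,ACME-LT01,Microsoft Windows 11 Pro 10.0.26100,HP,HP EliteBook 840 G9,BitLocker
Acme,ACME-LT02,Microsoft Windows 11 Pro 10.0.22631,Microsoft Corporation,Surface Pro X Snapdragon,BitLocker
Acme,ACME-WS03,Microsoft Windows 10 Pro 10.0.19045,Dell Inc.,OptiPlex 7090,BitLocker
Globex,GLX-LT01,Microsoft Windows 11 Enterprise 10.0.22000,Lenovo,ThinkPad T14 Gen 3,BitLocker
Globex,GLX-LT02,Microsoft Windows 11 Pro 10.0.22631,Dell Inc.,Latitude 5540,Symantec Endpoint Encryption
Globex,GLX-LT03,Microsoft Windows 11 Pro 10.0.22631,Dell Inc.,Latitude 5540,BitLocker
"""

if __name__ == "__main__":
    res = screen_csv(SAMPLE_CSV)
    for r in res:
        print(f"{r['client']:8} {r['hostname']:10} {r['status']:18} {r['reason']}")
    print(summarize(res))
```

A `Ready to enable` result only means none of the page's documented blockers matched; as the report text says, deployment still has to be switched on per KB5025885, and the device itself is the final authority on whether the 2023 certificate actually landed.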