On July 14 Patch Tuesday, Microsoft auto-enables Secure Boot enforcement for CVE-2023-24932 (KB5025885). Here's the catch your RMM won't tell you: "patch applied" ≠ "enforcement ready." HP devices need a firmware update first, Qualcomm/ARM64 devices are blocked, and stale-patched machines may fail to boot. Upload a CSV of your client devices to see exactly which clients need action — in 30 seconds, free, right in your browser.
⏰ Enforcement auto-enables July 14, 2026 (Patch Tuesday)
1. Upload your device list (CSV)
Export a device list from your RMM (NinjaRMM, ConnectWise, Datto, Action1) or any spreadsheet with columns like client, hostname, OS, manufacturer. Nothing leaves your computer.
2. Confirm your columns
We auto-detected these from your file. Adjust if anything looks off, then run the check. Only OS version and manufacturer are needed for the readiness logic — the rest just make the report readable.
Your Secure Boot fleet readiness report
This is a screen, not a guarantee: it flags the well-documented blockers (HP firmware, Qualcomm ARM64, encryption-software conflicts) and out-of-support / clearly-behind-on-patches devices. Always confirm against Microsoft's KB5025885 guidance and your hardware vendor before enforcement day.
Get a heads-up before the next Microsoft enforcement deadline
Secure Boot is just the latest. Microsoft flips on a new enforcement (SMBv1, TLS 1.0, NTLM, LAPS, Basic Auth, now Secure Boot) 2–4× a year — and each one quietly turns "fully patched" fleets into "about to break." I'm building a service that re-checks your client fleet before every enforcement deadline and emails you the exact devices that need action. Drop your email for the beta.
Free beta. Paid auto-monitoring tiers below. No spam, unsubscribe anytime.
Solo MSP
$29/mo
Up to 10 clients / 50 devices
Alert before every Microsoft enforcement deadline
Per-client readiness reports
Pro
$49/mo
Unlimited clients & devices
RMM import (NinjaRMM / ConnectWise / Datto)
Scheduled re-checks + CSV/PDF export
Why "all patches applied" isn't the whole story
July 14, 2026 Patch Tuesday auto-enables Secure Boot enforcement for CVE-2023-24932. The servicing update (KB5025885) updates the Secure Boot DB/DBX so the old vulnerable bootloader is distrusted. A device that hasn't taken the deployment steps can fail to boot once enforcement flips on.
HP devices with HP Sure Start can require an HP firmware/BIOS update before enforcement so the firmware accepts the updated Secure Boot keys. Patching Windows alone isn't enough — these show as Needs action.
Qualcomm / ARM64 devices (Snapdragon-based Surface, ThinkPad X13s, Copilot+ PCs) have hit firmware issues with the Secure Boot key updates and may be Blocked until the OEM/Qualcomm ships a fix. We flag them so you don't enforce into a brick.
Third-party encryption / boot software (e.g. Symantec Endpoint Encryption and similar pre-boot tools) can conflict with the updated Secure Boot chain — flagged as Blocked / verify.
Out-of-support or stale-patched OS builds won't reliably receive the enforcement servicing — flagged as Needs action.
Windows 10 reached end of support on Oct 14, 2025. By July 14, 2026 a Win10 device only keeps getting the KB5025885 servicing update if Extended Security Updates (ESU) is active — so we flag Win10 as Verify rather than assuming it's ready.
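The screening rules above can be run over an RMM export as follows. This is an added example, not this tool's own code. It assumes the CSV columns named earlier (client, hostname, OS, manufacturer); the match strings and the "No known blocker" label are assumptions, and the encryption-software and stale-patch checks are left out because they need inventory data beyond OS and manufacturer.

```python
import csv
import io
from collections import Counter

# Status names follow the page; CLEAR is this example's own label. Hint strings are assumed.
BLOCKED, ACTION, VERIFY, CLEAR = "Blocked", "Needs action", "Verify", "No known blocker"
SEVERITY = (BLOCKED, ACTION, VERIFY, CLEAR)  # worst first
ARM_HINTS = ("qualcomm", "arm64", "snapdragon")
EOL_HINTS = ("windows xp", "windows vista", "windows 7", "windows 8")

def classify(os_name, manufacturer):
    """Return (status, reasons) for one device; the worst finding sets the status."""
    os_l, mfr_l = os_name.strip().lower(), manufacturer.strip().lower()
    found = []
    if not os_l or not mfr_l:
        found.append((VERIFY, "OS or manufacturer missing, cannot screen"))
    if any(h in os_l or h in mfr_l for h in ARM_HINTS):
        found.append((BLOCKED, "Qualcomm/ARM64: may be blocked until OEM firmware fix"))
    if mfr_l == "hp" or mfr_l.startswith(("hp ", "hewlett")):
        found.append((ACTION, "HP: firmware/BIOS update needed before enforcement"))
    if any(h in os_l for h in EOL_HINTS):
        found.append((ACTION, "OS build out of support"))
    elif "windows 10" in os_l:
        found.append((VERIFY, "Windows 10: confirm ESU is active"))
    found.sort(key=lambda f: SEVERITY.index(f[0]))
    return (found[0][0] if found else CLEAR), [reason for _, reason in found]

def screen(csv_text):
    """Classify every CSV row; header names are matched case-insensitively."""
    rows = []
    for raw in csv.DictReader(io.StringIO(csv_text)):
        row = {k.strip().lower(): (v or "").strip() for k, v in raw.items() if k}
        status, reasons = classify(row.get("os", ""), row.get("manufacturer", ""))
        rows.append({**row, "status": status, "reasons": reasons})
    return rows

def per_client(rows):  # (client, status) -> device count
    return Counter((r.get("client", "?"), r["status"]) for r in rows)

# Constructed sample fleet, not real data.
SAMPLE = """client,hostname,OS,manufacturer
Acme,ACME-LT01,Windows 11 Pro 24H2,Dell Inc.
Acme,ACME-LT02,Windows 11 Pro 23H2,HP
Acme,ACME-SF03,Windows 11 Home ARM64,Microsoft
Birch,BIR-PC01,Windows 10 Pro 22H2,Lenovo
Birch,BIR-PC02,Windows 7 Professional,HP
Birch,BIR-PC03,,Dell Inc."""

if __name__ == "__main__":
    print(per_client(screen(SAMPLE)))
```

A device can match several rules at once; the reasons list keeps all of them so an HP machine on an out-of-support OS shows both items to fix.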