UEFICA2023Status Stuck at InProgress or NotStarted on Windows 11

Windows tracks the rollout of the new Secure Boot 2023 certificates through a registry value called UEFICA2023Status. When this value stays at InProgress or NotStarted instead of moving to Updated, the new certificates have not fully deployed to your device yet. This guide walks through the real causes behind the stuck status and the fixes that actually resolve it.


What Causes UEFICA2023Status to Get Stuck

A few issues can leave the status stuck, and the right fix depends on which one applies.

  • The certificates have downloaded but not yet applied to the firmware
  • The update is still mid-cycle, since the task only runs every 12 hours and needs a restart to finish
  • The firmware or BIOS is too old to accept the new keys
  • Microsoft has paused the rollout for the device, or the hardware has a firmware-side limitation

Fix 1: Check the Message in Windows Security First

Before changing anything, check what Windows itself says about the block. Open Windows Security and go to Device Security. The message shown there tells you exactly which of the four scenarios applies, and each one needs a different response.

  • “Secure Boot is on, but your device is affected by a known issue”: Microsoft has paused the update for your device. This is not something on your end. The update resumes automatically once Microsoft resolves it.
  • “Secure Boot is on, but your device is using an older boot trust configuration”: Windows does not have enough data yet to classify your device for automatic update. Keep installing Windows Updates and wait a few days. If this message does not change, check for a newer BIOS from your manufacturer.
  • “Your device does not support the automated Secure Boot certificate update”: Your firmware or hardware cannot process the new certificates automatically. Contact your device manufacturer, since no user-side fix applies here.
  • “This device can no longer receive required updates”: Your firmware does not support the new certificates. Contact your manufacturer for a BIOS update. If none is released, the device will not receive the new certificates.

Fix 2: Let the Scheduled Task Complete Its Normal Cycle

If Windows Security shows no blocking message, the InProgress state may simply be normal. The task that processes the update runs every 12 hours, and the boot manager portion of the update only completes after a restart. Keep the device on and connected, install any pending Windows Updates, and restart it once or twice over the next day before assuming something is broken.

To confirm the certificates have at least downloaded, check Event Viewer:

  1. Launch Event Viewer and expand Windows Logs, then select System.
  2. Click Filter Current Log on the right side.
  3. Enter 1808 in the field that says All Event IDs, then click OK.

If Event ID 1808 appears, Windows has already downloaded the latest Secure Boot certificates. They just have not been applied to the firmware yet, which is consistent with a status still sitting at InProgress.

Fix 3: Check the Exact Registry Values for the Failure Point

If waiting does not move the status, check the registry values directly to see where the process is actually stuck. Open Registry Editor and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

Look at these three values:

  • UEFICA2023Status: NotStarted means the update has not run yet. InProgress means it is actively running. Updated means it finished successfully.
  • WindowsUEFICA2023Capable: A value of 0 or a missing key means the certificate is not in the database yet. A value of 1 means the certificate is in the database but not yet installed. A value of 2 means the system is already starting from the 2023 signed boot manager, so no action is needed.
  • UEFICA2023Error: This should not exist, or should read 0, on a healthy device. Any non-zero value means the update hit an underlying issue that needs troubleshooting, and the specific error code corresponds to a documented Secure Boot event you can look up in Event Viewer.

If UEFICA2023Error shows a non-zero code, the status will not move past InProgress on its own no matter how long you wait or how many times you restart.

Fix 4: Update the BIOS or Firmware

TPM-WMI errors logged as Event ID 1796 or 1801 during the update task typically point to firmware that is not committing the new keys, even when Secure Boot is enabled and the task runs without any other errors. This is a firmware issue, not something Windows itself can fix on the software side.
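The Event Viewer check from Fix 2 and the error events described above can be pulled in one read-only query. This is an added example, not code from the original guide; the 14-day window and the variable names are assumptions.

```powershell
# Added example (not from the original guide): list the Secure Boot update
# events the article names (1808, 1796, 1801) from the System log.
$ids   = 1808, 1796, 1801
$since = (Get-Date).AddDays(-14)   # assumption: a two-week look-back window

# Get-WinEvent raises an error when nothing matches, so suppress it and
# force the result into an array (empty when there are no events).
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = $ids; StartTime = $since
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated -Descending)

$downloaded = @($events | Where-Object { $_.Id -eq 1808 })
$fwErrors   = @($events | Where-Object { $_.Id -in 1796, 1801 })

# Event IDs are only unique per provider, so show ProviderName and confirm
# the rows come from the TPM-WMI source before drawing conclusions.
$events |
    Select-Object TimeCreated, Id, ProviderName,
        @{ n = 'FirstLine'; e = { ("$($_.Message)" -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

if ($fwErrors.Count -gt 0) {
    "Found $($fwErrors.Count) event(s) with ID 1796/1801: firmware is likely not committing the keys (Fix 4)."
} elseif ($downloaded.Count -gt 0) {
    "Event 1808 present, no 1796/1801: certificates downloaded, not yet applied (consistent with InProgress)."
} else {
    "None of the three event IDs logged since $since."
}
```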

One reported case matches this exactly: an HP EliteBook 840 G8 running BIOS 01.23.00 stayed stuck at InProgress with Event ID 1796 and 1801 appearing every time the update task ran, even after manually running the task, restarting multiple times, and confirming Secure Boot was enabled. The fix that resolved it was waiting for an HP BIOS update carrying the updated keys, since HP ships the Secure Boot key update through the BIOS itself from version 01.22 onward for this model.

If your device uses BitLocker, disable it before updating the BIOS by running this from an elevated command prompt, then wait for decryption to finish:

manage-bde -off C:

Check your manufacturer’s support page for a BIOS version released after your device started shipping, install it, and re-enable BitLocker afterward if you turned it off.

Fix 5: Manually Trigger the Update Through the Registry

This method is meant for advanced users and IT-managed devices. It works by manually setting the same trigger that Microsoft’s rollout system sets automatically. It will not help if your firmware is rejecting the update; Fix 4 covers that case. Run each command separately from an administrator PowerShell prompt:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Reboot the system once the AvailableUpdates value changes to 0x4100, then run the scheduled task command again. This second pass updates the boot manager and moves AvailableUpdates to 0x4000 when it succeeds. You can find Microsoft’s full documentation on these keys on the official Secure Boot registry key support page.

If the status still will not move past InProgress after this, the block is almost certainly on the firmware side, and Fix 4 is the only remaining path forward.
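The registry values from Fix 3 and the AvailableUpdates stages from Fix 5 can be read together in one pass. This is an added example, not code from the original guide or from Microsoft; it only reads the registry, and Get-RegValue is a hypothetical helper defined here.

```powershell
# Added example (not from the original guide): read-only triage of the
# Secure Boot 2023 servicing values. Nothing here writes to the registry.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$servicing = Join-Path $base 'Servicing'

function Get-RegValue([string]$Path, [string]$Name) {
    # Hypothetical helper: returns $null when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$status    = Get-RegValue $servicing 'UEFICA2023Status'
$capable   = Get-RegValue $servicing 'WindowsUEFICA2023Capable'
$errorCode = Get-RegValue $servicing 'UEFICA2023Error'
$available = Get-RegValue $base 'AvailableUpdates'

if     ($capable -eq 2) { $capableText = '2: booting from the 2023 signed boot manager' }
elseif ($capable -eq 1) { $capableText = '1: certificate in the database, not yet installed' }
else                    { $capableText = '0 or missing: certificate not in the database yet' }

# Pick the next step using only the rules the article states.
if ($status -eq 'Updated' -or $capable -eq 2) {
    $next = 'No action needed.'
} elseif ($null -ne $errorCode -and $errorCode -ne 0) {
    $next = 'UEFICA2023Error is non-zero: waiting or restarting will not help. Look up the matching Secure Boot event, then see Fix 4.'
} elseif ($available -eq 0x4100) {
    $next = 'Reboot, then run the Secure-Boot-Update task again (second pass of Fix 5).'
} elseif ($available -eq 0x4000) {
    $next = 'Boot manager pass reported success (AvailableUpdates is 0x4000).'
} elseif ($status -eq 'InProgress') {
    $next = 'Can be normal: install pending updates and restart; the task reruns every 12 hours (Fix 2).'
} else {
    $next = 'NotStarted or missing: keep installing Windows Updates and check the Windows Security message (Fix 1).'
}

[pscustomobject]@{
    UEFICA2023Status         = if ($null -eq $status) { '(missing)' } else { $status }
    WindowsUEFICA2023Capable = $capableText
    UEFICA2023Error          = if ($null -eq $errorCode) { '(missing)' } else { '0x{0:X}' -f $errorCode }
    AvailableUpdates         = if ($null -eq $available) { '(missing)' } else { '0x{0:X}' -f $available }
    NextStep                 = $next
} | Format-List
```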

Most devices resolve this on their own within a few update cycles, since Windows retries the task automatically every 12 hours. The cases that stay stuck long term almost always trace back to outdated firmware, which is why checking the Windows Security message and the registry error code early saves time before assuming something needs to be forced.

Frequently Asked Questions

Does InProgress mean the update failed?

No. InProgress means the update is actively running. It only indicates a real problem if it stays that way for several days while UEFICA2023Error shows a non-zero value.

What do Event ID 1796 and 1801 mean?

They are TPM-WMI errors logged when the update task attempts to apply the Secure Boot certificates and the firmware does not commit them. This usually points to outdated BIOS or firmware rather than a Windows-side problem.

Is it safe to manually trigger the update through the registry?

Yes, on a standard consumer device. Setting AvailableUpdates to 0x5944 and running the scheduled task is the same mechanism Windows uses automatically. It will not force the update through if your firmware is actually rejecting it.

Do I need to take action if the status shows NotStarted?

Not immediately. Wait a few days and keep installing Windows Updates. If it has not changed after that, move to checking the registry error code and the Windows Security message.
