Your PC shows "Windows Boot Manager has been blocked by the current security policy" and refuses to start. This started happening after the March 2026 cumulative update (KB5079473) for Windows 11. The update replaces expiring 2011 Secure Boot certificates with new 2023 versions, and some systems with older BIOS firmware choke on the swap.

Your PC is fine. The data is still there. You just need to fix the Secure Boot configuration.

Quick Fix

Option 1: Reset Secure Boot keys in BIOS

  1. Power on and mash F2, DEL, or F1 to enter BIOS/UEFI setup. The exact key varies by manufacturer
  2. Navigate to the Security or Secure Boot section
  3. Set Secure Boot Mode to Custom
  4. Select Clear Secure Boot Keys. Some boards label this "Reset Keys"
  5. Save and exit
  6. Re-enter BIOS immediately
  7. Select Install Default Secure Boot Keys or Restore Factory Keys
  8. Set Secure Boot Mode back to Standard or User Mode
  9. Make sure OS Type is set to Windows UEFI Mode. Do not select "Other OS"
  10. Save and reboot

Windows should boot normally.

Option 2: Disable Secure Boot temporarily

If resetting keys does not work:

  1. Enter BIOS setup
  2. Find Secure Boot and set it to Disabled
  3. Save and boot into Windows
  4. Install all pending Windows updates
  5. Update your BIOS firmware from your manufacturer's website (see below)
  6. Re-enter BIOS and Enable Secure Boot again

Update Your BIOS Firmware

This is the real fix. KB5079473 ships newer Secure Boot certificates that older firmware does not recognize. Updating your BIOS adds support for the 2023 certificates.

Check your manufacturer's support page.

Download the latest BIOS update for your exact model. Most manufacturers provide a Windows-based installer or a USB flash method. Follow their instructions carefully.

If You Cannot Boot at All

If you are stuck at the error screen and cannot reach BIOS:

  1. Create a Windows 11 bootable USB on another computer using the Media Creation Tool
  2. Boot from the USB drive
  3. Click Repair your computer instead of Install
  4. Go to Troubleshoot > Advanced options > Startup Repair
  5. If Startup Repair does not fix it, go back to Advanced options > Command Prompt and run:
       bcdedit /set {default} bootstatuspolicy ignoreallfailures
       bootrec /rebuildbcd
       bootrec /fixboot
  6. Reboot and enter BIOS to reset Secure Boot keys using the key reset steps above

What Causes This

Microsoft is phasing out Secure Boot certificates that expire in 2026. KB5079473 started pushing replacement certificates from 2023 to devices automatically. The rollout is phased and targets devices that Microsoft considers "high confidence" for the swap.

The problem: some motherboards with older UEFI firmware do not have the 2023 certificate authority in their trust store. When the new certificate lands but the firmware does not recognize it, the system blocks the Windows boot loader entirely.

This mostly hits:

  • Custom-built PCs with motherboards from 2018-2021 that have not had BIOS updates
  • Older business laptops that skipped firmware updates
  • Systems where the manufacturer stopped releasing BIOS updates
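
Once the machine boots into Windows, you can check whether the firmware trust store described above actually holds the 2023 certificates. The script below is an added example, not part of the original article; it assumes an elevated PowerShell session on a UEFI system, and `Test-UefiVarContains` is a hypothetical helper name. It reads the active Secure Boot variables and the firmware's factory defaults and reports which of Microsoft's 2011 and 2023 certificate names appear in each.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell
# session on a UEFI system that has booted into Windows.
# The strings below are the subject names of Microsoft's Secure Boot certificates.
# Searching the raw variable for the name is a presence check only; it does not
# validate the certificate itself.

$certs = [ordered]@{
    'KEK' = @('Microsoft Corporation KEK CA 2011',
              'Microsoft Corporation KEK 2K CA 2023')
    'db'  = @('Microsoft Windows Production PCA 2011',
              'Windows UEFI CA 2023',
              'Microsoft Corporation UEFI CA 2011',
              'Microsoft UEFI CA 2023')
}

# Hypothetical helper: $true/$false if the variable could be read,
# $null if the firmware does not expose it (or the session is not elevated).
function Test-UefiVarContains {
    param([string]$Variable, [string]$CertName)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return $null
    }
    if (-not $bytes) { return $false }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($CertName)
}

# Is Secure Boot currently enforced? The cmdlet throws on legacy BIOS systems.
try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $enabled = 'unsupported (legacy BIOS or not elevated)' }
"Secure Boot enabled: $enabled"

# Active = what the firmware trusts right now.
# FirmwareDefault = the factory key set (KEKDefault / dbDefault).
$report = foreach ($var in $certs.Keys) {
    foreach ($name in $certs[$var]) {
        [pscustomobject]@{
            Variable        = $var
            Certificate     = $name
            Active          = Test-UefiVarContains $var $name
            FirmwareDefault = Test-UefiVarContains "${var}Default" $name
        }
    }
}
$report | Format-Table -AutoSize
```

A blank cell means the variable could not be read. A FirmwareDefault column showing False for the 2023 entries points to firmware that predates those certificates.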

Prevent It From Happening Again

  • Keep your BIOS firmware up to date. Check for updates every 6 months.
  • If your manufacturer no longer provides BIOS updates for your model, you may need to keep Secure Boot disabled after future Windows updates that rotate certificates.
  • Consider setting Windows Update to notify before installing, so you can update BIOS first when certificate changes are included.
