A Neowin writer discovered in June 2026 that two separate Windows 11 clean installations hit a boot loop on the very first reboot—unless Secure Boot was turned off during setup. The workaround is simple: disable Secure Boot in the UEFI firmware, let Windows finish installing and updating, then re-enable Secure Boot afterward. The culprit appears to be a Secure Boot certificate transition, where the boot files on the installation media use a new signing certificate that the system’s firmware doesn’t yet trust.

This glitch could affect anyone performing a clean install of Windows 11 from freshly created USB media in the coming months, particularly those who download the latest ISO from Microsoft’s website. It adds a frustrating hurdle to what should be a routine procedure, but the temporary Secure Boot toggle keeps the installation on track.

The Discovery: Boot Loop After First Reboot

The Neowin writer, whose report was published in early June 2026, detailed two attempts to clean-install Windows 11 onto modern UEFI-based PCs. In both cases, the initial phase of setup—copying files, detecting hardware, and the first restart—proceeded without error. However, after that first reboot, the system never progressed to the Out-Of-Box Experience (OOBE). Instead, the PC looped back to the Windows Setup screen, refusing to continue.

“I tried everything—re-creating the USB with the Media Creation Tool, using a different flash drive, even swapping the SSD—but nothing worked until I remembered the Secure Boot changes that have been quietly rolling out,” the writer explained. After disabling Secure Boot in the firmware, the installation proceeded normally, and Windows 11 booted to the desktop without issue. Once all updates were applied, Secure Boot could be re-enabled, and the system booted correctly.

Multiple users across forums and social media later confirmed the same behavior. The problem only appeared on clean installs using media created after late May 2026, pointing to a change in the Windows boot files on Microsoft’s latest ISOs.

Root Cause: A Secure Boot Certificate Transition

Microsoft periodically updates the certificates that underpin Secure Boot, both in response to security incidents and because the certificates themselves expire; the 2011-era Microsoft Secure Boot certificates begin expiring in 2026. The firmware's Secure Boot signature database (db) holds the certificates (and, optionally, image hashes) that are allowed to boot, and the forbidden signatures database (dbx) holds revoked certificates and hashes; together they decide which bootloaders the firmware will load. The transition now under way deprecates the old signing certificate and introduces a new one for critical boot components such as bootmgfw.efi.

During a clean install, the Windows setup engine copies a set of UEFI boot files to the system’s EFI system partition. If the installation media contains boot files signed with a certificate that the firmware’s db does not include, the post-reboot bootloader verification fails. The firmware sees an untrusted signature, refuses to load Windows Boot Manager, and the system falls back to the installation media—hence the boot loop.

This is not a bug in the Windows code but a policy mismatch: the boot files are signed under a certificate that the firmware's Secure Boot policy does not recognise. The mismatch occurs only when both of the following hold:
- The installation media was built from the latest Microsoft ISO, whose boot files are signed with the new certificate.
- The device's UEFI firmware has not yet received the new certificate in its db, whether through an OEM firmware update or through a db update applied by Windows.

Devices that have already applied a recent firmware update, or that have received Microsoft's Secure Boot db/dbx updates through Windows Update, trust the new certificate and do not loop. Fresh out-of-the-box machines, and machines whose firmware has not been kept current, are the ones that hit the problem.

How Secure Boot Works and Why It Fails

Secure Boot is a UEFI feature that allows only trusted code to run during the boot process. The firmware keeps a database of authorised certificates and image hashes (db), a database of forbidden certificates and hashes (dbx), a Key Exchange Key database (KEK) whose keys may sign updates to db and dbx, and a Platform Key (PK) that authorises changes to the KEK. At boot, each UEFI executable, the Windows Boot Manager included, must carry a signature that chains to a certificate in db (or have its hash listed there) and must not match any entry in dbx; otherwise the firmware refuses to load it.

During a Windows 11 clean install, the process typically goes like this:
1. The PC boots from the USB installation media, which contains a signed bootloader trusted by the firmware.
2. Windows setup copies the boot files (bootmgfw.efi, BCD, etc.) to the EFI system partition.
3. The system reboots, and the firmware now loads the bootloader from the internal drive instead of the USB.
4. If the bootloader on the internal drive is signed with a different certificate—one not in the firmware’s db—Secure Boot rejects it, and the system falls back to the next boot option, which is often the USB drive again.

The loop is not necessarily endless: after a few attempts the firmware or Windows Setup may show an error or drop into the Windows Recovery Environment, but most users simply saw Setup start over. The report does not say why the media's own boot manager (efi\boot\bootx64.efi on the USB stick) passed verification while the copy staged on the internal drive did not; one explanation consistent with the symptoms is that the two files are signed under different certificates, which can be checked by comparing their Authenticode signers.

This certificate transition is reminiscent of the Secure Boot DBX update KB5012170, released in August 2022, which updated the forbidden signatures database and caused boot issues for some dual-boot configurations and older Linux installations. The current situation is slightly different: it’s a new certificate being added, not an old one being revoked, but the effect on clean installs is similar.

The Workaround: Disable Secure Boot, Install, Update, Re-enable

For users encountering the boot loop, the immediate fix is to temporarily disable Secure Boot in the UEFI firmware settings. This allows the untrusted bootloader to run long enough for Windows to complete installation and download updates—including the Secure Boot certificate update that adds the new certificate to the firmware’s db. Once that update is installed, Secure Boot can be re-enabled, and the system will boot normally.

Here are the steps:

  • Enter firmware setup: When the PC first powers on, press the key to enter firmware setup (commonly F2, Del or Esc).
  • Locate Secure Boot: Under the Security or Boot tab, find Secure Boot and set it to Disabled. Save and exit.
  • Boot from USB: Start the Windows 11 installation as usual. Setup now proceeds past the first reboot without looping.
  • Finish OOBE: Complete the Out-Of-Box Experience, sign in, and connect to the internet.
  • Install all updates: Run Windows Update and install every available update, including any firmware updates that are offered. If a specific Secure Boot certificate update is pending, it should appear as an optional update or be delivered automatically.
  • Re-enable Secure Boot: Once updates are installed and the system has rebooted at least once, confirm that the new certificate is now present in the firmware's db before flipping the switch; if Secure Boot is re-enabled before the db update has landed, the boot loop simply returns. Then restart into firmware settings, re-enable Secure Boot, and restart.
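The two conditions listed under "Root Cause" and the re-enable step above reduce to one question: does the firmware's db contain the CA that signed the boot manager Setup placed on the EFI system partition? The following PowerShell script, an added example and not code from the Neowin report or from Microsoft, answers it on the machine in front of you. It reads the db variable with the built-in Secure Boot cmdlets, pulls the signer and issuer names out of the Authenticode signature on a boot manager file, and reports whether either appears in db. The CA names "Windows UEFI CA 2023" (new) and "Microsoft Windows Production PCA 2011" (old) and the drive letters S: and D: are assumptions, not details from the page.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Neowin report or from Microsoft): does this
# firmware's Secure Boot db trust the CA that signed a given boot manager?
# Assumptions: the new CA is "Windows UEFI CA 2023", the old one is
# "Microsoft Windows Production PCA 2011"; the install USB is drive D:.
# Matching CA names as text inside the db blob works because X.509 subject
# names are stored as printable strings inside the DER-encoded certificates.

function Get-SecureBootDbText {
    # db is an EFI_SIGNATURE_LIST blob; decode it so subject names are searchable.
    $db = Get-SecureBootUEFI -Name db
    [System.Text.Encoding]::ASCII.GetString($db.Bytes)
}

function Test-DbContainsCA {
    param([Parameter(Mandatory)][string]$CAName)
    (Get-SecureBootDbText) -match [regex]::Escape($CAName)
}

function Get-BootManagerChainNames {
    # Returns the signer certificate's own CN and its issuer's CN. One of
    # these is the CA the firmware must hold in db for the file to load.
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $Path" }
    $cert = $sig.SignerCertificate
    $type = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    @(
        $cert.GetNameInfo($type, $false)   # subject CN
        $cert.GetNameInfo($type, $true)    # issuer CN
    )
}

function Test-BootManagerTrusted {
    param([Parameter(Mandatory)][string]$Path)
    $names   = Get-BootManagerChainNames -Path $Path
    $trusted = @($names | Where-Object { Test-DbContainsCA -CAName $_ })
    [pscustomobject]@{
        Path         = $Path
        SignerChain  = ($names -join ' <- ')
        TrustedByDb  = ($trusted.Count -gt 0)
        SecureBootOn = (Confirm-SecureBootUEFI)
    }
}

# Usage 1: the boot manager Setup staged on the EFI system partition. Run from
# the installed OS after the workaround; mountvol /S maps the ESP to a letter.
mountvol S: /S
try {
    Test-BootManagerTrusted -Path 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
} finally {
    mountvol S: /D
}

# Usage 2: the boot manager on the install media, for comparison.
Test-BootManagerTrusted -Path 'D:\efi\boot\bootx64.efi'

# Usage 3: the old and new CAs directly, which is what the re-enable step needs.
'Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023' |
    ForEach-Object { [pscustomobject]@{ CA = $_; InDb = (Test-DbContainsCA -CAName $_) } }
```

TrustedByDb = False for the ESP copy while SecureBootOn = True is exactly the state that produces the loop; TrustedByDb = False with Secure Boot still off means the db update has not arrived yet and re-enabling would bring the loop back. The check only means something on the machine whose firmware you are about to re-enable, and it looks for certificate entries only: a db that trusts a boot manager by image hash rather than by CA would not be detected by the text match.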

For users uncomfortable with disabling Secure Boot outright, the UEFI specification defines an Audit Mode in which signature failures are logged rather than enforced, but few consumer firmware setup menus expose it. Either way, nothing verifies the boot chain while enforcement is off, so keep that window as short as possible: install the updates, confirm the new certificate is in the db, and turn Secure Boot back on.

After re-enabling Secure Boot, the system should boot without issues because the firmware now trusts the new certificate. One precaution: if device encryption or BitLocker was switched on during OOBE, suspend it first (Suspend-BitLocker -MountPoint C: in PowerShell, or manage-bde -protectors -disable C:), because changing the Secure Boot state changes the TPM's PCR 7 measurement and otherwise produces a recovery-key prompt at the next boot. Users who later wipe the PC and reinstall from the same media will not see the loop again, since the updated db lives in firmware NVRAM rather than on the disk that was wiped.

Which Devices and Windows Versions Are Affected?

This is not a widespread issue for existing installations, only for clean installs performed after a specific cutoff date. The affected ISOs are those built after late May 2026, which correspond to Windows 11 version 24H2 (build 26100.xxxx) and any Insider Preview builds that include the new certificate. Devices that installed Windows 11 before the certificate transition and have kept up with Windows Update are not at risk: their firmware already trusts the certificate their existing boot files were signed with, and the db update for the new certificate arrives through the normal update channel before the boot files that depend on it do.

However, devices that:
- Are new and received the motherboard firmware before the certificate update was included.
- Have never been connected to the internet after assembly (common in enterprise imaging scenarios).
- Have firmware that is no longer actively maintained by the OEM (older devices).
might hit the boot loop when performing a clean install from the latest media.

Enterprise IT administrators performing mass deployments from the latest Windows 11 ISO should be aware of this issue. A temporary Secure Boot disable during the deployment task sequence, followed by a firmware update step and a re-enable, avoids rework. MDT and Configuration Manager can sequence those steps, but neither can change a firmware setting on its own: the toggle has to be done through the OEM's BIOS configuration tooling (or WMI interface) for each hardware model in the fleet, and the firmware update step should be verified to have actually added the new certificate before Secure Boot is switched back on.

Microsoft’s Response and Permanent Fix

As of the report’s publication, Microsoft has not issued an official advisory regarding the boot loop. However, the root cause—the Secure Boot certificate transition—is a planned and well-documented part of the Windows servicing lifecycle. In the past, similar changes (such as the 2023 Secure Boot DB update) were accompanied by Knowledge Base articles and guidance.

The permanent fix is twofold:
- Firmware updates: OEMs will integrate the new certificate into their UEFI firmware updates. Users who keep their motherboard’s UEFI up to date will not experience the issue on future clean installs.
- Secure Boot certificate updates via Windows Update: Like the DBX updates delivered through KB5012170 and later revisions, Microsoft will likely push a db update that adds the new certificate. This update will be offered automatically to all supported Windows 11 systems and, once installed, will prevent the boot loop.

Microsoft normally staggers these certificate updates to avoid boot failures on systems where the firmware update hasn’t been applied. The boot loop on clean installs suggests the new certificate arrived in the ISO before many PCs received the corresponding firmware or Windows Update package. Users who have already applied the June 2026 cumulative update might have received the certificate addition silently, which is why many aren’t affected.

Community Feedback and Workaround Validation

Forum discussions quickly latched onto the Neowin report. A moderator on a popular Windows help site noted, “We’ve been seeing a spike in boot loop complaints since the end of May. The Secure Boot disable workaround has worked for nearly everyone. It’s reminiscent of the KB5012170 mess.” Several users reported that after the workaround, running msinfo32.exe showed Secure Boot as “On” without incident.

Some users questioned whether Microsoft intended this to happen. “Why would they ship ISOs signed with a certificate that no one’s firmware trusts yet? That’s a recipe for disaster,” one commenter wrote. Others pointed out that the transition is necessary but poorly communicated. The general sentiment is that while the workaround is straightforward, the lack of an official warning from Microsoft is frustrating—especially for less technical users who face a baffling boot loop.

What This Means for Windows 11 Users

The Secure Boot certificate transition is an important security maintenance step. Certificates have fixed validity periods, and a signing key that stays in use for many years accumulates exposure; rotating them on a schedule is standard practice. The boot loop, while inconvenient, is a temporary hiccup that affects only a narrow slice of scenarios, primarily clean installs from the latest media on devices that have not received the updated firmware or db update.

For the average Windows 11 user who keeps their PC updated, this issue will never appear. For IT professionals, the workaround is a quick toggle during deployment. As OEMs roll out firmware updates over the next few months, the problem will fade.

Still, the incident highlights the communication gap between Microsoft's servicing pipeline and its install media. Shipping boot files signed under a certificate that a significant share of hardware does not yet trust is a risky move, even if the plan is to push the db update alongside the ISO release. Historically, Microsoft has timed such ISOs to coincide with cumulative updates that prepare the firmware, but in June 2026 the two clearly got out of step.

If you’re planning a clean install in the near future, download the latest installation media from Microsoft, but be prepared to disable Secure Boot if you encounter a post-reboot loop. Alternatively, wait until your device has installed the latest firmware and Windows updates before wiping the system. As always, back up your data and note your UEFI settings before making changes.

The episode is a reminder that even a foundational security feature like Secure Boot isn’t immune to growing pains—but a simple toggle can keep your install on track while Microsoft catches up.