TPM update:

Bios Update

Windows Update: Download Multi Os

Security Update followed running a Windows Update after the OS update. 2026-05 KB5089549
Fairly large update: While Uploading: Secure Boot - Using an old trust boot configuration.

Will run updates and try to force install scripts once Windows has run all updates
Multiple Updates checks and restarts no change.
Maybe a bios issue

Even with everything updated, my full check showed an error code (see below).
Basically jump into the Bios and 

Fixing Secure Boot Update Error 2147500037 (Access Denied) on HP EliteOne 800 G2

If your Windows System Event Logs are showing Event ID 1801 (Error 2147500037) during the Secure Boot 2026 certificate rollout, it means your HP motherboard is blocking Windows from updating its internal security keys.

Because older HP firmwares default to a strict "Factory Locked" mode, Windows is denied access to write the new 2023 Certificate Authorities (CAs).

Follow this step-by-step hardware walkthrough to clear the lock and successfully apply the security update.

Prerequisites

• Ensure you have updated your HP EliteOne 800 G2 to the absolute latest available BIOS version from HP's official support site before beginning.

Step 1: Clear the Old Hardware Locks

1. Shut down your computer completely.

2. Turn the computer on and immediately begin tapping the F10 key (or Esc then F10) to enter the HP Computer Setup (BIOS).

3. Use your arrow keys to navigate to the Security tab, then select Secure Boot Configuration (or Key Management).

4. Select Clear Secure Boot Keys.

5. Note: The BIOS will warn you that Secure Boot is disabling, and the other options will turn grey. This is normal behavior as the motherboard enters "Setup Mode."

6. Ensure that the option "Enable MS UEFI CA Key" remains Checked/Ticked. (This is critical so your computer continues to trust third-party hardware drivers and graphics components).

7. Press F10 to Save, then exit the BIOS and let the computer restart.

Step 2: Reload the Updated Factory Keys

1. Crucial Step: As the computer restarts, immediately begin tapping the F10 key again to jump right back into the BIOS before Windows loads.

2. Navigate back to Security > Secure Boot Configuration.

3. You will notice the options are no longer greyed out. Select Reset Secure Boot Keys to Factory Default.

4. By doing this on the latest BIOS, the motherboard will reload its internal database, which now natively includes the new 2023 Microsoft certificates alongside the old ones.

5. Press F10 to Save changes and Exit. Allow the computer to boot all the way into Windows normally.

Step 3: Sync Windows and Verify Success

Once you are logged back into your Windows desktop, you need to force the operating system to bind to the motherboard's newly unlocked keys:

1. Right-click the Windows Start Menu and select Terminal (Admin) or PowerShell (Administrator).

2. Copy and paste the following command, then press Enter:

Powershell
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Wait roughly 2 to 3 minutes for the background process to complete, then Restart your computer one final time.

Your HP EliteOne 800 G2 is now fully updated, verified, and secure against the 2026 certificate expirations!