- **
- #1
I recently started getting this, should I be worried about this?
Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
When I check the MSI download page, the latest BIOS version is E17T2IMS.110 and this is the version I currently have installed.
Sword 17 HX B14VGKG
OS Windows 11
Computer type Laptop
Manufacturer/Model MSI Sword 17 HX
CPU 14700HX
Memory 64GB
Graphics Card(s) RTX 4070
- **
- #2
You can read the error codes here, including 1801:
OS Windows 11 Pro build 26200.7462
Computer type PC/Desktop
Manufacturer/Model Home Built
CPU Intel i7-4790
Motherboard Asus H97 Pro Gamer with add-on TPM1.2 module
Memory Teams DDR3-1600 4x4 GB
Graphics Card(s) MSI Nvidia GeForce GTX 1050Ti
Sound Card Realtek ALC1150
Monitor(s) Displays Dell P2425D
Screen Resolution 2560 by 1440 pixels
Hard Drives Corsair NVMe M.2 Core XT 1000 GB (Windows 11 v.25H2); Samsung SATA Evo 870 500 GB (Windows 11 v.25H2);
PSU Corsair HX850
Case Gigabyte Solo 210
Cooling Zalman CNPS7X Tower
Keyboard Microsoft AIO Wireless (includes touchpad)
Mouse HP S1000 Plus Wireless
Internet Speed 500 Mb fiber optic
Browser Chrome; MS Edge
Antivirus Windows Defender
Operating System MacOS 12 Monterey
Computer type Laptop
Manufacturer/Model Apple Macbook Air
CPU Intel Core i5
Memory 8 GB
Graphics card(s) Intel integrated
Screen Resolution 1440 by 900 pixels
Hard Drives 128 GB
Keyboard Built-in
Mouse Microsoft Wireless
Internet Speed 802.11 ac
Browser Chrome; Safari
Antivirus N/A
- **
- #3
I recently started getting this, should I be worried about this?
Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
When I check the MSI download page, the latest BIOS version is E17T2IMS.110 and this is the version I currently have installed.
Sword 17 HX B14VGKG
See if you have any specific error codes listed in this registry key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
OS Windows 11
Computer type PC/Desktop
Manufacturer/Model EVGA home brew
CPU Broadwell-e 6850K 4.5ghz @1.36v
Motherboard EVGA X99 FTW K
Memory 32GB Corsair LPM 3600 C16
Graphics Card(s) EVGA RTX 3080Ti FTW
Sound Card Asus Centurion true 7.1 headset. (5 speakers in each earpiece)
Monitor(s) Displays LG C4 55"
Screen Resolution 4K 144hz
Hard Drives Various models of SSDs ~10TB No HDDs installed.
PSU be quiet! BN516 Straight Power 12-1000w 80 Plus Platinum
Case Corsair 780T modified to dual 200mm intake fans
Cooling Corsair H110i
Keyboard Corsair K95 Platinum
Mouse Corsair M65 RGB Elite
Internet Speed 50Mbs
- **
- #4
I stopped getting the 1801 logged events 10/21/25. Not sure what finally convinced MSC that my Secure Boot was good, but something finally resonated. 
OS Win 11 Pro 25H2, Build 26220.7523
Computer type PC/Desktop
Manufacturer/Model Home Brew
CPU Intel Core i5 14500
Motherboard Gigabyte B760M G P WIFI
Memory 64GB DDR4
Graphics Card(s) GeForce RTX 4060
Sound Card Chipset Realtek
Monitor(s) Displays LG 45" Ultragear, Acer 24" 1080p
Screen Resolution 5120x1440, 1920x1080
Hard Drives Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S) Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup) Crucial BX500 2TB 3D NAND (2nd backup) Seagate 4TB Ironwolf, rotating HDD archive files External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
PSU Thermaltake Toughpower GF3 750W
Case LIAN LI LANCOOL 216 E-ATX PC Case
Cooling Lots of fans!
Keyboard Microsoft Comfort Curve 2000
Mouse Logitech G305
Internet Speed Verizon FiOS 1GB
Browser Firefox
Antivirus Malware Bytes & Windows Defender Security
Operating System Win 11 Pro 25H2, Build 26200.7462
Computer type PC/Desktop
Manufacturer/Model Home Brew
CPU Intel Core i5 14400
Motherboard Gigabyte B760M DS3H AX
Memory 32GB DDR5
Graphics card(s) Intel 700 Embedded GPU
Sound Card Realtek Embedded
Monitor(s) Displays 27" HP 1080p
Screen Resolution 1920x1080
Hard Drives Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD Samsung EVO 990 2TB NVMe Gen4 SSD Samsung 2TB SATA SSD
PSU Thermaltake Smart BM3 650W
Case Okinos Micro ATX Case
Cooling Fans
Keyboard Microsoft Comfort Curve 2000
Mouse Logitech G305
Internet Speed Verizon FiOS 1GB
Browser Firefox
Antivirus Malware Bytes & Windows Defender Security
- **
- #5
See if you have any specific error codes listed in this registry key: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
What exactly am I looking for?
- **
- #6
You don’t have any errors. It might be worth doing the following 2 steps in the first post of the thread below and checking the same registry again as you proceed:
Secure boot update HowTo
I have put this together as I had problems updating 2 desktops and 3 laptops, which have now all had their Secure Boot certs updated to the new 2023 Secure Boot cert. Also, the other posts about this were getting very long and confusing. This is in two parts: Part A and Part B. edit by me. please...
www.elevenforum.com
OS Windows 11
- **
- #7
You don’t have any errors. It might be worth doing the following 2 steps in the first post of the thread below and checking the same registry again as you proceed:
Secure boot update HowTo
I have put this together as I had problems updating 2 desktops and 3 laptops, which have now all had their Secure Boot certs updated to the new 2023 Secure Boot cert. Also, the other posts about this were getting very long and confusing. This is in two parts: Part A and Part B. edit by me. please...
www.elevenforum.com
@vsub just an add-on to the good advice that you have given.
In that HowTo, please complete Part A and both commands in an Admin PowerShell.
When you have completed Part A and restarted your system TWICE, please run this command in an Admin PowerShell and post back its output.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
best of luck Steve ..
OS W11 25H2 Home
Computer type PC/Desktop
Manufacturer/Model HP 24" AiO
CPU Ryzen 7 5825u
Motherboard HP
Memory 64GB DDR4 3200
Graphics Card(s) Ryzen 7 5825u
Sound Card RealTek
Monitor(s) Displays 24" HP AiO
Screen Resolution 1920 x 1080 @60 Hz
Hard Drives 1TB WD Blue SN580 M2 SSD Partitioned. 2x 1TB USB HDD External Backup/Storage.
PSU 90W external power brick
Case 24" All in One
Cooling Default Air Cooling
Keyboard HP WiFi UK extended
Mouse HP WiFi 3 Button
Internet Speed 1GB full fibre
Browser Edge & Firefox
Antivirus AVG Internet Security/Windows Defender
Other Info Mainly Open Source Software
Operating System Ubuntu 22.04.5 LTS
Computer type Laptop
Manufacturer/Model Dell 13" Latitude 2017
CPU i5 7200u
Motherboard Dell
Memory 16GB DDR4
Graphics card(s) Intel
Sound Card Intel
Monitor(s) Displays 13" Dell Laptop
Hard Drives 250GB Crucial 2.5" SSD
Mouse Generic WiFi 3 button
Internet Speed WiFi only
Browser Firefox
Antivirus ClamAV TK
Other Info Mainly Open Source Software
- **
- #8
@XxXxX thanks, I did all steps (restarted twice), is everything OK now?
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023" says true
AvailableUpdates says 0x00004100, and for some reason when I try to edit it, it shows 4000 in hex instead of 4100
UpdateStatus says 3
UEFICA2023Status says Updated
WindowsUEFICA2023Capable says 2
I had to restart twice for Part B too (I had some errors with only one restart).
I don’t have that error anymore.
- **
- #9
Same error message here too for less than a week. Will Microsoft fix it, or do we have to wait for a new update?
Microsoft had to update the certificate, but something is still missing for it to apply correctly.
Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
OS Windows 11
- **
- #10
That’s weird. While replying, I checked the log again and the error appeared again, and the registry for AvailableUpdates was changed from 4100 to 4000.
After the error in the event viewer, I have an information log with "Boot Manager signed with Windows UEFI CA 2023 was installed successfully".
Edit: After the 3rd restart I get "The TPM was successfully provisioned and is now ready for use."
- **
- #11
I recently started getting this, should I be worried about this?
Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
When I check the MSI download page, the latest BIOS version is E17T2IMS.110 and this is the version I currently have installed.
Sword 17 HX B14VGKG
I have had the same problem also. Here is the thread to fix the issue. The maker of those scripts has made some changes now, so its output differs somewhat, but it is basically still the same. Thread page: How to check if your Secure Boot certs are updated. (two methods)
New output when fixed.
Run "Check UEFI PK, KEK, DB and DBX.cmd" first to see if there are any red crosses inside the Current Values (only those are important) of UEFI PK, KEK or DB.
When there are red crosses visible in the Current section of UEFI KEK and/or UEFI DB, run: "Apply KEK & DB update.cmd"
When the Current UEFI DBX says FAIL, run: "Apply DBX update.cmd"
When you run "Check UEFI PK, KEK, DB and DBX.cmd" again and see a similar output as above, you fixed the problem.
Note: A reboot is sometimes not enough. You have to kick off the following command a few times to force that scheduled task to do its job. Sometimes a reboot is not enough. This scheduled task will run every 12 hours. A reboot should force it to run, but after the feedback I am getting even a reboot is not necessary.
To kick off that scheduled task by hand, CMD as admin:
schtasks /run /tn "\Microsoft\Windows\PI\Secure-Boot-Update"
(Both Apply xxx.cmd files do this also, only with a PowerShell command.)
Just run this task after you applied one or both Apply xxx.cmd and Check xxx.cmd and it doesn’t give you the above result. Give it some time; some KEK, DB or DBX data has to be downloaded from a Microsoft site. They can be quite busy sometimes. It will solve your problem within a few minutes in worst cases. Sometimes the change is immediate. We are not talking about a huge amount of data. Only some bytes.
Last edited: Dec 15, 2025
OS Win 11 Pro "25H2" Build 26200.7462, RHEL 10
Computer type PC/Desktop
Manufacturer/Model Self built
CPU Intel® Core™ i7-12700KF 12th Gen.
Motherboard ASUS Prime Z690-A, BIOS v4301
Memory 32GB DDR5 5600-36 Vengeance
Graphics Card(s) PCIe4.0 Asus NVIDIA RTX3060Ti
Sound Card Onboard; Realtek
Monitor(s) Displays 34" LG 34UC79G-B Curved 21:9 144Hz
Screen Resolution 2560x1080 (No HDR)
Hard Drives 250Gb Samsung 870PRO NVMe (Win 11 Pro) 1Tb Samsung 980PRO NVMe 1Tb Samsung 970EVO NVMe 2Tb Samsung 990PRO NVMe with heatsink. 4Tb WDC WD40EZRZ Blue SATA (Int.) 4Tb WDC WD40EZRZ Blue SATA (Int.) 3Tb WDC WD30EFRZ Red SATA (Int.) 256Gb Samsung 840PRO SSD (RHEL 9,5)
PSU Coolermaster 850W V2 Gold with internal 12cm exhaust fan
Case Be-Quiet Pure Base 600. A real Übercase!!
Cooling 3x Be-Quiet! 12/14cm "Silent Wings 4" casefans, 1x Arctic Freezer i35 CPU towerblock with fan.
Keyboard Steelseries APEX 7 keyboard.
Mouse Logitech G-502 Hero
Internet Speed 1Gb
Browser Google Chrome
Antivirus F-Secure
Other Info No Noise system. 256Gb Kingston Travler USB 3.0 drive. 8Gb Philips USB 3.0 drive. (Win. Inst.) 8Gb Philips USB 3.0 drive. (Rescue disk) 2Tb WD USB 3.0 Passport drive. USB Ext. 500Gb WD SATA drive. External USB 3.0 C.A. CD/DVD* burner.
- **
- #12
That’s weird. While replying, I checked the log again and the error appeared again, and the registry for AvailableUpdates was changed from 4100 to 4000.
After the error in the event viewer, I have an information log with "Boot Manager signed with Windows UEFI CA 2023 was installed successfully".
Edit: After the 3rd restart I get "The TPM was successfully provisioned and is now ready for use."
The Microsoft push is an iterative process so it can take a few times to restart, then let it set a registry entry for the next action, then restart again. It can play out over a couple days, maybe longer for a computer that’s not always online since it retrieves the necessary binaries to install in firmware at run-time.
But once complete the desired result is to get a 2023-signed Boot Manager installed, so it sounds like you’re pretty much complete. But download and run the "Check UEFI PK, KEK, DB and DBX.cmd" linked by @hader above to confirm you have all the keys updated.
OS Windows 11 Pro
Computer type PC/Desktop
Manufacturer/Model DIY
CPU Ryzen 7 5800X
Motherboard Gigabyte B550M Aorus Pro
Memory GSkill 3200, 2x8GB
Graphics Card(s) MSI RX 6800 XT Gaming Z
Sound Card on-board Realtek
Monitor(s) Displays MSI 180hz
Screen Resolution 1440p
Hard Drives Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
PSU Corsair RM 650
Case mATX
Cooling BeQuiet 240mm AIO and a bunch of case fans
Keyboard one that clacks softly
Mouse logitech
Internet Speed bunches of bps
Browser Firefox
Antivirus Windows’ own
Operating System Win11 Pro
Computer type PC/Desktop
Manufacturer/Model DIY
CPU Ryzen 7 1700
Motherboard GA-AB350m Gaming 3
Memory 16GB DDR4
Graphics card(s) RX-480
Sound Card In-Built Realtek
Monitor(s) Displays Samsung
Screen Resolution 1440p
Hard Drives NVME/SSD’s
PSU 490W
Case Some junky thing
Cooling ThermalTake Assassin(?)
Browser FF/Edge
Antivirus Whatever Windows does
Other Info Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker’d.
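The AvailableUpdates values reported in this thread (0x4100, 0x4000, 0x200) are a bitmask of pending Secure Boot servicing actions, so the change from 4100 to 4000 is the boot manager bit (0x0100) being cleared. The PowerShell below is an added example, not code from any poster or from Microsoft; the function names are hypothetical, and the bit meanings are taken from Microsoft's Secure Boot servicing guidance rather than from this thread (only 0x200 is described here).

```powershell
# Added example, not from the thread. Function names are hypothetical.
# Bit meanings follow Microsoft's Secure Boot servicing guidance (assumed
# unchanged); the thread itself only describes 0x200.
$AvailableUpdatesBits = @(
    @{ Bit = 0x0004; Action = 'Add Microsoft Corporation KEK 2K CA 2023 to KEK' }
    @{ Bit = 0x0040; Action = 'Add Windows UEFI CA 2023 to DB' }
    @{ Bit = 0x0080; Action = 'Add Windows Production PCA 2011 to DBX (revocation)' }
    @{ Bit = 0x0100; Action = 'Install boot manager signed by Windows UEFI CA 2023' }
    @{ Bit = 0x0200; Action = 'Apply boot manager SVN update to firmware' }
    @{ Bit = 0x0800; Action = 'Add Microsoft Option ROM UEFI CA 2023 to DB' }
    @{ Bit = 0x1000; Action = 'Add Microsoft UEFI CA 2023 to DB' }
    @{ Bit = 0x4000; Action = 'Modifier: apply 0x0800/0x1000 only if DB trusts Microsoft UEFI CA 2011' }
)

function ConvertFrom-AvailableUpdates {
    # Split an AvailableUpdates DWORD into the actions that are still pending.
    param([Parameter(Mandatory)][long]$Value)
    $known = 0L
    foreach ($entry in $AvailableUpdatesBits) {
        $known = $known -bor $entry.Bit
        if ($Value -band $entry.Bit) {
            [pscustomobject]@{ Bit = '0x{0:X4}' -f $entry.Bit; Pending = $entry.Action }
        }
    }
    # Report anything outside the table instead of silently dropping it.
    $unknown = $Value -band (-bnot $known)
    if ($unknown) {
        [pscustomobject]@{ Bit = '0x{0:X4}' -f $unknown; Pending = 'Unrecognised bits' }
    }
}

function Test-FirmwareCert {
    # $true/$false if the Secure Boot variable contains the subject string;
    # $null when it cannot be read (not elevated, legacy BIOS, variable absent).
    param([string]$Variable, [string]$Subject)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        [Text.Encoding]::ASCII.GetString($bytes).Contains($Subject)
    } catch { $null }
}

function Get-SecureBootRolloutState {
    # One object combining the registry values and firmware checks from the thread.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $raw  = (Get-ItemProperty -Path $root -ErrorAction SilentlyContinue).AvailableUpdates
    $svc  = Get-ItemProperty -Path "$root\Servicing" -ErrorAction SilentlyContinue
    $flags = if ($null -ne $raw) { [long]$raw } else { 0L }
    [pscustomobject]@{
        AvailableUpdates         = '0x{0:X4}' -f $flags
        PendingActions           = @(ConvertFrom-AvailableUpdates $flags | ForEach-Object Pending)
        UEFICA2023Status         = $svc.UEFICA2023Status
        WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable
        DbHasWindowsUefiCa2023   = Test-FirmwareCert 'db'  'Windows UEFI CA 2023'
        KekHasKek2kCa2023        = Test-FirmwareCert 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
    }
}

# Offline demo using the values posted in the thread.
foreach ($v in 0x4100, 0x4000, 0x200) {
    $pending = @(ConvertFrom-AvailableUpdates $v | ForEach-Object Pending) -join '; '
    '0x{0:X4} -> {1}' -f $v, $pending
}

# On a live system, from an elevated PowerShell prompt:
# Get-SecureBootRolloutState | Format-List
```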
- **
- #13
.... The Microsoft push is an iterative process so it can take a few times to restart, then let it set a registry entry for the next action, then restart again. It can play out over a couple days, maybe longer for a computer that’s not always online since it retrieves the necessary binaries to install in firmware at run-time.
FYI: The scheduled task that is responsible for updating the system is running every 12 hours. So a reboot can’t give you a direct result. Sometimes you have to reboot twice or a third time etc. What you can do is to kick off that scheduled task by hand, forcing that script (Secure-Boot-Update) to do its job.
We don’t know what MS has in store for us to fix this issue. But it will be a part of a future build. We have no control over its timeline. Fixing it now is all we can do and achieve. I think we are ahead of time fixing it now. It will come.... The final push from MS will be to replace all signed files now pointing to that CA2011 certificate with a version that points towards the new CA2023 certificate before Jun-Oct 2026. At this moment all signed files from MS are still pointing towards the CA2011 certificate. That is what MS has to do. We can’t sign those files ourselves. Only MS can.
- **
- #14
I got this, but fixed it by rerunning those commands from Secure boot update HowTo. Do I need to do this on every Windows reinstall? Two days ago I was on Windows 25H2, but I moved back to Windows 23H2, and then this message appeared.
OS Windows 11
Computer type PC/Desktop
Manufacturer/Model Asrock b760 pro rs
- **
- #15
I have had the same problem also. Here is the thread to fix the issue. The maker of those scripts has made some changes now, so its output differs somewhat, but it is basically still the same. Thread page: How to check if your Secure Boot certs are updated. (two methods)
New output when fixed.
Run "Check UEFI PK, KEK, DB and DBX.cmd" first to see if there are any red crosses inside the Current Values (only those are important) of UEFI PK, KEK or DB.
When there are red crosses visible in the Current section of UEFI KEK and/or UEFI DB, run: "Apply KEK & DB update.cmd"
When the Current UEFI DBX says FAIL, run: "Apply DBX update.cmd"
When you run "Check UEFI PK, KEK, DB and DBX.cmd" again and see a similar output as above, you fixed the problem.
Note: A reboot is sometimes not enough. You have to kick off the following command a few times to force that scheduled task to do its job. Sometimes a reboot is not enough. This scheduled task will run every 12 hours. A reboot should force it to run, but after the feedback I am getting even a reboot is not necessary.
To kick off that scheduled task by hand, CMD as admin:
schtasks /run /tn "\Microsoft\Windows\PI\Secure-Boot-Update"
(Both Apply xxx.cmd files do this also, only with a PowerShell command.)
Just run this task after you applied one or both Apply xxx.cmd and Check xxx.cmd and it doesn’t give you the above result. Give it some time; some KEK, DB or DBX data has to be downloaded from a Microsoft site. They can be quite busy sometimes. It will solve your problem within a few minutes in worst cases. Sometimes the change is immediate. We are not talking about a huge amount of data. Only some bytes.
What about that all red SVN? Should I do something with it?
- **
- #16
What about that all red SVN? Should I do something with it?
Ah..... Good point!! (Was also wondering about that....) Looking into the MS documentation (was searching for Windows Bootmgr SVN) I ran across: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
In section 4 there was a part that describes: Apply the SVN update to the firmware.
I just executed the following commands (PowerShell as admin):
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
After the update (by running that scheduled script by hand: Secure-Boot-Update) the request flag AvailableUpdates was returned to 0x000 again. After running "Check UEFI PK, KEK, DB and DBX.cmd" again, those SVN lines were updated with their version numbers: 7.0, 3.0 and 3.0. (Just as was shown inside cjee21’s post of Check-UEFISecureBootVariables GitHub post. It went back to 0 because it completed its task.) I suspect that this update was left out in those scripts for reasons unknown. I am now getting the following results. If you do this also, you will get the same results as I currently have....
- **
- #17
Ah..... Good point!! (Was also wondering about that....) Looking into the MS documentation (was searching for Windows Bootmgr SVN) I ran across: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support
In section 4 there was a part that describes: Apply the SVN update to the firmware.
I just executed the following commands (PowerShell as admin):
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
After the update (by running that scheduled script by hand: Secure-Boot-Update) the request flag AvailableUpdates was returned to 0x000 again. After running "Check UEFI PK, KEK, DB and DBX.cmd" again, those SVN lines were updated with their version numbers: 7.0, 3.0 and 3.0. (Just as was shown inside cjee21’s post of Check-UEFISecureBootVariables GitHub post. It went back to 0 because it completed its task.) I suspect that this update was left out in those scripts for reasons unknown. I am now getting the following results. If you do this also, you will get the same results as I currently have....
Yea, thank you! :)
- **
- #18
No matter what I do, I am unable to install the KEK CA on my main PC. I do not understand how, meanwhile my IdeaPad laptop running a 7th gen CPU is up-to-date with all 2023 certs. I’m not sure why this PC is struggling. It’s a Coffee Lake machine from 2020. I keep getting Error 1801 for no reason. I even tried fwupdmgr on Fedora and even it says that the KEK CA has no updates.
I ran these two:
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
And I get these:
Last edited: Today at 10:19 AM
OS Windows 11
- **
- #19
I’m not sure why this PC is struggling.
I think other Acer Aspire owners have reported problems with updating / appending to the 2023 KEK key.
Have you tried MOSBY? Its author has reported there are several BIOSes he has run across that simply do not allow updating/appending to KEK. Whether due to poor UEFI implementation or by design, it’s obviously a problem for owners if the OEM/manufacturer has abandoned it for BIOS updates. He has implemented a work-around in v2.8 of MOSBY that can help in some cases.
A proper BIOS update would be best, but if all else has failed and Acer isn’t forthcoming with one, this might be worth trying.
- **
- #20
I think other Acer Aspire owners have reported problems with updating / appending to the 2023 KEK key.
Have you tried MOSBY? Its author has reported there are several BIOSes he has run across that simply do not allow updating/appending to KEK. Whether due to poor UEFI implementation or by design, it’s obviously a problem for owners if the OEM/manufacturer has abandoned it for BIOS updates. He has implemented a work-around in v2.8 of MOSBY that can help in some cases.
A proper BIOS update would be best, but if all else has failed and Acer isn’t forthcoming with one, this might be worth trying.
Do I have to use the PK, KEK, DB, DBX from Microsoft?
OS Windows 11