Error 1801 Telling me to update my Secure Boot CA/Keys?


My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
If I won't do it, then certificates will not be updated?

They will still be pushed into firmware even if you don't update BIOS. You should leave it in Secure Boot mode, enable diagnostic reporting, and stay current with updates to allow Microsoft to do so.

But if you update BIOS they then become the default "built-in" keys.
 
They will still be pushed into firmware even if you don't update BIOS. You should leave it in Secure Boot mode, enable diagnostic reporting, and stay current with updates to allow Microsoft to do so.

But if you update BIOS they then become the default "built-in" keys.

How to enable diagnostic reporting?

How to enable diagnostic reporting?

Open Windows Settings, then Privacy and Security, then Diagnostics and Feedback.

At least that's where I find it on my Win11 Pro, 25H2.

There is apparently some measure of reporting by default, so this piece of advice from Microsoft may be targeted more to people who've used third-party apps, registry hacks or Group Policy Editor settings to completely turn off all diagnostics reporting. I turned on Optional reporting just to be sure.

Except I also went ahead and updated the keys using MOSBY ;-)
Open Windows Settings, then Privacy and Security, then Diagnostics and Feedback.

At least that's where I find it on my Win11 Pro, 25H2.

There is apparently some measure of reporting by default, so this piece of advice from Microsoft may be targeted more to people who've used third-party apps, registry hacks or Group Policy Editor settings to completely turn off all diagnostics reporting. I turned on Optional reporting just to be sure.

Except I also went ahead and updated the keys using MOSBY ;-)

Do I need to enable the optional?

Improved system stability and compatibility, mitigated security threats are common benefits.

go back and read
 

I don’t understand why people visit the Event Viewer. The only time I have ever seen it was to work out how to instruct a member on how to use it. It causes mayhem, panic, there’s always blood and someone dies in the end.

Event Viewer errors are as prevalent as carbon dioxide. The Viewer can be annoying, but it's useful to have. Obsessing over it is a waste of time. Only when there are serious issues, BSODs, catastrophic system failures, etc. is it worth looking into. All systems generate errors to a greater or lesser extent. Most of them are negligible, as the system will usually sort itself out. Anyway, that has been my finding.

They will still be pushed into firmware even if you don't update BIOS. You should leave it in Secure Boot mode, enable diagnostic reporting, and stay current with updates to allow Microsoft to do so.

But if you update BIOS they then become the default "built-in" keys.

AFAIK disabling diagnostic reporting or disabling telemetry (or both) doesn't prevent Windows Update from pushing them into firmware. Disabling Secure Boot does prevent it, but the dbx capsule still gets staged in a special EFI variable (EFI_UPDATE_CAPSULE) in NVRAM/flash, where either:
  • it will stay staged until you boot with Secure Boot enabled, or
  • it will stay staged until it is discarded/replaced with another, newer dbx capsule that supersedes it (e.g. if the capsule from KB5012170 is still sitting there staged when the new one is staged).
In a nutshell, Windows Update downloads and installs the update whose successful installation causes the dbx capsule to be staged, and, after that, booting with Secure Boot enabled causes the staged dbx capsule to be pushed into firmware.

AFAIK disabling diagnostic reporting or disabling telemetry (or both) doesn't prevent Windows Update from pushing them into firmware. Disabling Secure Boot does prevent it, but the dbx capsule still gets staged in a special EFI variable (EFI_UPDATE_CAPSULE) in NVRAM/flash, where either:
  • it will stay staged until you boot with Secure Boot enabled, or
  • it will stay staged until it is discarded/replaced with another, newer dbx capsule that supersedes it (e.g. if the capsule from KB5012170 is still sitting there staged when the new one is staged).
In a nutshell, Windows Update downloads and installs the update whose successful installation causes the dbx capsule to be staged, and, after that, booting with Secure Boot enabled causes the staged dbx capsule to be pushed into firmware.

Microsoft makes a point of enabling diagnostic reporting in their documents. I think they might use the diagnostics data to determine the precise motherboard model, rev. and BIOS revision that's installed, among whatever else is needed. That way the routine can pick (or perhaps get prepared) the correct OEM-signed KEK for pushing into BIOS. If that's correct, without the data it won't update KEK.

And of course it also won't update KEK if an OEM hasn't provided a signed one for that model/rev, hence they may send out requests to OEMs for ones they don't have.

I may be wrong, but it does make sense. Also, if you go check the Secure Boot Update registry key there's quite a bit of that data there. If it's considered protected data they may need permission to send it back.
AFAIK disabling diagnostic reporting or disabling telemetry (or both) doesn't prevent Windows Update from pushing them into firmware. Disabling Secure Boot does prevent it, but the dbx capsule still gets staged in a special EFI variable (EFI_UPDATE_CAPSULE) in NVRAM/flash, where either:
  • it will stay staged until you boot with Secure Boot enabled, or
  • it will stay staged until it is discarded/replaced with another, newer dbx capsule that supersedes it (e.g. if the capsule from KB5012170 is still sitting there staged when the new one is staged).
In a nutshell, Windows Update downloads and installs the update whose successful installation causes the dbx capsule to be staged, and, after that, booting with Secure Boot enabled causes the staged dbx capsule to be pushed into firmware.

When will the update be? I have Secure Boot on, diagnostic reporting set to Required, and the newest Windows version. My friend even has the same board as mine and the newest BIOS, and the error is still there.

When will the update be? I have Secure Boot on, diagnostic reporting set to Required, and the newest Windows version. My friend even has the same board as mine and the newest BIOS, and the error is still there.

Please have a look at this post; it may be of help.

Best of luck, Steve.

When will the update be? I have Secure Boot on, diagnostic reporting set to Required, and the newest Windows version. My friend even has the same board as mine and the newest BIOS, and the error is still there.

The best thing to do is see if your system has a firmware update available. Microsoft will be rolling out updates all the way up to June of 2026... maybe even October of 2026, not everyone all at once.

@Buddywh

What the KEK is

  • The Key Exchange Key (KEK) database in UEFI Secure Boot is a list of public keys authorized to update the Secure Boot databases (db, dbx).
  • Microsoft’s KEK entry is one of them, pre‑installed by OEMs in nearly all Windows‑certified machines.
  • The KEK is what allows Microsoft‑signed capsules (like dbx updates) to be accepted and applied by firmware.

How dbx updates work vs. KEK updates

  • dbx updates:
    • Delivered as capsules signed with Microsoft’s KEK private key.
    • Firmware validates the signature against the KEK already stored in NVRAM.
    • If valid, the dbx database is updated.
  • KEK updates:
    • Much rarer. Updating the KEK itself means replacing or adding trusted keys in the KEK database.
    • This requires a capsule signed by a key already in KEK or by the Platform Key (PK).
    • Microsoft only issues KEK updates if the existing KEK is compromised or needs rotation.

How Microsoft knows what to include

  • Microsoft maintains the authoritative KEK entry for Windows‑certified platforms.
  • OEMs ship firmware with Microsoft’s KEK pre‑installed (alongside OEM KEKs).
  • When Microsoft decides to update the KEK (e.g., rotate to a new certificate), they generate a capsule containing the new KEK entry.
  • That capsule is signed by the current valid KEK or PK, so firmware can authenticate it.
  • The data included is deterministic: the new KEK certificate itself, plus metadata (version, GUID) so firmware knows how to replace or append.

Lifecycle of a KEK update

  1. Microsoft issues new KEK certificate (e.g., new RSA/ECC keypair).
  2. Capsule created containing the new KEK entry.
  3. Capsule signed with the existing KEK private key (or PK).
  4. Windows Update delivers capsule to client systems.
  5. Firmware validates capsule against current KEK/PK.
  6. Firmware updates KEK database in NVRAM.
  7. Future db/dbx updates are signed with the new KEK.

Microsoft doesn’t use diagnostics reporting or anything to figure out what KEK data to include—they author the KEK entry themselves. OEMs ship it, firmware trusts it, and when rotation is needed, Microsoft publishes a capsule containing the new KEK certificate signed by the old one (or PK). That’s how the chain of trust is preserved.

That capsule is signed by the current valid KEK or PK, so firmware can authenticate it.

I'm not sure that's correct... at least everything I've read says a KEK must be signed by the machine's PK and nothing else will do to maintain the Root of Trust. Reference: UEFI Specification (Version 2.1 and earlier), Section 32.3.1.

So this is why Microsoft prepares the KEK (as you say) but then sends them to the OEMs to sign with the PKs for each of their devices, who should then return them to be included in the updates. They did this many months ago but many of the OEMs have been very slow to return them, which is one reason Microsoft is rather far behind their original plans to roll these updates out. At least, this is the rather consistent story being told in most authoritative articles I've been reading.

You can get the KEK Secure Boot objects from Microsoft's GitHub. There you can find both SIGNED (ordered by Mfr/OEM) KEK objects... and as well an unsigned KEK which a user can sign with their own PK. They can be directly appended to a device's Secure Boot variables... assuming its BIOS includes the controls for doing so. And some may be able to append an unsigned KEK as a PUBLIC key which uses the device's PK to sign it first; or so I'm told at least.
I had that TPM error also. It's not the BIOS that needs to be updated. You have to implement CA2023.
Just download this .zip file; https://mega.nz/file/9MVjGLRK#NxCNK-QP4V1aJuDT6Td3u0cfj4AioVogl6CK2F2UF8Q (contains some small .bat files) and follow the instructions:

Check Windows UEFI CA 2023 Update Status/Capable : Right click on "Check.cmd" > Run as administrator
Windows UEFI CA 2023 Update Status :

NotStarted – The update has not yet run.
InProgress – The update is actively in progress.
Updated – The update has completed successfully.

Windows UEFI CA 2023 Update Capable :

0x0 - Windows UEFI CA 2023 certificate is not in the DB (or key does not exist).
0x1 - Windows UEFI CA 2023 certificate is in the DB.
0x2 - Windows UEFI CA 2023 certificate is in the DB and the system is starting from the 2023 signed boot manager.

Update Windows UEFI CA 2023 :

- Right click on "1-Setup.cmd" > Run as administrator > Close the command prompt window
- Right click on "2-Update.cmd" > Run as administrator > Close the command prompt window
- Right click on "Check.cmd" > Run as administrator > Check that Windows UEFI CA 2023 Update Status is InProgress > Close the command prompt window > Wait 5 minutes then restart your PC
- Right click on "Check.cmd" > Run as administrator > Check that Windows UEFI CA 2023 Update Status is InProgress > Close the command prompt window > Wait 5 minutes then restart your PC
- Right click on "Check.cmd" > Run as administrator :

- If the Windows UEFI CA 2023 Update Status is still InProgress : Right click on "2-Update.cmd" > Run as administrator > Close the command prompt window > Wait 5 minutes then restart your PC (redo as much as necessary)
- If the Windows UEFI CA 2023 Update Status is Updated and the Windows UEFI CA 2023 Update Capable is 0x2 : Right click on "3-Cleanup.cmd" > Run as administrator > Close the command prompt window > Done.
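Pulling together the checks the posts above describe (whether the 2023 CAs are already in db and KEK, how many dbx entries the firmware currently enforces, the Status/Capable values the Check.cmd procedure reads, and whether Event 1801 has fired), here is a read-only PowerShell script of my own; it is not from the thread, from the linked .zip, or from Microsoft. It assumes an elevated prompt on a UEFI system; the 'Windows UEFI CA 2023' substring match is the check Microsoft publishes, while the Servicing registry value names are my reading of Microsoft's documentation and should be confirmed on your build before anything depends on them.

```powershell
#Requires -RunAsAdministrator
# Read-only Secure Boot status check for the 2023 CA rollout. Nothing here writes to
# firmware, NVRAM or the registry; it only reports what Windows and the firmware already hold.

function Get-SignatureEntryCount {
    <# Counts the entries in a UEFI signature database variable (db, dbx or KEK).
       The variable is a chain of EFI_SIGNATURE_LIST structures, each laid out as:
         SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
         | optional header (SignatureHeaderSize bytes) | N entries of SignatureSize bytes each.
       For dbx this is the number of revoked hashes/certs the firmware is enforcing right now. #>
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $count  = 0
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of looping forever or dividing by zero.
        if ($listSize -lt 28 -or $sigSize -le 0 -or ($offset + $listSize) -gt $Bytes.Length) { break }
        $count  += [math]::Floor(($listSize - 28 - $headerSize) / $sigSize)
        $offset += $listSize
    }
    return [int]$count
}

function Test-CertInSecureBootVariable {
    <# The check Microsoft publishes for the 2023 CA: the certificate's subject CN is stored as
       plain ASCII inside the DER blob, so a substring match on the raw variable bytes is enough. #>
    param([Parameter(Mandatory)][string]$Variable, [Parameter(Mandatory)][string]$Subject)
    $raw = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    return [bool]([System.Text.Encoding]::ASCII.GetString($raw) -match [regex]::Escape($Subject))
}

function Get-SecureBootCaStatus {
    # With Secure Boot off, a staged dbx capsule just waits in NVRAM (see the thread).
    $enabled = Confirm-SecureBootUEFI
    $dbx     = (Get-SecureBootUEFI -Name dbx).Bytes

    # Servicing progress written by the CA update task. Value names are my reading of
    # Microsoft's servicing documentation (assumption: confirm them on your build).
    $svcPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $svc     = Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue
    $status  = if ($svc) { $svc.UEFICA2023Status }         else { '<Servicing key missing>' }  # NotStarted / InProgress / Updated
    $capable = if ($svc) { $svc.WindowsUEFICA2023Capable } else { '<Servicing key missing>' }  # 0, 1 or 2 as listed in the thread

    # Event ID 1801 in the System log is the "Secure Boot certificates need updating" notice.
    $ev1801 = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 50 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        SecureBootEnabled        = $enabled
        Db_WindowsUEFICA2023     = Test-CertInSecureBootVariable -Variable db  -Subject 'Windows UEFI CA 2023'
        Db_MicrosoftUEFICA2023   = Test-CertInSecureBootVariable -Variable db  -Subject 'Microsoft UEFI CA 2023'
        Kek_MSKEK2KCA2023        = Test-CertInSecureBootVariable -Variable KEK -Subject 'Microsoft Corporation KEK 2K CA 2023'
        DbxEntryCount            = Get-SignatureEntryCount -Bytes $dbx
        UEFICA2023Status         = $status
        WindowsUEFICA2023Capable = $capable
        Event1801Count           = $ev1801.Count
    }
}

$result = Get-SecureBootCaStatus
$result | Format-List

if (-not $result.SecureBootEnabled) {
    Write-Warning 'Secure Boot is off: any staged dbx capsule stays in NVRAM until you boot with it enabled.'
}
if ($result.Db_WindowsUEFICA2023 -and $result.WindowsUEFICA2023Capable -ne 2) {
    Write-Host 'db already trusts Windows UEFI CA 2023, but the 2023-signed boot manager is not yet in use (Capable is not 0x2).'
}
```

Run it before and after the Check.cmd/2-Update.cmd cycle above: the db and KEK booleans tell you what the firmware already trusts, and DbxEntryCount going up after a reboot with Secure Boot on is the visible sign that a staged dbx capsule has actually been applied.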
 
