How do I just block/prevent the Secure Boot update, without going into the BIOS?


Saved2Serve

Event viewer is populated with many Error messages, that "The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine."

Searching how to prevent/block this update only shows results such as for disabling or enabling Secure Boot in the BIOS (or, sometimes on answers.microsoft.com, its typical recourse to doing a repair or clean install). However, I cannot find any way to block/prevent this update. Of course, I find MS still trying to install updates even though they have been paused for 35 days.
 

My Computer

System One

  • OS
    Windows 11 Pro, Ver. 23h2 build 22631 (as of 11-24)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home built:
    CPU
    Ryzen 3200G CPU;
    Motherboard
    MSI B450 Pro
    Memory
    128 GB Patriot 3200hz
    Graphics Card(s)
    AMD Radeon Vega (integrated)

You shouldn't GET any BIOS updates, without manually downloading and flashing the BIOS yourself.
Not on a desktop motherboard used in a home built comp.

Do you have some kind of MSI motherboard utility installed?
 

Check out for Secure Boot DB and DBX variable update KB5016061 in Settings > Update > Update history. If you can find it, check whether you can uninstall it. (Most probably you may not find it, and even if found you may not be able to uninstall it.)

I do not know whether you have looked at this

KB5016061: Secure Boot DB and DBX variable update events - Microsoft Support

"To help keep Windows devices secure, Microsoft adds vulnerable bootloader modules to the Secure Boot DBX revocation list (maintained in the system UEFI-based firmware) to invalidate the vulnerable modules. When the updated DBX revocation list is installed on a device, Windows checks to determine whether the system is in a state where the DBX update can be successfully applied to the firmware and will report event log errors if an issue is detected."
(The support article also shows various Event IDs that can arise.)

Check for any updated BIOS for your specific MSI motherboard (your MSI model has many variants and as many motherboards) and see whether updating the BIOS makes it a non-event. If not, contact MSI Support with the specific Event ID for a resolution.
 
Sorry for not seeing replies here (I thought I would see an email). No, this is not a BIOS update you must manually install, and I have excluded driver updates (lest HP nukes my printer), but following Event Viewer > Event ID 1796 "please see KB5016061: Secure Boot DB and DBX variable update events - Microsoft Support", it is related to KB5016061 (which is not listed as installed):

"To help keep Windows devices secure, Microsoft adds vulnerable bootloader modules to the Secure Boot DBX revocation list (maintained in the system UEFI-based firmware) to invalidate the vulnerable modules. When the updated DBX revocation list is installed on a device, Windows checks to determine whether the system is in a state where the DBX update can be successfully applied to the firmware and will report event log errors if an issue is detected."

Thus, even though updates are paused, Windows does not pause in apparently incessantly trying to install a DBX update. Seems to do no harm, but I wanted to stop this from showing up.

If you have Secure Boot disabled in your UEFI then you'll always get this message after an update. What I do to prevent future error messages is to reboot my machine, go into my UEFI, set Secure Boot on, then reboot. Windows then resolves what it needs to do. Then I go back into the UEFI and disable Secure Boot. From then on no more error messages until the next Windows update which you will have to go through the same steps.
 

Thanks for the reply, and as with the above (please see), sorry for not seeing it or an email (turns out that one was sent), and losing this thread among tabs. But yes, this has to do with KB5016061, but which is not listed among updates that could be uninstalled.

Secure boot is disabled on my PC, and I never remember changing it. BIOS is 7B86vAH, which says it would "Change the default setting of Secure Boot", and there are only beta versions after that, none of which are said to deal with secure boot. I could try to follow instructions here, but there is a risk of having to restore your PC to the factory state, which I do not want to do (extensively customized). Only I use this PC and am not interested in secure boot, nor in updating BIOS.

And the elevenforum post here only partly applies since Windows Security does not do anything now for me. But that page does instruct and include a Reg file to disable it. And despite HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard saying 1, meaning enabled, msinfo32 says it is disabled. So I will change the reg value to 0.

Thus my question presupposed that there was a way to prevent Windows from even trying to install this update.
However, if I could edit the DBX revocation list then that might be the solution. More on the DBX update and its purpose is here, and a list of them is here, while a page on updating it is here, but beyond me. As there is this, which I have seen to "disable check" in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot, which seems to be a key one must create.
 


I read that one should at least be able to stop Event Viewer from populating itself with this error, by going into the Registry and navigating to the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\ and going to {199fe037-2b82-40a9-82ac-e1d46c792b99} (or whatever GUID Event Viewer lists for Event 6155), and in the right pane of that key dbl click on Enabled and change the DWORD value to 0. Which I did.

I also found this https://www.elevenforum.com/t/enable-or-disable-system-guard-secure-launch-for-firmware-protection-in-windows-11.29233/ page which provides a Reg file to enable or disable System Guard Secure Launch for Firmware Protection, both of which I downloaded, and ran the disable one.

I also went to Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot and dbl clicked on AvailableUpdates in the right pane and set it to 0. Have not restarted explorer yet.

See what happens.
 

Over 12 days, and no more "The Secure Boot update failed to update a Secure Boot variable with error Secure Boot is not enabled on this machine." since I did the above! But I do get "A reboot is required before installing the Secure Boot update. Reason: 6." I rarely reboot. I would like to block that one.

Other than that, about the only warnings or errors now are "Installation Failure: Windows failed to install the following update..Notepad" or "Your Phone," or Session "Microsoft.Windows.Remediation" failure. Not serious.
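
An added, read-only PowerShell example (not posted by anyone in this thread) that reports the state the thread keeps referring to: whether firmware Secure Boot is on, the AvailableUpdates value, whether the Autologger provider named above is still enabled, and how often Event ID 1796 was logged. It assumes an elevated prompt, assumes the provider GUID quoted in the thread applies to your machine, and uses an arbitrary 30-day window; the helper name Get-RegValue is made up for this example.

```powershell
# Read-only audit: changes nothing in firmware, the registry or event logging.

# Hypothetical helper: return a registry value, or $null if the key/value is absent.
function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

# 1. Firmware state. Confirm-SecureBootUEFI returns $true/$false on UEFI systems
#    and throws on legacy BIOS or when the prompt is not elevated.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = "unknown: $($_.Exception.Message)" }

# 2. The two registry values discussed in the thread.
$sbKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$logKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\' +
             '{199fe037-2b82-40a9-82ac-e1d46c792b99}'   # GUID as quoted in the thread
$available = Get-RegValue $sbKey  'AvailableUpdates'
$logging   = Get-RegValue $logKey 'Enabled'

# 3. Event ID 1796 in the System log over the last 30 days (window is an assumption).
$filter = @{ LogName = 'System'; Id = 1796; StartTime = (Get-Date).AddDays(-30) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

# Summary object: one place to see firmware state, update flags and log volume.
[pscustomobject]@{
    SecureBootEnabled = $secureBoot
    AvailableUpdates  = if ($null -ne $available) { '0x{0:X}' -f $available } else { 'not set' }
    ProviderLogging   = if ($null -ne $logging)   { $logging } else { 'key not found' }
    Event1796Count    = $events.Count
    LastSeen          = ($events | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
}

# Per-day counts, with the provider name so unrelated events sharing the ID stand out.
$events |
    Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') }, ProviderName |
    Sort-Object Name |
    Select-Object Name, Count
```

A ProviderLogging value of 0 together with an Event1796Count of 0 means the events are no longer being recorded, not that the DBX update was applied.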
 
