How to check if your Secure Boot certs are updated. (three methods)

Sequence said:

Could i leave it like that, or will there still be work to do?

Click to expand...

You can wait for the revocation, or do it yourself. If you want to revoke now, then follow the instructions at the end of the report.

Hardware was compatible with Windows 11. In the event display there is
12.03.2026 17:14:04 1801 Fehler Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full ...

So, how do I proceed, please?

Your PC has not revoked the PCA 2011 cert. This is an optional step for now. You can wait for Windows, or do it now.

Run these commands as the Admin:

Well, yes, but I'm more worried about

x Microsoft Corporation KEK 2K CA 2023
x Windows UEFI CA 2023
x Microsoft UEFI CA 2023
x Microsoft Option ROM UEFI CA 2023
Windows Bootmgr SVN: None
Windows cdboot SVN: None
Windows wdsmgfw SVN: None

Shouldn't I do something about the four issues on top of this list?

No. That script's output causes endless confusion. Read the sections in this different order:

1. Default PK (UEFI started from the factory BIOS)
2. Current PK (right now)

3. Default KEK (starting)
4. Current KEK (now)

5. Default DB (starting)
6. Current DB (now)

Afterwards, you shouldn't be so worried about Defaults.

OK, thank you for making this clear!

Just do nothing! All my PCs have been updated via Windows Update as confirmed by running the script Detect-SecureBootCertUpdateStatus.ps1 in C:\Windows\SecureBoot\ExampleRolloutScripts installed in the latest monthly update.

Steve C said:

Just do nothing!

Click to expand...

Hi Team, can you help with this:
Checking for Administrator permission...
Running as administrator - continuing execution...

20 May 2026
Manufacturer: Dell Inc.
Model: XPS 8930
BIOS: Dell Inc., 1.1.31, 1.1.31, DELL - 1072009
Windows version: 25H2 (Build 26200.8457)

Secure Boot status: Enabled

Current UEFI PK
√ Pegatron PK
Default UEFI PK √ Pegatron PK Current UEFI KEK √ Microsoft Corporation KEK CA 2011 (revoked: False) X Microsoft Corporation KEK 2K CA 2023 Default UEFI KEK √ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023

Default UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023

Current UEFI DBX
2025-10-14 (v1.6.0) : SUCCESS: 431 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None

Press any key to continue . . .



Show Secure Boot update events.cmd output


ProviderName: Microsoft-Windows-TPM-WMI

TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
5/20/2026 10:01:15 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/20/2026 10:01:15 PM 1796 Error The Secure Boot update failed to update 3P UEFI CA 2023 (DB) wi...
5/20/2026 10:01:15 PM 1796 Error The Secure Boot update failed to update Option ROM CA 2023 (DB)...
5/20/2026 10:01:15 PM 1796 Error The Secure Boot update failed to update Windows UEFI CA 2023 (D...
5/20/2026 2:09:01 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/20/2026 2:09:01 PM 1796 Error The Secure Boot update failed to update 3P UEFI CA 2023 (DB) wi...
5/20/2026 2:09:01 PM 1796 Error The Secure Boot update failed to update Option ROM CA 2023 (DB)...
5/20/2026 2:09:01 PM 1796 Error The Secure Boot update failed to update Windows UEFI CA 2023 (D...
5/20/2026 1:40:40 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/20/2026 1:40:40 PM 1796 Error The Secure Boot update failed to update 3P UEFI CA 2023 (DB) wi...
5/20/2026 1:40:40 PM 1796 Error The Secure Boot update failed to update Option ROM CA 2023 (DB)...
5/20/2026 1:40:40 PM 1796 Error The Secure Boot update failed to update Windows UEFI CA 2023 (D...
5/20/2026 11:33:26 AM 1801 Error Updated Secure Boot certificates are available on this device b...
5/20/2026 11:33:26 AM 1796 Error The Secure Boot update failed to update 3P UEFI CA 2023 (DB) wi...
5/20/2026 11:33:26 AM 1796 Error The Secure Boot update failed to update Option ROM CA 2023 (DB)...
5/20/2026 11:33:26 AM 1796 Error The Secure Boot update failed to update Windows UEFI CA 2023 (D...
5/20/2026 10:14:44 AM 1796 Error The Secure Boot update failed to update 3P UEFI CA 2023 (DB) wi...
5/20/2026 10:14:44 AM 1796 Error The Secure Boot update failed to update Option ROM CA 2023 (DB)...
5/20/2026 10:14:44 AM 1796 Error The Secure Boot update failed to update Windows UEFI CA 2023 (D...
5/19/2026 10:14:48 AM 1801 Error Updated Secure Boot certificates are available on this device b...
5/19/2026 10:06:51 AM 1801 Error Updated Secure Boot certificates are available on this device b...
5/18/2026 8:41:19 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/18/2026 8:33:20 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/18/2026 9:54:17 AM 1801 Error Updated Secure Boot certificates are available on this device b...
5/16/2026 6:53:51 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/16/2026 5:55:30 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/14/2026 4:13:23 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/14/2026 4:04:49 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/13/2026 9:17:00 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/13/2026 4:23:06 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/13/2026 11:07:36 AM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 10:37:56 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 10:08:55 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 9:24:53 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 8:26:19 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 8:01:07 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 7:39:12 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 7:19:07 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 7:07:48 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 6:33:09 PM 1801 Error Updated Secure Boot certificates are available on this device b...
5/12/2026 6:03:54 PM 1034 Information Secure Boot Dbx update applied successfully
5/12/2026 6:03:53 PM 1801 Error Updated Secure Boot certificates are available on this device b...



Press any key to continue . . .



And from event log:
Event[10648]
Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 2026-05-20T14:09:01.9440000Z
Event ID: 1796
Task: N/A
Level: Error
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: TopFuel
Description:
The Secure Boot update failed to update Windows UEFI CA 2023 (DB) with error The process cannot access the file because it is being used by another process.. For more information, please see Secure Boot DB and DBX variable update events - Microsoft Support

Event[10649]
Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 2026-05-20T14:09:01.9520000Z
Event ID: 1796
Task: N/A
Level: Error
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: TopFuel
Description:
The Secure Boot update failed to update Option ROM CA 2023 (DB) with error The process cannot access the file because it is being used by another process.. For more information, please see Secure Boot DB and DBX variable update events - Microsoft Support

Event[10650]
Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 2026-05-20T14:09:01.9610000Z
Event ID: 1796
Task: N/A
Level: Error
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: TopFuel
Description:
The Secure Boot update failed to update 3P UEFI CA 2023 (DB) with error The process cannot access the file because it is being used by another process.. For more information, please see Secure Boot DB and DBX variable update events - Microsoft Support

Event[10651]
Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 2026-05-20T14:09:01.9750000Z
Event ID: 1801
Task: N/A
Level: Error
Opcode: Info
Keyword: N/A
User: S-1-5-18
User Name: NT AUTHORITY\SYSTEM
Computer: TopFuel
Description:
Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection. This device signature information is included here.
DeviceAttributes: FirmwareManufacturerell Inc.;FirmwareVersion:1.1.31;OEMManufacturerNameell Inc.;OEMModelSKU:0859;OSArchitecture:amd64;
BucketId: 20b053aa5ab91c5a11490dea87f49522aa09ffaa65d03a1a24eb8d73cfd89c4d
BucketConfidenceLevel: Under Observation - More Data Needed
UpdateType:
For more information, please see Windows Secure Boot certificate expiration and CA updates - Microsoft Support.


I checked the MS links in the error messages but they were of no help.

Thanks
Barry

barryde said:

Manufacturer: Dell Inc.
Model: XPS 8930
BIOS: Dell Inc., 1.1.31, 1.1.31, DELL - 1072009

Click to expand...

Version 1.1.31 is the last BIOS for the XPS 8930. It's probably not a factory supported BIOS for CA 2023 updates.

barryde said:

Current UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023

Click to expand...

You're missing a Dell provided KEK CA 2023, which is blocking the update. And none will be provided.
Mostly likely, you need to delete all of the current Secure Boot keys, to allow the installation of a replacement set of keys.

1. Check if BitLocker encryption is enabled on the system drive, disable or suspend it.
2. Check if you're using Windows Hello PIN to unlock Windows. Disable it.
3. Enter the BIOS, and disable Secure Boot mode.
4. Change the UEFI mode to Custom mode.
5. Look for the option to Delete All Keys.
6. Restart Windows.

Download the scripts from this thread, and run the update script:
garlin's PowerShell scripts for updating Secure Boot CA 2023


After the script has confirmed successful install of a replacement set of Secure Boot certs, you can:

1. Enable Secure Boot mode.
2. Enable BitLocker and Windows Hello if needed.

garlin said:

You're missing a Dell provided KEK CA 2023, which is blocking the update. And none will be provided.
Mostly likely, you need to delete all of the current Secure Boot keys, to allow the installation of a replacement set of keys.

1. Check if BitLocker encryption is enabled on the system drive, disable or suspend it.
2. Check if you're using Windows Hello PIN to unlock Windows. Disable it.
3. Enter the BIOS, and disable Secure Boot mode.
4. Change the UEFI mode to Custom mode.
5. Look for the option to Delete All Keys.
6. Restart Windows.

Download the scripts from this thread, and run the update script:
garlin's PowerShell scripts for updating Secure Boot CA 2023

Click to expand...

Hi Garlin, I am not using either item mentioned in steps 1 and 2
When I enter the BIOS, the selections regarding Secure Boot Mode are

UEFI Boot Mode, Secure Boot ON
or
Legacy Boot Mode, Secure Boot Off

So I selected - Legacy Boot Mode, Secure Boot Off
I exited BIOS and let system attempt a boot which fails - seems he can't find the boot device

So looked around for step 4 setting: 4. Change the UEFI mode to Custom mode.
There is no setting like that.

I switched back to UEFI Boot Mode, Secure Boot ON and the pc now boots normally.

Any ideas?

Thanks
Barry

We're discussing two different settings.

1. UEFI Boot Mode will only run on a GPT system drive with an UEFI boot file, and Legacy Boot Mode will only run on MBR using the "BIOS" boot file. Although some BIOS'es have a quirky UEFI+CSM mode that allows both. Secure Boot doesn't exist for CSM, since it requires UEFI support.

2. Secure Boot mode manages whether cert enforcement is done. If your boot file isn't signed with the right certs, then you can't boot.

Your possible combinations are:


On some BIOS'es, there may not be an explicit option to choose a Custom Mode. You may end up in Custom Mode by making a different change like Deleting All Keys, or if your BIOS has options for manual key enrollment. On really old Dell's, manual enrollment doesn't really work with these types of certs, and you have to choose the Delete All Keys option (which should end up as "Custom Mode").

When the keys are gone, it's possible to install a whole new set of keys to replace them (which are now compatible with CA 2023). Until then, the lack of factory support holds you back.

Hi Garlin, silly me, I didn't look close enough to the options.

I have now set UEFI Boot Mode, Secure Boot Off

However, I don't see any options like Delete keys or Custom Mode or Manual Enrollment

I do see some cryptic settings like:
UEFI Firmware Capsule Updates and it is set to <ENABLE>
UEFI Boot Path Security and it's set to <Always Except Internal HDD>


Also there are these:
Intel Software Guard Extensions
the option are:
Disabled
Enabled
Software Controlled <============= Thia is the one that is set

Thanks
Barry

You should have an entire Secure Boot submenu, these are the generic high-level settings for CPU modes.

How To Update Secure Boot Active Database from BIOS | Dell US

Hi, I checked this page for the BIOS examples
How To Update Secure Boot Active Database from BIOS | Dell US

I have BIOS Type 4. however there the menus don't match exactly

The link you sent says this:

Perform the following steps:​

1. Press F2 to enter the BIOS
2. Select Security tab along top
3. Select Secure Boot

There is no Secure Boot on the Security Tab - mine is on the Boot Tab




Mine is on the Boot Tab






The only selections on the Boot --- Secure Boot ---- are enable or disable




Any ideas

Thanks
Barry

This is a REALLY OLD PC. It's unlikely any Secure Boot update is possible.

You have two (or three) options:
1. Leave Secure Boot mode enabled, and ignore all future Windows messages and alerts about Secure Boot. Windows can't help you with updates, but it will complain more and more as time goes by. You will be slightly more protected with Secure Boot than without it

2. Leave Secure Boot mode disabled, which is less secure but eliminates a lot of Windows warnings about failed update attempts. When you don't have Secure Boot enabled, Windows will know not to bother trying.

3. Get a less outdated PC.

garlin said:

This is a REALLY OLD PC. It's unlikely any Secure Boot update is possible.

Click to expand...

It's too bad his outdated bios is preventing him from updating Secure Boot certs.
My i7-8700 is one generation older than his i7-9700 but my ASUS bios is more modern
and allowed my to add the CA2023 certificate using a .der file from Github. Ever since
then WU has been doing it's thing and keeping it updated.

Hi Garlin, I found the setting to change to get to Key Management Screen.


When I followed steps 1-3 and then went to step 4 I there was no BIOS options for Key Management

1. Check if BitLocker encryption is enabled on the system drive, disable or suspend it.
2. Check if you're using Windows Hello PIN to unlock Windows. Disable it.
3. Enter the BIOS, and disable Secure Boot mode.
4. Change the UEFI mode to Custom mode.
5. Look for the option to Delete All Keys.
6. Restart Windows.

I had to have enable Secure Boot on the Boot tab. I then save and exited the BIOS to set the Secure Boot. I then went back into the BIOS and Secure Boot was a selectable option on the Security tab. When selected it went to the Key Management screen and the options were <standard> and <custom>





So you original instructions were this:

1. Check if BitLocker encryption is enabled on the system drive, disable or suspend it.
2. Check if you're using Windows Hello PIN to unlock Windows. Disable it.
3. Enter the BIOS, and disable Secure Boot mode. <==================
4. Change the UEFI mode to Custom mode. <==================
5. Look for the option to Delete All Keys.
6. Restart Windows.


So I thinks the screenshots are good news so I can continue with your update instructions but I think step 3 should should be"
3. Enter the BIOS and change the UEFI mode to Custom mode
4. Look for the option to Delete All Keys.
5. Restart Windows


Download the scripts from this thread, and run the update script:
garlin's PowerShell scripts for updating Secure Boot CA 2023


Since at this point I don't know what state my BIOS will be in when I delete the keys?
Will I need to be in secure boot enabled still be enabled after this, Disabled because all the keys are deleted or something else


Thanks
Barry

If you switch to Custom Mode, does that unlock other options to Delete Keys? We may be looking at a really old BIOS that has limited support for replacing the current Secure Boot keys.

Hi , I didn't drill in the the Custom Mode options last night, so I just did and here are the options



So I assume I want to
1. select Delete All Secure Boot Variables
2. save settings
3. restart and let windows boot
4. run Update-UEFI.bat
5. cross fingers all goes well

Do I want to do a normal windows boot or a clean boot or doesn't matter?

Barry