OEM's and their Secure Boot Keys (2023) BIOS Update Policy


My experience is HP were very proactive & provided updates ahead of every other brand laptop in the house for this Secure Boot 2023 key exchange (on PCs aged between 2017 & 2022). The 2024 Lenovo Yoga 9i was the next one after HP, & the Dell XPS 9700 got it a month ago.

Absolutely nothing for the Gigabyte laptops though. One I'm not surprised about as it's 11 years old, but the 12th gen 2023 Gigabyte Aero XE5 hasn't received anything. It's only had 1 BIOS update since it came out & that was a few months after purchasing, & will not have included the necessary changes. I'm not holding my breath...
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    HP Zbook 15v
    CPU
    i7-8850H
    Memory
    16GB
    Graphics Card(s)
    Intel UHD 530 + Quadro P600
    Monitor(s) Displays
    When used as a desktop - Dell P2415Q (4K)
    Screen Resolution
    4K
    Hard Drives
    1 x SSD
    Keyboard
    Logitech MX Keys
    Mouse
    Logitech MX Anywhere 3
    Internet Speed
    4G Wireless Broadband. Speeds vary from 260/50 to 70/20 (Mb) depending on day/time.
    Browser
    Edge, Chrome. Firefox
    Antivirus
    Windows Defender. MBAM Pro
    Other Info
    No battery - spicy pillow removed. Laptop is permanently plugged in.
For HP owners, you may have a look at this HP website for a probable BIOS update: https://support.hp.com/my-en/document/ish_13070353-13070429-16

Please expand the "Supported Platforms and Minimum BIOS Versions List" and look for your model PC. You will find the link to updated BIOS if your PC is listed in the page.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-4790
    Motherboard
    Asus H97 Pro Gamer with add-on TPM1.2 module
    Memory
    Teams DDR3-1600 4x4 GB
    Graphics Card(s)
    MSI Nvidia GeForce GTX 1050Ti
    Sound Card
    Realtek ALC1150
    Monitor(s) Displays
    Dell P2425D
    Screen Resolution
    2560 by 1440 pixels
    Hard Drives
    Corsair NVMe M.2 Core XT 1000 GB (Windows 11 v.25H2); Samsung SATA Evo 870 500 GB (Windows 11 v.25H2);
    PSU
    Corsair HX850
    Case
    Gigabyte Solo 210
    Cooling
    Zalman CNPS7X Tower
    Keyboard
    Microsoft AIO Wireless (includes touchpad)
    Mouse
    HP S1000 Plus Wireless
    Internet Speed
    500 Mb fiber optic
    Browser
    Chrome; MS Edge
    Antivirus
    Windows Defender
  • Operating System
    MacOS 12 Monterey
    Computer type
    Laptop
    Manufacturer/Model
    Apple Macbook Air
    CPU
    Intel Core i5
    Memory
    8 GB
    Graphics card(s)
    Intel integrated
    Screen Resolution
    1440 by 900 pixels
    Hard Drives
    128 GB
    Keyboard
    Built-in
    Mouse
    Microsoft Wireless
    Internet Speed
    802.11 ac
    Browser
    Chrome; Safari
    Antivirus
    N/A
I have a notebook PC, HP EliteBook 840 G5 from late 2018 (built in the last week of 2018 by the serial number) and it was in the list of BIOS updates.

HP-BIOS-1.webp

HP-BIOS-1-1.webp

HP refreshed the page two days ago and I saw to my disappointment and dismay that my PC was left off the BIOS update chart. It was removed from the list of BIOS updates. The last BIOS update date was moved up one year to 2019.

HP-BIOS-2.webp

Now what I think is, if HP didn't dare to update its own notebook BIOS and refrained from it, how will I be able to update the BIOS for new Microsoft Windows UEFI CA2023 certificates ??? This notebook has what HP calls HP Sure Start security system. I disabled HP Sure Start Certificate protection in BIOS and whole BIOS protection to see if Windows Update could handle certificate replacement. The answer is no.
 

Microsoft should force the OEMs to provide latest BIOS update with these 2023 certificates or to allow users to manually update the certificates. Like in my case, I constantly mailed Acer for like 7 days in which they said since my laptop is out of warranty, they won't do it and to contact Microsoft directly. Later, they remembered something or get some knock on their heads and updated their Secure Boot KB article with laptop models. Now, that page also lists models that came before mine lol.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Acer Predator Helios 300 PH314-54-72ZJ
    CPU
    Intel Core i7-11800H
    Motherboard
    TGL
    Memory
    16GB (2x8 GB)
    Graphics Card(s)
    RTX 3060 Laptop GPU
    Sound Card
    Realtek ALC295
    Monitor(s) Displays
    1
    Screen Resolution
    2560 x 1440 @ 165Hz
    Hard Drives
    1TB NVMe SSD, 512GB NVMe SSD, 1TB 7200 RPM HDD
    Cooling
    Aeroblade 5th Gen 3D fan
    Keyboard
    RGB Laptop keyboard
    Mouse
    Logitech Lightsync G203
    Internet Speed
    175 Mbps up/175 Mbps down
    Browser
    Firefox with uBlock Origin and YouTube enhancing extensions..
    Antivirus
    Windows Security with Core Isolation on
Now what I think is, if HP didn't dare to update its own notebook BIOS and refrained from it, how will I be able to update the BIOS for new Microsoft Windows UEFI CA2023 certificates ??? This notebook has what HP calls HP Sure Start security system. I disabled HP Sure Start Certificate protection in BIOS and whole BIOS protection to see if Windows Update could handle certificate replacement. The answer is no.
HP Sure Start is not the answer. Every BIOS needs a signed KEK CA 2023 certificate to validate the other CA 2023 certs.

Vendors have two options to provide the KEK CA 2023:
- Release an updated firmware, adding the CA 2023 certs to the factory defaults
- Provide MS with a signed KEK, so it can be deployed by Windows

If your vendor doesn't follow either option, you may be able to try:
- Manual key enrollment of KEK CA 2023 from a cert file
- Delete all certs and go into Setup mode, before replacing them with a MS provided set of certs

Sure Start and BIOS protections must be disabled in order to try the manual steps.

Microsoft should force the OEMs to provide latest BIOS update with these 2023 certificates or to allow users to manually update the certificates. Like in my case, I constantly mailed Acer for like 7 days in which they said since my laptop is out of warranty, they won't do it and to contact Microsoft directly. Later, they remembered something or get some knock on their heads and updated their Secure Boot KB article with laptop models. Now, that page also lists models that came before mine lol.
Some of the smaller brands are making last-minute pushes to get out BIOS updates. End of last year was supposed to be the general deadline for OEM's, but a few updates are still being submitted. Larger brands like Dell or HP are "finished".
 

My Computer

System One

  • OS
    Windows 7
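
The KEK, db and dbx stores discussed in the post above can be inspected from an elevated PowerShell prompt before deciding on a BIOS update or manual enrollment. This is an added example, not a script from this thread or from any poster; it assumes the standard `Get-SecureBootUEFI` cmdlet and the Microsoft certificate subject names listed in its comments, and it only reads firmware variables.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only inventory of the Secure Boot certificate stores.
# Nothing here writes to firmware variables.

$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    $bytes  = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset = 0
    # Each variable is a sequence of EFI_SIGNATURE_LIST structures:
    # 16-byte type GUID, then list size, header size, signature size (UInt32 each).
    while ($offset + 28 -le $bytes.Length) {
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        $end        = $offset + $listSize
        if ($listSize -lt 28 -or $end -gt $bytes.Length) { break }   # malformed list

        # Only X.509 lists carry certificates; hash-only lists (most of dbx) are skipped.
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $headerSize
            while ($entry + $sigSize -le $end) {
                # Each entry is a 16-byte owner GUID followed by the DER certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.Subject
                    NotAfter = $cert.NotAfter
                }
                $entry += $sigSize
            }
        }
        $offset = $end
    }
}

# Subject CNs of the Microsoft 2023 certificates and the store each belongs in.
$expected = [ordered]@{
    'Microsoft Corporation KEK 2K CA 2023' = 'KEK'
    'Windows UEFI CA 2023'                 = 'db'
    'Microsoft UEFI CA 2023'               = 'db'
    'Microsoft Option ROM UEFI CA 2023'    = 'db'
}

$certs = foreach ($store in 'PK', 'KEK', 'db', 'dbx') {
    try   { Get-SecureBootCertificate -Name $store }
    catch { Write-Warning "Could not read ${store}: $($_.Exception.Message)" }
}

# Full listing, so an OEM PK/KEK and any expiring 2011 certificates are visible.
$certs | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter -AutoSize

foreach ($cn in $expected.Keys) {
    $store   = $expected[$cn]
    $pattern = "CN=$([regex]::Escape($cn))(,|$)"
    $found   = [bool]($certs | Where-Object { $_.Variable -eq $store -and $_.Subject -match $pattern })
    '{0,-38} in {1,-3}: {2}' -f $cn, $store, $(if ($found) { 'present' } else { 'MISSING' })
}

# The 2011 signing certificate appears in dbx only after revocation has been applied.
$revoked = [bool]($certs | Where-Object {
    $_.Variable -eq 'dbx' -and $_.Subject -match 'CN=Microsoft Windows Production PCA 2011(,|$)'
})
"Microsoft Windows Production PCA 2011 revoked in dbx: $revoked"
```

A missing KEK entry alongside present db entries, or the reverse, shows which of the steps described in the post has actually taken effect on the machine.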
If your vendor doesn't follow either option, you may be able to try:
- Manual key enrollment of KEK CA 2023 from a cert file
- Delete all certs and go into Setup mode, before replacing them with a MS provided set of certs

Sure Start and BIOS protections must be disabled in order to try the manual steps.
Thanks for your reply.

Your solution will be my last resort.

According to HP documentation below, I have not yet lost all my hope.

EOL-PC.webp

I will wait for some time for HP to update the page and come up with a viable solution. But my thinking is worded by HP in its note: Select product configurations might not be able to receive the updated certificates.
 

I will wait for some time for HP to update the page and come up with a viable solution. But my thinking is worded by HP in its note: Select product configurations might not be able to receive the updated certificates.
That's HP saying "your PC is unsupported".
 

My Gigabyte B550i has been stuck in a low confidence bucket for some months. It's quite normal to see multiple BIOS releases, some lasting only a week or so and others for many months - so users will likely be on many different BIOS versions. For AM4 (B450 B550 etc) there was a non-beta release last October - but my board was still on a slightly earlier, but functionally similar, interim version number.

I updated the BIOS to that latest version, and even though it still didn't contain the new certs, not long after I saw the WU notification of cert update - getting the update was entirely due to switching to the more common BIOS version number and being in a high confidence bucket.

My B850 board did come with new certs in BIOS - it's an uncommon board with an earlier BIOS so is also in a low confidence bucket - but that's OK as it's not relying on getting certs via WU. For B650 owners there's a chance that updating to latest BIOS will contain the latest certs

But for AM4 although the BIOS was released last year it still didn't include the new certs - it's simply getting a more common BIOS version number that triggered the WU.

Updating BIOS is not without risk and effort - getting the update file is not so easy on non-retail boards and with Gigabyte AM4 there's still the quirk that with BIOS update SB goes to Not Active - as seen by 1000s of users - I use the trick of toggling in and out of Custom to load keys to allow SB to be properly enabled.

What happens in the future if BIOS needs to be reset when it doesn't contain the new certs is unclear. The update last year was to get TPM-B when users couldn't play certain games so maybe manufacturers will be forced to provide updates for certs too.

--

So the problems are -
- OEMs not including new certs for common products even in BIOS updates in the last year,
- the whole bucket system being flawed - each bucket should contain a range of version numbers with identical characteristics to avoid people needing to update BIOS
- this process happening with only a couple of months to go
 

My Computer

System One

  • OS
    Windows 11
The Confidence Bucket scheme is to help large organizations who own fleets of PC's (they bought hundreds or thousands of the same model PC). Since they're all the same model, the update will work or fail the same for all of the PC's.

Where the buckets fail is when you don't have a popular PC model that MS has collected data on. So the Secure Boot scheduled task is very cautious. It's waiting for help. Once enough data is collected, the task might be approved to try updating the certs.

MS invented a solution to help the big companies (who own large numbers of PC), but it really doesn't help you at home. Everyone gets the Confidence Bucket warnings, even if it doesn't speed up the update process.

I would suggest just running an update script, and finding out the results now. If you wait too long, the window to get things fixed will be too short and people will unnecessarily be in a panic mode. When the deadline passes, your Windows will still be working with old certs. It just won't be protected as much as having the PCA 2011 revoked.
 

For information only for those who might have an idea where I can find .bin files for MS Windows CA2023 certificates for HP notebooks, my HP BIOS has a setting to "Import Custom Secure Boot keys". If this works, then I may be able to update to CA2023 certificates. The certificates must be in .bin file format.

BIOS-SB-MENU.webp
 

The problem is you still need a signed KEK CA 2023 from HP. HP will not provide you a .bin file for this.
You can't make one unless you make a new set of self-signed certs. Mosby follows this method, and is one option.

You have another option to Clear Secure Boot Keys and apply the Windows OEM Devices PK certs as a direct replacement for your current keys.

The Windows OEM Devices PK is a PK provided by MS, it ships with a matching KEK CA 2023. This solves the problem of not having a working KEK CA 2023. But it requires wiping the original HP PK and substituting a MS-provided PK and KEK CA 2023. Same device security, but you bypass HP because they won't support your old PC.
 

The problem is you still need a signed KEK CA 2023 from HP. HP will not provide you a .bin file for this.
You can't make one unless you make a new set of self-signed certs. Mosby follows this method, and is one option.
What exactly is Mosby?
 

My Computer

System One

  • OS
    Win 10 Pro 19045.6937 Win 11 25H2 VM
    Computer type
    Laptop
    Manufacturer/Model
    Dell Precicion 15 Workstation
    CPU
    Xeon W-10885M
    Motherboard
    Dell
    Memory
    64GB ECC DDR4 128GB max
    Graphics Card(s)
    Intel 1080p + Quadro RTX 5000 Max-Q 16GB 4K
    Sound Card
    onboard Realtec
    Monitor(s) Displays
    NA
    Screen Resolution
    1080p to 4k
    Hard Drives
    1 TB Samsung 9100 M2 SSD main
    2 TB Samsung 9100 M2 SSD storage
    500 GB Corsair T500 storage M2 SSD (6 TB max)
    PSU
    NA
    Case
    NA
    Cooling
    NA
    Keyboard
    backlit
    Mouse
    Logitec M720 Bluetooth Free scroll
    Internet Speed
    slow
    Browser
    Pale Moon 33.9.x.x - x64 AVX2 build
    Antivirus
    Windows Defender
It will still boot, just that your certs will no longer get updated.

You simply remain on the secure boot certificate you have. Windows 11 will continue to run. Older PCs won't be bricked.
 

My Computers

System One System Two

  • OS
    Windows 11 Education For 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP ZBook G2
    CPU
    Intel® Core i7 5500u
    Motherboard
    HP
    Memory
    8 GB
    Graphics Card(s)
    Intel HD Family Graphics 5500 AMD Firepro 4150M
    Sound Card
    Realtek High Audio
    Hard Drives
    1 TB SSD
    Mouse
    HP USB Mouse
    Antivirus
    Windows Defender
  • Operating System
    Windows 11 Pro For Workstations 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Zbook G4
    CPU
    Xeon 1535m v6
    Motherboard
    HP
    Memory
    32 GB
    Graphics card(s)
    AMD Quadro Pro 4100
    Sound Card
    Bang and Olufson Audio
    Hard Drives
    1TB SSD
    Mouse
    HP USB Mouse
    Antivirus
    Windows Defender
Until Windows ships a new boot manager which is signed by Windows UEFI CA 2023. Then your out-of-compliance BIOS can't do Secure Boot. So you're trapped with a version of Windows which can't be updated past the end of summer 2026.

For a number of PC's, it's possible to replace the factory certs in UEFI Setup Mode and install the Windows OEM Devices PK certs in its place. But that's a manual process, and will be scary for a large number of folks. It can't be fully automated since you have to be in front of the BIOS menus.

Windows 11 will still continue to boot. The secure boot manager will run on the installed certificate. That's it. This issue is as irrelevant to older PCs as the Y2K scare. The world won't end in June 2026.
 

This is not true. Some users must run with Secure Boot disabled, because they have legacy device drivers which don't pass security requirements.

Windows has never blocked your ability to get monthly updates based on HW restrictions, it will only block your ability to perform a clean install or upgrade to the next release. MS would prefer not to leave unsupported systems unprotected since it creates bad PR for the brand. It's not officially stated policy, but it's how they've operated for two decades.

Some older PCs don't have UEFI or Secure Boot. Windows 11 will still run. If secure boot was a hard requirement, it couldn't be bypassed on them. You can run Windows 11 on such PCs after June 2026. Nothing will change.
 

Microsoft should force the OEMs to provide latest BIOS update with these 2023 certificates or to allow users to manually update the certificates. Like in my case, I constantly mailed Acer for like 7 days in which they said since my laptop is out of warranty, they won't do it and to contact Microsoft directly. Later, they remembered something or get some knock on their heads and updated their Secure Boot KB article with laptop models. Now, that page also lists models that came before mine lol.

If your PC is older than 2018, you will remain on the installed secure boot certificate. If its newer, you will get a BIOS update that will trigger the secure boot certificate update. That's how this is being dealt with by OEMs.
 

That's HP saying "your PC is unsupported".

Unsupported PCs are PCs that no longer receive vendor support. Neither of my ZBook workstations are supported for Windows 11. But it still runs on them. I don't expect an issue with the installed secure boot certificate.
 

You're missing the entire point of this exercise. The Black Lotus UEFI rootkit is well known to Windows security researchers, and by now other variants are out there. To close the security holes, Windows needs to both revoke the CA 2011 cert used to validate the older (vulnerable) boot managers and to enforce version control on newer CA 2023-signed boot managers.

If you choose to ignore the Secure Boot migration, or have an unsupported PC, you're exposed to boot manager attacks. Now the real-world chances that an average home user will be targeted may be low, but that's the equivalent of advocating "you don't need to run an anti-virus or firewall security product" because bad stuff only happens to other users.

For those users who are interested in protecting their devices, a number of outdated PC's can be retrofitted with replacement certs.
 

For HP notebook PC owners, whose notebook PCs fall outside of manufacturer's service life, you can follow the procedure outlined in this website to install Secure Boot certificates CA 2023:

https://h30434.www3.hp.com/t5/Busin...3-CA-certificates-in-pre-2018-HP/td-p/9628370

The pre-2018 phrase in above web site is misleading. This was specifically stated because HP kept all 2018 M/Y PC inside service life at first and would release BIOS updates to renew Secure Boot certificates. HP later decided to leave all 2018 PCs outside service life for reasons unknown to me.

I followed the above-mentioned procedure and my HP EliteBook 840 G5 notebook PC (of M/Y 2018) is fully updated SecureBoot-wise.

I did some things that are not stated in the above procedure. My notebook PC has "HP Sure Start tech" incorporated. Therefore, I also disabled Secure Boot certificate protection in BIOS.

I used Powershell 7.6.0. I do not know if that matters.

The procedure does not tell about revocation of old CA 2011 certificate. You can find all relevant information in @garlin 's post here:


@garlin also has a good number of powershell scripts in the above post that may automatically update PCs' secure boot certificates that have not received BIOS updates.

The following screenshot is from my HP notebook using one of @garlin 's check secure boot state script "Check_UEFI-CA2023.ps1", which you can get from the above elevenforum web site.

SB.webp

The same procedure may also work for other notebook PCs outside of manufacturers' service life.

Hope this helps.
 
