Solved Secure boot certificate 2023 valid but event present


In the UEFI security model, cert enforcement is a "chain of trust"

Your UEFI's Platform Key is owned by the OEM. It validates one or more Microsoft KEK certs (2011 or 2023).
The KEKs validate one or more Microsoft DB or DBX certs.

While you could install the CA 2023 DB or DBX certs without the matching KEK CA 2023, the absence of KEK CA 2023 means those certs don't work in Secure Boot mode (enabled). For security reasons, the OEM must use their PK to sign Microsoft's KEK to confirm it's trusted.

The holdup for so many unsupported systems is the OEM isn't signing the KEK. They don't have to provide a whole new BIOS update, they can simply send the signed KEK as a file to MS. MS can use that file to append KEK CA 2023 on a live system, even if your BIOS doesn't have factory support for it.

This is the "Secure Boot (KEK)" message seen in Windows Update by some users. But not every PC will get the KEK installed, because your OEM didn't bother signing it for MS. Signing KEK certs isn't super hard for vendors. It's running a bunch of scripts and tools, and MS provides reference examples.
My Computer: System One, OS: Windows 7
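As an added example (not from this thread or from Microsoft), the following PowerShell check reads the live KEK and db variables on a UEFI system and reports which Microsoft CAs are actually enrolled, by parsing the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns. The expected subject names are the published Microsoft 2011 and 2023 CA names and are an assumption of the check; run it from an elevated PowerShell.

```powershell
# Added example: parse EFI_SIGNATURE_LIST blobs from the firmware and list X.509 subjects.
# Get-SecureBootUEFI is in the built-in SecureBoot module (Windows 8+); needs elevation.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EslCertificates {
    param([byte[]]$Bytes)
    $certs = @()
    [int]$off = 0
    # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
    while ($off + 28 -le $Bytes.Length) {
        $type     = [Guid]::new([byte[]]$Bytes[$off..($off + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $off + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $off + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $off + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop, don't loop forever
        $sigOff = $off + 28 + $hdrSize
        while ($sigOff + $sigSize -le $off + $listSize) {
            if ($type -eq $X509Guid) {
                # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$Bytes[($sigOff + 16)..($sigOff + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $sigOff += $sigSize
        }
        $off += $listSize
    }
    return $certs
}

# Assumed CA names (Microsoft's published 2011 and 2023 Secure Boot certificates).
$expected = @{
    KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
            'Microsoft Corporation UEFI CA 2011',    'Microsoft UEFI CA 2023')
}

foreach ($var in 'KEK', 'db') {
    $subjects = (Get-EslCertificates -Bytes (Get-SecureBootUEFI -Name $var).Bytes).Subject
    Write-Host "`n$var contains:"
    $subjects | ForEach-Object { Write-Host "  $_" }
    foreach ($name in $expected[$var]) {
        $state = if ($subjects -match [regex]::Escape($name)) { 'present' } else { 'MISSING' }
        Write-Host "  [$state] $name"
    }
}
```

A db that shows "Windows UEFI CA 2023" while the KEK shows only the 2011 KEK CA is exactly the situation the post above describes: the 2023 db entry is there, but without the PK-signed KEK CA 2023 the chain of trust for future db/dbx updates is not complete.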
154 DBX entries were retired from the April 2026 version of DBXupdate.bin. 151 from MS, 3 from Canonical.
My Computer: System One, OS: Windows 7
Thank you. To clarify: when I use a script to get all those Secure Boot keys, and whenever I clear those keys, is Microsoft still going to give them to me after June 2026? Will my device be marked as having already received them, so that I will not receive them later?
My Computer: System One, OS: Windows 11, Computer type: PC/Desktop, Manufacturer/Model: Asrock b760 pro rs