Secure Boot Problem.


Dirtyflash said:
Did your BIOS Secure Boot settings change when you updated, or was the Custom setting with reference to the KEK something new?
Click to expand...
Within the BIOS itself, nothing changed after the update. I left the switch to Custom settings in place and did not revert back to original Standard. I could not see a reason to revert back.

Within, Windows 11, the update changed Device Security - Secure Boot to "Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed."

A reminder, about 24 hours was needed before Microsoft did the update after my settings change.
 

My Computers

System One System Two

  • OS
    Windows 11 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Microsoft Surface 7 Laptop/64-bit ARM Snapdragon X-12-core
    CPU
    64-bit ARM Snapdragon X-12-core/3.40GHz
    Memory
    16.0 GB
    Graphics Card(s)
    QUALCOMM R Adreno X1-85 GPU
    Screen Resolution
    2496x1664
  • Operating System
    2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell-XPS8940
    CPU
    11th Gen Intel (R) Core i7-11700 @ 2.50GHz
    Memory
    32.0GB
    Graphics card(s)
    Multiple GRUs install (Nvidia-Intel)
    Monitor(s) Displays
    Samsung G5
    Keyboard
    Mx3
    Mouse
    Mx3
    Internet Speed
    700mb
    Browser
    Edge
I had a hell of a time getting mine updated.

I went to Dell looking for the latest BIOS update, the one they offered was from Jan but I applied it. No luck.

Came across a page with some confusing instructions as well as telling me I had to tell it which BIOS I was running (they had 8 to choose from).

Went back to Dell & did some digging, found a newer update that wasn't offered on the initial list. Updated to that. Still no change in the cert.

Went with garlins script & d/l ed the new cert. Now I had both of them in the system. Rebooted several times, still booting from the old one.

Waited a couple days to see if the new one would be recognized. Nope.

Went back to the scripts & had to manually revoke the permissions of the old cert.

That did the trick. Finally got things on track.
 

My Computer

System One

  • OS
    Win 11 Pro, Win 10 pro, Win 13.7 Pro Chinese Ver
    Computer type
    PC/Desktop
    Manufacturer/Model
    It's a Dell Dude
    CPU
    12th Gen Intel(R) Core(TM) i9-12900 2.40 GHz
    Motherboard
    Father is bored too...
    Memory
    64.0 GB of transcendental dimensional RAM
    Graphics Card(s)
    NVIDIA GeForce RTX 3070 Ti
    Sound Card
    N/A
    Monitor(s) Displays
    27" Samsung Monitor/Alternative Dimensional Viewing Portal
    Screen Resolution
    Fuzzy after a couple drinks
    Hard Drives
    2 or 3, depending on if it's a night they're arguing about having a "split personality crisis" because I partitioned the drive.
    PSU
    Shockingly active
    Case
    Don't get on my case....man
    Cooling
    Scotch on the rocks on the weekends.
    Keyboard
    Steel Series Lighted Glow in the dark something or another
    Mouse
    Currently being stalked by the cat...
    Internet Speed
    DSL
    Browser
    Defeated by Mario...wait...OH...BRowser...
    Antivirus
    Yep
You can wait for June's Patch Tuesday, but I doubt your PC will be automatically updated.

The answer is in your reg keys:
Code: 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing]
"WindowsUEFICA2023Capable"=dword:00000002
"UEFICA2023Status"="InProgress"
"BucketHash"="2c4b724581ad294f70e62fe9e37e377a9ea69783dd8c732dba32bc215df91d20"
"ConfidenceLevel"="High Confidence"
"LastParsedBucketDataVersion"=dword:00000010
"ConfidenceUpdateType"=dword:00005944
"KEKLastUpdateError"=dword:80070002
"KEKLastUpdateErrorReason"="Firmware_MissingKEKInPackage"  <-- No KEK file provided by Acer to MS
"UEFICA2023Error"=dword:80070002
"UEFICA2023ErrorEvent"=dword:0000070b
 

My Computer

System One

  • OS
    Windows 7
Reldel said:
I have been watching this thread with interest and while Acer54 hasn't yet posted an anticipated successful outcome, I thought I would share my successful Acer Secure boot outcome.

My wife has a 2022 Acer C24-1700 all in one that was not going to be given a 2023 Cert update from Acer. The computer was getting warnings from Microsoft Security Center that the machine was not eligible for the Secure Cert update.

I checked the Acer support website and found there was a 2025 bios update that had not been installed. I thought perhaps that update might unfreeze the eligibility. I installed it and then waited several days to see if anything changed. It did not.

My next step was to go into the bios and check the Secure Boot settings. The machine was set to Standard Secure Boot option; I believe that was the standard OEM delivery option. I was looking for anything that might have some KEK reference. The alternate setting option was Custom. Indeed, it had a KEK reference within the description. I changed the option to Custom and then was prepared to see if anything changed over time. Within 24 hours the update was installed from Microsoft and now the Secure Boot Certificate is accepted and issue resolved.

I hope this might help others with an unresolved Acer issue.
Click to expand...
You got lucky. I have an Acer laptop, where no CA2023 KEK exists! But, then the last BIOS update was definitely before it even was 2023, so no surprise. (IIRC, it was no later than 2021, so such users like me with that laptop, are SOL!) It's a 9th-gen and Acer, apparently will not support 9th-gen era PCs, apparently.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64 24H2
    Computer type
    PC/Desktop
    CPU
    Ryzen 9 5900X
    Motherboard
    ASRock B550 PG Velocita (UEFI-BIOS 3.90)
    Memory
    64 GB G.Skill RipJaws V F4-3200C16D-64GVK
    Graphics Card(s)
    ASRock Steel Legend Arc B580 12 GB
    Monitor(s) Displays
    Alienware AW3423DWF OLED ultrawide
    Hard Drives
    Samsung 990 Pro 1 TB NVMe SSD
    PSU
    eVGA Supernova 750 G3
    Case
    Corsair 275R
    Internet Speed
    VTel FTTH 1 Gb down and 1 Gb up
  • Computer type
    PC/Desktop
    CPU
    Ryzen 7 5800X3D
    Motherboard
    Asus ROG Strix B550-F Gaming (UEFI-BIOS version 3607)
    Memory
    32 GB (2x16 GB G.Skill TridentZ Neo)
    Graphics card(s)
    Sapphire Nitro+ Radeon RX 6750 XT
    Hard Drives
    Samsung 970 Pro 512 GB NVMe SSD
    PSU
    Corsair RM850x
    Case
    Fractal Focus G
RJARRRPCGP said:
You got lucky. I have an Acer laptop, where no CA2023 KEK exists! But, then the last BIOS update was definitely before it even was 2023, so no surprise. (IIRC, it was no later than 2021, so such users like me with that laptop, are SOL!)
Click to expand...
Check if your BIOS menus have the option to manually add (append) Secure Boot keys. MS cannot automate an update, if it requires you to be sitting in front of the BIOS screen.

A large number of PC's from around 2020 onward can be saved. It's the really old ones before 2020 that have the most troubles.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
Check if your BIOS menus have the option to manually add (append) Secure Boot keys.

A large number of PC's from around 2020 onward can be saved. It's the really old ones before 2020 that have the most troubles.
Click to expand...
It could be before 2020, because it's 9th-gen. I suspect 'TXes get better treatment! (especially ATX/mATX) As I have a motherboard that's only a year newer and got a BIOS update in 2025.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64 24H2
    Computer type
    PC/Desktop
    CPU
    Ryzen 9 5900X
    Motherboard
    ASRock B550 PG Velocita (UEFI-BIOS 3.90)
    Memory
    64 GB G.Skill RipJaws V F4-3200C16D-64GVK
    Graphics Card(s)
    ASRock Steel Legend Arc B580 12 GB
    Monitor(s) Displays
    Alienware AW3423DWF OLED ultrawide
    Hard Drives
    Samsung 990 Pro 1 TB NVMe SSD
    PSU
    eVGA Supernova 750 G3
    Case
    Corsair 275R
    Internet Speed
    VTel FTTH 1 Gb down and 1 Gb up
  • Computer type
    PC/Desktop
    CPU
    Ryzen 7 5800X3D
    Motherboard
    Asus ROG Strix B550-F Gaming (UEFI-BIOS version 3607)
    Memory
    32 GB (2x16 GB G.Skill TridentZ Neo)
    Graphics card(s)
    Sapphire Nitro+ Radeon RX 6750 XT
    Hard Drives
    Samsung 970 Pro 512 GB NVMe SSD
    PSU
    Corsair RM850x
    Case
    Fractal Focus G
I noticed that ASRock has good support with their ATXes.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64 24H2
    Computer type
    PC/Desktop
    CPU
    Ryzen 9 5900X
    Motherboard
    ASRock B550 PG Velocita (UEFI-BIOS 3.90)
    Memory
    64 GB G.Skill RipJaws V F4-3200C16D-64GVK
    Graphics Card(s)
    ASRock Steel Legend Arc B580 12 GB
    Monitor(s) Displays
    Alienware AW3423DWF OLED ultrawide
    Hard Drives
    Samsung 990 Pro 1 TB NVMe SSD
    PSU
    eVGA Supernova 750 G3
    Case
    Corsair 275R
    Internet Speed
    VTel FTTH 1 Gb down and 1 Gb up
  • Computer type
    PC/Desktop
    CPU
    Ryzen 7 5800X3D
    Motherboard
    Asus ROG Strix B550-F Gaming (UEFI-BIOS version 3607)
    Memory
    32 GB (2x16 GB G.Skill TridentZ Neo)
    Graphics card(s)
    Sapphire Nitro+ Radeon RX 6750 XT
    Hard Drives
    Samsung 970 Pro 512 GB NVMe SSD
    PSU
    Corsair RM850x
    Case
    Fractal Focus G
You must log in or register to reply here.

Similar threads

After 2025-10 update, secure boot problems with recovery media built with WinRE?
Replies
14
Views
3K
Ghot
Ghot
QUESTIONS regarding SECURE BOOT
Replies
12
Views
513
Lou
Lou
Solved Secure Boot Certificate
2
Replies
25
Views
2K
NormanF
N
Solved Secure Boot certificate updates fix?
Replies
6
Views
440
Steve C
Steve C
Solved Windows Secure Boot certificates expiring in 2026
Replies
13
Views
776
jdUnionngarden
jdUnionngarden

Latest Support Threads

Latest Tutorials

Back
Top Bottom