Secure Boot Problem.


Did your BIOS Secure Boot settings change when you updated, or was the Custom setting with reference to the KEK something new?
Within the BIOS itself, nothing changed after the update. I left the switch to Custom settings in place and did not revert back to original Standard. I could not see a reason to revert back.

Within Windows 11, the update changed Device Security - Secure Boot to "Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed."

A reminder: about 24 hours was needed before Microsoft did the update after my settings change.
 

My Computers

System One System Two

  • OS
    Windows 11 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Microsoft Surface 7 Laptop/64-bit ARM Snapdragon X-12-core
    CPU
    64-bit ARM Snapdragon X-12-core/3.40GHz
    Memory
    16.0 GB
    Graphics Card(s)
    QUALCOMM R Adreno X1-85 GPU
    Screen Resolution
    2496x1664
  • Operating System
    2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell-XPS8940
    CPU
    11th Gen Intel (R) Core i7-11700 @ 2.50GHz
    Memory
    32.0GB
    Graphics card(s)
    Multiple GRUs install (Nvidia-Intel)
    Monitor(s) Displays
    Samsung G5
    Keyboard
    Mx3
    Mouse
    Mx3
    Internet Speed
    700mb
    Browser
    Edge
I had a hell of a time getting mine updated.

I went to Dell looking for the latest BIOS update, the one they offered was from Jan but I applied it. No luck.

Came across a page with some confusing instructions that also told me I had to tell it which BIOS I was running (they had 8 to choose from).

Went back to Dell & did some digging, found a newer update that wasn't offered on the initial list. Updated to that. Still no change in the cert.

Went with garlin's script & d/l'ed the new cert. Now I had both of them in the system. Rebooted several times, still booting from the old one.

Waited a couple days to see if the new one would be recognized. Nope.

Went back to the scripts & had to manually revoke the permissions of the old cert.

That did the trick. Finally got things on track.
 

My Computer

System One

  • OS
    Win 11 Pro, Win 10 pro, Win 13.7 Pro Chinese Ver
    Computer type
    PC/Desktop
    Manufacturer/Model
    It's a Dell Dude
    CPU
    12th Gen Intel(R) Core(TM) i9-12900 2.40 GHz
    Motherboard
    Father is bored too...
    Memory
    64.0 GB of transcendental dimensional RAM
    Graphics Card(s)
    NVIDIA GeForce RTX 3070 Ti
    Sound Card
    N/A
    Monitor(s) Displays
    27" Samsung Monitor/Alternative Dimensional Viewing Portal
    Screen Resolution
    Fuzzy after a couple drinks
    Hard Drives
    2 or 3, depending on if it's a night they're arguing about having a "split personality crisis" because I partitioned the drive.
    PSU
    Shockingly active
    Case
    Don't get on my case....man
    Cooling
    Scotch on the rocks on the weekends.
    Keyboard
    Steel Series Lighted Glow in the dark something or another
    Mouse
    Currently being stalked by the cat...
    Internet Speed
    DSL
    Browser
    Defeated by Mario...wait...OH...BRowser...
    Antivirus
    Yep
You can wait for June's Patch Tuesday, but I doubt your PC will be automatically updated.

The answer is in your reg keys:
Code:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing]
"WindowsUEFICA2023Capable"=dword:00000002
"UEFICA2023Status"="InProgress"
"BucketHash"="2c4b724581ad294f70e62fe9e37e377a9ea69783dd8c732dba32bc215df91d20"
"ConfidenceLevel"="High Confidence"
"LastParsedBucketDataVersion"=dword:00000010
"ConfidenceUpdateType"=dword:00005944
"KEKLastUpdateError"=dword:80070002
"KEKLastUpdateErrorReason"="Firmware_MissingKEKInPackage"  <-- No KEK file provided by Acer to MS
"UEFICA2023Error"=dword:80070002
"UEFICA2023ErrorEvent"=dword:0000070b
 

My Computer

System One

  • OS
    Windows 7
I have been watching this thread with interest and while Acer54 hasn't yet posted an anticipated successful outcome, I thought I would share my successful Acer Secure boot outcome.

My wife has a 2022 Acer C24-1700 all in one that was not going to be given a 2023 Cert update from Acer. The computer was getting warnings from Microsoft Security Center that the machine was not eligible for the Secure Cert update.

I checked the Acer support website and found there was a 2025 BIOS update that had not been installed. I thought perhaps that update might unfreeze the eligibility. I installed it and then waited several days to see if anything changed. It did not.

My next step was to go into the BIOS and check the Secure Boot settings. The machine was set to the Standard Secure Boot option; I believe that was the standard OEM delivery option. I was looking for anything that might have some KEK reference. The alternate setting option was Custom. Indeed, it had a KEK reference within the description. I changed the option to Custom and then was prepared to see if anything changed over time. Within 24 hours the update was installed from Microsoft, and now the Secure Boot Certificate is accepted and the issue resolved.

I hope this might help others with an unresolved Acer issue.
You got lucky. I have an Acer laptop where no CA2023 KEK exists! But then the last BIOS update was definitely before it even was 2023, so no surprise. (IIRC, it was no later than 2021, so users like me with that laptop are SOL!) It's a 9th-gen, and Acer apparently will not support 9th-gen era PCs.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro x64 24H2
    Computer type
    PC/Desktop
    CPU
    Ryzen 9 5900X
    Motherboard
    ASRock B550 PG Velocita (UEFI-BIOS 3.90)
    Memory
    64 GB G.Skill RipJaws V F4-3200C16D-64GVK
    Graphics Card(s)
    ASRock Steel Legend Arc B580 12 GB
    Monitor(s) Displays
    Alienware AW3423DWF OLED ultrawide
    Hard Drives
    Samsung 990 Pro 1 TB NVMe SSD
    PSU
    eVGA Supernova 750 G3
    Case
    Corsair 275R
    Internet Speed
    VTel FTTH 1 Gb down and 1 Gb up
  • Computer type
    PC/Desktop
    CPU
    Ryzen 7 5800X3D
    Motherboard
    Asus ROG Strix B550-F Gaming (UEFI-BIOS version 3607)
    Memory
    32 GB (2x16 GB G.Skill TridentZ Neo)
    Graphics card(s)
    Sapphire Nitro+ Radeon RX 6750 XT
    Hard Drives
    Samsung 970 Pro 512 GB NVMe SSD
    PSU
    Corsair RM850x
    Case
    Fractal Focus G
You got lucky. I have an Acer laptop, where no CA2023 KEK exists! But, then the last BIOS update was definitely before it even was 2023, so no surprise. (IIRC, it was no later than 2021, so such users like me with that laptop, are SOL!)
Check if your BIOS menus have the option to manually add (append) Secure Boot keys. MS cannot automate an update if it requires you to be sitting in front of the BIOS screen.

A large number of PCs from around 2020 onward can be saved. It's the really old ones before 2020 that have the most troubles.
Check if your BIOS menus have the option to manually add (append) Secure Boot keys.

A large number of PCs from around 2020 onward can be saved. It's the really old ones before 2020 that have the most troubles.
It could be before 2020, because it's 9th-gen. I suspect 'TXes get better treatment (especially ATX/mATX), as I have a motherboard that's only a year newer and got a BIOS update in 2025.
I noticed that ASRock has good support with their ATXes.
You should just check; a surprising number of folks (haven't kept track) have managed to get manual enrollment to work.
I was actually surprised that a 2014 AMI BIOS upgraded using your scripts without a whimper.
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
Every Secure Boot key begins as an X.509 certificate signed by a recognized Certificate Authority.

If you want to import this as a binary object (raw bytes), it must be signed by the OEM's Platform Key. A BIOS image from the OEM will have the encoded certs embedded in a default variable.

PKdefault = Default cert for PK
KEKdefault = Default cert(s) for KEK
DBdefault = Default cert(s) for DB
DBXdefault = Default cert(s) for DBX

Some BIOSes can leave the default variables blank.

1. Because the imported "post-signed" object is signed by the current BIOS's PK, it recognizes the object (and the certs inside) as legitimate. Without the matching signing data on the object's container, your BIOS will reject it. MS has a KEK CA 2023 cert file available to sign. It's up to the OEM to sign it with their PK, and embed that cert into the KEKdefault or return the post-signed file to MS.

2. Another supported method is having the user manually import the cert file from the BIOS menu. Because you must be physically in front of the PC, and it can't be programmed or scripted, the BIOS will enroll this file as trusted. To prevent attackers from hacking your PC in person, a BIOS password is sometimes required or available.

3. The third supported method is to clear out all certs (including the PK, which restricts the addition of new certs). This blank slate allows you to insert a new PK and any KEK or DB/DBX certs which were signed by the same PK. Microsoft provides such a collection in the Windows OEM Devices .bin files.

Since MS provides both their own PK (Windows OEM Devices PK), and self-signed the KEK CA 2023 with their PK, now all of the CA 2023 certs are fully validated. A fair number of older PCs always had the option to delete all certs and allow the user to replace them. This was to allow your PC to work with Linux, since a distro could ship with a complete set of trusted certs for the user to install.

For the Secure Boot update process, you work your way from best solution (BIOS support) towards the most difficult (delete and replace all keys).
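To see where a given PC stands in this process, the registry values quoted earlier in the thread and the firmware KEK/db variables described above can be read together. The script below is an added example, not garlin's script or anything else posted in the thread; it assumes an elevated Windows 11 PowerShell session with the built-in SecureBoot module (Get-SecureBootUEFI), and uses the published common names of the Microsoft 2023 CAs as the strings to look for.

```powershell
# Added example (not from the thread). Run elevated on the machine being checked.
# Part 1: the Servicing key that Windows writes while it tries to roll the certs.
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
if (Test-Path $servicingKey) {
    $s = Get-ItemProperty -Path $servicingKey
    'UEFICA2023Status         : {0}' -f $s.UEFICA2023Status
    'KEKLastUpdateError       : 0x{0:X8}' -f $s.KEKLastUpdateError
    'KEKLastUpdateErrorReason : {0}' -f $s.KEKLastUpdateErrorReason
} else {
    'Servicing key not present yet (no update attempt recorded).'
}

# Part 2: Setup Mode = 1 means the PK has been cleared (method 3 above, blank slate).
$setupMode = (Get-SecureBootUEFI -Name SetupMode).Bytes[0]
'SetupMode (PK cleared)   : {0}' -f [bool]$setupMode

# Part 3: look inside the KEK and db signature databases for the 2023 CAs.
# The certificate subject CN is stored as printable ASCII inside the DER-encoded
# X.509 cert, so a plain text search over the raw variable bytes is a coarse but
# reliable presence check; it does not validate the cert chain.
$expected = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023',
            'Microsoft UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023')
}
foreach ($var in 'KEK', 'db') {
    $bytes = (Get-SecureBootUEFI -Name $var).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($cn in $expected[$var]) {
        $state = if ($text.Contains($cn)) { 'present' } else { 'MISSING' }
        '{0,-4} {1,-36} {2}' -f $var, $cn, $state
    }
}
```

A MISSING line for the KEK alongside KEKLastUpdateErrorReason = Firmware_MissingKEKInPackage is the situation the Acer posts above describe: Windows has nothing signed by that OEM's PK to install, so only the manual BIOS methods remain.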
Since MS provides both their own PK (Windows OEM Devices PK), and self-signed the KEK CA 2023 with their PK, now all of the CA 2023 certs are fully validated. A fair number of older PCs always had the option to delete all certs and allow the user to replace them. This was to allow your PC to work with Linux, since a distro could ship with a complete set of trusted certs for the user to install.

For the Secure Boot update process, you work your way from best solution (BIOS support) towards the most difficult (delete and replace all keys).
This is the route I took. Although this is billed as the "most difficult", it was actually quite painless with your scripts. I had done previous machines with Mosby, but that required a bit more tinkering to get working, though it did indeed do the job. The 2014 AMI BIOS in my old HP ENVY had the option to nuke the whole secure boot configuration and start over, so that's what I did.
From my perspective, appending certs in Setup Mode is straightforward and easy. For a user who's never had to navigate their Secure Boot menu screens, it's a tall order. On some threads, 80% of my time is spent trying to coax users through the menu choices.

Some of you folks are even more helpful, because you own the same PC or a similar model from the same age.