Solved Secure boot update HowTo

XxXxX · Dec 5, 2025

fg2001gf11F said:
That is exactly the same reply I got from Dell about this desktop DELL XPS 8930. Sounds like a canned answer.

DELL XPS 8930 with BIOS 1.1.31 dated 2023-11-21, which gives me these results.
("Microsoft Corporation KEK 2K CA 2023" is missing in the UEFI KEK Certs list.)
View attachment 155652

according to that output that system has the 2023 cert available and is booting from the 2023 cert.
your EFI Files is showing WindowsUEFICA2023Capable =2

please check your registry.

best of luck Steve ..

fg2001gf11F · Dec 5, 2025

XxXxX said:
according to that output that system has the 2023 cert available and is booting from the 2023 cert.
your EFI Files is showing WindowsUEFICA2023Capable =2

please check your registry.
View attachment 155656

best of luck Steve ..

Yes, it shows (2) but the registry in my case still shows "InProgress" which seems like a contradiction.

XxXxX · Dec 5, 2025

fg2001gf11F said:
Yes, it shows (2) but the registry in my case still shows "InProgress" which seems like a contradiction.

View attachment 155657

InProgress may mean the other system keys like KEK are awaiting update
but your system DELL XPS 8930 is booting from the 2023 cert via secure boot.

best of luck Steve ..

Fabler2 · Dec 5, 2025

fg2001gf11F said:
Yes, it shows (2) but the registry in my case still shows "InProgress" which seems like a contradiction.

View attachment 155657

Exact same result I get on a 4 1/2 year old ACER laptop.

fg2001gf11F · Dec 5, 2025

XxXxX said:
InProgress may mean the other system keys like KEK are awaiting update
but your system DELL XPS 8930 is booting from the 2023 cert via secure boot.

best of luck Steve ..

Thanks.

,
We'll see what happens next June 2026.

XxXxX · Dec 5, 2025

Fabler2 said:
Exact same result I get on a 4 1/2 year old ACER laptop.

please post these registry details for me

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

and the output of this PowerShell command as Administrator

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"

best of luck Steve ..

XxXxX · Dec 5, 2025

@fg2001gf11F

please have a look at this now you have the system booting from the 2023 cert.

Microsoft guidance for applying Secure Boot DBX update (KB4575994)

Provides guidance for installing a DBX update to fix a vulnerability that exists in some Secure Boot modules if they trust the Microsoft third-party UEFI CA.

web.archive.org

that was posted by @garlin here

How to check if your Secure Boot certs are updated. (three methods)

Method Two... 1. Download the script at the bottom of this post. 2. Extract the Check-SecureBootCerts.ps1 script and place it on your desktop. 3. Go to: C:\Users\your account name\Desktop and right click Desktop and choose: Open in Terminal 4. In the powershell window that pops up, type...

www.elevenforum.com

best of luck Steve ..

fg2001gf11F · Dec 5, 2025

Here is another machine with a similar situation and different registry setting.
This is a mini-PC, model "GMKtec M2".

Bios

Version
TB03_GMK_01_35W
Date
2024-01-30

XxXxX · Dec 5, 2025

fg2001gf11F said:
Here is another machine with a similar situation and different registry setting.
This is a mini-PC, model "GMKtec M2".

Bios
Version
TB03_GMK_01_35W
Date
2024-01-30

View attachment 155660

View attachment 155661

View attachment 155662

that system as indicated by the EFI Files output is also using the 2023 cert via secure boot.
as the 2023 cert is listed in the DB of the secure boot boot manager.

also the registry is showing
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

in the right Window you will see ..
WindowsUEFICA2023Capable 0x00000002

best of luck Steve ..

RJARRRPCGP · Dec 11, 2025

Looks like people keep getting this message in the event log:

Code:

Secure Boot certificates have been updated but are not yet applied to the device firmware.

What is this? Is this faulty UEFI?

DJNelson · Dec 11, 2025

RJARRRPCGP said:
What is this? Is this faulty UEFI?

Just a wild guess, but some genius probably didn't think to make the new certs valid prior the old certs expiry.

garlin · Dec 11, 2025

RJARRRPCGP said:
Looks like people keep getting this message in the event log:

Code:

Secure Boot certificates have been updated but are not yet applied to the device firmware.

What is this? Is this faulty UEFI?

You can apply new certs, but it doesn't take effect until the system restarts. Reboot the system.

Dirtyflash · Dec 11, 2025

RJARRRPCGP said:
Looks like people keep getting this message in the event log:

Code:

Secure Boot certificates have been updated but are not yet applied to the device firmware.

What is this? Is this faulty UEFI?

Probably a 2023 CA certificate was downloaded but not applied to the firmware. Likely still currently using the 2011 CA certificate, just a guess.

RJARRRPCGP · Dec 11, 2025

garlin said:
You can apply new certs, but it doesn't take effect until the system restarts. Reboot the system.

I get this message. This happened weeks after I applied them and rebooted. All the CA 2023 certs now appear in the system.

When I check, they're there.

Buddywh · Dec 11, 2025

RJARRRPCGP said:
I get this message. This happened weeks after I applied them and rebooted. All the CA 2023 certs now appear in the system.

When I check, they're there.

I'm pretty sure those event log entries are a result of looking at registry keys, not from actually looking into the UEFI firmware secure boot variables. It only makes sense that the registry entries can become de-synced from the actual state of the secure boot keys since there are a variety of ways to push different keys into the secure boot variables. that might be the reason for it in some cases.

RJARRRPCGP · Dec 11, 2025

Well, for the first time, the reg value for UEFICA2023Status shows "Updated".

I just added the OpROM CA 2023 cert today.

fg2001gf11F · Dec 11, 2025

garlin said:
You can apply new certs, but it doesn't take effect until the system restarts. Reboot the system.

I think some newer PCs allow to store a new certificate in the UEFI KEK Certs but some older machines don't allow that and may require a new firmware, like in this case the CA 2023 is not showing in the firmware UEFI KEK Certs list for Dell XPS 8930, but it is showing on the other 2 machines below
Lenovo Yoga 920 and DELL XPS 8940.

Dell XPS 8930.

Lenovo Yoga 920 Laptop.

DELL XPS 8940.

XxXxX · Dec 11, 2025

@fg2001gf11F
this maybe of interest for those who require KEK certs applied to the data base.

GitHub - cjee21/Check-UEFISecureBootVariables: PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items.

PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items. - cjee21/Check-UEFISecureBootVariables

github.com

open the Windows registry to ..
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot

in the right window you will see ..
AvailableUpdates > REG_DWORD

#####Change > AvailableUpdates 0x00000000
#####To > AvailableUpdates 0x00000004

save settings and restart the computer

then check your UEFI KEK certs again to see if they have updated.
best of luck Steve ..

garlin · Dec 11, 2025

If you're comfortable navigating your UEFI's Secure Boot setup menu, then run these steps.

1. Download this MS certificate file:
https://raw.githubusercontent.com/m...ates/microsoft corporation kek 2k ca 2023.der

2. Mount the EFI partition, and copy the downloaded file to it.

Code:

mountvol S: /s
copy "microsoft corporation kek 2k ca 2023.der" S:\EFI
mountvol S: /d

3. Shutdown the PC, and enter BIOS. Navigate to your Secure Boot menu. Find the KEK key management screen (appearance depends on your BIOS), there should be an option to manage keys or "enroll a file". Enter that menu, you'll be asked to pick a drive volume to find the file. One of them will have the <EFI> folder underneath.

Navigate inside the <EFI> folder, and select the "microsoft corporation kek 2k ca 2023.der" file. Enroll it, and submit changes.

4. Restart Windows, check if KEK CA 2023 now appears in the script.

fg2001gf11F · Dec 11, 2025

XxXxX said:
@fg2001gf11F
this maybe of interest for those who require KEK certs applied to the data base.

GitHub - cjee21/Check-UEFISecureBootVariables: PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items.

PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items. - cjee21/Check-UEFISecureBootVariables

github.com

open the Windows registry to ..
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot

in the right window you will see ..
AvailableUpdates > REG_DWORD

#####Change > AvailableUpdates 0x00000000
#####To > AvailableUpdates 0x00000004

save settings and restart the computer

then check your UEFI KEK certs again to see if they have updated.
best of luck Steve ..

That did not work

Solved Secure boot update HowTo

Just a Computer User

My Computers

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computers

Well-known member

My Computer

Just a Computer User

My Computers

Just a Computer User

My Computers

Well-known member

Bios​

My Computer

Just a Computer User

Bios​

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Well-known member

My Computer

Similar threads

Bios

Bios