Solved Successful manual update of Secure Boot on Dell XPS8930 with older BIOS that will never update.


swohnet (New member, Posts: 1, OS: Windows 11)
Manual Secure Boot Update Fix on Dell XPS8930 that did not and will never receive a new BIOS. Hopefully this will help you and be searchable, so that others relying on AI for help will find what they need to apply to their attempts as well. I accomplished this using AI assistance.

Originally, I reset the keys to factory and could no longer boot with Secure Boot enabled for my in-between steps while figuring this out without disabling Secure Boot each time. So, don't do that. If you did, this will work to restore your boot and upgrade to the new certificates. Your BYTE sizes may differ because of this. Be sure to append the new certs so as not to break your current Secure Boot capability.



Dell XPS 8930 Secure Boot 2023 Certificate Migration Fix (BIOS 1.1.31)

Summary

This procedure successfully resolved the Microsoft Secure Boot 2023 certificate migration problem on a Dell XPS 8930 running BIOS 1.1.31 and Windows 11 25H2.

The system initially failed Secure Boot with:

Secure Boot Violation
Invalid signature detected.
Check Secure Boot Policy in Setup.
Windows reported:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
Result:

WindowsUEFICA2023Capable = 0
UEFICA2023Status = NotStarted
KEKLastUpdateErrorReason = Firmware_MissingKEKInPackage
After manually appending four Microsoft 2023 Secure Boot certificates directly into the BIOS Secure Boot databases, the system successfully booted with Secure Boot enabled and Windows reported:

WindowsUEFICA2023Capable = 2
UEFICA2023Status = Updated
and:

Confirm-SecureBootUEFI
returned:

True

Important Notes

DO NOT RESET FACTORY KEYS AS A FIRST STEP

Although factory key restoration was performed during troubleshooting, it was NOT proven necessary for the final solution.

In fact, restoring factory keys temporarily made the system unable to boot with Secure Boot enabled.

The actual successful repair was accomplished by APPENDING the missing Microsoft 2023 certificates.

If your system is still bootable, consider backing up your Secure Boot databases before making any changes.


Certificate Downloads

Official Microsoft Secure Boot Objects Repository:

Microsoft Secure Boot Objects Repository

KEK Certificate

Download:

Microsoft Corporation KEK 2K CA 2023 DER

Filename:

microsoft corporation kek 2k ca 2023.der

DB Certificates

Download:

Windows UEFI CA 2023 DER

Filename:

windows uefi ca 2023.der
Download:

Microsoft UEFI CA 2023 DER

Filename:

microsoft uefi ca 2023.der
Download:

Microsoft Option ROM UEFI CA 2023 DER

Filename:

microsoft option rom uefi ca 2023.der
Copy all four DER files to a FAT32 USB flash drive.


BIOS Procedure

Step 1 - Append KEK 2023 Certificate

BIOS:

Secure Boot → Expert Key Management → Key Exchange Keys (KEK) → Append → Load From External Media → Public Key Certificate
Import:

microsoft corporation kek 2k ca 2023.der
Result on successful system:

KEK Size: 1560 → 3066
Keys: 1 → 2
Source: Factory → Mixed

Step 2 - Append DB Certificates

BIOS:

Secure Boot → Expert Key Management → Authorized Signatures (DB) → Append → Load From External Media → Public Key Certificate
Import ALL THREE:

windows uefi ca 2023.der
microsoft uefi ca 2023.der
microsoft option rom uefi ca 2023.der
Result on successful system:

DB Size: 3143 → 7636
Keys: 2 → 5
Source: Factory → Mixed

Step 3 - Leave DBX Alone

DO NOT manually import:

DBXUpdate*.bin
dbxupdate*.bin
No DBX modifications were required to achieve a successful migration.


Step 4 - Enable Secure Boot

Enable Secure Boot.

Save BIOS settings.

Boot Windows normally.


Verification

PowerShell:

Confirm-SecureBootUEFI
Expected result:

True
PowerShell:

Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
Expected result:

WindowsUEFICA2023Capable = 2
UEFICA2023Status = Updated

Final Secure Boot Database Values

Verified on successful Dell XPS 8930 system:

PK = 834
KEK = 3066
DB = 7636
DBX = 3724
Verified from both BIOS and Windows:

(Get-SecureBootUEFI -Name PK).Bytes.Length
(Get-SecureBootUEFI -Name KEK).Bytes.Length
(Get-SecureBootUEFI -Name db).Bytes.Length
(Get-SecureBootUEFI -Name dbx).Bytes.Length

Final Outcome

  • Secure Boot Enabled
  • Windows Boots Normally
  • Microsoft 2023 Secure Boot Migration Complete
  • WindowsUEFICA2023Capable = 2
  • UEFICA2023Status = Updated
  • No BIOS update newer than Dell 1.1.31 required
  • No DBX updates required
  • No Secure Boot key reset required as part of the proven solution
This procedure was successfully verified on a Dell XPS 8930 running BIOS 1.1.31 and Windows 11 25H2.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell PowerEdge T30
    CPU
    Xeon E-1225 v5 (3.3 GHz)
    Memory
    16Gb
    Other Info
    8 year old entry level server that was supposed to max-out at Server 2016.
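The byte-length checks in the post above tell you that the databases grew, but not which certificates were actually enrolled. The following is an added example, not part of swohnet's post and not one of garlin's scripts: it parses the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns for PK, KEK, db and dbx, lists the X.509 subjects, and reports whether the four 2023 CAs named in the post are present. The function names, the EFI_CERT_X509_GUID value (taken from the UEFI specification) and the E: drive letter for the USB stick are assumptions; it must run from an elevated PowerShell session on a UEFI system.

```powershell
# Added example: inspect the firmware Secure Boot databases and the downloaded .der files.
# Not from the original post. Requires an elevated PowerShell on a UEFI system.

# EFI_CERT_X509_GUID from the UEFI specification: marks signature lists whose entries are DER certificates.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCerts {
    # Returns one object per X.509 certificate found in the named variable (PK, KEK, db or dbx).
    param([Parameter(Mandatory)][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $certs  = @()
    $offset = 0
    # The variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType GUID (16) | SignatureListSize UInt32 | SignatureHeaderSize UInt32 | SignatureSize UInt32
    #   | SignatureHeader (SignatureHeaderSize bytes) | EFI_SIGNATURE_DATA[] (SignatureOwner GUID (16) + SignatureData)
    while ($offset + 28 -le $bytes.Length) {
        $type       = [Guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed signature list in $Name at offset $offset"
        }
        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize
        while ($sigSize -gt 16 -and $sigOffset + $sigSize -le $listEnd) {
            if ($type -eq $X509Guid) {
                # Skip the 16-byte SignatureOwner GUID; the rest of the entry is the DER certificate.
                $der  = [byte[]]($bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $certs += [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd   # dbx lists are mostly SHA-256 hashes; they are skipped by the GUID check above
    }
    return $certs
}

function Test-Ca2023Migration {
    # Checks for the one KEK and three db certificates the post appends.
    $required = @{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    }
    foreach ($var in $required.Keys) {
        $subjects = @(Get-SecureBootCerts -Name $var | ForEach-Object Subject)
        foreach ($cn in $required[$var]) {
            # Anchor on "CN=<name>," so "Microsoft UEFI CA 2023" does not match the Option ROM CA.
            $pattern = 'CN=' + [regex]::Escape($cn) + '(,|$)'
            [pscustomobject]@{ Variable = $var; Expected = $cn; Present = [bool]($subjects -match $pattern) }
        }
    }
}

function Get-DerCertInfo {
    # Shows what a downloaded .der file actually contains before you append it in the BIOS.
    param([Parameter(Mandatory)][string]$Path)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($Path)
    [pscustomobject]@{
        File       = Split-Path $Path -Leaf
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
    }
}

# Usage (elevated PowerShell). The E: drive letter for the FAT32 stick is an assumption.
Confirm-SecureBootUEFI
foreach ($v in 'PK', 'KEK', 'db', 'dbx') { '{0} = {1} bytes' -f $v, (Get-SecureBootUEFI -Name $v).Bytes.Length }
Get-SecureBootCerts -Name KEK | Format-Table Variable, Subject, NotAfter
Get-SecureBootCerts -Name db  | Format-Table Variable, Subject, NotAfter
Test-Ca2023Migration | Format-Table
Get-ChildItem 'E:\*.der' -ErrorAction SilentlyContinue | ForEach-Object { Get-DerCertInfo -Path $_.FullName } | Format-Table
```

Comparing the Get-DerCertInfo output with the Test-Ca2023Migration table before and after the BIOS steps confirms that each appended file landed in the intended database, which is the check the byte counts alone cannot give you; on a system where the 2011 keys were kept, the 2011 and 2023 subjects should both be listed for KEK and db.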
In the case where manual KEK key enrollment works (other older Dell models have known issues accepting .der or .crt cert files), that's the only key that needs to be manually added. Once the KEK CA 2023 is installed, the other certs can be pushed by Windows.

All of the DB & DBX 2023 certs are signed by the KEK CA 2023, and Windows cannot install it because Dell didn't provide a post-signed file to MS. Whenever your BIOS supports it, you should import a DER-encoded cert file.

Assuming you manually added just the KEK CA 2023, Windows can handle the rest.
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x1940 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 
Hello there.
Found this thread through Google. Maybe someone can help...
I have almost the same situation:
- old BIOS (Acer laptop) that won't be updated by the manufacturer
- same error 'Firmware_MissingKEKInPackage' and status 'InProgress' that got stuck
- plus I took the AI's advice to reset keys in BIOS and got a 'Secure Boot Fail' error
Following this guide,

"Step 1 - Append KEK 2023 Certificate

BIOS:

Secure Boot → Expert Key Management → Key Exchange Keys (KEK)"

Where do I find this option? I have 'Secure boot mode: Standard' that can't be changed even after setting a Supervisor password (see attached; the image is from the internet).
After googling, if I understand correctly, that mode changes to 'Setup' or 'Custom' only after 'clearing' the keys, but this is a dead end (I guess).
 

Attachment: 1.webp (48.7 KB)
1. Switch Secure Boot mode from Standard (factory defaults) to Custom. You may need to set a Supervisor password if you're not allowed to change the setting.

2. Check if you're offered a manual key enrollment option for KEK. Depending on your BIOS, this may not be available. If you have a manual option, skip to Step 5.

3. If you don't have that option, select Erase all Secure Boot Setting. This will clear all factory keys.

4. Check that Secure Boot mode is off, or you're still in custom mode.

5. Download the update script, and run:
Code:
Update-UEFI.bat

garlin's PowerShell scripts for updating Secure Boot CA 2023

6. If you have manual KEK enrollment, go back and import the KEK CA 2023 cert file from the menu options. If you deleted all keys before, the update script should have installed a set of replacement certs for you.
 

it worked, thank you!

Code:
PowerShell 7.6.2
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)
MethodInvocationException: D:\!Temp\SecureBoot-CA-2023-Updates.v2026.06.08\Check_UEFI-CA2023.ps1:771
Line |
 771 |      [version]$SVN = '{0}.{1}' -f [System.Convert]::ToUInt16($Signatur …
     |      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Exception calling "Substring" with "2" argument(s): "startIndex cannot be larger than length of string.
     | (Parameter 'startIndex')"

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    [OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING.


REQUIRED ACTION
===============
To REVOKE the [PCA 2011] cert, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Now I have questions about:
1) [OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING - what is that?
2) To REVOKE the [PCA 2011] cert, run the commands - should I do that myself, or will Windows do it later?
3) In the Registry:
KEKLastUpdateError: 0x80070002
KEKLastUpdateErrorReason: Firmware_MissingKEKInPackage
Is it OK in this situation? Because UEFICA2023Status is Updated.
 

"it worked, thank you!"
To save time for other Acer owners who find this thread, what's your PC's model?
Which procedure did you end up taking? KEK key enrollment or Delete All Keys?

"1) [OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING - what is that?
2) To REVOKE the [PCA 2011] cert, run the commands - should I do that myself, or will Windows do it later?
3) In the Registry:
KEKLastUpdateError: 0x80070002
KEKLastUpdateErrorReason: Firmware_MissingKEKInPackage
Is it OK in this situation? Because UEFICA2023Status is Updated."
1. MS recommends using a SkuSiPolicy security policy as additional protection, whenever Virtualization Based Security (VBS) is enabled. This prevents Windows booting from an older (insecure) version of winload.efi. The problem is this can interfere in a dual-boot Windows setup, because the other Windows isn't in sync with the file versions, or for some USB recovery drives for the same reason.

The other Windows or USB drive won't boot until you make sure it's using the latest patched files. The script gives you a warning, just in case that applies to your setup.

2. You can wait for MS to revoke PCA 2011 later this year, or perform it right now. If you do, you may need to update your boot media and switch to the CA 2023 boot manager instead of the banned CA 2011 version.
Code:
Update-UEFI.bat -Revoke

3. I tell people to ignore a number of the reg settings for Secure Boot. The Secure Boot task is doing things in a specific manner, and it tends to be overly cautious. Also it doesn't clear out some settings like "LastUpdateError".

There's more confusion to be gained from trying to understand the reg keys, compared to using a well-designed check script.
 

"To save time for other Acer owners who find this thread, what's your PC's model?
Which procedure did you end up taking? KEK key enrollment or Delete All Keys?"
Acer Aspire A715-41G

After setting a Supervisor password, Secure Boot mode was still not active (greyed out). Other options like 'Erase', 'Select UEFI file' and 'Restore' became active. There is no option to append certificates to DB in my BIOS.
I didn't notice when (after which action), but Secure Boot mode changed to 'Custom', so I simply pressed Erase all Secure Boot Setting, switched off Secure Boot and booted into Windows, where I started your Update-UEFI.bat, and everything is OK now.
"1. MS recommends using a SkuSiPolicy security policy as additional protection, whenever Virtualization Based Security (VBS) is enabled. This prevents Windows booting from an older (insecure) version of winload.efi. The problem is this can interfere in a dual-boot Windows setup, because the other Windows isn't in sync with the file versions, or for some USB recovery drives for the same reason.

The other Windows or USB drive won't boot until you make sure it's using the latest patched files. The script gives you a warning, just in case that applies to your setup."
In this scenario, is it OK to install this file?
"3. I tell people to ignore a number of the reg settings for Secure Boot. The Secure Boot task is doing things in a specific manner, and it tends to be overly cautious. Also it doesn't clear out some settings like "LastUpdateError".

There's more confusion to be gained from trying to understand the reg keys, compared to using a well-designed check script."
OK. Also, I'll delete that task.

thank you.
 

Those are instructions for removing the SkuSipolicy.p7b file if the policy interferes with booting. If you want to install the SkuSiPolicy, the update script will copy it to the EFI volume for you:
Code:
Update-UEFI.bat -SkuSiPolicy

"OK. Also, I'll delete that task."
Don't delete the Secure Boot task, it's needed for after the CA 2023 migration to handle normal update tasks!

What I said is it creates some reg values which aren't very useful if you were forced to make a manual update. It's only designed to handle a situation where you have OEM support for updates, and anything else it gets frustrated and throws errors.

If you deleted the task by mistake, you can recreate it:
Code:
powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 create
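The replies above refer to three things that live on the Windows side of the migration: the Servicing registry values (UEFICA2023Status, WindowsUEFICA2023Capable, the stale KEKLastUpdateErrorReason), the AvailableUpdates bitmask the thread sets to 0x1940 and 0x282, and the \Microsoft\Windows\PI\Secure-Boot-Update scheduled task that garlin says must not be deleted. The following is an added example, not from the thread and not one of garlin's scripts, that reads all three into one snapshot so a reader can see whether the task is present and what it last did. The function name is an assumption; it uses only the registry paths and task name quoted in the thread and must run from an elevated PowerShell session.

```powershell
# Added example: snapshot of the Windows-side Secure Boot servicing state.
# Not from the thread. Run from an elevated PowerShell session.
function Get-SecureBootServicingState {
    $sbRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $servicing = Get-ItemProperty -Path "$sbRoot\Servicing" -ErrorAction SilentlyContinue
    $root      = Get-ItemProperty -Path $sbRoot -ErrorAction SilentlyContinue

    # Firmware view: is Secure Boot actually enforcing? (throws on non-UEFI systems)
    $secureBootOn = $null
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { }

    # AvailableUpdates is the bitmask the task reads (the thread uses 0x1940 to push the
    # 2023 certs and 0x282 to revoke PCA 2011); shown in hex so it compares directly.
    $available = $null
    if ($null -ne $root.AvailableUpdates) { $available = '0x{0:X}' -f [int]$root.AvailableUpdates }

    # The scheduled task that applies the updates; garlin warns not to delete it.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $taskState = $null; $lastRun = $null; $lastResult = $null
    if ($task) {
        $info       = $task | Get-ScheduledTaskInfo
        $taskState  = $task.State
        $lastRun    = $info.LastRunTime
        $lastResult = $info.LastTaskResult
    }

    [pscustomobject]@{
        SecureBootOn             = $secureBootOn
        WindowsUEFICA2023Capable = $servicing.WindowsUEFICA2023Capable
        UEFICA2023Status         = $servicing.UEFICA2023Status
        KEKLastUpdateErrorReason = $servicing.KEKLastUpdateErrorReason
        AvailableUpdates         = $available
        TaskPresent              = [bool]$task
        TaskState                = $taskState
        TaskLastRun              = $lastRun
        TaskLastResult           = $lastResult
    }
}

# Usage (elevated PowerShell)
$state = Get-SecureBootServicingState
$state | Format-List
if (-not $state.TaskPresent) {
    # Recreate it with the command garlin gives in the reply above.
    'Secure-Boot-Update task is missing: run powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 create'
}
elseif ($state.SecureBootOn -and $state.UEFICA2023Status -eq 'Updated' -and $state.WindowsUEFICA2023Capable -eq 2) {
    'CA 2023 migration complete; a leftover KEKLastUpdateErrorReason is stale state that the task does not clear.'
}
```

The final branch encodes what the thread concludes: after a manual KEK enrollment, UEFICA2023Status = Updated together with WindowsUEFICA2023Capable = 2 is the signal that matters, and a leftover Firmware_MissingKEKInPackage reason is expected because the task never clears it.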
 
