TPM / SBAT errors


mrmatt

I was looking in one of the logs in Event Viewer, and there seems to be a daily occurrence of the following:


Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 19/04/2026 12:34:39
Event ID: 1796
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: DESKTOP-1BCOBNU
Description:
The Secure Boot update failed to update SBAT with error Unknown HResult Error code: 0x800700c1. For more information, please see Secure Boot DB and DBX variable update events - Microsoft Support
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-TPM-WMI" Guid="{7d5387b0-cbe0-11da-a94d-0800200c9a66}" />
<EventID>1796</EventID>
<Version>3</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2026-04-19T11:34:39.3787150Z" />
<EventRecordID>65234</EventRecordID>
<Correlation />
<Execution ProcessID="9384" ThreadID="18296" />
<Channel>System</Channel>
<Computer>DESKTOP-1BCOBNU</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="UpdateType">SBAT</Data>
<Data Name="HResult">-1878589247</Data>
</EventData>
</Event>


This is highly concerning. I know the KEK update was applied? (That was installed on 21st Feb.)

Under Settings, Device Security, there are no problems reported with Secure Boot. Also, in Security Processor, no problems reported with TPM.



Any ideas, please?

(I don't really know anything about TPM, other than it stands for Trusted Platform Module.) I am concerned this may pose a problem in future with Secure Boot Certificates expiring in June?
 

My Computer

System One

  • OS
    Windows 11 Home 25H2 26200.8246
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP
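
Added example (not part of the original post): the event description quotes 0x800700c1, while the Event XML stores HResult as the signed decimal -1878589247. This Python sketch decodes both with the standard HRESULT bit layout (failure bit 31, 11-bit facility, 16-bit code); the XML is trimmed from the event quoted above, and the two small lookup tables are illustrative, not complete.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Sample input: the Event 1796 XML from the post, trimmed to the fields used here.
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Microsoft-Windows-TPM-WMI" /><EventID>1796</EventID></System>
<EventData><Data Name="UpdateType">SBAT</Data><Data Name="HResult">-1878589247</Data></EventData>
</Event>"""

# Small illustrative lookups, not complete tables.
FACILITIES = {0: "FACILITY_NULL", 7: "FACILITY_WIN32"}
WIN32_CODES = {193: "ERROR_BAD_EXE_FORMAT"}


def decode_hresult(value):
    """Split a signed or unsigned 32-bit HRESULT into its bit fields."""
    u = value & 0xFFFFFFFF  # the Event XML stores the value as a signed 32-bit decimal
    facility = (u >> 16) & 0x7FF
    code = u & 0xFFFF
    return {
        "hex": f"0x{u:08X}",
        "failure": bool(u >> 31),
        "bit28": bool(u & 0x10000000),
        "facility": FACILITIES.get(facility, str(facility)),
        "code": code,
        "name": WIN32_CODES.get(code, "unknown") if facility == 7 else "unknown",
    }


def decode_event(xml_text):
    """Return (event id, UpdateType, decoded HResult) for a TPM-WMI event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data.get("UpdateType"), decode_hresult(int(data["HResult"]))


def differing_bits(a, b):
    """Bit positions where two 32-bit values differ."""
    x = (a ^ b) & 0xFFFFFFFF
    return [i for i in range(32) if x >> i & 1]


if __name__ == "__main__":
    print(decode_event(EVENT_XML))
    print(differing_bits(-1878589247, 0x800700C1))
```

Both values decode to the Win32 facility with code 193; they differ only in bit 28.
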
Secure Boot's SBAT (or "SBAT Level") is only used by Linux systems. It's their equivalent of the SVN number, to prevent older and insecure boot managers from loading.

Windows itself doesn't care about the actual SBAT value, other than MS thinks it's helping Linux users by writing it to the UEFI. Some users have claimed their BIOSes throw errors when the SBAT is written, because it's a secure UEFI variable.

You might want to try this setting, which opts out of writing the SBAT:
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

The event warnings may be annoying, but this error will not impact Windows' ability to use Secure Boot.
 

My Computer

System One

  • OS
    Windows 7
I was having this event as well, only on my laptop lol. Glad to see it is not anything serious.
I've been ignoring this error since I'm all updated... should I add that reg command or just keep ignoring this thing?
 

The Secure Boot task is programmed to constantly retry, so it's better to Opt Out. If you get used to ignoring event log messages, after a while you will miss something critical.
 

Thanks.

What about TPM? How do I know if I have any TPM errors?

Do I need to be concerned? How do I check, please?
 

The problem is not all TPM "errors" are really errors, or about TPM. Windows has decided to dump all Secure Boot migration messages, whether informational or not, as "critical" events in the TPM-WMI logs.

As the deadline nears for PCA 2011's expiration, the event log messages are getting louder on purpose. I wouldn't stress about it. If you get a green check mark in the Windows Security Center's tab for Device Security / Secure Boot, then your PC is fine.
 

Yes, I have got green ticks for all in Windows Security.


I know TPM stands for Trusted Platform Module, but I'm not sure what it relates to exactly, and what I need to be concerned about on this PC.


As far as I know, my BIOS is up to date.
 

TPM is a separate security chip where Windows hides your BitLocker keys or Windows Hello PIN passwords.

The Secure Boot update process isn't directly related to TPM, but MS decided it was going to dump all those messages into this category instead of creating a Secure Boot-only category. Hence the confusion for users. Some of the logged messages are intended for IT admins, who are interested in collecting data on PCs.

Not everything in the event logs is designed to be read by the average home user.
 

Right... a lot I don't understand there, but thanks for that.
 
