UEFI KEK Certs not updated.


While you're waiting for a response, check the BIOS menus for Secure Boot. Is there an option for manual KEK Key Enrollment?
Your BIOS is probably updated, and will need some manual help.
The problem with this BIOS is that it doesn't have an advanced settings mode, so I can only switch Secure Boot on and off. I tried some key combinations, but this BIOS is locked to basic settings. What I am now going to do is ask Huawei how I can unlock this InsydeH2O BIOS to advanced; I tried a lot of key combinations.
The other question is: can I use this laptop in the future with the KEK certificate not updated, or will it get boot problems? The other certificates are updated.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2 26200.7019
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self built midi tower
    CPU
    Intel Core i7-8700K
    Motherboard
    Gigabyte Z390GX
    Memory
    Corsair 32GB 4x DDR4-2998 / PC4-23900 DDR4 SDRAM UDIMM
    Graphics Card(s)
    AMD RX570
    Sound Card
    Sound Blaster Z
    Monitor(s) Displays
    2x IIyama Prolite X2380HS
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung SSD 970 EVO Plus NVMe 1TB
    Samsung SSD 970 EVO Plus NVMe 500GB
    PSU
    Seasonic 550W
    Cooling
    Noctua fans
    Keyboard
    Logitech G213
    Mouse
    Logitech Marble Mouse
    Browser
    Chrome
    Antivirus
    Norton
    Other Info
    Video/Audio editing machine
Without the KEK CA 2023 installed, the other CA 2023 certs aren't actually validated. The UEFI security model is based on a chain of trust, KEK CA 2023 isn't an optional feature. You can have other certs loaded, but they will not be respected.

Huawei PK -> validates KEK CA 2023 -> validates Windows UEFI CA 2023 -> validates CA 2023 boot manager

On some BIOSes, you must create an Admin password as a security measure to unlock advanced Secure Boot settings.
 

My Computer

System One

  • OS
    Windows 7
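
A read-only way to see which links of the chain described in the post above are actually enrolled, as an added example that is not part of the thread. It parses the firmware's PK, KEK and db variables and lists the certificates in each. The function name `Get-SecureBootCertSubject` is hypothetical, the two certificate names are the ones Microsoft publishes for its 2023 set, and it must be run from an elevated PowerShell on a UEFI system.

```powershell
# Added example, not code from the thread. Reads firmware variables only; changes nothing.
# Parses the EFI_SIGNATURE_LIST structures in a Secure Boot variable and returns
# the subject of every X.509 certificate enrolled in it.
function Get-SecureBootCertSubject {
    param([ValidateSet('PK', 'KEK', 'db')][string]$Name)

    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $bytes    = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $offset   = 0
    while ($offset + 28 -le $bytes.Length) {
        # List header: type GUID (16 bytes), then list size, header size, signature size (4 bytes each)
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }     # malformed list, stop parsing

        if ($type -eq $x509Type) {
            # Each entry: 16-byte SignatureOwner GUID followed by the DER-encoded certificate
            for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $offset + $listSize; $p += $sigSize) {
                $der = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der).Subject
            }
        }
        $offset += $listSize
    }
}

# Assumption: full names of the certificates the thread calls "KEK CA 2023" and "Windows UEFI CA 2023".
$expected = @{
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
    db  = 'Windows UEFI CA 2023'
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
foreach ($var in 'PK', 'KEK', 'db') {
    $subjects = @(Get-SecureBootCertSubject -Name $var)
    $subjects | ForEach-Object { "{0,-3} {1}" -f $var, $_ }
    if ($expected.ContainsKey($var)) {
        $found = [bool]($subjects -match [regex]::Escape($expected[$var]))
        "{0,-3} contains '{1}': {2}" -f $var, $expected[$var], $found
    }
}
```

A `db` line reporting True next to a `KEK` line reporting False matches the situation described in this thread: the newer db certificate is present but the KEK that should authorize future db and dbx updates is still the old one.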
Thanks for the information. Yes, I understand I need all the certificates. I'll wait to see what Huawei does with this. I still love this very fast, compact notebook and I don't want to replace it yet.
 

It’s very annoying and I hope they reply to you. I think some people just turn secure boot off - not ideal I know. I have a couple of old ones that don’t even have secure boot. I suppose they are not used regularly so not particularly at risk. Microsoft released something a couple of weeks ago saying a machine will still boot - it just means they don’t get updates against various boot viruses. It could be that with sensible use and maybe avoiding using usb sticks that have been in other machines - you never have an issue. So your machine wouldn’t be useless if it didn’t get the secure boot certificates - but it’s just a bugbear when you’re in this position.

Presumably installing Linux instead of Windows means not vulnerable to the same issues.

Anyway, please let us know what Huawei say - I’d be interested to know.
 

My Computers

System One System Two

  • OS
    Windows 11 Home 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 14-ce3606sa
    CPU
    Core i5-1035G1
    Memory
    32gb
    Hard Drives
    Samsung 870 evo sata ssd
    Cooling
    Could be better
    Internet Speed
    50 mbps Starlink
    Browser
    Firefox
    Other Info
    Originally came installed with a 500gb H10 Optane ssd
  • Operating System
    Windows 11 Home
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion ce3606sa
    CPU
    Intel Core i5-1035G1
    Memory
    16gb
    Hard Drives
    Hynix Gold P31 2TB
    Internet Speed
    200mbps Starlink
    Browser
    Firefox
    Antivirus
    Defender
Yes, I hope they respond; there are a lot of users with a D series MateBook with that BIOS in it.
 

The update script by itself will only work if you have a supported PC (either by BIOS update or submitted KEK to MS). When none exists, the user has to figure out how to access the BIOS menus to enable manual KEK enrollment or delete all keys. That's the hardest part, not running the script.

Sometimes you need someone who's familiar with this BIOS to explain the proper way to find those settings.
 
