UEFI KEK Certs not updated.

Cameraman1955 · Wednesday at 4:16 AM

I have a Huawei D14 matebook from 2021 and updated the microsoft certificates, when I check this I get the following output, I see that the KEK cert is not updated is that stored in the bios ? Am I safe this way? Please help.

I also have this warning.

Hazel123 · Wednesday at 4:36 AM

Maybe just wait a bit and keep restarting now and then and check the security settings again. When I did them on a few laptops, it took a few hours to "filter through" before the security settings changed (gradually) to you have everything needed or whatever. Leave the computer on for a few hours then restart maybe.

How did you update the security certificates? Via Windows update? Also keep running Windows update.

Just my two pennorth, but others, more expert than me, may know more.

suatcini54 · Wednesday at 5:24 AM

I suggest you should read the thread at garlin's PowerShell scripts for updating Secure Boot CA 2023

It will be a long read. You should be prepared to spare enough time.

Hope this helps.

XxXxX · Wednesday at 5:56 AM

this may explain better how the KEK database is updated
they will normally update after the 2023 certs have been installed by Windows update
or by a BIOS update from the manufacturer

Secure Boot Allowed Key Exchange Key (KEK)" - Microsoft Q&A

i just got this update what does this mean my certificates for boot still said 2011 im pretty sure so what was this supposed to do.

learn.microsoft.com

also here is a MS KEK key update which has links to the KEK keys for downlaod
the download for the KEK keys downlaod is about halfway down the page.

Windows Secure Boot Key Creation and Management Guidance

learn.microsoft.com

so first use the KEK keys from MS then check Windows update then check the manufacturers website.
best of luck Steve ..
edit spelling, again.

Helmut · Wednesday at 6:09 AM

All you need to do is let MS do it's analysis and it will be done automatically.
So you need it connected up for sometime, maybe days. Checking Windows updates now and again.
That should be all you need to do for a 2021 machine.
You could check the Manufacturers updates for your specific product but I doubt you will get anything after so many years.

If you read too much about the subject it gets overcomplicated, error prone, and wastes your time.

garlin · Wednesday at 10:16 AM

If your last BIOS update was around 2021, it's unlikely Huawei provided a signed KEK CA 2023 to MS.

Please check if your BIOS's Secure Boot menus for three options:
1. Switching from Standard to Custom (or User) mode
2. KEK key management where you can add a new key
3. Delete all keys

Depending on the age of your current BIOS, the KEK CA 2023 can either be installed using KEK key management, or deleting all keys and installing a replacement set of certs from MS.

Cameraman1955 · Thursday at 9:54 AM

I dont think this works for my laptop its having an InsydeH2O bios so I can't get to the advanced setting and the last update was in 2021, so no possebility to install KEK CA 2023 on this bios I think a lot of users of older laptops have this. It can run Windows 11 so thats something. I leave it this way.

garlin · Thursday at 10:11 AM

Most BIOS'es from around 2020 (or later) can be manually updated, but navigating the BIOS screens is the most frustrating part of this exercise. It's still an option if you want to revisit it later.

gunrunnerjohn · Thursday at 10:14 AM

garlin said:
Most BIOS'es from around 2020 (or later) can be manually updated, but navigating the BIOS screens is the most frustrating part of this exercise. It's still an option if you want to revisit it later.

I had no issues with a 2014 AMI BIOS in the HP-ENVY desktop. It seemed the mechanism for Secure Boot as far as the BIOS was concerned was still compatible with the 2023 certs. If not, I would have thought I'd have come to grief updating this computer.

Is this true or was I just lucky it worked?

garlin · Thursday at 11:18 AM

Everyone's BIOS can be different. Some are insanely more frustrating than others.

Hazel123 · Friday at 5:06 AM

According to google there are bios later than 2021 available. Do you have the PC Manager installed (which enables bios updates apparently). The first link is the download to PC Manager.

Downloading Drivers | HUAWEI Support Global

Download latest drivers for HUAWEI products including HUAWEI PC Manager, HUAWEI MateBook, HUAWEI MateStation and more.<br/>

consumer.huawei.com

Also this (although you might know this already about power state)

BIOS update | HUAWEI Support UK

Learn about 'BIOS update'. Find all usage guide, troubleshooting tips and resources for your HUAWEI product.

consumer.huawei.com

Hazel123 · Friday at 5:19 AM

2024 bios -download link below. But presumably PC Manager would install it.

Search | HUAWEI Support Global

Get useful information about your issue, such as User manuals, Products, FAQs, Software downloads with HUAWEI search.

consumer.huawei.com

Cameraman1955 · Saturday at 2:16 AM

Hazel123 said:
2024 bios -download link below. But presumably PC Manager would install it.

View attachment 174063

Search | HUAWEI Support Global

Get useful information about your issue, such as User manuals, Products, FAQs, Software downloads with HUAWEI search.

consumer.huawei.com

Thanks for the info but I have the Matebook D14 AMD version I updated the bios now to version 1.19 thats the latest from 2023, so I think I don't get the new KEK certificates, I send the question also to Huawei.

Hazel123 · Saturday at 8:07 AM

Cameraman1955 said:
Thanks for the info but I have the Matebook D14 AMD version I updated the bios now to version 1.19 thats the latest from 2023, so I think I don't get the new KEK certificates, I send the question also to Huawei.

Ok - so have you just updated the bios or did that a while back? If you just updated them then maybe run windows update a time or two and leave the machine turned on and check security settings again - open settings, type device security in search box, open and scroll down to secure boot and see what the message says. Check again a day later. Hopefully Huawei will tell you if there is a later bios version.

On my machine, Windows update delivered the kek 2023 update directly. Hence keep checking device security info as it can go on in the background. And leave the machine turned on.

Cameraman1955 · Saturday at 8:11 AM

Hazel123 said:
Ok - so have you just updated the bios or did that a while back? If you just updated them then maybe run windows update a time or two and leave the machine turned on. Hopefully they will tell you if there is a later bios version.

Yes I found this but it's an old update from 2023 but maybe it works.

Hazel123 · Saturday at 8:20 AM

Cameraman1955 said:
Yes I found this but it's an old update from 2023 but maybe it works.

It should get installed by their pc manager app if it's the right one. Also see above - just edited last message about windows update delivering the kek 2023 update directly.

garlin · Saturday at 9:58 AM

While you're waiting for a response, check the BIOS menus for Secure Boot. Is there an option for manual KEK Key Enrollment?
Your BIOS is probably updated, and will need some manual help.

gunrunnerjohn · Saturday at 10:28 AM

garlin said:
While you're waiting for a response, check the BIOS menus for Secure Boot. Is there an option for manual KEK Key Enrollment?
Your BIOS is probably updated, and will need some manual help.

I guess I don't understand how a BIOS so recent can't be updated. If AMI was putting the Secure Boot handling in their 2014 BIOS, surely any reputable BIOS creator has it by 2022!

garlin · Saturday at 10:40 AM

Before Black Lotus was discovered, Secure Boot was largely ignored by the consumer market. Large enterprises wouldn't buy any PC that didn't take Secure Boot seriously and therefore had modern BIOS'es that were easier to manage, and received frequent firmware updates.

OEM's for low-end PC's will barely support Secure Boot because it's not a selling point. Managing Secure Boot incurs some engineering cost. Some OEM's used better BIOS'es, others used bare-bones or outdated BIOS'es.

Unfortunately your results will vary, especially for smaller PC brands.

Hazel123 · Saturday at 3:45 PM

I'll just add, most of what I suggested above was learned from @garlin when I did my secure boot on my computers

Eg checking device security app. Some was just finding out incidentally when it finally updated. Credit where credit is due!

UEFI KEK Certs not updated.

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Just a Computer User

My Computers

Well-known member

My Computer

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Similar threads