Hello.
My Dell XPS 13 9360 will not have any BIOS updates that include the new certificates.
So, I tried to update it with the following commands:
From Admin CMD Prompt:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
From Admin PowerShell:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
This action updated all certificates in the DB except for the KEK CA 2K 2023, which I cannot update.
In the registry editor, UEFICA2023Status remains indefinitely in "progress" and shows no errors.
In "availableUpdates" the value is 0x5944.
Windows UEFICA2023capable shows 0x2.
I would like to know, since I only need to update the KEK CA 2K 2023 certificate, how I should proceed.
Thank you!
I recommend reading https://learn.microsoft.com/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11&WT.mc_id=MVP_444422 where it says: "The Microsoft Corporation KEK CA 2011 is set to expire in 2026, and all OEMs must create, sign, and submit updates for the new Microsoft Corporation KEK CA 2023 to Microsoft. This will allow Microsoft to update in-market devices with the new Microsoft KEK CA, allowing systems to continue receiving DB and DBX"
"https://uefi.org/sites/default/files/resources/Evolving%20the%20Secure%20Boot%20Ecosystem_Flick%20and%20Sutherland.pdf" is also a fantastic read on what Microsoft started to plan around 2 years ago. This document also contains other important situations.
TL;DR: If the OEM didn't and won't provide an update, there's probably not much you can do. Looking forward to an official answer from MS on this though ¯\_(ツ)_/¯
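A read-only way to see the state discussed in this thread, as an added example that is not part of either post: it prints the registry values named in the question and checks whether the firmware KEK and DB variables already contain the 2023 certificates. Assumptions: the status values may sit under the `Servicing` subkey, the certificate subject strings are the ones Microsoft publishes, and `Test-SecureBootCert` is a hypothetical helper name.

```powershell
# Added example: read-only report of the Secure Boot 2023 certificate state.
# Run from an elevated PowerShell prompt on a UEFI system. Nothing is modified.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
# Assumption: the status values sit under the key itself or its Servicing subkey.
$keys  = @($base, "$base\Servicing")
$names = @('AvailableUpdates', 'UEFICA2023Status', 'WindowsUEFICA2023Capable')

foreach ($name in $names) {
    $shown = 'not present'
    foreach ($key in $keys) {
        $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        if ($null -ne $prop) {
            $value = $prop.$name
            if ($value -is [int]) { $value = '0x{0:X}' -f $value }   # show DWORDs in hex
            $shown = "$value  ($key)"
            break
        }
    }
    '{0,-26} {1}' -f $name, $shown
}

# Hypothetical helper: does a Secure Boot variable contain a certificate subject?
function Test-SecureBootCert {
    param([string]$Variable, [string]$Subject)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return 'unreadable'   # not elevated, legacy BIOS, or variable absent
    }
    # Subject names are stored as plain strings inside the DER-encoded certificates.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text.Contains($Subject)) { 'present' } else { 'missing' }
}

$expected = @(
    @{ Variable = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Subject = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Subject = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Subject = 'Microsoft Option ROM UEFI CA 2023' }
)
foreach ($e in $expected) {
    '{0,-4} {1,-40} {2}' -f $e.Variable, $e.Subject,
        (Test-SecureBootCert -Variable $e.Variable -Subject $e.Subject)
}
```

A `missing` result on the KEK line alongside `present` on the DB lines matches the situation the question describes.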