Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Pearl-Angeles
Updated Apr 15, 2026
acamachor
Apr 23, 2026 Copper Contributor
Hello, I made a test in Windows Server 2022 and executed these 2 commands in PowerShell:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Then I restarted the server 4 times. The new certificate was downloaded, but I am getting this message: UEFI2023Status: Capable, KEKLastUpdateErrorReason: Firmware_MissingKEKInPackage. Does this mean the certificate is downloaded but not applied correctly?
Thanks.
mihi
Apr 23, 2026 Brass Contributor
It means that your firmware vendor has not provided a signed KEK to Microsoft (signed with the firmware's platform key). You have two options:
- Contact your firmware vendor (probably fruitless)
- Check if there is a firmware update available, install it
- If the issue persists after installing the firmware update, and the firmware update is supposed to include the new certificates in the Default DB, reset Secure Boot settings so that the default DB is used. Don't forget to suspend BitLocker if you use it with TPM.
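
A read-only check that can be run before and after the firmware update discussed in the reply above, to see whether the active and default KEK/db variables already contain the 2023 certificates and whether BitLocker protection is on. This is an added example, not part of any post in this thread; it assumes an elevated PowerShell session on a UEFI system, and the certificate names in it are the published 2023 certificate names, which do not appear on the page.

```powershell
# Added example (not from the thread). Read-only: changes no firmware or registry state.
# Assumption: these are the subject names of the 2023 certificates being rolled out.
$kekCerts = @('Microsoft Corporation KEK 2K CA 2023')
$dbCerts  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023',
              'Microsoft Option ROM UEFI CA 2023')
$expected = @{
    KEK = $kekCerts; KEKDefault = $kekCerts   # active KEK vs. firmware default KEK
    db  = $dbCerts;  dbDefault  = $dbCerts    # active db  vs. firmware default db
}

function Test-SecureBootVariable {
    param([string]$Name, [string[]]$CertNames)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        # Variable missing or unreadable (some firmware exposes no *Default variables).
        return $CertNames | ForEach-Object {
            [pscustomobject]@{ Variable = $Name; Certificate = $_; Present = $null }
        }
    }
    # Certificate subject names are stored as ASCII-compatible text inside
    # the signature list, so a substring search is enough for a presence check.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($cn in $CertNames) {
        [pscustomobject]@{ Variable = $Name; Certificate = $cn
                           Present  = $text.Contains($cn) }
    }
}

$report = foreach ($name in 'KEK', 'db', 'KEKDefault', 'dbDefault') {
    Test-SecureBootVariable -Name $name -CertNames $expected[$name]
}
$report | Format-Table -AutoSize

# If the *Default rows show Present = True after a firmware update, resetting
# Secure Boot keys to factory defaults would load the new certificates.
# Before such a reset, list volumes whose BitLocker protection is active.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On' |
        Select-Object MountPoint, ProtectionStatus, KeyProtector
    # To suspend for one reboot (mount point is an example value):
    # Suspend-BitLocker -MountPoint 'C:' -RebootCount 1
}
```

A `Present` value of `$null` means the variable could not be read, which is different from `False` (read, but the certificate is absent).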