Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
DJ8014A's avatar
DJ8014A
Copper Contributor
Mar 12, 2026

Hello,

I have machines that will not be receiving BIOS updates from the OEM (Dell).

They successfully installed the new certs, but did not apply them - throwing 1803/1801 errors. Will the 1803 error (PK-signed KEK not found) possibly be resolved thru Windows Update, or will machines affected by this simply be unable to apply/utilize the 2023 certs?

 

  • mihi's avatar
    mihi
    Brass Contributor
    Mar 13, 2026

    If Dell won't provide a signed KEK update to Microsoft for those devices (probably because they cannot), Windows will not be able to update the KEK.

    In my experience, Dell devices often have an option in their firmware setup to enroll a DB or KEK certificate from an USB key manually. You can try by putting 

    https://github.com/microsoft/secureboot_objects/blob/main/PreSignedObjects/KEK/Certificates/microsoft%20corporation%20kek%202k%20ca%202023.der  on a FAT32 formatted USB key and trying to import it as KEK. This should make the secure boot update continue and complete successfully.

     

    Still, from an economic standpoint, you have to decide whether spending a few minutes on each device manually is worth the effort or whether you would be better off replacing the devices.

    • DJ8014A's avatar
      DJ8014A
      Copper Contributor
      Mar 13, 2026

      Thank you for the response and giving me something to try. I have about a dozen machines that will probably need this workaround (hope it works). So, not hundreds or thousands. But unlike a general user's 4-core Optiplex from 10+ years ago, these are workstations that have 12 or 14 cores. Are they as powerful as an equivalent new machine? No, but they still do what we need them to do, and do it pretty well. So, a few minutes, assuming the fix works, is well worth my time. Thanks again. I'll report back when I've had a chance to try.

      • mihi's avatar
        mihi
        Brass Contributor
        Mar 14, 2026

        In case that option is not there, feel free to take and share photos of which Secure Boot options are there, maybe there is another way we can get that KEK in.

        And in general, before messing with Secure Boot options, it is a good idea to suspend BitLocker (if in use).

    • Arden_White's avatar
      Arden_White
      Icon for Microsoft rankMicrosoft
      Mar 13, 2026

      DJ8014A​ I can see that's a Dell device. It's difficult to determine which one it is. Would you be willing to share the model name/number of the device?

      • DJ8014A's avatar
        DJ8014A
        Copper Contributor
        Mar 13, 2026

        It's a T5610. We have a T5810 with the same issue. As noted above, I am aware that Dell will not be issuing new BIOS updates for these machines. I'm still hoping they will not be relegated to e-waste.