Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
ImNotInThatBush's avatar
ImNotInThatBush
Occasional Reader
Apr 01, 2026

Hi,

 

I have a specific technical question about SBAT that I could not find addressed anywhere in public documentation, forums, or Microsoft's own tooling.

 

My system (MSI MPG Z590 Gaming Plus, Intel i7-11700K, Intel PTT TPM 2.0, Windows 11 Pro 25H2) has been logging Event ID 1796 with UpdateType: SBAT on every boot since the March 2026 out-of-band update introduced the SBAT update attempt. HResult: -2147024895 (0x80070001 — ERROR_INCORRECT_FUNCTION).

 

The system is otherwise fully compliant:

- UEFICA2023Status: Updated

- WindowsUEFICA2023Capable: 2 (2023 cert in DB, booting from 2023 signed boot manager)

- AvailableUpdates: 0x0400 (only SBAT bit remains, stuck)

- SBAT\UpdateStatus: 2

- Secure Boot enabled throughout, never disabled

- No manual registry or certificate modifications — everything was applied via standard Windows Update and an OEM BIOS update provided by MSI

 

Two things I cannot find explained anywhere:

 

1. Every documented case of a failing SBAT update shows HResult 0x800700c1. My system returns 0x80070001. These are different error codes — 0x80070001 is ERROR_INCORRECT_FUNCTION, not ERROR_BAD_EXE_FORMAT. I cannot find any public documentation, tool, or forum post that addresses 0x80070001 specifically in the context of a SbatLevel write attempt. What does this code indicate at the firmware level?

 

2. SbatLevel is a Boot Services variable. The write attempt happens during boot. On this specific platform (Z590 + Intel PTT), the write has been failing consistently across multiple BIOS versions and multiple clean Windows installations. Is there a known class of firmware implementations on this generation of Intel platform that cannot support the SbatLevel write, and if so, is this an expected/documented limitation or a gap that needs addressing before June 2026?

 

I am not looking for a workaround. The system is functional and secure. I am looking for a technical explanation of what this specific error code means in this specific context, because it does not appear in any public resource I can find.

 

Thank you.