Unsolved

1 Rookie • 4 Posts • 13 Points

May 30th, 2026 13:38

Aurora R13, 2023 Secure Boot Certificate

Please help if you can. I have noticed for a while, since Microsoft decided to retire the old 2011 certificate, that I have been receiving TPM-WMI errors in my Event Viewer. I thought it was just because I hadn't updated my BIOS. I updated my BIOS last weekend, 23/5/26, since it included the new 2023 Secure Boot certificate.

Since it gets closer to June, Windows is telling me that I am still using an old boot trust manager. I am not too sure what to do about it, so if anyone has any ideas that would be great. Please see images below.

When I run the PowerShell command: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

it says True

I also noticed this too in my bios, that Microsoft UEFI CA is disabled 

5 Journeyman • 1.6K Posts • 6.3K Points

May 30th, 2026 16:59

Hi

Well I would point you to a post I made earlier ....

https://www.dell.com/community/en/conversations/windows-general/secure-boot-2023-cert-upgrade/6a187f63a3bee005f7656895

Mine returns true and does not seem to nag me.

However I have double checked, just in case I am wrong ....

Prerequisites

  • Updated BIOS: Your motherboard must have a BIOS version that includes the 2023 certificates. If your BIOS is outdated, the update will fail with Event ID 1802.

  • Admin rights: Run PowerShell or Command Prompt as Administrator.

  • BitLocker: If enabled, save your recovery key before updating BIOS.

NB: There are instructions that say to decrypt BitLocker before beginning, but I don't know why.


Step-by-Step Manual Update (Windows)

| Step | Action | Command |
|------|--------|---------|
| 1 | Set registry key to enable updates | reg add HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f |
| 2 | Trigger the Secure Boot update task | Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" |
| 3 | Reboot the system | Restart your PC (may need 2 reboots) |
| 4 | Verify update succeeded | [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023' (returns True) |

Run this PowerShell command to check for all 4 new 2023 certificates:

```powershell
# Dump the db and KEK variables to temp files and show certutil lines mentioning 2023
foreach ($UEFIDb in @("db", "KEK")) {
    Write-Host "`n--- Secure Boot $UEFIDb ---"
    $Data = Get-SecureBootUEFI -Name $UEFIDb
    $Path = "$env:TEMP\SB_$UEFIDb.bin"
    [System.IO.File]::WriteAllBytes($Path, $Data.Bytes)
    certutil -dump $Path | Select-String "2023" -Context 2,2
}
```

You should see: Windows UEFI CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023, and Microsoft Corporation KEK 2K CA 2023.


For Linux (Dell/Alienware)

Since you use Linux, note that Secure Boot certificate updates are typically handled via UEFI firmware updates (not OS-level). On Dell systems:

  1. Download the latest BIOS from Dell's support site

  2. Update BIOS via fwupdmgr (Linux Firmware Manager):

    ```bash
    sudo fwupdmgr get-updates
    sudo fwupdmgr update
    ```
  3. Reboot into BIOS setup to verify Secure Boot keys include "Windows UEFI CA 2023"

The 2011 certificates expire June 2026, so update before then to maintain Secure Boot protection.

 

 

 

AND as I run mostly Linux Mint.....

/home/anne# fwupdmgr get-updates && fwupdmgr update
Devices with no available firmware updates: 
 • CT2000P310SSD8
 • System Firmware
 • UEFI Device Firmware
 • UEFI dbx
 • USB2.0 HD UVC WebCam
No updatable devices

I think I am OK.

At least one is ....

mokutil --kek

Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
        Validity
            Not Before: Mar  2 20:21:35 2023 GMT
            Not After : Mar  2 20:31:35 2038 GMT

If in doubt please ask.

(edited)
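An added example, not part of the post above or of any Dell or Microsoft tooling: the one-line `-match` check only looks for one name anywhere in `db`, so this sketch walks the EFI_SIGNATURE_LIST structure and reports which of the four names listed in the post are absent from the X.509 entries. It takes the raw bytes the PowerShell loop above writes to `SB_db.bin` / `SB_KEK.bin` (on Linux, an efivarfs file minus its 4-byte attribute prefix); the function names and the sample data are constructed for illustration.

```python
import struct
import uuid

# EFI_CERT_X509_GUID (UEFI specification), in its on-disk mixed-endian layout.
EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le

# The four certificate names listed in the post above, by variable.
EXPECTED = {
    "db": ["Windows UEFI CA 2023", "Microsoft UEFI CA 2023",
           "Microsoft Option ROM UEFI CA 2023"],
    "KEK": ["Microsoft Corporation KEK 2K CA 2023"],
}

def x509_entries(blob):
    """Yield the certificate bytes of every X.509 entry in db/KEK variable data."""
    off = 0
    while off < len(blob):
        if off + 28 > len(blob):
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type = blob[off:off + 16]
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or sig_size <= 16 or end > len(blob):
            raise ValueError(f"malformed EFI_SIGNATURE_LIST at offset {off}")
        for pos in range(off + 28 + hdr_size, end - sig_size + 1, sig_size):
            if sig_type == EFI_CERT_X509:
                yield blob[pos + 16:pos + sig_size]  # drop the 16-byte owner GUID
        off = end

def missing_certs(variable, blob):
    """Names from EXPECTED[variable] absent from every X.509 entry in blob."""
    certs = list(x509_entries(blob))
    # DER strings under 128 bytes carry a one-byte length prefix; matching it stops
    # a name from matching inside a longer one. Byte search, not X.509 parsing.
    return [n for n in EXPECTED[variable]
            if not any(bytes([len(n)]) + n.encode("ascii") in c for c in certs)]

def sample_list(names):
    """Constructed test data: one X.509-type list per fake 'certificate'."""
    out = b""
    for n in names:
        body = bytes(16) + b"\x13" + bytes([len(n)]) + n.encode("ascii")
        out += EFI_CERT_X509 + struct.pack("<III", 28 + len(body), 0, len(body)) + body
    return out

# Constructed db: passes the one-line -match check, yet two names are absent.
SAMPLE_DB = sample_list(["Windows UEFI CA 2023", "Microsoft Windows Production PCA 2011"])
```

For a real machine, read the dumped file with `open(path, "rb").read()` and pass it as `blob`; an empty result means every listed name was found in that variable.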

10 Wizard • 17.7K Posts • 70.7K Points

May 30th, 2026 18:05

1. I updated my bios last weekend, 23/5/26 since it included the new 2023 secure boot certificate.

2. Since it gets closer to June, Windows is telling me that I am still using an old boot trust manager.

3. I also noticed this too in my bios, that Microsoft UEFI CA is disabled 

1. Ok ... you want your Aurora-R13 running the latest BIOS-Firmware. No problem there.

2. Interesting. So, that new "Status Indicator" does work.

No, I've never seen this particular message. I've done about 10 computers now.

3. Well, that is what you are working on, isn't it? Can you think of any reason to keep it Disabled? My (newish) XPS laptops are the only ones with this particular BIOS option. I keep it Enabled.

 

Additionally, if you want to see the actual Keys and Certificates on this screen, you can go ahead and Enable "Custom Mode". Just because you can finally see them, does not give license to mess with them (I certainly would not recommend changing them manually). But, yeah, I use Custom-Mode on all my computers.

(edited)

1 Rookie • 4 Posts • 13 Points

May 31st, 2026 19:03

Thank you very much, both of you, for your posts and for replying. I will definitely use these codes and helpful information if the setting in BIOS doesn't work. I'm sorry for the late reply, I've been busy. Will update you both if things change. Thank you again.

2 Intern • 11 Posts • 3 Points

June 1st, 2026 05:01

I'm running the most recent bios update available for my R12, April 2025, and I'm getting this secure boot notice down in my Windows 11 icon tray.   However my windows powershell returns "True" when I run the command...

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

So I don't really know why Windows is giving me a system notice about it. 

10 Wizard • 17.7K Posts • 70.7K Points

June 1st, 2026 05:14

@rhiett​ ,

I'm running the most recent bios update available for my R12, April 2025, and I'm getting this secure boot notice down in my Windows 11 icon tray.   However my windows powershell returns "True" when I run the command...

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

So I don't really know why Windows is giving me a system notice about it. 

Who knows. Probably because something is broken I would imagine. There are various parts to it.

What does it say in Windows Security / Device Security / SecureBoot ?

5 Journeyman • 1.6K Posts • 6.3K Points

June 1st, 2026 07:29

Hi

There is nothing that an end user is supposed to do, because MS updates everything in the background via Windows updates, and also DELL reinforces those changes by its BIOS updates.

Therefore it is a wait and see scenario I believe, which does not prevent you from trying to resolve the issue.

IF/WHEN I run the command, in Linux Mint, 

root# mokutil --kek > /home/root/kek.txt

I get quite a long txt file, the short version is ...

[key 2]
SHA1 Fingerprint: 31:59:0b:fd:89:c9:d7:4e:d0:87:df:ac:66:33:4b:39:31:25:4b:30
Certificate:
          Issuer: C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Microsoft Corporation 
            Not Before: Jun 24 20:41:29 2011 GMT
            Not After : Jun 24 20:51:29 2026 GMT
       

[key 3]
SHA1 Fingerprint: 45:9a:b6:fb:5e:28:4d:27:2d:5e:3e:6a:bc:8e:d6:63:82:9d:63:2b
Certificate:
           Issuer: C=US, O=Microsoft Corporation, CN=Microsoft RSA Devices Root CA 2021
        Validity
            Not Before: Mar  2 20:21:35 2023 GMT
            Not After : Mar  2 20:31:35 2038 GMT
        

AND I run.........

mokutil --sb-state && mokutil --list-enrolled
SecureBoot enabled
[key 1]
SHA1 Fingerprint: 76:a0:92:06:58:00:bf:37:69:01:c3:72:cd:55:a9:0e:1f:de:d2:e0
        Issuer: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        Validity
            Not Before: Apr 12 11:12:51 2012 GMT
            Not After : Apr 11 11:12:51 2042 GMT
        Subject: C=GB, ST=Isle of Man, L=Douglas, O=Canonical Ltd., CN=Canonical Ltd. Master Certificate Authority
        

[key 2]
SHA1 Fingerprint: 54:f4:18:74:f4:d8:84:28:09:bc:be:88:10:65:92:0a:17:56:5d:25
        Issuer: CN=grub
        Validity
            Not Before: Feb 24 22:38:00 2019 GMT
            Not After : Feb 21 22:38:00 2029 GMT
        Subject: CN=grub
        

I do wonder whether all is actually correct, because Linux Mint and the boot loader GRUB are both "valid", but no sign of a Microsoft key.

Hopefully more later.

1 Rookie • 4 Posts • 13 Points

June 3rd, 2026 15:46

Hi there

Just wanted to update: I have changed that setting in my BIOS to be enabled and put the setting for custom mode back to disabled. There is still sadly no change in my Secure Boot certificate, so I am really at a loss as to what to do.

(edited)

10 Wizard • 17.7K Posts • 70.7K Points

June 3rd, 2026 16:38

@5Melanie5​ ,

 

1. I have changed that setting in my bios, to be enabled

2. and put the setting for custom mode back to disabled,

3. there is still sadly no change in my secure boot certificate. 

1. Good

2. Why? Whose suggestions are you following?

3. What makes you say that?

 

Additionally, sometimes it takes some casual use, reboots, and some normal use of Windows-Update while online.

(edited)

1 Rookie • 4 Posts • 13 Points

June 3rd, 2026 19:55

Hi there

Thank you, and if my certificate doesn't update I will try using custom mode and see if that helps. I will wait and see if it does update, give it a week, and will update you then. I also tried using check uefi pk kek db and dbx.cmd from GitHub, which displayed that all certificates were updated. Thank you for everyone's support and help.

5 Journeyman • 1.6K Posts • 6.3K Points

June 3rd, 2026 21:02

Hi

Despite Microsoft's best efforts I did find a screen with the certs buried deep in the bowels of the BIOS.

Which leads me to believe that others may have the same situation, and actually don't have to panic.
