XPS 8940, will Dell release a BIOS update to deal with Microsoft's expiring SecureBoot Certificates?

It takes time between MS security patch and vendor/Dell incorporating it in next bios version.  The question is not will Dell but when.

now if the XPS model were old, Dell may stop updating its bios.  In those case you may see Dell driver site say that bios ver. Is the final one. 

@redxps630​ Well, my system is just past 5-years old so  I hope that is not too old to continue to be supported.  Microsoft's linked KB article states that the keys don't actually expire until June 2026.  I would guess that Microsoft informed all major OEMs and partners about this upcoming change so that they could have enough time to make the changes and thoroughly test them.  In any event, the article says that Microsoft will eventually attempt to incorporate the updated keys into the firmware by other means, but that having the BIOS updated by the vendor would be the preferred method.  I guess we shall see.

Thanks for your response.  One of my main reasons for posting this question was to be sure that other people would be aware of the issue, and the other was to get some visibility of the issue to Dell.  Many people practically never look at their Event Log so they might not have been aware of the issue yet.  Maybe, if they see this post, they will be motivated to wade into the Event Log and see what is really happening under the covers of their system.

Cheers, and Happy New Year to all.

The Event Viewer is full of useful information, and you have to know was is 'real' and what isn't? Easier said than done unfortunately.

MS (and some programs) sort of flood the Event Log with normal operational errors. They may or may not apply to your PC. Google "Is it normal to have errors in event viewer" and you'll find many answers, even YouTube video's explaining the Event Log Viewer.

I look 'often' and never see a real problem, even this one.

It is more informational than an error as it has not caused a problem or stop something from working, those are REAL errors, like BSOD for instance.

Yes, it is an 'error' in the definition of an error, but it is, at least right now 'harmless' and more an informational error. 

Face it, this one you can't fix, were most other errors you can by doing 'something'.

Me, until this particular problem breaks things, I'd not worry.

Matter of fact, when I've installed some programs I've see dialog windows telling the the Certificate is 'old'. I do the Install anyway without problems installing or the program running.

@ispalten​ I am pretty much fully in agreement with your assesment of the Event Log.  It does have a lot of events that are fully expected and so can give a false sense of the state of one's system.  Sometimes it seems like multiple layers in a software stack report the same event but with a different context and details.  It can be hard to see this in the aggregated summary view, but if one uses other Event Log viewers that show all entries ordered by timestamp it becomes possible to see the correlation of entries associated with a single event.

Unless one is familiar with many of the low level aspects of software, the Event Log tends to be overwhelming with spurious and/or superfluous information.  I happen to be a software developer and so tend to scan the Event Log on a regular basis as one way of evaluating the health of my system.

In this case, however, I would say that the whole point of Secure Boot is compromised if the chain of trust is 'broken' by an expired certificate.  Sure, the system will still boot but the 'secure' part is now not quite so secure, IMHO.  Of course, YMMV.  At some point, a firmware update that allows the new certificates to be incorporated into the firmware image is the proper way to solve this problem.  I do hope that Dell agrees and does the right thing.

@wbresler0aa7c4​ 

I assume at some point it will get updated... just for me, I am not worried at this point. Heck, I've had some programs that they don't have the correct certificate and the program was created and bundled over a year ago and never updated. It can happen more often that not when installing programs, and those 'errors' do not generally appear int the Event Viewer.

Interestingly, Google AI tells me this about Secured Boot Expired Certificate:

=========

Windows Secure Boot certificates, originally issued in 2011, are expiring starting June 2026, meaning devices must receive new 2023 certificates via Windows Update or OEM firmware updates to maintain security and receive future updates, or risk compromised boot security and inability to trust new boot components. While most users get updates automatically, IT admins should monitor updates and ensure diagnostic data is enabled for large deployments, as expired certs stop boot manager updates, exposing systems to malware

=========

I wonder if it is EXPIRED or you are getting a warning a new one is needed?

MS has even posted that it expires on June 2026, see https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e so it might still be good and Dell (and others) have time to get it updated it seems?

More Google AI info:

=================

What happens when they expire?

• Security Risk: Your device stops receiving security updates for the Windows Boot Manager and Secure Boot components, creating a vulnerability to bootkits and malware.
• Serviceability Issues: The system may no longer trust new signed boot components, impacting updates and functionality. 

• Automatic Updates (Most Users): Microsoft and OEMs are pushing new certificates through standard Windows Update and OEM updates.
• Manual Action (IT/Enterprise):
  • Monitor: Check Event ID 1808 (success) or 1801 (failure) in the Windows System Event Log.
  • Ensure Updates: Verify that UEFI_CA2023Status registry key shows "Updated".
  • Firmware: Apply OEM firmware updates if needed, as they can help prevent issues.
  • Registry: For managed environments (like Intune), ensure diagnostic data is at least "Required," or manually set MicrosoftUpdateManagedOptIn to 0x5944. 

• For personal devices: Keep Windows updated, and you should be fine.

=================

If that IS correct, no need to panic, yet.