![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(48, 45%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHB%3C/text%3E%3C/svg%3E)
Authorized TimeStamps and OsRecovery Signatures are not user‑installable items on a Windows 11 home PC. They are part of the Secure Boot certificate and key ecosystem that OEMs, firmware vendors, and Microsoft manage through UEFI Secure Boot variables (PK, KEK, db, dbx) and firmware/Windows updates, not something that can be manually added like normal certificates.
For a home device that is showing Secure Boot–related errors (such as Event 1801) and instability, the supported remediation path is to repair or reset the Secure Boot configuration rather than trying to manually install specific keys:
- Reset Secure Boot keys to factory defaults in firmware (UEFI/BIOS)
- Enter the device’s UEFI/BIOS setup.
- Locate the Secure Boot section.
- Use the option to Reset Secure Boot keys to factory defaults (do not use “Clear”; the goal is to restore the OEM’s default PK/KEK/db/dbx set).
- Save changes and reboot.
This restores the OEM‑provided Platform Key (PK), Microsoft KEK, db, and dbx that Windows relies on.
- If the system will not boot or remains unstable, use the documented recovery procedure
The supported recovery sequence for Secure Boot/boot‑manager issues is:- Turn off Secure Boot in UEFI/BIOS.
- Reset Secure Boot keys to factory defaults (if available).
- Boot Windows and repair the EFI system partition from an elevated Command Prompt:
mountvol S: /s del S:\*.* /f /s /q bcdboot %systemroot% /s S: - Reboot and confirm Windows starts normally.
- If this fails, reinstall Windows from recovery media, then re‑enable Secure Boot.
- Finally, re‑enable Secure Boot in UEFI/BIOS.
- Ensure the standard Microsoft Secure Boot objects are present
On correctly configured systems, the following are present in the UEFI Secure Boot variables and are sufficient for Windows to boot and for Secure Boot to function:- Platform Key (PK) from the OEM.
- Microsoft Corporation KEK 2K CA 2023 in KEK.
- Windows UEFI CA 2023 in db (required for the Windows boot loader to be trusted).
- A valid dbx (forbidden signatures) from Microsoft.
These are provided by the OEM firmware and Microsoft updates; they are not manually installed by end users.
- If Event 1801 persists after resetting keys
- Confirm that Secure Boot is enabled and that keys were reset (not cleared).
- Apply all pending Windows Updates, including any Secure Boot certificate updates.
- If random reboots continue, investigate other hardware or driver causes; Secure Boot key absence alone is not typically the direct cause of random reboots once the default key set is restored.
There is no supported mechanism on Windows 11 Home for manually adding “Authorized TimeStamps” or “OsRecovery Signatures” as separate keys. The supported and safe approach is to restore the OEM/Microsoft Secure Boot key set and repair the EFI boot files as described.
References:
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 81%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAD%3C/text%3E%3C/svg%3E)