
Why aren't the Secure Boot Certificates being applied to my SER5 Max

BDB-6880 0 Reputation points
2026-02-05T21:55:04.7066667+00:00

New to this forum. I am operating a Bee Link SER 5 Max mini pc with AMD Ryzen 7 6800U processor and Radeon Graphics. Running Windows 11 Pro 25H2 (26200.7705) system fully updated through Windows Update within a local account with secure boot enabled. I have updated the Bios and AMD drivers. I currently have BitLocker and Data Encryption disabled.

From reviewing the event logs, key registry values and using PowerShell, it appears that the 2023 CA certificates are present in DB and KEK. The Task Scheduler shows the Secure-Boot-Update task has run a successful operation (0x0). Registry keys: AvailableUpdates value of 0x0000000 (0), UEFICA2023Status is NotStarted, Windows UEFICA2023Capable value of 0x0000002 (2) and UEFISecureBootEnabled 0x00000001 (1). TPM 2.0 status is ready for use.

Reviewing the event logs, it appears that there are multiple sequential TPM ID 17 events with "TPM hardware failed to execute a TPM command" and then a TPM-WMI event error ID 1801 with "Updated Secure Boot Certificates are available on this Device but have not yet been applied to the firmware" occurs.

I have run "Clear TPM" in Windows and "Restore Factory Keys" in BIOS without resolving the issue. The manufacturer suggests cycling the currently enabled fTPM setting to disabled/restart and then back to enabled/restart. I am concerned that there are risks with doing this. I have read about forcing the update with a PowerShell script by setting the AvailableUpdates key to 0x5944, but I am not sure that applies to this situation and I don't know how to run the script.

With the Secure-Boot-Update task successfully completing its run, and if the 2023 CA certificates are in the databases, why won't the registry key UEFICA2023Status proceed through the "NotStarted", "InProgress" and finally "Updated" sequence on its own through Windows Update?


3 answers

  1. Prabhakar Hampanna Vrushabendrappa 0 Reputation points Microsoft Employee
    2026-03-04T05:10:28.74+00:00

    Hello BDB-6880,

    UEFICA2023Capable 2 indicates that the device does have the new boot manager signed with the new Windows UEFI CA 2023 certificate. This also confirms that you have the primary Windows UEFI CA 2023 certificate in the Secure Boot DB. The event 1801 indicates the device is missing 1 or more of the remaining certificates (KEK CA 2023, Option ROM CA 2023 and Microsoft UEFI CA 2023). To deploy the remaining certs, follow the steps below:

    • Run PowerShell as Administrator and execute the following commands
    • Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
    • Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    This will immediately apply the remaining certificates to the Secure Boot DB and KEK. After this step, the registry value UEFICA2023Status will transition to "Updated".


  2. Carl-L 9,895 Reputation points Microsoft External Staff Moderator
    2026-02-13T14:20:12.51+00:00

    Hello BDB-6880,

    DISM and SFC are actually built-in scanners for system files, embedded by Microsoft. They were meant to be user friendly, even for low-tech users. So, they are relatively safe; they will try to detect and repair any corruption in the system files. They will return a failed message if they cannot safely repair them.

    What you see while looking for the files is actually expected. It does mean that the payload folder is ready, and it seems like the thing blocking it is that the AvailableUpdates parameter is 0.

    I do understand your concerns about editing the registry and uninstalling the TPM from your Device Manager. These steps do pose a risk, especially when we can only give suggestions based on what you described without having a direct look at it. That is why I recommend that you save a copy of the registry before editing, since in the worst case you can access Safe Mode and restore the saved registry.

    In this case, if you are not confident in this, I suggest that you look for a local store in your area to see if they can help you with this, or contact Microsoft Support. They will have the proper tools and more expertise in this to help you and provide remote assistance if needed. Thank you for your understanding.


  3. Carl-L 9,895 Reputation points Microsoft External Staff Moderator
    2026-02-12T07:16:16.5733333+00:00

    Hello BDB-6880,

    Welcome to Microsoft Q&A forum.

    Even if the certificate is present, the status might not advance due to various reasons from the OS (cannot write variables, complete the boot manager handoff, or waiting for a trigger). The error 1801 might indicate that Windows does recognize the certificate but is currently unable to do all the changes and swap to the 2023 boot manager. We can start from that.

    • Restore the payloads using SFC.
      1. Go to C:\Windows\System32\SecureBootUpdates and find files like dbupdate.bin, kekupdatecommand.bin and bootmgfw_2023.efi. (The name might be slightly different)
      2. If the folder is empty, type "Command Prompt" in the search bar and select "Run as administrator".
      3. Type "DISM /Online /Cleanup-image /restorehealth" and press Enter.
      4. When the scan is done, type "SFC /scannow" and press Enter.
      5. Restart your computer.
    • Set the trigger to start the task. Disclaimer: Generally, modifying registry subkeys or work groups is intended for advanced users, administrators, and IT professionals. It can help fix some problems; however, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For further protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, see How to back up and restore the registry in Windows - Microsoft Support.
      1. Type "PowerShell" in the search bar and select "Run as administrator".
      2. Type reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot" /v AvailableUpdates /t REG_DWORD /d 0x5944 /f and press Enter.
      3. Type Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" and press Enter.
      4. Restart your computer.

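The state checks the question walks through and the two-step trigger given in answers 1 and 3, gathered into one added PowerShell example (not code from this thread). The Servicing subkey as the home of UEFICA2023Status/WindowsUEFICA2023Capable and the full CA subject strings come from Microsoft's Secure Boot certificate documentation, not from the thread; treat them as assumptions to verify on your own system.

```powershell
#Requires -RunAsAdministrator
# Added example: read the Secure Boot CA 2023 signals discussed in the thread, then
# optionally set the documented trigger. Registry paths below: AvailableUpdates is the
# key named in the thread; the Servicing subkey is assumed from Microsoft's documentation.
$SbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$SvcKey = "$SbKey\Servicing"

function Test-SecureBootVariableHasCa {
    # True when the ASCII rendering of the UEFI variable (db or KEK) contains the CA name.
    # DER PrintableStrings are ASCII, so a plain substring match finds the certificate subject.
    param([ValidateSet('db','KEK')][string]$Name, [string]$CaName)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($CaName))
}

function Get-SecureBootCa2023State {
    # Read-only snapshot: registry state, which 2023 CAs are already in db/KEK, and 1801 events.
    $sb  = Get-ItemProperty -Path $SbKey  -ErrorAction SilentlyContinue
    $svc = Get-ItemProperty -Path $SvcKey -ErrorAction SilentlyContinue
    $evt = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'
                                             ProviderName = 'Microsoft-Windows-TPM-WMI'
                                             Id = 1801 } -MaxEvents 5 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        SecureBootEnabled  = Confirm-SecureBootUEFI
        AvailableUpdates   = ('0x{0:X}' -f [int]$sb.AvailableUpdates)   # 0x5944 = apply all
        UEFICA2023Status   = $svc.UEFICA2023Status                      # NotStarted/InProgress/Updated
        Capable            = $svc.WindowsUEFICA2023Capable              # 2 = 2023-signed bootmgr present
        DbHasWindowsCA2023 = Test-SecureBootVariableHasCa db  'Windows UEFI CA 2023'
        DbHasUefiCA2023    = Test-SecureBootVariableHasCa db  'Microsoft UEFI CA 2023'
        DbHasOptionRomCA   = Test-SecureBootVariableHasCa db  'Microsoft Option ROM UEFI CA 2023'
        KekHasKekCA2023    = Test-SecureBootVariableHasCa KEK 'Microsoft Corporation KEK 2K CA 2023'
        Recent1801Events   = $evt.Count
    }
}

function Start-SecureBootCa2023Update {
    # The two steps from the answers: back up the key, set the trigger, run the servicing task.
    $backup = Join-Path $env:TEMP 'SecureBoot-key-backup.reg'
    reg export 'HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot' $backup /y | Out-Null
    Set-ItemProperty -Path $SbKey -Name AvailableUpdates -Type DWord -Value 0x5944
    Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
}

# Inspect first; call Start-SecureBootCa2023Update only after reviewing the snapshot.
Get-SecureBootCa2023State | Format-List
```

Re-run Get-SecureBootCa2023State after the task and a reboot; the expected end state is AvailableUpdates back to 0x0, UEFICA2023Status "Updated" and all four CA checks true.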

