What kind of operation are you running over there?
I finally found time to update my old board. Wasted a couple of hours because of misleading post information. There is a large section in the middle, “Updating a Mainboard outside of a laptop”, which assumes one can update to 3.23 and 3.24 outside of the laptop (I am running my board in an external case). This does NOT work - CapsuleApp won’t do any update without a battery attached, and without any specific error message. It just won’t do the update. And only at the bottom is there a note, “This update requires a battery present to complete the update.”, which actually means no outside update is possible.
So what was the “Updating a Mainboard outside of a laptop” section about then? If it needs a battery, it is not “outside of laptop”. “This release supports standalone updates without a battery attached only when updating using the EFI shell method only.” - not working, because CapsuleApp.efi doesn’t work without a battery attached.
If someone is having the same issues I described here, please note - you HAVE TO CONNECT THE BATTERY if you want to install 3.23 and 3.24. Once you connect the battery, everything goes smoothly: you will get 3.23 first, 3.24 next. Now, if Framework does release a new version in the future, it might be possible to install it without a battery. However, taking into account the age of the board, I won’t count on it.
Hi Everyone,
Just powered on my 11th gen intel framework (i7-1165G7), running BIOS 3.24. A few months ago I updated to 3.23 before updating to 3.24 (as suggested in the bios update notification).
Today Windows Security gave the notification “Actions Recommended”, when clicked it gives the “Secure Boot; Secure Boot is on, but your device does not support the automated Secure Boot certificate update due to hardware or firmware limitations. Contact your device manufacturer for assistance”.
Anyone any clue how to fix this?
Try this
Hi,
Thank you for the suggestion. I had already tried that one (without suspension, have access to the recovery key), no effect. Did it again, but this time with the suspension of Bitlocker; again nothing changed. I did however get an error message on a black screen with white text; I also got it the first time, but it went away too quickly to read.
This is what it read; “Your device ran into a problem and needs to restart. We’ll restart for you. Stop Code: DRIVER_IRQL_NOT_LESS_OR_EQUAL (0xD1)”.
After doing a quick search online, this opened up a whole load of Pandora’s boxes for me. Any idea what to do for Framework specifically, or is this one of those problems where it’s basically try all the different steps suggested in other forums to see what might actually fix this?
I wonder if we’ll be getting another BIOS update for this board. It’s been 6 months since this version was released. I guess it does depend on what’s there to fix.
No idea where to go from there tbh but I wish you luck.
Just went into Event Viewer and discovered the following 2 errors during the reboot;
- Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection.
  1.Q - Any clue what Framework has for this?
- A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
  2.Q - This sounds like a ‘contact support’ but feels like it might be something else, any idea?
I guess it will mostly depend on other downstream suppliers (chip manufacturers etc.): if they still support the chips in the board, I would assume we’ll be getting other updates. Maybe no big updates, but I would assume security updates are here to stay for as long as all suppliers support their components in this board.
Oddly enough, I managed to find the fix here as well, but it was a lot more complicated. My 11th gen is a bare board, so I needed to pull the battery out of my laptop to do the update to 3.24. After I got there I ended up in the same state. Out of desperation I tried clearing the secure boot keys and resetting to factory defaults, but that just resulted in broken Secure Boot. Then I stumbled upon Framework Laptop 13 - 11th Gen Intel Core BIOS 3.22 Release Stable, specifically Note #1 about broken secure boot.
So what I ended up doing was this:
1. Upgrade 3.19 → 3.23 → 3.24
2. Realize that secure boot wasn’t fully updated, try factory settings, but still no 2023 KEK
3. This will require your Bitlocker recovery key, best to go find it now. You can run `manage-bde -protectors -get [DriveLetter]:` if the machine still boots fine.
4. (Probably Optional) Out of desperation, delete all secure boot keys and break secure boot completely. I don’t think this is necessary since the 3.22 ClearVars update should reset them anyway. Windows will still boot after a recovery key entry, but secure boot will be disabled.
5. Stumble on the 3.22 update notes (Framework Laptop 13 - 11th Gen Intel Core BIOS 3.22 Release Stable) and realize that it’s the same issue
6. Downgrade 3.24 → 3.22 ClearVars
7. Enter the BIOS and reset Secure Boot to factory settings again, now I have the 2011 KEK and secure boot sort of works.
8. Realize that Windows didn’t want to boot anymore (probably because of the missing 2023 keys). I could boot the Windows installer, probably due to the 2011 key being trusted.
9. Switch to the EFI Shell updater to upgrade 3.22 → 3.23 → 3.24. This was my first time using it, but since Windows didn’t boot it automatically booted the updater and finished both upgrades automatically.
10. Enter the BIOS again and reset Secure Boot to factory settings again. After reboot you should have the 2023 keys back and Windows should boot again (after another recovery key entry).
11. Windows still hadn’t finished the migration itself, but at that point you have the necessary keys and should be all set when they pull the trigger.
12. (Optional) I ended up running commands to suspend bitlocker, set the update registry key, and force the scheduled task to run. This shouldn’t be necessary in the long term, but after this my Secure Boot was fully upgraded. I ran the instructions from Check-UEFI.bat from the GitHub repository garlin-cant-code/SecureBoot-CA-2023-Updates (PowerShell scripts for checking and applying Secure Boot CA 2023 updates for Windows).
Thank you, thank you so much Kyle_Farnung!!!
It worked, I realized I also updated from 3.19 → 3.23 → 3.24.
Followed your steps from 6 onward, had a big sweating bullets moment when a successful upgrade to 3.24 still gave boot error but soon realized I had forgotten to reset secure boot again (step 10) after which I was met with my wonderful lock-screen background and was able to login.
When I came back from getting myself a cup of tea the yellow icon at windows security badge had already turned into a green check mark, step 12 was therefore no longer needed for me. Thank you for including this tho, not sure if this will be updated for windows 11 Home automatically or not. I’m on windows 11 Pro and had set a rule in group policy to update KEK/secure boot certificates when available during my first try at fixing it myself before I realized the entire KEK was missing.
Side note; I had suspended bitlocker before I began this undertaking, not sure if this is why but I never had to fill out my Bitlocker recovery key (for those going to perform these steps after reading this post, make sure you have access to your Bitlocker recovery key).
Yeah, suspending Bitlocker is the right call if you can remember to do it (I was already too far in before I realized). It’s possible to do on Home editions as well, but you need to use the command line and I didn’t figure that out until the very end. Having the Bitlocker recovery key is critical though, you don’t want Bitlocker to resume when you didn’t expect it and lock you out.
Framework 13, 11th Gen Intel® Core™ i7-1165G7, 64GB RAM (Crucial), 2TB SSD (Crucial P5 Plus), Windows 11 25H2, BIOS 3.24
Is anyone else running Windows having this message appear?
Have you submitted a request to support?
I haven’t submitted a ticket yet, wanted to check to see if anyone was having a similar issue.
