Hi, I am seeing a new warning in Windows Security. I am not sure if the Framework team is aware of this.
It appears that the upcoming certificate update is not supported. The Learn More link goes to this page: Windows Secure Boot certificate expiration and CA updates - Microsoft Support
- Framework Laptop 13 (1st gen)
- My mainboard is an AMD Ryzen 5 7640U w/ Radeon 760M Graphics (3.50 GHz).
- Windows 11 Pro 25H2 (26200.8655)
- BIOS version 3.18
I don’t know what to expect here, I think that FW 13 AMD 7040 BIOS 3.16 includes updated Secure Boot keys but I assumed that updates roll upward and you’d get the new Secure Boot keys in 3.18, too.
Did you ever have BIOS 3.16 installed?
Could you use the UEFI Shell Method to downgrade to the 3.16 release, then use the same UEFI shell method again with the 3.18 release to lock in the new Secure Boot keys?
Did you ever have BIOS 3.16 installed?
I think I did but I am not sure. However, every time I got a notification about a new BIOS update availability, I installed it. So I must have installed 3.16?
Could you use the UEFI Shell Method to downgrade to the 3.16 release, then use the same UEFI shell method again with the 3.18 release to lock in the new Secure Boot keys?
I’ll have a look at this. Thank you!
Before downgrading BIOS, I would make sure BitLocker/device encryption recovery keys are backed up and suspend BitLocker for the firmware change. Secure Boot key enrollment is exactly the kind of thing that can make Windows ask for recovery on next boot. It may also be worth checking msinfo32 and Windows Update history to capture the current Secure Boot/BIOS state before changing anything, so Framework support can compare 3.16 vs 3.18 behavior.
Did the downgrade work?
I have the exact same problem, digging a bit I’ve found this:
WindowsUEFICA2023Capable = 2
UEFICA2023Status = Updated
KEKLastUpdateErrorReason = Firmware_MissingKEKInPackage
I solved it by taking the steps explained here + 3 reboots spread over an hour. Apparently some Windows background process needs some time to update the key. I have BIOS 4.04.
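As an added read-only check (not from this thread, Framework, or Microsoft), this captures the Secure Boot state before touching the BIOS, as suggested earlier, and confirms whether the 2023 CAs are already present in the firmware db and KEK. It assumes the three values quoted above live under the standard SecureBoot\Servicing registry key and must be run from an elevated PowerShell.

```powershell
# Added diagnostic, not from the thread: read-only, changes nothing.
# Assumption: the values quoted above live under this registry key.
$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-SecureBootServicingState {
    $result = [ordered]@{}
    if (Test-Path $servicing) {
        $props = Get-ItemProperty -Path $servicing
        foreach ($name in 'WindowsUEFICA2023Capable', 'UEFICA2023Status', 'KEKLastUpdateErrorReason') {
            $result[$name] = $props.$name   # $null if Windows has not written the value yet
        }
    }
    $result
}

# Search a Secure Boot variable (db or KEK) for a certificate subject string.
# The variable is a raw EFI_SIGNATURE_LIST blob; the CN is encoded as ASCII bytes
# inside the DER certificate, so a plain substring match is sufficient here.
function Test-SecureBootVariableContains {
    param(
        [ValidateSet('db', 'KEK')] [string] $Name,
        [string] $Subject
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $false   # Secure Boot off, legacy boot, or shell not elevated
    }
    [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject)
}

# 1. What Windows itself recorded about the certificate servicing attempt.
$state = Get-SecureBootServicingState
$state.GetEnumerator() | ForEach-Object { '{0,-26} = {1}' -f $_.Key, $_.Value }

# 2. What the firmware actually holds. After a completed update both should be True;
#    if db passes but KEK does not, compare with KEKLastUpdateErrorReason above.
'db  contains Windows UEFI CA 2023                : {0}' -f (Test-SecureBootVariableContains -Name db  -Subject 'Windows UEFI CA 2023')
'KEK contains Microsoft Corporation KEK 2K CA 2023: {0}' -f (Test-SecureBootVariableContains -Name KEK -Subject 'Microsoft Corporation KEK 2K CA 2023')
```

Save the output before and after applying the linked steps (or any BIOS change) so the two states can be compared if support needs them.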
Did the downgrade work?
No, I have not yet tried it because from a brief glance, it seemed like it was a bit involved to do the downgrade and then to upgrade again. I didn’t have the time to read it thoroughly again. But it seems that @Willem_Bast has found a simpler way. I am going to give that a try instead.
Also, note that the expired key will prevent OS updates but will not cause other issues according to MS.
I solved it by taking the steps explained here + 3 reboots spread over an hour. Apparently some Windows background process needs some time to update the key. I have BIOS 4.04.
Thank you! I didn’t realize there was a public issue tracker for the firmware. That’s nice. Definitely going to give the steps in that issue a shot before I do anything else.
The steps that @Willem_Bast linked to worked great. It’s the simplest thing to try first. It took somewhere between 10 and 20 minutes before Windows updated the status of Device Security after I completed the steps.