Windows Secure Boot certificates begin expiring in June 2026

This is general to all Framework computers, but I had to choose a category. 🤷

Microsoft has announced that its Secure Boot certificates will begin expiring a few months from now (Microsoft Secure Boot certificates begin expiring in June 2026). My Framework 13 has one of the expiring certificates and M$ indicates that some devices will be updated by OEM manufacturers, possibly via firmware. (More info from Ars Technica here)

Does anyone know whether our machines will need special attention from Framework or if a regular Windows update will resolve this? There’s still plenty of time, I just like to know what to expect. Thanks!

4 Likes

I’m uncertain if BIOS updates will be rolled out via Windows Update. Traditionally the updates are made available via knowledge base or on the forum as an .exe to run/install.

1 Like

Thanks, I appreciate the input. I agree, if it has to be a BIOS update, I’d expect it to come from Framework. If it doesn’t require a firmware update, I guess it could be through the regular Windows update channels. I’m hoping that Framework will make an announcement soon about how this will happen.

2 Likes

Two things!

  1. Most Framework programs have already received firmware updates to add the new UEFI CA 2023 KEK certificate. You can search the firmware release notes for “UEFI CA 2023” or equivalent. Note that many of their recent products came out after this transition, and their use of the newer CA cert may not be reflected in their firmware update release notes.
  2. It is not likely to actually matter: mjg59 | Secure boot certificate rollover is real but probably won't hurt you

3 Likes

Fantastic! I updated BIOS once last year and didn’t realize there was another release on Oct 31 that “Added Framework’s dbx key and updated the default CA of Windows Secure Boot”. Sounds like the solution I was looking for. Thanks!

Edit: I ran the BIOS update, it went fine, and I confirmed that the new certificate is installed. Thanks for all the quick responses!

1 Like

It looks like my Framework 13 AMD 7040 hasn’t gotten the KEK certificate update yet. Is this update planned?

EDIT: It looks like 3.16 included the updated certificates, but they weren’t showing up in Windows. For anyone else who has this issue, the solution appears to be to suspend BitLocker (or ensure you have the recovery key) and then reset the Secure Boot settings to factory default in the BIOS. Now it looks like my certificates are fully up to date.

Thanks for your hint. For 12th Gen i7-1260P with BIOS 03.19, latest Win11 25H2, the certificates were fine, but I was getting a yellow triangle warning badge on Windows Security / Device Security.

I made sure I had my recovery key, suspended protection in the BitLocker control panel, rebooted into F2, reset Secure Boot in the BIOS as you suggested, and rebooted.

I got a strange “Wizard Initialization has Failed” dialog when checking the control panel to verify BitLocker was re-enabled (it was). Note the BitLocker recovery key had not changed and the Device Security warning was still on. A second reboot cleared the warning when opening the BitLocker page and in Device Security.

For anyone searching for the text of the Device Security warning: "Secure Boot is on, but your device does not support the automated Secure Boot certificate update due to hardware or firmware limitations. Contact your device manufacturer for assistance."

1 Like

Any guess if resetting Secure Boot for the 11th gen will also work? Currently, the status in Windows 11 for my 11th gen is “Secure Boot is on, but your device is using an older boot trust configuration that should be updated. There is not yet enough data to classify your device for automatic update.”

My laptop is running the latest 3.24 firmware.

I believe it will, and unless you have a custom Secure Boot configuration it is safe to try.

There is a video explaining the expiry of these certificates and what to do for both Windows and Linux.

I have also addressed this question here

2 Likes

Unfortunately, it did not work. Under Security → Secure Boot, I enabled the option to reset Secure Boot. My 11th gen rebooted, Windows complained about a driver incompatibility and forced a restart, after which Windows booted fine. I rebooted again from the login screen, then logged in and checked Device Security. The Secure Boot message had not changed.

The message still appears for me on my 11th gen Intel 13"… but when I check KEK and db they both show the proper 2023 one instead of 2011 (and both are listed in the BIOS). The Windows Secure Boot message doesn’t check if your computer has the proper one; it only checks if your make/model is capable of automatically updating the KEK, which the older Frameworks cannot… so basically you might be stuck with the message pop-up… but it is still secure and will continue to receive all security patches as long as you have the 2023 one… well, until probably 2030 or whenever the newer one expires.
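The KEK/db check the poster above describes, as an added example that is not from any poster or from Framework: it walks the EFI_SIGNATURE_LIST entries returned by the built-in `Get-SecureBootUEFI` cmdlet, decodes the X.509 entries, and reports whether the 2023 Microsoft CAs are present, independent of what the Windows Security badge says. The CA subject names checked are Microsoft's published ones; the script assumes an elevated PowerShell session on the machine being checked.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt.
# Decodes the Secure Boot KEK and db variables and lists the X.509 CAs inside,
# so the real certificate state can be compared with the Device Security badge.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertSubjects {
    param([Parameter(Mandatory)][string]$Variable)          # 'KEK', 'db' or 'PK'
    $bytes    = (Get-SecureBootUEFI -Name $Variable).Bytes
    $subjects = @()
    $offset   = 0
    # Each EFI_SIGNATURE_LIST: 16-byte type GUID, ListSize, HeaderSize, SigSize (UINT32 each)
    while ($offset + 28 -le $bytes.Length) {
        $type   = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSz = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSz  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSz  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSz -lt 28 -or $sigSz -le 16) { break }     # guard against a malformed list
        if ($type -eq $X509Guid) {
            $pos = $offset + 28 + $hdrSz
            while ($pos + $sigSz -le $offset + $listSz) {
                # Each entry: 16-byte SignatureOwner GUID followed by the DER certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSz - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects += $cert.Subject
                $pos += $sigSz
            }
        }
        $offset += $listSz
    }
    return $subjects
}

# Subject names of the replacement CAs Microsoft is rolling out (old ones contain "2011")
$expected = @{
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
    db  = 'Windows UEFI CA 2023'
}
foreach ($var in $expected.Keys) {
    $subjects = Get-SecureBootCertSubjects -Variable $var
    $has2023  = [bool]($subjects | Where-Object { $_ -match [regex]::Escape($expected[$var]) })
    $has2011  = [bool]($subjects | Where-Object { $_ -match '2011' })
    "{0}: {1} cert(s); 2023 CA present: {2}; 2011 CA still present: {3}" -f $var, $subjects.Count, $has2023, $has2011
    $subjects | ForEach-Object { "    $_" }
}
```

A machine that shows the 2023 CAs here but still gets the "does not support the automated Secure Boot certificate update" badge is in the state the poster describes: the certificates are in place even though Windows cannot classify the model for automatic updates.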