Certificate Error - MSI B550 Tomahawk

BW-NET

I'm getting this error in Windows Event Viewer:

Updated Secure Boot certificates are available on this device, but they have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection. This device’s signature information is included here.
Device Attributes:
Baseboard manufacturer: Micro-Star International Co., Ltd.
Firmware manufacturer: American Megatrends International, LLC.
Firmware version: A.K1
OEM baseboard model: MAG B550 TOMAHAWK (MS-7C91)
OEM manufacturer name: Micro-Star International Co., Ltd.
OS architecture: amd64
Bucket ID: ee49edd0fe5a4f0fdabb905db6c01ffad1f5c088b8103820e8f4c2cffec25a24
Bucket confidence level:
Update type:

For more information, see: https://go.microsoft.com/fwlink/?linkid=2301018
 
[Attached screenshot]

Do you have that in the secure boot key management KEK section?
 
It's not a BIOS you have to download. You have to download the certificates from this Microsoft website:
https://learn.microsoft.com/en-us/w...=windows-11#14-signature-databases-db-and-dbx. Scroll about halfway down the page and download the PK, KEK and db certificates. Right-click them after downloading and you have the choice to install the certificate. After you install the certificates you can go back into the BIOS and they will be there. You then have to select custom, not standard, in that section to run those certificates.
I remember having to do this myself, because it was just bugging me ;D.
 
I had already done that, but the problem persists.
 
Yes, straight from MSI which includes newest secure key.
Updated Secure Boot certificates are available on this device, but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection. The signature information for this device is included here.
DeviceAttributes: BaseBoardManufacturer:Micro-Star International Co., Ltd.;FirmwareManufacturer:American Megatrends International, LLC.;FirmwareVersion:A.K3;OEMModelBaseBoard:MAG B550 TOMAHAWK (MS-7C91);OEMManufacturerName:Micro-Star International Co., Ltd.;OSArchitecture:amd64;
BucketId: 3a7b3c8539e395218bfce7209fcf136b8d7eeb8785b6469efaa008feef076160
BucketConfidenceLevel:
UpdateType:
For more information, see https://go.microsoft.com/fwlink/?linkid=2301018.

Same problem with new BIOS.
 
Are the 2023 certificates viewable in the secure boot section of the bios? Are the 2011 certificates still in the secure boot certificate files in the bios? Have you deleted the 2011 certificates from the bios?
 
You just need to update your BIOS to a version that includes the new Secure Boot certificates, or apply them manually through the BIOS.
Nothing is broken, Windows is just warning you about a future change. Microsoft is replacing Secure Boot certificates (the old ones expire in 2026).
Windows has already downloaded the new ones, but your BIOS hasn't applied them yet, and Windows says "You have new certificates, but the firmware hasn't activated them."
That's it.
 
After updating your BIOS to vAK3, I think you might need to run the command lines below (in PowerShell with admin rights) too.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Manually reboot the system when the AvailableUpdates becomes 0x4100

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"


[Attached screenshot]


In the end, you should see this in Event Viewer > Windows Logs > System
[Attached screenshot]


I found all of this information in an FAQ post (MSI laptop) here:
 
This solved my problem!
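
Added example, not part of any post in this thread: a read-only PowerShell check (run elevated) covering both the earlier question about which certificates are in the firmware and the AvailableUpdates / scheduled-task procedure above. The registry path, value name, task name and 0x4100 come from the thread; the certificate subject names are Microsoft's published names for the 2011 and 2023 certificates, and the function name Test-SecureBootVarContains is made up for this example.

```powershell
# Added example: changes nothing, only reports current state.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'   # path from the thread
$task = @{ TaskPath = '\Microsoft\Windows\PI\'; TaskName = 'Secure-Boot-Update' }

function Test-SecureBootVarContains {
    param([string]$Variable, [string]$SubjectText)
    # Subject names sit as plain ASCII inside the DER-encoded certificates,
    # so a text match on the raw UEFI variable shows whether one is enrolled.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($SubjectText)
    } catch {
        return $null   # not readable: legacy BIOS mode or session not elevated
    }
}

# Confirm-SecureBootUEFI throws on non-UEFI systems, so treat that as unknown.
$secureBoot = try { Confirm-SecureBootUEFI } catch { $null }
$available  = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
$taskInfo   = Get-ScheduledTask @task -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBootEnabled  = $secureBoot
    AvailableUpdates   = if ($null -ne $available) { '0x{0:X4}' -f $available } else { 'not set' }
    # 0x4100 is the value at which the thread says to reboot manually.
    RebootStepReached  = ($available -eq 0x4100)
    UpdateTaskState    = $taskInfo.State
    KEK_2023           = Test-SecureBootVarContains 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
    KEK_2011           = Test-SecureBootVarContains 'KEK' 'Microsoft Corporation KEK CA 2011'
    db_WindowsUEFI2023 = Test-SecureBootVarContains 'db'  'Windows UEFI CA 2023'
    db_Windows2011     = Test-SecureBootVarContains 'db'  'Microsoft Windows Production PCA 2011'
} | Format-List
```

A KEK_2023 or db_WindowsUEFI2023 value of False after the BIOS update means the firmware variables still hold only the older certificates, which is the state the Event Viewer message describes.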
 
No idea, bugs are usually fixed through beta. We don't get an official BIOS release schedule from MSI.
But beta and official aren't all that different.
 