MSI Stealth 15M: Secure Boot Violation. Invalid signature detected. check Secure Boot Policy in Setup

NoHouse91

I have had my MSI Stealth 15M laptop for almost 5 years now, and the only thing I have done is change my SSD last year.

Today I went to turn it on and I got the title message, and when I press Enter to the OK it sends me to BIOS. All I can think of is that maybe there was a Windows update that led to this but I am not sure. Never had this problem before.

My BIOS is up to date (last version from 2023).

In the security tab, it says there is no Administrator nor user password.

I wouldn’t like to reformat my drive and I wouldn’t want to disable SecureBoot for games that need anti-cheat. What can I do?
 
Can you enter the system currently? If not, then you would need to disable Secure Boot first to enter the system, and refer to the FAQ below to apply the secure boot certificate manually.
 
I can disable Secure Boot but then Bitlocker asks for recovery key before I enter the system.

According to the link you gave me, updates should have already given me updated secure boot certificates, no?
 
Edric, I managed to get in and I realized that indeed, the last Windows Update I installed (KB5079473) that had the new Secure Boot certificates is what led to this.

So I have to reinstall them manually? I am reading the process but it seems too complex for me, I am not IT
 
Hi, would you use the tool to check the current status and share the screenshot?
Download the tool: https://github.com/cjee21/Check-UEFISecureBootVariables
Right-click on the "Check UEFI PK, KEK, DB and DBX.cmd" and run as administrator.
EDIT: Attaching screenshot of the tool you gave me. I also checked in the Event Viewer and got Event 1801 - TPM-WMI “Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.”
What I need is a way to apply those certificates but I don’t know how... And I am not sure if the tool may do something I don't want if I use it to apply them.
 

Attachment: Captura de pantalla 2026-03-18 115916.png
Thanks for sharing the information.
Refer to the steps carefully to manually apply the certificates:
1. Get into the registry editor by entering "registry" in the search bar
2. Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot, click on "AvailableUpdates", and enter the value "5944".
3. Reboot the system.
4. Enter the registry editor again, move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot, click on "AvailableUpdates", and enter the value "4100".
5. Reboot the system.
6. Connect to the internet and run Windows update.
After that, you should be able to enable secure boot in BIOS and enter the system properly.
 
I have done all the steps but because I have to disable Secure Boot, now I have Event 1796, TPM-WMI: “The Secure Boot update failed to update a Secure Boot variable with the error: Secure Boot is not enabled on this machine”.

When I enable it, I can’t boot and it gives me the original Secure Boot violation message again.
 
Refer to the steps below, quite complicated, but it should work.
1. Prepare a USB flash drive and format it as FAT32.
2. Download the Windows UEFI CA 2023 certificate data from Microsoft website. https://go.microsoft.com/fwlink/?linkid=2239776
Reference: https://learn.microsoft.com/en-us/w...=windows-11#14-signature-databases-db-and-dbx
3. Get into BIOS menu, press Right control + Right shift + Left Alt + F2 to open the hidden menu.
4. Follow the settings below:
Secure boot > Disabled
Secure boot mode > Custom
Key management - Authorized signatures > Append
Select "No" to load it from a file on external media - select the certificate data stored in the USB flash drive - select "public key certificate" - select "GUID"
Select "Yes" to execute the certificate until the screen shows "Append successful".
5. Set secure boot > Enabled
Secure boot mode > Standard
6. Save the changes and enter the system
 
In the case I already have the certificates in my machine (according to the previous "Event 1801 - TPM-WMI"), can I append the authorized signatures from inside the machine instead of an external USB?
 
But you will still encounter the secure boot violation error and cannot boot into the system, right?
Does the Event 1801 - TPM-WMI show "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware," or "Need to update Secure Boot CA/keys."?
If the certificates are already available and just need to be applied, you can try posting the question on the Microsoft forum.
And please also share the link to the post. I would also be willing to know the method.
 
Hi, if you still haven't installed the certificate in BIOS, would you please assist in checking the status of the certificate currently on your laptop?
1. C:\Windows\Boot\EFI
2. Right click on "bootmgfw.efi" > Properties > Digital Signature > Details > View Certificate
3. Share the screenshot of the Certificate page, and we can know the current version and the valid date.
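
A read-only way to gather the facts the posts above ask for in one pass (firmware db/KEK contents, the AvailableUpdates value, the issuer of bootmgfw.efi's signature, BitLocker state, and the 1801/1796/1808 event history), as an added PowerShell example that is not from any poster or from MSI. The KEK subject text and the `Microsoft-Windows-TPM-WMI` provider name are assumptions based on Microsoft's published names; the script changes nothing on the machine.

```powershell
# Added illustration (not from the thread). Read-only; run in an elevated prompt.

# Search a Secure Boot variable for a certificate subject fragment.
function Test-FirmwareCert {
    param([string]$Variable, [string]$SubjectFragment)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        [Text.Encoding]::ASCII.GetString($bytes).Contains($SubjectFragment)
    } catch { $false }   # variable unreadable (not elevated, or legacy BIOS)
}

# Secure Boot state: event 1796 in the thread was logged while it was disabled.
$enabled = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

# Registry value edited in the thread; shown in hex, as Microsoft documents it.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$raw = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AvailableUpdates
$pending = if ($null -ne $raw) { '0x{0:X}' -f $raw } else { 'not set' }

# Issuer of the boot manager's signing certificate (path from the thread).
$sig = Get-AuthenticodeSignature -FilePath "$env:SystemRoot\Boot\EFI\bootmgfw.efi"
$issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }
          else { 'unsigned or unreadable' }

# BitLocker on the OS volume: toggling Secure Boot triggers the recovery prompt.
$bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue

[pscustomobject]@{
    SecureBootEnabled   = $enabled
    DbHasWindowsCA2023  = Test-FirmwareCert db  'Windows UEFI CA 2023'
    KekHasKek2023       = Test-FirmwareCert KEK 'KEK 2K CA 2023'   # assumed subject text
    AvailableUpdates    = $pending
    BootMgrIssuer       = $issuer
    BitLockerProtection = $bl.ProtectionStatus
} | Format-List

# Event history: 1801 = available, not applied; 1796 = update failed; 1808 = applied.
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1796, 1801, 1808
} -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

If BootMgrIssuer names Windows UEFI CA 2023 while DbHasWindowsCA2023 is False, the firmware has no db entry that the boot manager's signature chains to, which is the gap the db append steps in the thread close.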
 
Refer to the steps below, quite complicated, but it should work.
1. Prepare a USB flash drive and format it as FAT32.
2. Download the Windows UEFI CA 2023 certificate data from Microsoft website. https://go.microsoft.com/fwlink/?linkid=2239776
Reference: https://learn.microsoft.com/en-us/w...=windows-11#14-signature-databases-db-and-dbx
3. Get into BIOS menu, press Right control + Right shift + Left Alt + F2 to open the hidden menu.
4. Follow the settings below:
Secure boot > Disabled
Secure boot mode > Custom
Key management - Authorized signatures > Append
Select "No" to load it from a file on external media - select the certificate data stored in the USB flash drive - select "public key certificate" - select "GUID"
Select "Yes" to execute the certificate until the screen shows "Append successful".
5. Set secure boot > Enabled
Secure boot mode > Standard
6. Save the changes and enter the system
I'm having the same problem as the original poster. Is this method the workaround for applying the secure boot certificates without Secure Boot enabled? And does this need to be done for more than just Windows UEFI CA 2023, but all of what seem to be additional failed certificates (in my image attached)? It seems that without Secure Boot enabled, I cannot get the certificates to install via the expected Windows Update process.

After a BIOS update on a Crosshair 15 A11UEK (which I'm kicking myself severely for) I am unable to boot to windows without disabling Secure Boot.
I am getting event error 1801 (Certificates available but not applied to firmware) and error 1796 (Failed to update KEK 2023, Windows UEFI CA 2023, etc). I've attached event errors I'm seeing.

One thing that I find interesting is that I did receive a positive event code 1808 (Device has updated Secure Boot CA/keys) at 9:33pm on April 10th. This was in the midst of my troubleshooting to boot into Windows without having to disable Secure Boot. Since then I've only received the errors and cannot find a way to force these to apply.
I'm also no longer getting these event errors since 1:49pm today, despite numerous reboots in attempting to fix this. I'm a little concerned by that.

Any insight or suggestions at all would be hugely appreciated.
Also, worst case scenario, would a full system factory reset resolve this despite my BIOS update, which seemed to trigger this?
 

Attachment: Screenshot 2026-04-11 205906.png
Replying to say that this issue is now resolved for me, thanks to MSI support pointing me to: https://www.msi.com/faq/faq-11370 .

OP, if you're still having this problem, I hope this might help you also.

One thing to note is to make sure the boot64.exe file is saved to your flash drive in the EFI>Boot folder. Probably an obvious thing, but it didn't work for me originally because I had the boot64 file dropped directly into my USB drive, not within the EFI folder as downloaded.
 