Original publish date: June 15, 2022
KB ID: 5016061

| Change date | Description |
|---|---|
| February 10, 2026 | |
| February 9, 2026 | |
| October 14, 2025 | |
| July 9, 2025 | |
| January 29, 2025 | |
Summary
To help keep Windows devices secure, Microsoft maintains several Secure Boot related components, including the Secure Boot signature databases (DB and DBX), the key exchange key (KEK), and the Windows boot manager. Windows applies updates to these components when they are available and checks whether each update can be safely installed on the device. Windows will create event log entries when an update succeeds or when it detects an issue that prevents the update from being applied to the system firmware.
More information
When Windows updates one of these Secure Boot related components, it records a success event when the update is applied correctly. When Windows detects a condition that prevents an update from being applied, it generates a warning or error event that identifies the affected component and describes the issue. This can occur when firmware does not support a required update, when a vulnerable or untrusted bootloader is present, when Secure Boot keys have been customized, or when the boot manager requires corrective action. Each event includes diagnostic details such as the component name and the reason for success or failure, and may resemble the following examples:
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | <Event ID number> |
| Level | Error |
| Event message text | <message text> |
Generic Secure Boot events:
Event IDs
Event ID 1032
This event is logged when BitLocker on the system drive is configured in such a way that applying the Secure Boot update to the firmware would cause BitLocker to go into recovery mode. The resolution is to suspend BitLocker temporarily for 2 restart cycles to let the update install.
Take action
To resolve this issue, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:
Manage-bde -Protectors -Disable %systemdrive% -RebootCount 2
Then, restart the device two times to resume BitLocker protection.
To make sure that BitLocker protection has been resumed, run the following command after restarting two times:
Manage-bde -Protectors -Enable %systemdrive%
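The same remediation in PowerShell, as an added example that is not part of this KB: it looks for a logged Event ID 1032, suspends BitLocker on the system drive for two restarts (the equivalent of the manage-bde command above), and after the restarts confirms that protection is back on and that a Secure Boot success event has since been logged. It assumes an elevated session with the BitLocker module available, and that the "TPM-WMI" event source corresponds to the provider name "Microsoft-Windows-TPM-WMI".

```powershell
# Added example, not from the KB. Run from an elevated PowerShell session.
# Assumption: the Event Viewer source "TPM-WMI" is the provider "Microsoft-Windows-TPM-WMI".
#Requires -RunAsAdministrator

$Provider = 'Microsoft-Windows-TPM-WMI'

function Get-SecureBootBitLockerConflict {
    # Most recent Event ID 1032 (Secure Boot update deferred because of BitLocker), or $null.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $Provider; Id = 1032 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
}

function Suspend-BitLockerForSecureBootUpdate {
    # Equivalent of: Manage-bde -Protectors -Disable %systemdrive% -RebootCount 2
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Host "BitLocker protection on $($env:SystemDrive) is $($vol.ProtectionStatus); nothing to suspend."
        return
    }
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 2 | Out-Null
    Write-Host "BitLocker suspended on $($env:SystemDrive) for 2 restarts. Restart the device twice."
}

function Test-BitLockerResumed {
    # After the two restarts, protection should be on again; if not, resume it explicitly
    # (equivalent of: Manage-bde -Protectors -Enable %systemdrive%).
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $resumed = ($vol.ProtectionStatus -eq 'On')
    if (-not $resumed) {
        Resume-BitLocker -MountPoint $env:SystemDrive | Out-Null
        $resumed = ((Get-BitLockerVolume -MountPoint $env:SystemDrive).ProtectionStatus -eq 'On')
    }
    # Success events from the KB (DBX 1034, DB 1036, KEK 1043, Option ROM CA 1044, UEFI CA 1045)
    # show that the deferred update was applied once BitLocker was out of the way.
    $applied = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = $Provider; Id = 1034, 1036, 1043, 1044, 1045 } `
        -MaxEvents 5 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ProtectionOn                  = $resumed
        RecentSecureBootSuccessEvents = @($applied).Count
    }
}

if (Get-SecureBootBitLockerConflict) {
    Suspend-BitLockerForSecureBootUpdate
} else {
    Test-BitLockerResumed
}
```

Run it once before the restarts (it suspends BitLocker) and once after the second restart (it verifies protection is on again and reports how many Secure Boot success events were logged). Suspending rather than disabling keeps the volume encrypted; only the protectors are cleared for the stated number of reboots.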
Event log information
Event ID 1032 will be logged when the configuration of BitLocker on the system drive would cause the system to go into BitLocker recovery if the Secure Boot update is applied. In this event, <event type> can be one of the following: "DB", "DBX", "SBAT", "Policy Update (SKU)", "Windows UEFI CA 2023 (DB)", "Option ROM CA 2023 (DB)", "3P UEFI CA 2023 (DB)", "KEK 2023", "DBX SVN", or "Revoke UEFI CA 2011 (DBX)".
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1032 |
| Level | Error |
| Event message text | The Secure Boot update <event type> was not applied due to a known incompatibility with the current BitLocker configuration. |
Event ID 1033
When the updated DBX revocation list is installed on a device, Windows checks to determine whether the system depends on one of the vulnerable modules to start the device. If one of the vulnerable modules is detected, the update to the DBX list in the firmware is deferred. On each restart of the system, the device is rescanned to determine whether the vulnerable module has been updated and if it is safe to apply the updated DBX list.
Take action
In most cases, the vendor of the vulnerable module should have an updated version that addresses the vulnerability. Please contact your vendor to get the update.
Event log information
Event ID 1033 will be logged when a vulnerable boot loader that has been revoked by this update is detected on your device.
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1033 |
| Level | Error |
| Event message text | Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931 |
| Event Data BootMgr | <path and name of vulnerable file> |
Event ID 1034
This event is logged when the Secure Boot DBX variable is updated successfully. The DBX variable is used to untrust Secure Boot components and is typically used to block vulnerable or malicious Secure Boot components such as boot managers and certificates used to sign boot managers.
Event 1034 indicates the standard DBX revocations are being applied to the firmware.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1034 |
| Level | Information |
| Event message text | Secure Boot Dbx update applied successfully |
Event ID 1036
This event is logged when the Secure Boot DB variable is updated successfully. The DB variable is used to add trust for Secure Boot components and is typically used to trust certificates used to sign boot managers.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1036 |
| Level | Information |
| Event message text | Secure Boot Db update applied successfully |
Event ID 1037
This event is logged when the Microsoft Windows Production PCA 2011 certificate is added to the UEFI Secure Boot Forbidden Signatures Database (DBX). When this occurs, any boot applications signed with this certificate will no longer be trusted when starting the device. This includes any boot applications used with system recovery media, PXE boot applications, and any other media utilizing a boot application signed by this certificate.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1037 |
| Level | Information |
| Event message text | Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully. |
Event ID 1043
This event is logged when the Secure Boot KEK variable is updated successfully with the Microsoft Corporation KEK CA 2023 certificate. The KEK variable is used to add trust for Secure Boot updates to the DB and DBX variables. Adding this new certificate to the KEK is necessary to help keep devices secure past the expiration of the existing Microsoft Corporation KEK CA 2011 certificate that is expiring in 2026.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1043 |
| Level | Information |
| Event message text | Secure Boot KEK update applied successfully |
Event ID 1044
This event is logged when the Microsoft Option ROM CA 2023 certificate is added to the DB variable. The DB variable is used to add trust for Secure Boot components and is typically used to trust certificates used to sign boot managers. Adding the new Option ROM certificate to the DB is necessary to ensure continuity of support in advance of the expiration of the Microsoft UEFI CA 2011 in 2026.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1044 |
| Level | Information |
| Event message text | Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully |
Event ID 1045
This event is logged when the Microsoft UEFI CA 2023 certificate is added to the DB variable. The DB variable is used to add trust for Secure Boot components and is typically used to trust certificates used to sign boot managers. Adding the new Microsoft UEFI CA 2023 certificate to the DB is necessary to ensure continuity of support in advance of the expiration of the Microsoft UEFI CA 2011 in 2026.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1045 |
| Level | Information |
| Event message text | Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied successfully |
Event ID 1796
When the Secure Boot update is applied to a device and an error occurs that is not covered by other events, an event is logged, and Windows will try to apply the Secure Boot update to the firmware on the next system restart.
Event log information
Event ID 1796 occurs when an unexpected error is encountered. The event log entry will include the error code for the unexpected error. In this event, <event type> can be one of the following: "DB", "DBX", "SBAT", "Policy Update (SKU)", "Windows UEFI CA 2023 (DB)", "Option ROM CA 2023 (DB)", "3P UEFI CA 2023 (DB)", "KEK 2023", "DBX SVN", or "Revoke UEFI CA 2011 (DBX)".
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1796 |
| Level | Error |
| Event message text | The Secure Boot update failed to update <event type> with error <error code>. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931 |
Event ID 1797
This event is logged during an attempt to add the Microsoft Windows Production PCA 2011 certificate to the UEFI Secure Boot Forbidden Signatures Database (DBX).
Before adding this certificate to the DBX, a check is made to ensure that the Windows UEFI CA 2023 certificate has been added to the UEFI Secure Boot Signature Database (DB). If the Windows UEFI CA 2023 has not been added to the DB, Windows will intentionally fail the DBX update. This is done to ensure that the device trusts at least one of these two certificates, which ensures that the device will trust boot applications signed by Microsoft.
When adding the Microsoft Windows Production PCA 2011 to the DBX, two checks are made to ensure the device continues to boot successfully: 1) ensure that Windows UEFI CA 2023 has been added to the DB; 2) ensure that the default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1797 |
| Level | Error |
| Event message text | The Secure Boot update failed as the Windows UEFI CA 2023 certificate is not present in Db. |
Event ID 1798
This event is logged during an attempt to add the Microsoft Windows Production PCA 2011 certificate to the UEFI Secure Boot Forbidden Signatures Database (DBX).
Before adding this certificate to the DBX, a check is made to ensure that the default boot application is not signed by the Microsoft Windows Production PCA 2011 signing certificate. If the default boot application is signed by the Microsoft Windows Production PCA 2011 signing certificate, Windows will intentionally fail the DBX update.
When adding the Microsoft Windows Production PCA 2011 to the DBX, two checks are made to ensure the device continues to boot successfully: 1) ensure that Windows UEFI CA 2023 has been added to the DB; 2) ensure that the default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate.
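The two pre-checks behind Events 1797 and 1798 can be reproduced from an elevated PowerShell session before the update runs. The following is an added example, not code from this KB: it reads the raw DB variable with Get-SecureBootUEFI and searches it for the "Windows UEFI CA 2023" subject, then reads the Authenticode signer of the default boot application on the EFI System Partition. It assumes the default boot application is \EFI\Microsoft\Boot\bootmgfw.efi and that the drive letter S: is free for mounting the ESP temporarily.

```powershell
# Added example, not from the KB. Run elevated on a UEFI device with Secure Boot enabled.
# Assumptions: S: is unused and can hold the EFI System Partition while the check runs;
# the default boot application is \EFI\Microsoft\Boot\bootmgfw.efi.
#Requires -RunAsAdministrator

function Test-SecureBootDbHasCert {
    param([string]$Subject = 'Windows UEFI CA 2023')
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the variable.
    # The certificate's subject CN is present as an ASCII string inside the DER-encoded cert,
    # so a substring search is enough to tell whether the CA has been enrolled (check 1 / Event 1797).
    $db = Get-SecureBootUEFI -Name db
    [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match [regex]::Escape($Subject)
}

function Get-DefaultBootManagerSigner {
    param([string]$EspLetter = 'S')
    # Mount the ESP only if the letter is not already in use, and always dismount afterwards.
    $mounted = $false
    try {
        if (-not (Test-Path "${EspLetter}:\")) {
            mountvol "${EspLetter}:" /S | Out-Null   # /S mounts the EFI System Partition
            $mounted = $true
        }
        $sig = Get-AuthenticodeSignature -FilePath "${EspLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"
        # Status may not be 'Valid' if the signing CA is not in the local root store;
        # the issuer name is what the 1798 check is about (check 2).
        [pscustomobject]@{
            Status = $sig.Status
            Issuer = $sig.SignerCertificate.Issuer
        }
    } finally {
        if ($mounted) { mountvol "${EspLetter}:" /D | Out-Null }
    }
}

$dbHas2023   = Test-SecureBootDbHasCert 'Windows UEFI CA 2023'
$signer      = Get-DefaultBootManagerSigner
$bmOn2023    = $signer.Issuer -match 'Windows UEFI CA 2023'
$bmOnPca2011 = $signer.Issuer -match 'Microsoft Windows Production PCA 2011'

[pscustomobject]@{
    'Windows UEFI CA 2023 in DB'                   = $dbHas2023
    'Boot manager signature status'                = $signer.Status
    'Boot manager issuer'                          = $signer.Issuer
    'PCA 2011 revocation would fail (Event 1797)'  = -not $dbHas2023
    'PCA 2011 revocation would fail (Event 1798)'  = $bmOnPca2011 -or -not $bmOn2023
}
```

Both values must be favourable before the PCA 2011 revocation can be applied: the DB must already contain the 2023 CA, and the boot manager in use must be the one signed by it (the state that Event 1799 reports). If either check fails, expect 1797 or 1798 rather than 1037.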
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1798 |
| Level | Error |
| Event message text | The Secure Boot Dbx update failed as boot manager is not signed with the Windows UEFI CA 2023 certificate. |
Event ID 1799
This event is logged when a boot manager that is signed by the Windows UEFI CA 2023 certificate is applied to the system.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1799 |
| Level | Information |
| Event message text | Boot Manager signed with Windows UEFI CA 2023 was installed successfully |
Event ID 1800
This event is logged when the system detects that applying a Secure Boot update in the current boot cycle could create a conflict with recent changes, such as a Boot Manager update or updates to Secure Boot variables on devices that use virtualization-based security. A restart clears these conditions so the update can proceed safely. In this event, <event type> can be one of the following: "DB", "DBX", "Policy Update (SKU)", "Windows UEFI CA 2023 (DB)", "Option ROM CA 2023 (DB)", "3P UEFI CA 2023 (DB)", "KEK 2023", "DBX SVN", or "Revoke UEFI CA 2011 (DBX)".
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event ID | 1800 |
| Level | Warning |
| Event message text | A reboot is required before installing the Secure Boot update: <event type>. |
Device specific events:
The Device Specific Events include the following details:
DeviceAttributes describe characteristics of the device. These values are used when calculating the BucketID.
BucketID is a unique hash that identifies a group of equivalent devices. A device can move to a different bucket when its attributes change, for example after a firmware update.
BucketConfidenceLevel appears when the system has enough data to assess how confidently the device can accept the update. Possible values include High Confidence, Temporarily Paused, Not Supported – Known Limitation, Under Observation - More Data Needed, and No Data Observed - Action Required.
UpdateType will be either 0 or 22852 (0x5944). The value 0x5944 indicates a High Confidence update.
Descriptions of each BucketConfidenceLevel value follow:
High Confidence: Devices in this group have demonstrated, through observed data, that they can successfully update firmware using the new Secure Boot certificates.
Temporarily Paused: Devices in this group are affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution. This may require a firmware update. Look for an 1802 event for more details.
Not Supported – Known Limitation: Devices in this group do not support the automated Secure Boot certificate update path due to hardware or firmware limitations. No supported automatic resolution is currently available for this configuration.
Under Observation - More Data Needed: Devices in this group are not currently blocked, but there is not yet enough data to classify them as high confidence. Secure Boot certificate updates may be deferred until sufficient data is available.
No Data Observed - Action Required: Microsoft has not observed this device in Secure Boot update data. As a result, automatic certificate updates cannot be evaluated for this device, and administrator action is likely required. For guidance, see: https://aka.ms/SecureBootStatus.
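The device signature fields described above (DeviceAttributes, BucketId, BucketConfidenceLevel, UpdateType, and SkipReason in Event 1802) are embedded in the event message text with no separators between them, which makes fleet-wide correlation awkward. The following added example, not code from this KB, parses those fields out of a message string and then applies the parser to the device-specific events (1795, 1801, 1802, 1803, 1808) from the System log. The sample message is constructed for illustration, and the example assumes the "TPM-WMI" event source corresponds to the provider name "Microsoft-Windows-TPM-WMI".

```powershell
# Added example, not from the KB.
# Assumption: the Event Viewer source "TPM-WMI" is the provider "Microsoft-Windows-TPM-WMI".

function ConvertFrom-SecureBootEventMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Each field runs straight into the next label (e.g. "...BucketId: abcBucketConfidenceLevel: ..."),
    # so a value is taken lazily up to the next known label, the "For more information" sentence,
    # or the end of the text.
    $labels = 'DeviceAttributes', 'BucketId', 'BucketConfidenceLevel', 'UpdateType', 'SkipReason'
    $alt    = ($labels | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $stop   = '(?=\s*(?:' + $alt + ')\s*:|\s*For more information|\s*$)'
    $result = [ordered]@{}
    foreach ($label in $labels) {
        $m = [regex]::Match($Message, [regex]::Escape($label) + '\s*:\s*(?<v>.*?)' + $stop, 'Singleline')
        $result[$label] = if ($m.Success) { $m.Groups['v'].Value.Trim() } else { $null }
    }
    # Per the KB, UpdateType 22852 (0x5944) marks a High Confidence update.
    $result['HighConfidenceUpdate'] = ($result['UpdateType'] -eq '22852' -or $result['UpdateType'] -eq '0x5944')
    [pscustomobject]$result
}

# Constructed sample shaped like the Event 1801 text in this KB; the field values are made up.
$sample = 'Secure Boot certificates have been updated but are not yet applied to the device firmware. ' +
          'Review the published guidance to complete the update and ensure full protection. ' +
          'This device signature information is included here. ' +
          'DeviceAttributes: ExampleOEM, ExampleModel, FW 1.23BucketId: 0123456789abcdef' +
          'BucketConfidenceLevel: Under Observation - More Data NeededUpdateType: 0 ' +
          'For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.'
ConvertFrom-SecureBootEventMessage $sample | Format-List

function Get-SecureBootDeviceEvents {
    # Live query of the device-specific events listed in this KB.
    $ids = 1795, 1801, 1802, 1803, 1808
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = $ids } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $fields = ConvertFrom-SecureBootEventMessage $_.Message
            [pscustomobject]@{
                TimeCreated           = $_.TimeCreated
                Id                    = $_.Id
                Level                 = $_.LevelDisplayName
                BucketId              = $fields.BucketId
                BucketConfidenceLevel = $fields.BucketConfidenceLevel
                UpdateType            = $fields.UpdateType
                SkipReason            = $fields.SkipReason
                DeviceAttributes      = $fields.DeviceAttributes
            }
        }
}

Get-SecureBootDeviceEvents | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

On the constructed sample the parser yields DeviceAttributes "ExampleOEM, ExampleModel, FW 1.23", BucketId "0123456789abcdef", BucketConfidenceLevel "Under Observation - More Data Needed", UpdateType "0" and no SkipReason. Grouping the live output by BucketId and BucketConfidenceLevel is a quick way to separate devices that are done (1808) from those still waiting on firmware (1795, 1802, 1803) or on administrator action (1801).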
Event IDs
Event ID 1795
When a Secure Boot Signature Database (DB), a Revoked Signature Database (DBX), or a Key Exchange Key (KEK) update is applied to the firmware, the firmware may return an error. When an error occurs, an event is logged, and Windows will try to apply the update to the firmware on the next system restart.
Take action
Contact your device manufacturer to determine if a firmware update is available.
Event log information
Event ID 1795 will be logged when the firmware in the device returns an error. The event log entry will include the error code returned from the firmware.
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1795 |
| Level | Error |
| Event message text | The system firmware returned an error <firmware error code> when attempting to update a Secure Boot variable <DB, DBX, or KEK>. This device signature information is included here. DeviceAttributes: <attributes> BucketId: <unique device bucket ID> BucketConfidenceLevel: <bucket confidence level> For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931 |
Event ID 1801
This is an error event that indicates that the updated certificates have not been applied to the device’s firmware. This event gives some details about the device, including device attributes and device bucket ID, that will help in correlating which devices still need updating.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1801 |
| Level | Error |
| Event message text | Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here. DeviceAttributes: <attributes>BucketId: <bucket ID>BucketConfidenceLevel: <confidence level>UpdateType: <update type> For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. |
Event ID 1802
This event indicates that the Secure Boot update was intentionally blocked because the device matches a known firmware or hardware condition that prevents the update from completing safely. These conditions are based on issues reported by device manufacturers or identified through Microsoft testing, where applying the update would fail or could lead to more serious problems. The event identifies the specific reason so administrators can understand why the update did not proceed. In this event, <event type> can be one of the following: "DB", "DBX", "Policy Update (SKU)", "Windows UEFI CA 2023 (DB)", "Option ROM CA 2023 (DB)", "3P UEFI CA 2023 (DB)", "KEK 2023", "DBX SVN", or "Revoke UEFI CA 2011 (DBX)". Details about <known issue ID> and guidance for remediation are available at https://go.microsoft.com/fwlink/?linkid=2339472.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event ID | 1802 |
| Level | Error |
| Event message text | The Secure Boot update <event type> was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue. This device signature information is included here.DeviceAttributes: <attributes>BucketId: <bucket ID>BucketConfidenceLevel: <confidence level>SkipReason: <known issue ID> For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472 |
Event ID 1803
Secure Boot can only update the Key Exchange Key when the KEK is properly signed by the Platform Key. Device manufacturers or other owners of the Platform Key sign the Microsoft KEK and provide that signed KEK to Microsoft so it can be included in Windows updates. This event means that a PK signed KEK for this device was not found in the cumulative update, so the KEK update cannot proceed. Customers can check with their device manufacturer for the status of a PK signed KEK for their model. More information is available at https://go.microsoft.com/fwlink/?linkid=2339472.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event ID | 1803 |
| Level | Error |
| Event message text | A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning. This device signature information is included here.DeviceAttributes: <attributes>BucketId: <bucket ID>BucketConfidenceLevel: <confidence level> For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472 |
Event ID 1808
This is an informational event that indicates that the device has the required new Secure Boot certificates applied to the device’s firmware. This event will be logged when all needed certificates have been applied to the firmware, and the boot manager has been updated to the boot manager signed by the “Windows UEFI CA 2023” certificate.
Event log information
| Field | Value |
|---|---|
| Event log | System |
| Event source | TPM-WMI |
| Event ID | 1808 |
| Level | Information |
| Event message text | This device has updated Secure Boot CA/keys. This device signature information is included here. DeviceAttributes: <attributes>BucketId: <bucket ID>BucketConfidenceLevel: <confidence level>UpdateType: <update type> For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. |