Applies To
Windows 10; Windows 10, version 1607, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original publish date: March 6, 2026

KB ID: 5083344

Overview

Secure Boot updates may be blocked when Windows detects firmware conditions that would prevent the update from completing. When this happens, Windows logs either Event 1802 or Event 1803. For information about the structure and format of these events, see "Secure Boot DB and DBX variable update events".

This page explains why a Secure Boot update was stopped and includes device signature information to help identify the underlying cause. Event 1802 indicates a known issue affecting specific devices where the update is intentionally skipped. Event 1803 occurs when Windows cannot find a Key Exchange Key (KEK) that is properly signed by the Platform Key (PK), which prevents the KEK update from proceeding.

Event 1802 is reported when a device with a known issue is detected. Included in the event is a SkipReason of the form KI_nn where nn is the number of the known issue. The known issues are documented here.

  • KI_2: Apple Virtualized Firmware. Mac computers that have the Apple T2 Security Chip support Secure Boot. However, updating UEFI security related variables is available only as part of macOS updates. Boot Camp users are expected to see an event log entry of Event ID 1802 in Windows related to these variables. For more information about this log entry, see "Secure Boot DB and DBX variable update events".

  • KI_3: Fujitsu FCCL Firmware. Certain Fujitsu FCCL devices made ~2015-2017 have firmware issues that prevent the Secure Boot variables from being updated.

    Please refer to the following pages: FM World (Japanese only) and FM Support (Japanese only).

  • KI_4: Insyde Firmware. Devices that use Insyde-based firmware might experience known compatibility problems during Secure Boot updates. Applying updates on these systems can lead to boot failures or firmware corruption, so the update is skipped to maintain stability. Customers can check with their device manufacturer to see whether updated firmware is available that resolves this issue and allows the Secure Boot update to proceed.

  • KI_5: Toshiba Firmware. This Toshiba device has a known compatibility problem during Secure Boot updates. Updates are skipped on affected models to prevent issues that can occur if the required firmware update is missing. Customers can check with Dynabook to see whether updated firmware is available that resolves this issue and allows the Secure Boot update to proceed.

  • KI_6: ASUS Firmware. This ASUS device has a known compatibility problem during Secure Boot updates. Updates are skipped on affected models to prevent issues that can occur if the required firmware update is missing. Customers can check with ASUS to see whether updated firmware is available that resolves this issue and allows the Secure Boot update to proceed.

  • KI_7, KI_8, KI_9: HP Firmware. This HP device has a known compatibility problem during Secure Boot updates. Updates are skipped on affected models to prevent issues that can occur if the required firmware update is missing. Customers can check with HP to see whether updated firmware is available that resolves this issue and allows the Secure Boot update to proceed. For more information, see "HP PCs - Prepare for new Windows Secure Boot certificates" on HP® Support.

  • KI_10: Qualcomm firmware. This device uses Qualcomm firmware and has a known compatibility problem during Secure Boot updates. Updates are skipped on affected models to prevent issues that can occur if the required firmware update is missing. Customers can check with the device manufacturer to see whether updated firmware is available that resolves this issue and allows the Secure Boot update to proceed.

Event 1803 is reported when Windows cannot find a Key Exchange Key that is properly signed by the Platform Key for the device. Windows looks for the KEK in the monthly cumulative security updates, and if a PK signed KEK is not present, the KEK update cannot proceed. In most cases, the absence of a PK signed KEK means the device manufacturer has not yet provided it to Microsoft. Customers can check with their device manufacturer to see whether a PK signed KEK is available that includes the required key information and allows the Secure Boot update to proceed.
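The KI_nn list and the Event 1803 description above can be applied to event records when triaging a fleet. The following PowerShell is an added example, not Microsoft's code: `Resolve-SecureBootBlock` and `$KnownIssues` are hypothetical names, the sample records are constructed, and the log and provider names in the commented live query are assumptions that this page does not state.

```powershell
# Added example. Known-issue table transcribed from the KI_nn list on this page.
$KnownIssues = @{
    'KI_2'  = 'Apple Virtualized Firmware: UEFI variables are updated only through macOS updates'
    'KI_3'  = 'Fujitsu FCCL Firmware: see the Fujitsu FM World / FM Support pages'
    'KI_4'  = 'Insyde Firmware: ask the device manufacturer for updated firmware'
    'KI_5'  = 'Toshiba Firmware: ask Dynabook for updated firmware'
    'KI_6'  = 'ASUS Firmware: ask ASUS for updated firmware'
    'KI_7'  = 'HP Firmware: ask HP for updated firmware'
    'KI_8'  = 'HP Firmware: ask HP for updated firmware'
    'KI_9'  = 'HP Firmware: ask HP for updated firmware'
    'KI_10' = 'Qualcomm firmware: ask the device manufacturer for updated firmware'
}

function Resolve-SecureBootBlock {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $reason = $null
        $finding = switch ($Record.Id) {
            1802 {
                # The page gives the SkipReason form (KI_nn) but not where it sits in the
                # event text, so match the token anywhere in the message (assumption).
                if ($Record.Message -match '\bKI_(\d+)\b') { $reason = "KI_$($Matches[1])" }
                if (-not $reason)                          { 'Event 1802 without a readable SkipReason' }
                elseif ($KnownIssues.ContainsKey($reason)) { $KnownIssues[$reason] }
                else                                       { "$reason is not in the list on this page" }
            }
            1803 { 'No PK-signed KEK found: ask the device manufacturer whether one is available' }
        }
        if ($finding) {   # records with any other event ID produce no output
            [pscustomobject]@{ Computer = $Record.MachineName; EventId = $Record.Id
                               SkipReason = $reason; Finding = $finding }
        }
    }
}

# Constructed sample records (not real event text) so the example runs offline.
$sample = @(
    [pscustomobject]@{ Id = 1802; MachineName = 'LAB-01'; Message = 'Constructed text. SkipReason: KI_4' }
    [pscustomobject]@{ Id = 1802; MachineName = 'LAB-02'; Message = 'Constructed text. SkipReason: KI_42' }
    [pscustomobject]@{ Id = 1803; MachineName = 'LAB-03'; Message = 'Constructed text for Event 1803.' }
)
$sample | Resolve-SecureBootBlock | Format-Table -AutoSize -Wrap

# Live query. The System log and this provider name are assumptions, not taken from this page:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
#                                  Id = 1802, 1803 } | Resolve-SecureBootBlock
```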
