Applies To: Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows 10; Windows Server 2016; Windows Server 2019; Windows 10 Home and Pro, version 21H2; Windows 10 Enterprise and Education, version 21H2; Windows 10 IoT Enterprise, version 21H2; Windows 10 Home and Pro, version 22H2; Windows 10 Enterprise Multi-Session, version 22H2; Windows 10 Enterprise and Education, version 22H2; Windows 10 IoT Enterprise, version 22H2; Windows Server 2022; Windows 11 SE, version 21H2; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 SE, version 22H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 IoT Enterprise, version 23H2; Windows Server, version 23H2

Summary

To help keep Windows devices secure, Microsoft adds vulnerable boot loader modules to the Secure Boot DBX revocation list (stored in the system's UEFI firmware) so that the firmware no longer trusts those modules. When the updated DBX revocation list is installed on a device, Windows checks whether the system is in a state where the DBX update can be applied to the firmware successfully, and it logs an event in the System event log if a problem is detected.

More information

When one of these vulnerable modules is detected on the device, an event log entry is written that warns about the situation and includes the name of the detected module. The event log entry contains details that resemble the following:

Event log: System
Event source: TPM-WMI
Event ID: <Event ID number>
Level: Error
Event message text: <message text>

Event IDs

This event is logged when BitLocker on the system drive is configured in such a way that applying the Secure Boot DBX list to the firmware would cause BitLocker to enter recovery mode. (BitLocker's TPM protector is sealed to the Secure Boot measurements in PCR 7, and the contents of the DBX are part of that measurement, so changing the DBX without first suspending BitLocker triggers recovery.) The resolution is to suspend BitLocker temporarily for two restart cycles so that the update can be installed.

Take action

To resolve this issue, run the following command from an elevated (Administrator) command prompt to suspend BitLocker for two restart cycles:

  • manage-bde -protectors -disable %systemdrive% -RebootCount 2

Then restart the device two times. BitLocker protection resumes automatically after the second restart.

To make sure that BitLocker protection has been resumed, run the following command after the second restart (it re-enables the protectors if they are still suspended and is harmless if they are already active):

  • manage-bde -protectors -enable %systemdrive%
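The same procedure using the BitLocker PowerShell module, as an added example that is not part of the Microsoft article. It checks the OS volume state before suspending (so a device without BitLocker, or one that is already suspended, is not touched), suspends for the two restarts the article calls for, and after the restarts verifies that protection is back on, resuming it explicitly if it is not. The cmdlets used (Get-BitLockerVolume, Suspend-BitLocker, Resume-BitLocker) are the cmdlet equivalents of the manage-bde commands above; the assumption that the OS volume is %SystemDrive% is labelled in the code.

```powershell
# Added example (not from the Microsoft article). Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-OsDriveBitLockerState {
    # Assumption: the BitLocker-protected OS volume is the one %SystemDrive% points at.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
        ProtectionStatus = $vol.ProtectionStatus  # On = protectors active, Off = suspended or no protectors
        KeyProtectors    = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    }
}

function Suspend-BitLockerForDbxUpdate {
    # Equivalent of: manage-bde -protectors -disable %systemdrive% -RebootCount 2
    param([int]$RebootCount = 2)
    $state = Get-OsDriveBitLockerState
    if ($state.VolumeStatus -eq 'FullyDecrypted') {
        Write-Host "BitLocker is not enabled on $($state.MountPoint); nothing to suspend."
        return $state
    }
    if ($state.ProtectionStatus -eq 'Off') {
        Write-Host "BitLocker protection on $($state.MountPoint) is already suspended."
        return $state
    }
    # Protectors are re-enabled automatically once the device has restarted $RebootCount times.
    Suspend-BitLocker -MountPoint $state.MountPoint -RebootCount $RebootCount | Out-Null
    Write-Host "Suspended BitLocker on $($state.MountPoint) for $RebootCount restart(s); restart the device $RebootCount times."
    Get-OsDriveBitLockerState
}

function Confirm-BitLockerResumed {
    # Run after the restarts. Equivalent of: manage-bde -protectors -enable %systemdrive%
    $state = Get-OsDriveBitLockerState
    if ($state.VolumeStatus -ne 'FullyDecrypted' -and $state.ProtectionStatus -ne 'On') {
        Write-Warning "Protection on $($state.MountPoint) is still suspended; resuming it now."
        Resume-BitLocker -MountPoint $state.MountPoint | Out-Null
        $state = Get-OsDriveBitLockerState
    }
    $state
}

# Before the restarts:
Suspend-BitLockerForDbxUpdate -RebootCount 2 | Format-List
# After the second restart, in a new elevated session:
# Confirm-BitLockerResumed | Format-List
```

Confirm-BitLockerResumed is the check to run after the second restart: a ProtectionStatus of On means the DBX update had its window and the drive is sealed again; if it is still Off the function resumes protection immediately rather than leaving the volume unprotected.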

Event log information

Event ID 1032 will be logged when the configuration of BitLocker on the system drive would cause the system to go into BitLocker recovery if the Secure Boot update is applied.

Event log: System
Event source: TPM-WMI
Event ID: 1032
Level: Error
Event message text: The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

When the updated DBX revocation list is installed on a device, Windows checks to determine whether the system depends on one of the vulnerable modules to start the device. If one of the vulnerable modules is detected, the update to the DBX list in the firmware is deferred. On each restart of the system, the device is rescanned to determine whether the vulnerable module has been updated and if it is safe to apply the updated DBX list.

Take action

In most cases, the vendor of the vulnerable module should have an updated version that addresses the vulnerability. Please contact your vendor to get the update.

Event log information

Event ID 1033 will be logged when a vulnerable boot loader that has been revoked by this update is detected on your device.

Event log: System
Event source: TPM-WMI
Event ID: 1033
Level: Error
Event message text: Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
Event data (BootMgr): <path and name of vulnerable file>

This event is logged when the Secure Boot DBX variable is updated successfully. The DBX variable is used to untrust Secure Boot components; it is typically used to block vulnerable or malicious Secure Boot components such as boot managers and the certificates used to sign boot managers.

Event 1034 indicates that the standard DBX revocations have been applied to the firmware.

Event log information

Event log: System
Event source: TPM-WMI
Event ID: 1034
Level: Information
Event message text: Secure Boot Dbx update applied successfully

This event is logged when the Secure Boot DB variable is updated successfully. The DB variable is used to add trust for Secure Boot components and is typically used to trust certificates used to sign boot managers.

Event log information

Event log: System
Event source: TPM-WMI
Event ID: 1036
Level: Information
Event message text: Secure Boot Db update applied successfully

This event is logged when the Microsoft Windows Production PCA 2011 certificate is added to the UEFI Secure Boot Forbidden Signatures Database (DBX). After this happens, boot applications signed with this certificate are no longer trusted when the device starts. This includes boot applications used by system recovery media, PXE boot applications, and any other media that uses a boot application signed by this certificate.

Event log information

Event log: System
Event source: TPM-WMI
Event ID: 1037
Level: Information
Event message text: Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully.

When the updated DBX revocation list is applied to the firmware, the firmware may return an error. When this occurs, an event is logged, and Windows tries again to apply the DBX list to the firmware on the next system restart.

Take action

Contact your device manufacturer to determine if a firmware update is available.

Event log information

Event ID 1795 will be logged when the firmware in the device returns an error. The event log entry will include the error code returned from the firmware.

Event log: System
Event source: TPM-WMI
Event ID: 1795
Level: Error
Event message text: The system firmware returned an error <firmware error code> when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

When the updated DBX revocation list is applied to a device and an error occurs that is not covered by the events above, an event is logged, and Windows tries again to apply the DBX list to the firmware on the next system restart.

Event log information

Event ID 1796 occurs when an unexpected error is encountered. The event log entry will include the error code for the unexpected error.

Event log: System
Event source: TPM-WMI
Event ID: 1796
Level: Error
Event message text: The Secure Boot update failed to update a Secure Boot variable with error <error code>. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

This event is logged during an attempt to add the Microsoft Windows Production PCA 2011 certificate to the UEFI Secure Boot Forbidden Signatures Database (DBX). Before adding this certificate to the DBX, Windows checks that the Windows UEFI CA 2023 certificate has already been added to the UEFI Secure Boot Signature Database (DB). If the Windows UEFI CA 2023 certificate is not in the DB, Windows intentionally fails the DBX update. This guarantees that the device trusts at least one of the two certificates, and therefore continues to trust boot applications signed by Microsoft. When adding the Microsoft Windows Production PCA 2011 certificate to the DBX, two checks are made to ensure the device continues to boot successfully:

  • The Windows UEFI CA 2023 certificate has been added to the DB.
  • The default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate.

Event log information

Event log: System
Event source: TPM-WMI
Event ID: 1797
Level: Error
Event message text: The Secure Boot Dbx update failed to revoke Microsoft Windows Production PCA 2011 as the Windows UEFI CA 2023 certificate is not present in DB.

This event is logged during an attempt to add the Microsoft Windows Production PCA 2011 certificate to the UEFI Secure Boot Forbidden Signatures Database (DBX). Before adding this certificate to the DBX, Windows checks that the default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate. If the default boot application is signed by that certificate, Windows intentionally fails the DBX update, because revoking the certificate would leave the device unable to start. When adding the Microsoft Windows Production PCA 2011 certificate to the DBX, two checks are made to ensure the device continues to boot successfully:

  • The Windows UEFI CA 2023 certificate has been added to the DB.
  • The default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate.

Event log information

Event log: System
Event source: TPM-WMI
Event ID: 1798
Level: Error
Event message text: The Secure Boot Dbx update failed to revoke Microsoft Windows Production PCA 2011 as boot manager is not signed with the Windows UEFI CA 2023 certificate
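The two preconditions behind events 1797 and 1798 can be evaluated ahead of time, so an administrator knows whether the PCA 2011 revocation will be applied or intentionally failed on a given device. The script below is an added example and is not part of the Microsoft article or of the Windows update itself. It assumes the SecureBoot PowerShell module is available (Get-SecureBootUEFI, Confirm-SecureBootUEFI), that the default boot application is the Windows boot manager at \EFI\Microsoft\Boot\bootmgfw.efi on the EFI system partition, and that drive letter S: is free for mountvol; all three are assumptions, not facts from the article.

```powershell
# Added example (not from the Microsoft article). Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Test-UefiVariableContains {
    # db and dbx are EFI_SIGNATURE_LIST blobs; X.509 entries carry the issuer and
    # subject names as plain ASCII inside the DER encoding, so a substring search
    # over the raw bytes is enough to tell whether a given CA is listed.
    param([Parameter(Mandatory)][string]$Variable,
          [Parameter(Mandatory)][string]$Pattern)
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($Pattern)
}

function Get-DefaultBootManagerSigner {
    # Assumption: the default boot application is bootmgfw.efi on the ESP.
    # mountvol /s exposes the ESP on a drive letter; it is dismounted afterwards.
    param([string]$Letter = 'S:')
    $mounted = $false
    if (-not (Test-Path "$Letter\")) { mountvol $Letter /s | Out-Null; $mounted = $true }
    try {
        $bootmgr = Join-Path $Letter 'EFI\Microsoft\Boot\bootmgfw.efi'
        if (-not (Test-Path $bootmgr)) { throw "Boot manager not found at $bootmgr" }
        # Only the signer subject is used; Status may not be 'Valid' if the UEFI
        # CA chain is not in the local root store, which does not matter here.
        $sig = Get-AuthenticodeSignature -FilePath $bootmgr
        [pscustomobject]@{ Path = $bootmgr; Status = $sig.Status; Signer = $sig.SignerCertificate.Subject }
    } finally {
        if ($mounted) { mountvol $Letter /d | Out-Null }
    }
}

function Test-Pca2011RevocationReadiness {
    $secureBootOn = Confirm-SecureBootUEFI
    if (-not $secureBootOn) { Write-Warning 'Secure Boot is off; Secure Boot variable updates are not applied.' }

    $ca2023InDb   = Test-UefiVariableContains -Variable db  -Pattern 'Windows UEFI CA 2023'
    $pca2011InDbx = Test-UefiVariableContains -Variable dbx -Pattern 'Microsoft Windows Production PCA 2011'
    $signer       = Get-DefaultBootManagerSigner
    $signedBy2023 = $signer.Signer -like '*Windows UEFI CA 2023*'
    $signedBy2011 = $signer.Signer -like '*Microsoft Windows Production PCA 2011*'

    # Mirror the two checks the article describes; each failing check is the
    # condition under which Windows would log 1797 or 1798 instead of 1037.
    $blockers = @()
    if (-not $ca2023InDb) { $blockers += 'Windows UEFI CA 2023 not present in DB (event 1797)' }
    if ($signedBy2011 -or -not $signedBy2023) { $blockers += 'Boot manager not signed by Windows UEFI CA 2023 (event 1798)' }

    [pscustomobject]@{
        SecureBootOn          = $secureBootOn
        WindowsUefiCa2023InDb = $ca2023InDb
        Pca2011AlreadyInDbx   = $pca2011InDbx
        BootManagerSigner     = $signer.Signer
        ReadyToRevokePca2011  = ($blockers.Count -eq 0)
        Blockers              = $blockers
    }
}

Test-Pca2011RevocationReadiness | Format-List
```

If Pca2011AlreadyInDbx is true the device has already passed both checks and logged event 1037; if ReadyToRevokePca2011 is false, the Blockers field names which of the two preconditions still has to be met (the DB update for 1797, the 2023-signed boot manager for 1798) before the revocation can land.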

This event is logged when a boot manager signed by the Windows UEFI CA 2023 certificate is installed on the system.

Event log information

Event log: System
Event source: TPM-WMI
Event ID: 1799
Level: Information
Event message text: Boot Manager signed with Windows UEFI CA 2023 was installed successfully
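Because the deferral events (1032, 1033, 1795, 1796, 1797, 1798) are re-logged on every restart until the update succeeds, the useful question in a fleet is not "did an error ever occur" but "is the latest error for this device still unresolved". The script below, an added example that is not part of the Microsoft article, reads the TPM-WMI events listed above from the System log and reports, per event ID, the newest occurrence and which deferrals have not yet been superseded by the matching success event (1034 for DBX deferrals, 1037 for the PCA 2011 revocation checks). It assumes the ETW provider behind the "TPM-WMI" event source is named Microsoft-Windows-TPM-WMI and that the event-specific data (the BootMgr path for 1033, the error code for 1795 and 1796) is exposed through the event's Properties collection; both are assumptions.

```powershell
# Added example (not from the Microsoft article): triage of Secure Boot update events.

$SecureBootEventMap = @{
    1032 = 'DBX update deferred: BitLocker configuration would trigger recovery; suspend BitLocker for 2 restarts'
    1033 = 'Revoked boot manager found on the EFI partition; DBX update deferred until the vendor updates it'
    1034 = 'DBX update applied successfully'
    1036 = 'DB update applied successfully'
    1037 = 'Microsoft Windows Production PCA 2011 revoked in DBX; PCA 2011-signed boot media no longer trusted'
    1795 = 'Firmware returned an error writing a Secure Boot variable; check for an OEM firmware update'
    1796 = 'Unexpected error writing a Secure Boot variable; retried on next restart'
    1797 = 'PCA 2011 revocation refused: Windows UEFI CA 2023 is not in DB'
    1798 = 'PCA 2011 revocation refused: boot manager is not signed by Windows UEFI CA 2023'
    1799 = 'Boot manager signed by Windows UEFI CA 2023 installed'
}

# Deferral/error events and the success event that resolves each of them.
$SupersededBy = @{ 1032 = 1034; 1033 = 1034; 1795 = 1034; 1796 = 1034; 1797 = 1037; 1798 = 1037 }

function Get-SecureBootUpdateEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'   # assumed provider name behind source "TPM-WMI"
        Id           = [int[]]$SecureBootEventMap.Keys
        StartTime    = $Since
    }
    # -ErrorAction SilentlyContinue: "no events found" is a normal result, not an error.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = [int]$_.Id
            Level       = $_.LevelDisplayName
            Meaning     = $SecureBootEventMap[[int]$_.Id]
            # 1033: path of the revoked boot manager; 1795/1796: the error code (assumed to be in Properties)
            Data        = ($_.Properties | ForEach-Object { $_.Value }) -join ' '
            Message     = $_.Message
        }
    }
}

function Get-SecureBootUpdateStatus {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $events = Get-SecureBootUpdateEvents -Since $Since | Sort-Object TimeCreated
    $latest = @{}
    foreach ($e in $events) { $latest[$e.Id] = $e }   # newest occurrence per event ID

    # A deferral is still open if no superseding success event was logged after it.
    $open = foreach ($id in $SupersededBy.Keys) {
        if (-not $latest.ContainsKey($id)) { continue }
        $ok = $SupersededBy[$id]
        if (-not $latest.ContainsKey($ok) -or $latest[$ok].TimeCreated -lt $latest[$id].TimeCreated) {
            $latest[$id]
        }
    }
    [pscustomobject]@{
        DbxApplied           = $latest.ContainsKey(1034)
        DbApplied            = $latest.ContainsKey(1036)
        Pca2011Revoked       = $latest.ContainsKey(1037)
        BootMgr2023Installed = $latest.ContainsKey(1799)
        OpenIssues           = @($open)
        LatestPerEventId     = @($latest.Values | Sort-Object Id)
    }
}

$status = Get-SecureBootUpdateStatus
$status | Format-List DbxApplied, DbApplied, Pca2011Revoked, BootMgr2023Installed
$status.OpenIssues | Format-Table TimeCreated, Id, Meaning, Data -AutoSize
```

An empty OpenIssues list together with DbxApplied set to true means the device has finished the DBX rollout described in this article; an open 1033 entry shows in its Data column which boot manager file the firmware still depends on, which is the information to pass to the vendor.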
