KB5016061: Secure Boot DB and DBX variable update events

Event log	System
Event source	TPM-WMI
Event ID	<Event ID number>
Level	Error
Event message text	<message text>

This event is logged when BitLocker on the system drive is configured in such a way that applying the Secure Boot DBX list to the firmware would cause BitLocker to go into recovery mode. The resolution is to suspend BitLocker temporarily for 2 restart cycles to let the update install.

Take action

To resolve this issue, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

• Manage-bde –Protectors –Disable %systemdrive% -RebootCount 2

Then, restart the device two times to resume BitLocker protection.

To make sure that BitLocker protection has been resumed, run the following command after restarting two times:

• Manage-bde –Protectors –enable %systemdrive%

Event log information

Event ID 1032 will be logged when the configuration of BitLocker on the system drive would cause the system to go into BitLocker recovery if the Secure Boot update is applied.

Event log	System
Event source	TPM-WMI
Event ID	1032
Level	Error
Event message text	The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

When the updated DBX revocation list is installed on a device, Windows checks to determine whether the system depends on one of the vulnerable modules to start the device. If one of the vulnerable modules is detected, the update to the DBX list in the firmware is deferred. On each restart of the system, the device is rescanned to determine whether the vulnerable module has been updated and if it is safe to apply the updated DBX list.

Take action

In most cases, the vendor of the vulnerable module should have an updated version that addresses the vulnerability. Please contact your vendor to get the update.

Event log information

Event ID 1033 will be logged when a vulnerable boot loader that has been revoked by this update is detected on your device.

Event log	System
Event source	TPM-WMI
Event ID	1033
Level	Error
Event message text	Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931
Event Data BootMgr	<path and name of vulnerable file>

This event is logged when the Secure Boot DBX variable is updated successfully. The DBX variable is used to untrust Secure Boot components and is typically used to block vulnerable or malicious Secure Boot components such as boot managers and certificates used to sign boot managers.

Event 1034 indicates the standard DBX revocations are being applied to the firmware,

Event log information

Event log	System
Event source	TPM-WMI
Event ID	1034
Level	Information
Event message text	Secure Boot Dbx update applied successfully

This event is logged when the Secure Boot DB variable is updated successfully. The DB variable is used to add trust for Secure Boot components and is typically used to trust certificates used to sign boot managers.

Event log information

Event log	System
Event source	TPM-WMI
Event ID	1036
Level	Information
Event message text	Secure Boot Db update applied successfully

This event is logged when the Microsoft Windows Production PCA 2011 certificate is added to the UEFI Secure Boot Forbidden Signatures Database (DBX). When this occurs, any boot applications signed with this certificate will no longer be trusted when starting the device. This includes any boot applications used with system recovery media, PXE boot applications, and any other media utilizing a boot application signed by this certificate.

Error log information

Event log	System
Event source	TPM-WMI
Event ID	1037
Level	Information
Error message text	Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully.

When the updated DBX revocation list is applied to the firmware, the firmware may return an error. When an error occurs, an event is logged, and Windows will try to apply the DBX list to the firmware on the next system restart.

Take action

Contact your device manufacturer to determine if a firmware update is available.

Event log information

Event ID 1795 will be logged when the firmware in the device returns an error. The event log entry will include the error code returned from the firmware.

Event log	System
Event source	TPM-WMI
Event ID	1795
Level	Error
Event message text	The system firmware returned an error <firmware error code> when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

When the updated DBX revocation list is applied to a device, and an error occurs that is not covered by the events above, an event is logged, and Windows will try to apply the DBX list to the firmware on the next system restart.

Event log information

Event ID 1796 occurs when an unexpected error is encountered. The event log entry will include the error code for the unexpected error.

Event log	System
Event source	TPM-WMI
Event ID	1796
Level	Error
Event message text	The Secure Boot update failed to update a Secure Boot variable with error <error code>. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

This event is logged during an attempt to add the Microsoft Windows Production PCA 2011 certificate to the UEFI Secure Boot Forbidden Signatures Database (DBX). Before adding this certificate to the DBX, a check is made to ensure that the Windows UEFI CA 2023 certificate has been added to the UEFI Secure Boot Signature Database (DB). If the Windows UEFI CA 2023 has not been added to the DB, Windows will intentionally fail the DBX update. This is done to ensure that the device trusts at least one of these two certificates, which ensures that the device will trust boot applications signed by Microsoft. When adding the Microsoft Windows Production PCA 2011 to the DBX, two checks are made to ensure the device continues to boot successfully: 1) ensure that Windows UEFI CA 2023 has been added to the DB, 2) Ensure that the default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate.

Event log information

Event log	System
Event source	TPM-WMI
Event ID	1797
Level	Error
Error message text	The Secure Boot Dbx update failed to revoke Microsoft Windows Production PCA 2011 as the Windows UEFI CA 2023 certificate is not present in DB.

This event is logged during an attempt to add the Microsoft Windows Production PCA 2011 certificate to the UEFI Secure Boot Forbidden Signatures Database (DBX). Before adding this certificate to the DBX, a check is made to ensure that the default boot application is not signed by the Microsoft Windows Production PCA 2011 signing certificate. If the default boot application is signed by the Microsoft Windows Production PCA 2011 signing certificate, Windows will intentionally fail the DBX update. When adding the Microsoft Windows Production PCA 2011 to the DBX, two checks are made to ensure the device continues to boot successfully: 1) ensure that Windows UEFI CA 2023 has been added to the DB, 2) Ensure that the default boot application is not signed by the Microsoft Windows Production PCA 2011 certificate.

Event log information

Event log	System
Event source	TPM-WMI
Event ID	1798
Level	Error
Error message text	The Secure Boot Dbx update failed to revoke Microsoft Windows Production PCA 2011 as boot manager is not signed with the Windows UEFI CA 2023 certificate

This event is logged when a boot manager is applied to the system that is signed by the Windows UEFI CA 2023 certificate

Event log information

Event log	System
Event source	TPM-WMI
Event ID	1799
Level	Information
Error message text	Boot Manager signed with Windows UEFI CA 2023 was installed successfully