@MyITGuy
Last active March 17, 2026 13:13
Microsoft UEFI CA 2023 Boot Manager Signature Database (DB) fails to retain certificates after system restart

Symptoms

  • After the Scheduled Task runs and prior to a reboot, the Signature Database (DB) shows the Microsoft UEFI CA 2023 certificates, but the entries do not exist after a reboot.
  • Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
    • BootMgrLastUpdateError = 0x80004005 (2147500037)
    • BootMgrLastUpdateErrorReason = PCA2023NotFoundInDB
  • The Key Exchange Key (KEK) does contain the Microsoft UEFI CA 2023 certificate changes.

Cause

Certain HP BIOS updates contain disabled options that control Microsoft UEFI CA 2023 certificates within the Signature Database (DB).

For example:

BIOS:

Model  : HP EliteDesk 800 G6 Desktop Mini PC
Ver    : 2.25.00
Date   : 2026-01-12
Bin    : S21_02250000.bin
Sha384 : a68495dc5186f4b4a57e5688bda1bfaeebe30efb4481da0207b566838fde8ddb95edeea504ceaef1e0a4396b2220c8f3

Options:

Name                              PossibleValues    CurrentValue
----                              --------------    ------------
Microsoft Option ROM UEFI CA 2023 {Disable, Enable} Disable
Microsoft UEFI CA 2023            {Disable, Enable} Disable
Windows UEFI CA 2023              {Disable, Enable} Disable

Resolution

Enable the Microsoft UEFI CA 2023 BIOS options.
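
To confirm the symptom and the fix on a given machine, the following diagnostic can be run before and after a reboot. It is an added example, not part of the original gist: it reads the Servicing values listed under Symptoms, searches the live Secure Boot db variable for the three certificate names from the Options table, and lists the matching BIOS options. It assumes HP's WMI provider (namespace root\HP\InstrumentedBIOS, class HP_BIOSEnumeration) is present, and the plain-text name search over the db bytes is a heuristic, not a certificate parse.

```powershell
#Requires -RunAsAdministrator
# Added example: compares Windows' servicing state, the firmware db contents,
# and the HP BIOS options named on this page. Run before and after a reboot.

$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$certNames    = 'Microsoft Option ROM UEFI CA 2023',
                'Microsoft UEFI CA 2023',
                'Windows UEFI CA 2023'

# 1. Servicing error state (value names taken from the Symptoms list).
$svc = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
$err = $svc.BootMgrLastUpdateError
[pscustomobject]@{
    BootMgrLastUpdateError       = if ($null -ne $err) { '0x{0:X8}' -f $err } else { '(not set)' }
    BootMgrLastUpdateErrorReason = $svc.BootMgrLastUpdateErrorReason
} | Format-List

# 2. Is each 2023 certificate name present in the Signature Database (db) right now?
#    Heuristic: search the raw variable bytes for the subject name as ASCII text.
try {
    $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
    $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
    $certNames | ForEach-Object {
        [pscustomobject]@{ Certificate = $_; PresentInDB = $dbText.Contains($_) }
    } | Format-Table -AutoSize
} catch {
    Write-Warning "Could not read the Secure Boot db variable: $($_.Exception.Message)"
}

# 3. HP BIOS options controlling those certificates.
#    Assumption: the HP WMI provider is installed and exposes these settings.
$hpOptions = Get-CimInstance -Namespace 'root/HP/InstrumentedBIOS' `
                             -ClassName HP_BIOSEnumeration -ErrorAction SilentlyContinue |
             Where-Object { $_.Name -like '*UEFI CA 2023*' }
if ($hpOptions) {
    $hpOptions | Select-Object Name, CurrentValue | Format-Table -AutoSize
} else {
    Write-Warning 'No matching HP BIOS options found (non-HP device or older BIOS).'
}
```

A machine showing the problem reports PresentInDB as True before the reboot and False afterwards while the BIOS options read Disable; after applying the resolution the entries should persist across restarts.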
