Why don't I have the 2023 Secure Boot keys?

Lincoln Kempshall 125 Reputation points
2026-02-27T15:47:37.2966667+00:00

When I check Event Manager, error 1801 is still showing even when I've updated Windows and my BIOS is on the latest version.

Windows for home | Windows 11 | Windows update

Answer recommended by moderator
  1. Lincoln Kempshall 125 Reputation points
    2026-02-27T19:25:55.93+00:00

    I fixed it by deleting the keys and installing default keys in the BIOS.


7 additional answers

  1. Sumit D - IA 164K Reputation points Independent Advisor
    2026-02-27T16:35:29.7666667+00:00

    Hi Lincoln,

    There is not much you can do about this, since Windows has already provided the code for the latest Secure Boot. The BIOS update from the manufacturer would complete the process of updating the Secure Boot keys, since it is independent of the operating system.

    I hope this information helps. If you have any more questions, don't hesitate to reach out.

    Otherwise, please take a moment to rate the answer. Wishing you good luck!


  2. Lincoln Kempshall 125 Reputation points
    2026-02-27T16:20:17.1566667+00:00

    On error 1801 it says BucketConfidenceLevel: Under Observation - More Data Needed. Do I just need to wait?


  3. Lincoln Kempshall 125 Reputation points
    2026-02-27T15:51:24.6+00:00

    Registry manager has UEFICA2023Status set to NotStarted.


  4. Q&A Assist
    2026-02-27T15:47:49.91+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Event ID 1801 means Windows has updated the Secure Boot certificates in the OS, but they have not yet been successfully applied to the device’s firmware. Updating Windows and the BIOS alone does not guarantee that the firmware has accepted and stored the new 2023 Secure Boot keys.

    Key points from the event definition:

    • Event source: TPM-WMI
    • Event ID: 1801
    • Message: “Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection.”

    This indicates one of the following:

    1. The firmware is not applying the update correctly (for example, a firmware limitation or error).
    2. The update process is still incomplete or failing on each attempt.

    What to do next:

    1. Check for Secure Boot error events:
      • Look in the System event log for related TPM‑WMI events, especially Event ID 1795.
      • Event 1795 is logged when the firmware returns an error while Windows is trying to update Secure Boot variables (DB, DBX, or KEK). The event includes a firmware error code that explains why the update failed.
    2. If firmware errors are present (Event 1795):
      • The documented action is to contact the device or motherboard manufacturer to see if a newer firmware/BIOS is available or if they have guidance for applying the Secure Boot DB/DBX/KEK updates on that model.
    3. Understand the impact if the 2023 certificates are not yet applied:
      • The PC will continue to boot and work normally, and standard Windows updates will still install.
      • However, new protections for the early boot process (Boot Manager updates, Secure Boot DB/DBX revocations, and mitigations for new boot‑level vulnerabilities) cannot be fully applied until the firmware accepts the new certificates.
    4. Do not disable Secure Boot to work around this:
      • Disabling Secure Boot reduces protection and is not recommended as a fix for certificate‑update issues.

    If Event 1801 persists after normal updates and reboots, and the firmware is already on the latest version, the next step is to review the related error events (such as 1795) and then work with the device manufacturer using those error codes, because the remaining work is on the firmware side rather than in Windows itself.


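To see where a machine stands on the points raised in this thread, the following added example (not code posted by anyone in the thread) lists the 1801/1795 events and checks whether the firmware's db and KEK variables already hold the 2023 certificates. The certificate names are the publicly documented 2023 CA names and the `*TPM-WMI*` provider match is an assumption; neither appears in the thread.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session
# on a UEFI system.

# Events discussed above: 1801 = certificates updated in the OS but not yet
# applied to firmware; 1795 = firmware returned an error while Windows was
# updating DB, DBX or KEK.
function Get-SecureBootCertEvent {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1795, 1801 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*TPM-WMI*' } |  # assumption: match source by substring
        Select-Object TimeCreated, Id, Message
}

# Returns $true when the named firmware variable contains a certificate whose
# subject text includes $CertName. The variable is a list of DER certificates,
# so the subject name appears as plain ASCII inside the raw bytes.
function Test-FirmwareCert {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Variable,
        [Parameter(Mandatory)][string]$CertName
    )
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($CertName)
}

$report = [ordered]@{
    SecureBootEnabled    = Confirm-SecureBootUEFI
    Db_WindowsUefiCa2023 = Test-FirmwareCert -Variable db  -CertName 'Windows UEFI CA 2023'
    Kek_Kek2kCa2023      = Test-FirmwareCert -Variable KEK -CertName 'Microsoft Corporation KEK 2K CA 2023'
}
[pscustomobject]$report | Format-List

$events = @(Get-SecureBootCertEvent)
if ($events.Id -contains 1795) {
    'Firmware rejected a Secure Boot variable write; give the 1795 error code to the manufacturer.'
} elseif ($events.Id -contains 1801 -and -not $report.Db_WindowsUefiCa2023) {
    'Certificates are staged in Windows but the firmware db does not hold the 2023 CA yet.'
}
$events | Sort-Object TimeCreated -Descending | Format-List
```

Running it before and after a firmware change (such as restoring default keys in the BIOS) shows whether the db and KEK contents actually changed, independent of what the event log reports.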
