• Secure Boot Update Fails after KB5058405 Installed


    #2779324

    I successfully installed KB5058405 (May Cumulative Update) and now I’m seeing a single TPM-WMI Error about five minutes after reboot, as follows:

    [Screenshot: Screenshot-2025-06-03-134026]

    The Error indicates that the Secure Boot update failed. This is the first time seeing this Error on this machine, and the computer runs fine and seems to have no other issues.

    Any advice on how to get the Secure Boot update to succeed? Will the update failure be a problem for the eventual upgrade to 24H2, or should this Error message just be ignored?

    The computer is an HP desktop, with the latest BIOS update applied, and the Secure Boot State is On according to msinfo32.

    • #2779364

      AFAIK the secure boot update is new certificates in the EFI. Not having the new certificates will not affect the machine in any way, but it does make it vulnerable to being booted with malware using a compromised loader. Mind you, if an attacker can gain physical access they can probably turn secure boot off anyway.

      cheers, Paul

      1 user thanked author for this post.
      • #2779377

        If I look in my SecureBootUpdates folder, I see 8 binary files, 3 modified today (when I installed KB5058405). There are also 2 certificates, modified May 3, when I installed the April Cumulative Update (KB5055528).

        [Screenshot: Screenshot-2025-06-03-164337]

        The TPM-WMI Error is being generated by the Secure-Boot-Update Task, which runs at Startup, and every 12 Hours after that. Last Run Result of this Task was (0x900700C1).

        [Screenshot: Screenshot-2025-06-03-165523]

        • #2779463

          Note: The Secure Boot update failure indicates Windows was unable to update some of the certificates stored on the Motherboard.

          One possible solution is to enter BIOS > Secure Boot and select the Restore Factory Keys option to “clear” all the existing certificates back to their default settings.

          Then when Windows boots, it’ll attempt to update them again (using the certificates stored in that folder) which “should” now succeed.

          The other option, as pointed out by @Paul T, is to simply ignore the error as it won’t really affect how Windows functions.

          1 user thanked author for this post.
    • #2779370

      FWIW I’m getting the same error message after the corresponding update on my Windows 11 Pro 24H2 12th generation Intel Core i7 laptop.

      1 user thanked author for this post.
      • #2780384

        Just FYI, I have submitted a Problem Report to Microsoft for this using their Feedback Hub app (nothing to lose). Hoping that this is something they broke changing the Secure Boot code, and will fix at some point.

    • #2779419

      My Secure Boot Update runs without issue, W10 22H2 Home.

      cheers, Paul

      1 user thanked author for this post.
    • #2779457

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
      • #2779538

        The OOB Update (KB5062170) addresses a recovery error issue installing KB5058405, and includes the non-security preview updates in KB5058502. As it indicates that “It’s not necessary to install this update on systems that successfully applied KB5058405,” it doesn’t seem likely that KB5062170 includes a Secure Boot Update fix.

        Am I correct in assuming you’re suggesting to try the OOB Update as all changes in the update should be included in next month’s Cumulative Rollup?

        • #2779572

          Correct. Given that it’s cumulative and the latest rollup of “stuff” at this time.

          Susan Bradley Patch Lady/Prudent patcher

          1 user thanked author for this post.
          • #2780052

            As Patch Tuesday is less than a week away, I’ll probably hold off until then to try the next Cumulative Rollup. Getting one Error a day, with no current impact, is not much of an issue (Secure Boot is currently working). But I believe I will eventually need to find a solution to updating the current Certificates, as I’ve read that these Certificates will expire in 2026.

            The May Cumulative Update for Windows 11 24H2 (KB5058411) specifically mentions Secure Boot under Improvements. Douglas, in post #2779370 above, mentions he’s getting the same error message after applying this update. So it would seem that Microsoft is updating their Secure Boot code, although there was no mention of it changing for Windows 11 23H2 (KB5058405).

    • #2779541

      The other option, as pointed out by @Paul T, is to simply ignore the error as it won’t really affect how Windows functions.

      By not really affecting Windows, would you know if this Secure Boot Update failure would have any effect on the process of upgrading a desktop from Windows 11 23H2 to Windows 11 24H2?

    • #2779745

      As pointed out by @Paul T, the whole purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start the system.

      The Secure Boot update simply updates the certificates stored on the motherboard that Secure Boot uses to determine if something is authorized to boot the system or not.

      So, unless you’re trying to update using a version of Windows 11 24H2 that “may” be infected with some malware that’s not yet been blocked via the Secure Boot update (i.e. a non-Microsoft approved update), it won’t cause any problems.

      3 users thanked author for this post.
      • #2780053

        Thanks for the explanation and clarification. Some time before November I will use Windows Update to upgrade my machine to Windows 11 24H2. It will very much be a Microsoft approved upgrade, with all the AskWoody experts providing invaluable advice, tips and warnings.

    • #2780864

      After some further research, Microsoft’s best guide on this subject appears to be How to Manage the Windows Boot Manager Revocations for Secure Boot Changes Associated with CVE-2023-24932 (KB5025885).

      The Mitigation Deployment Guidelines have four steps. The first step is to Install the Updated Certificate Definitions to the DB, using the following two commands, in an Administrator Command Prompt.

      reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
      Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

      Running the following PowerShell command, as an Administrator, will verify if the DB has been successfully updated (should return True).

      [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

      Running the PowerShell command on my desktop, False is returned, indicating that the updated Windows UEFI CA 2023 Certificates are not present in the UEFI Secure Boot Signature Database. Further, when I look at the AvailableUpdates registry key noted above, it currently has a value of 0x400 (1024).

      As Secure Boot is currently working on my desktop, my question is, should I continue to troubleshoot this, and attempt to manually update the Certificates and the Boot Manager (which would be the next step), or should I wait and see if Microsoft is able to successfully address these issues through Windows Update, and their Monthly Cumulative Updates?
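      The three things this post checks by hand (whether the 2023 CA is in the db, the AvailableUpdates value, and the Secure-Boot-Update task result) can be gathered in one read-only PowerShell report. The script below is an added example and is not from this thread or from Microsoft's KB5025885 article. It parses the db variable using the EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout from the UEFI specification so that certificate subjects are read from the actual X.509 entries rather than by a substring match over the raw bytes; the event-log provider name Microsoft-Windows-TPM-WMI and the seven-day event window are assumptions. It writes nothing and changes no settings.

```powershell
# Added example (not from the thread or from Microsoft's KB article): a read-only
# Secure Boot health check for the symptoms discussed above. Run from an
# elevated PowerShell session on Windows 10/11.
#Requires -RunAsAdministrator

$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$TaskPath = '\Microsoft\Windows\PI\'
$TaskName = 'Secure-Boot-Update'
# EFI_CERT_X509_GUID from the UEFI specification: signature type for X.509 entries.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    # Walk the db variable as a sequence of EFI_SIGNATURE_LIST structures:
    #   SignatureType (16-byte GUID), SignatureListSize, SignatureHeaderSize,
    #   SignatureSize (three UINT32), optional header, then N EFI_SIGNATURE_DATA
    #   entries of SignatureSize bytes each (16-byte SignatureOwner GUID + data).
    [byte[]]$bytes = (Get-SecureBootUEFI -Name db).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }          # malformed list: stop instead of looping forever
        $listEnd   = [Math]::Min($offset + $listSize, $bytes.Length)
        $dataStart = $offset + 28 + $hdrSize
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            for ($p = $dataStart; $p + $sigSize -le $listEnd; $p += $sigSize) {
                # Skip the SignatureOwner GUID; the remainder is the DER-encoded certificate.
                [byte[]]$der = $bytes[($p + 16)..($p + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
        }
        $offset = $listEnd
    }
}

function Get-SecureBootUpdateStatus {
    $certs = @(Get-SecureBootDbCertificates)

    # AvailableUpdates is the value the KB5025885 step 1 command sets to 0x40; the
    # original poster reported seeing 0x400 (1024) instead.
    $avail = (Get-ItemProperty -Path $RegPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    # The task that logs the TPM-WMI error in this thread; LastTaskResult is shown in
    # hex so it can be compared with the 0x900700C1 value reported above.
    $task = Get-ScheduledTaskInfo -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue

    # Assumption: the TPM-WMI errors come from provider Microsoft-Windows-TPM-WMI in the System log.
    $events = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Level        = 2                              # 2 = Error
        StartTime    = (Get-Date).AddDays(-7)
    }

    [pscustomobject]@{
        SecureBootEnabled    = Confirm-SecureBootUEFI
        DbCertificateSubjects = $certs | ForEach-Object { $_.Subject }
        Has2011ProductionPCA = [bool]($certs | Where-Object Subject -Match 'Microsoft Windows Production PCA 2011')
        Has2023WindowsUefiCA = [bool]($certs | Where-Object Subject -Match 'Windows UEFI CA 2023')
        AvailableUpdatesHex  = if ($null -ne $avail) { '0x{0:X}' -f [uint32]$avail } else { '(value not present)' }
        TaskLastRunTime      = $task.LastRunTime
        TaskLastResultHex    = if ($task) { '0x{0:X8}' -f [uint32]$task.LastTaskResult } else { '(task not found)' }
        TpmWmiErrorsLast7Days = @($events).Count
        LatestTpmWmiError    = ($events | Select-Object -First 1).Message
    }
}

Get-SecureBootUpdateStatus | Format-List
```

      A machine that has picked up the new certificate shows Has2023WindowsUefiCA as True alongside Has2011ProductionPCA, a task result of 0x00000000 and no recent TPM-WMI errors; the situation described in this post shows False for the 2023 CA together with the non-zero task result, which is the same information the two KB5025885 commands give, just in one place.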

      • #2780905

        I would suggest you leave it alone. If it won’t update without intervention it may not be happy and I usually choose the “do nothing” option in these circumstances.

        What you can do is check with the manufacturer to see if it’s a machine issue. Maybe they have a firmware fix.

        cheers, Paul

        1 user thanked author for this post.
        • #2780998

          The desktop is an HP ENVY All-in-One 34-c0029 (11th Gen Intel(R) Core(TM) i7-11700). HP released their latest Consumer Desktop PC BIOS Update for this product May 6, 2025 (ROM Family SSID 8927, Version F.24 Rev.A). I successfully installed this BIOS and Firmware update prior to installing KB5058405, and the desktop rebooted without Error messages. After installing the May Cumulative Update (KB5058405), the TPM-WMI Error messages shown in post #2779324 above began.

          In addition, I’ve used both the HP Support Assistant tool, and the HP Support page to verify that all Software & Driver updates currently offered by HP have been applied.

          At this point my plan is to take your advice (to not attempt the manual steps suggested by Microsoft), and to see if anything changes with next Tuesday’s Monthly Cumulative Update.
