HP Pavilion Desktop PC TP01-2000a (2Z6C9AV)
Microsoft Windows 11

I have an HP TP01-2000 series desktop. The CPU and graphics are AMD. A couple of weeks ago, the HP Support Assistant app informed me that a BIOS update F.38 was available. I downloaded and installed the update and it seemed to go ok. However, ever since that BIOS update, secure boot has not been working at all and Windows does not recognize the secure boot state as on. I have tried the following to no avail:

- Ensuring that Windows is updated and any updates by HP are installed
- Making sure the Mode is UEFI
- Loading the defaults in BIOS
- Loading default HP keys in BIOS
- Resetting to factory settings in BIOS
- Clearing the TPM in both the BIOS and Windows
- Clearing the CMOS
- Unplugging electrical cord and depressing the power button to clear
- Installing the BIOS from a USB stick
- Reinstalling with the standalone Windows executable

 

When entering the BIOS, the Secure Boot is always greyed out, so if you load with default HP keys, it then makes the secure boot available for changing. However, as mentioned, when Windows boots up it never ends up recognizing the secure boot as “on” (determined by msinfo32.exe).

 

The one constant I see (other than the obvious, i.e., secure boot does not seem to be working), is that the Platform Key in the BIOS always says “not enrolled” and the cursor passes over it so there is no option to do anything. I have seen that other people with HP products are having the same issue and that it is perhaps because something is going on with AMD certificates. Whether that is the culprit or not, it is clear that the Platform Keys do not appear to be enrolling no matter what I try.

 

Has HP acknowledged that this is a known issue and that they are working on a fix?

 

 


@Bolt_B,

 

Welcome to our HP Community forum!

 

Hat-tip to you - you've done an impressive amount of troubleshooting already, and your detailed account helps narrow this down quite a bit!

 

So, you're correct that what you're seeing - Secure Boot showing as "Off" after BIOS F.38 on certain AMD-based HP Pavilion TP01-2000 series systems - has indeed been reported by other users as well. The key indicator is exactly what you mentioned: Platform Key (PK) → “Not Enrolled” and greyed out, even after restoring factory keys.

 

This suggests to me a problem with how the F.38 firmware handles Secure Boot key enrollment on AMD systems (especially those using fTPM).

 

At this point in time:

 

  1. As far as I am able to ascertain, HP has not yet issued an official advisory (as of early October 2025) that this is a confirmed, system-wide defect, but several customers have reported identical behavior after applying BIOS F.38 on AMD Pavilion and ENVY desktops.

  2. The most plausible cause is a mismatch or corruption in the embedded Secure Boot key database during the update - possibly related to updated AMD AGESA firmware or certificate chain handling in F.38.

  3. Re-flashing F.38 (even via USB) will not fix it, because the firmware appears to skip re-enrolling the factory PK during the post-flash sequence.


Recommended actions:

 

  • Do not attempt to manually inject keys using third-party tools - this can permanently brick Secure Boot or the TPM.

  • Stay on BIOS F.38 for now, as downgrading is generally blocked on HP platforms such as yours.

  • Use the HP Feedback tool within HP Support Assistant to submit a report describing the "Secure Boot not working after F.38 update" issue. This will help motivate HP's firmware team to collect affected system IDs - one can hope.

  • Keep monitoring HP's driver page for your exact model: HP Pavilion Desktop PC TP01-2000a (2Z6C9AV) Software and Driver Downloads | HP® Support. I suspect that when HP releases an F.39 or F.40 BIOS revision, that will likely include the fix.

  • Meanwhile, your system remains fully functional and secure so long as you continue running in UEFI mode with TPM enabled - Secure Boot adds an extra signature layer, but the rest of Windows 11's core security still applies.


If you prefer to confirm the condition:

 

  1. Run msinfo32.exe → "Secure Boot State: Off".

  2. In BIOS → Advanced → Secure Boot Configuration → note "Platform Key: Not Enrolled."

 

That combination confirms this known Secure Boot key enrollment issue.


Hopefully HP's next BIOS update will re-enroll the factory Platform Key properly. Until then, your system will continue to function normally, just sans Secure Boot verification active.

 

Kind Regards,

 

NonSequitur777
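
The two conditions listed in the reply above can also be read from Windows itself. The following is an added example, not part of the reply and not HP's code: a read-only report built on the built-in `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI` and `Get-WinEvent` cmdlets, run from an elevated PowerShell. The function names `Get-SbVariable` and `Get-SecureBootReport` are made up for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only Secure Boot diagnostics. Nothing here writes to firmware.

function Get-SbVariable {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI throws when a variable is undefined; report that as "not present".
    try {
        $v = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        [pscustomobject]@{ Name = $Name; Present = ($v.Bytes.Length -gt 0); Bytes = $v.Bytes }
    } catch {
        [pscustomobject]@{ Name = $Name; Present = $false; Bytes = @() }
    }
}

function Get-SecureBootReport {
    # $true / $false as reported by firmware; $null if the cmdlet is unsupported (legacy boot).
    $enabled = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    # UEFI SetupMode = 1 means no Platform Key is enrolled, so Secure Boot is not enforced.
    $setup     = Get-SbVariable -Name 'SetupMode'
    $setupMode = if ($setup.Present) { $setup.Bytes[0] -eq 1 } else { $null }

    # Presence and size of each key store; contents are not decoded here.
    $keys = foreach ($n in 'PK', 'KEK', 'db', 'dbx') {
        $k = Get-SbVariable -Name $n
        [pscustomobject]@{ Variable = $n; Enrolled = $k.Present; SizeBytes = $k.Bytes.Length }
    }

    # Most recent TPM-WMI provider events from the System log, if any exist.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
    } -MaxEvents 10 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        SetupMode         = $setupMode
        Keys              = $keys
        RecentTpmWmi      = $events | Select-Object TimeCreated, Id, LevelDisplayName
    }
}

$report = Get-SecureBootReport
$report | Select-Object SecureBootEnabled, SetupMode | Format-List
$report.Keys | Format-Table -AutoSize
$report.RecentTpmWmi | Format-Table -AutoSize
```

`SecureBootEnabled` false together with `SetupMode` true and `PK` not enrolled matches what msinfo32.exe and the BIOS screen show for this issue.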



NonSequitur777, 

Thank you for the kind words and very detailed response.  I very much appreciate it!  One thing I neglected to mention in my original post was that I had also looked at the Event Viewer and there were quite a few TPM-WMI errors which I think are related to the issue at hand.

 

Anyway, thanks for the helpful advice.  I will not try to inject keys.  I do like to tinker/experiment but I am not brave enough to do so with a BIOS issue!

 

Cheers.


@Bolt_B,

 

You are welcome - glad I could assist in some way!

 

Best wishes,

 

NonSequitur777



This is still an issue, I have not seen a BIOS update yet.  Yesterday, the PC would not apply Windows Update KB5066835.  After doing some research, it appears that this update had something to do with Secure Boot certificates, so not a surprise I guess that it would not install as it appears the platform key is not enrolling in BIOS.  Also, I tried to apply Windows 25H2 and it also failed.  


@Bolt_B,

 

Yes, we as Community Experts are quite aware that this issue is unfortunately dragging on...

 

We have done what we could to urge/nudge HP to fix this issue ASAP.

 

Kind Regards,

 

NonSequitur777



NonSequitur777,

Yeah, sorry about that.  My main objective was to provide an update about the issue now apparently affecting Windows Update, but I guess a little frustration leaked out too.  It's all good, appreciate the nudges to raise the issue.

Bolt_B

 


Thank you for your reply, which rescued me from an afternoon of confusion and frustration.

 

May I ask if there are any updates on the fix for this issue? Today, COD BO7 required me to update to the latest BIOS (F.38 Rev.A) to run the game, but now I can't even launch it without Secure Boot enabled.


@Riddle_Decipher,

 

Are there perchance any updates yet - or is it still 'mid-November' - wait: it is mid-November! (Just trying to make light of a rather sensitive issue)

 

Kind Regards,

 

NonSequitur777



Hi @NonSequitur777 Thanks for highlighting this, I've sent out another follow-up to the research team, and they are working on the same, I'll share an update here as soon as I hear from them.

@Bolt_B & @SapphireMirai please bear with us, we should have an update, soon.

Riddle_Decipher
I am an HP Employee


Learning is a journey, not a destination.
Let's keep asking questions and growing together.