
My system

  • Model: OMEN by HP 25L Gaming Desktop PC GT15-0xxx
  • Product number: 575M3AA#ABA
  • CPU: AMD Ryzen 7 5700G
  • OS: Windows 11 Home
  • Boot drive: WD_BLACK SN7100 1TB
  • BIOS mode: UEFI

Main problem

If Secure Boot is OFF, Windows boots normally.

If I enable Secure Boot, the system does not boot normally. The sequence is:

  1. Secure Boot Violation
  2. Message says something like invalid signature
  3. Then it falls through to PXE over IPv4
  4. Then finally shows HP 3F0 / Boot Device Not Found

So it looks like the BIOS can find Windows Boot Manager, but when Secure Boot actually verifies the boot chain, it rejects it and then falls back to network boot and finally 3F0.

Things I already confirmed

  • BIOS mode is UEFI
  • Windows is installed in UEFI mode
  • TPM 2.0 is now working again and shows Ready for use
  • Windows boots normally when Secure Boot is disabled
  • The boot option points to Windows Boot Manager (WD_BLACK SN7100 1TB)

What I already tried

I spent a long time troubleshooting and already tried all of these:

  1. Checked BIOS / Secure Boot / TPM status
    • BIOS mode confirmed as UEFI
    • TPM was temporarily lost during troubleshooting, but I later recovered it and now it shows TPM 2.0 ready for use
    • Secure Boot still fails
  2. Ran Windows Startup Repair
    • Startup Repair could not fix the issue
  3. Manually rebuilt EFI boot files
    • In WinRE, I used diskpart and identified:
      • EFI partition = FAT32 200MB
      • Windows partition in WinRE showed as D:\Windows
    • Then I ran:

       
      bcdboot D:\Windows /s S: /f UEFI /v
       
    • It completed successfully and said boot files were created successfully
  4. Checked BIOS boot order
    • Windows Boot Manager is first
    • I also saw that when local boot fails, BIOS falls through to PXE/network boot
  5. Updated BIOS
    • I updated BIOS through HP tools
    • Problem still remains
  6. Checked Secure Boot key status
    • In BIOS, Platform Key = Enrolled
    • Load HP Factory Default Keys was greyed out / unavailable
    • I did not clear all Secure Boot keys
  7. Recovered TPM
    • At one point Windows stopped seeing TPM at all
    • I reset/cleared TPM and eventually recovered it
    • Now tpm.msc shows TPM 2.0 ready for use
  8. Performed Windows repair reinstall / in-place repair
    • I ran a Windows 11 repair install (25H2 repair version)
    • Windows reinstall completed
    • But Secure Boot still gives Secure Boot Violation / invalid signature

Current state

  • Secure Boot OFF → Windows boots normally
  • Secure Boot ON → Secure Boot Violation / invalid signature → PXE over IPv4 → HP 3F0
  • TPM 2.0 is now working
  • UEFI is working
  • The issue seems specifically related to Secure Boot rejecting the current Windows boot chain
1 REPLY 1

Follow-up to the question

 

I manually triggered Secure Boot certificate servicing and checked the System log. Windows is attempting to apply the 2023 Secure Boot certificates, but it fails with Event ID 1796 for KEK 2023, Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), and 3P UEFI CA 2023 (DB). The event message explicitly says the failure reason is: “Secure Boot is not enabled on this computer.” I also get Event ID 1801, which says updated Secure Boot certificates are available on this device but have not yet been applied to firmware. My registry state also shows UEFICA2023Status=InProgress, WindowsUEFICA2023Capable=0, and the update has not completed. At the same time, if I actually enable Secure Boot in BIOS, the PC fails to boot with Secure Boot Violation / invalid signature, then falls through to PXE and finally 3F0. This makes it look like the firmware rejects the current Windows boot chain when Secure Boot is on, but Windows cannot complete the 2023 Secure Boot certificate migration while Secure Boot is off. Is this a known BIOS/firmware issue on HP OMEN 25L GT15-0xxx / AMI F.38, and is there any HP-specific fix involving MS UEFI CA key / Sure Start Secure Boot key protection / Secure Boot certificate handling?
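
An added example, not part of the original posts and not from HP: a read-only PowerShell snapshot of the state the follow-up describes (whether Secure Boot is enforced, which 2023 certificates are already in KEK/db, the servicing values, and events 1796/1801). The certificate subject names and the registry key path are assumptions that the thread does not state; run it from an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Read-only snapshot of the Secure Boot servicing state described in the thread.

# 1. Is Secure Boot currently enforced by the firmware?
$enabled = try { Confirm-SecureBootUEFI } catch { "unknown: $($_.Exception.Message)" }

# 2. Which 2023 certificates are already present in the firmware variables?
#    Assumption: these are Microsoft's published subject names for the
#    certificates the post lists, matched as ASCII substrings of the raw variable.
$expected = [ordered]@{
    'Microsoft Corporation KEK 2K CA 2023' = 'KEK'
    'Windows UEFI CA 2023'                 = 'db'
    'Microsoft UEFI CA 2023'               = 'db'
    'Microsoft Option ROM UEFI CA 2023'    = 'db'
}
$raw = @{}
foreach ($var in 'KEK', 'db') {
    try   { $raw[$var] = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes) }
    catch { $raw[$var] = '' }   # variable unreadable: report every entry as absent
}
$certs = foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Variable    = $expected[$name]
        Certificate = $name
        Present     = $raw[$expected[$name]].Contains($name)
    }
}

# 3. Servicing status values quoted in the post.
#    Assumption: they live under this key (the thread gives only the value names).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$reg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
       Select-Object UEFICA2023Status, WindowsUEFICA2023Capable

# 4. Most recent servicing events (event IDs taken from the post).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1796, 1801 } `
              -MaxEvents 10 -ErrorAction SilentlyContinue |
          Select-Object TimeCreated, Id, ProviderName, Message

"Secure Boot enabled: $enabled"
$certs  | Format-Table -AutoSize
$reg    | Format-List
$events | Format-List
```

The script only reads firmware variables, the registry and the System log; it changes nothing, so it can be run with Secure Boot off to record the state before and after any firmware key change.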
