• ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
  • ×
    Information
    Need Windows 11 help?
    Check documents on compatibility, FAQs, upgrade information and available fixes.
    Windows 11 Support Center.
  • post a message
Guidelines
Join the HP Community Solve‑a‑thon | Help Others & Share Your Solutions | Live on Zoom | 2:30 PM to 2:30 AM IST | Every Wednesday Click here to know more
HP Recommended

Device: OMEN Laptop 15-en0xxx
BIOS Version: F.26 (confirmed latest available on HP's support site)
OS: Windows 11, fully updated

Issue:
I need to enable UEFI Secure Boot to play Valorant (Riot Vanguard anti-cheat requirement). When I enable Secure Boot in BIOS and save/exit, I get "Secure Boot Violation - Invalid Signature Detected. Check Secure Boot Policy in Setup." I've had to disable Secure Boot again just to boot into Windows.

Troubleshooting already completed:
- Confirmed Windows is in UEFI mode (GPT), not Legacy/CSM
- Tried "Restore Secure Boot to Factory Keys" in BIOS before re-enabling — no change
- Confirmed BIOS F.26 is the newest version available for this model on HP's site
- Confirmed TPM is "ready for use" via tpm.msc
- Confirmed BitLocker/Device Encryption is fully off on all volumes (manage-bde -status shows Protection Off on both C: and D:)
- Ran diagnostic check: Windows UEFI CA 2023 certificate is NOT present in the Secure Boot DB
- Manually triggered the Microsoft Secure Boot certificate update (AvailableUpdates registry key set to 0x5944 + Secure-Boot-Update scheduled task) multiple times over several restarts
- Task Scheduler shows the Secure-Boot-Update task's Last Run Result as "The operation completed successfully. (0x0)" — but no actual progress occurs
- Observed inconsistent/failing state transitions: status moved from NotStarted -> InProgress (no error code) across restarts, then reset itself back to NotStarted with AvailableUpdates returning to 0 -- without ever reaching "Updated"
- WindowsUEFICA2023Capable remains 0 throughout (certificate never lands in DB)
- Checked Event Viewer (System log, TPM-WMI source) — no relevant error events logged (no 1795/1796/1801)
- Registry shows ConfidenceLevel: "High Confidence" (device is flagged as eligible for the automatic rollout), yet the certificate write never completes

This points to the firmware silently failing to commit the Windows UEFI CA 2023 certificate write, despite being on the latest available BIOS, with no error surfaced anywhere in Windows. This matches the industry-wide Secure Boot 2011->2023 certificate rollout (2011 certs expiring June 2026), which requires OEM firmware support. Could you please confirm:

1. Is there a BIOS update in development/testing for the OMEN 15-en0xxx series that addresses Secure Boot UEFI CA 2023 certificate support?
2. Is there a known timeline for this release?
3. Is there a beta/pre-release BIOS available that I could test in the meantime?

Happy to provide additional logs, a screen recording, or run further diagnostics if useful.

3 REPLIES 3
HP Recommended

Hi @qiuqiuqi,

Welcome to the HP Support Community.

Thank you for posting your query. I will be glad to help you.

I hear that the Secure Boot 'Invalid Signature' error the UEFI CA 2023 cert fails to apply on the OMEN 15.

 
To regain access to Windows and attempt to forcefully sync the Secure Boot keys, try resetting the key database manually: 
 

  1. Turn on your laptop and immediately press F10 to enter the BIOS Setup.
     
  2. Navigate to the Security or Advanced tab (depending on your specific BIOS menu) and find the Secure Boot Configuration.
     
  3. Locate and select Clear All Secure Boot Keys.
     
  4. Select Reset Secure Boot keys to Factory Default Keys. (If there is a prompt to "Install HP Default Keys", do that instead).
     
  5. Save changes and exit.
     

I hope this will help.

 

Take care and have a good day.

I'm an HP Employee.


If this reply helped resolve your issue, please select the Accept as Solution as it helps others in the community quickly find the answer they’re looking for.


And if you found this reply helpful, clicking Yes below is a great way to let us know we’re providing the support you need, as it encourages us to keep improving and sharing helpful guidance.

HP Recommended

Hi, thank you for the suggestion. I tried this exactly as described (Clear All Secure Boot Keys, then Restore/Install HP Default Keys, save and exit) - unfortunately the same "Secure Boot Violation - Invalid Signature Detected" error returned immediately.

Since this didn't resolve it, I did further diagnostics to narrow down the actual cause, and I think I've isolated something more specific that would help an engineer look into this:

1. I confirmed the Secure Boot database (db) itself is healthy - the original Microsoft 2011 UEFI CA certificate is present and intact. This rules out database corruption.

2. However, the newer "Windows UEFI CA 2023" certificate (part of Microsoft's ongoing Secure Boot certificate rollout) is confirmed absent from the db.

3. I manually triggered Microsoft's certificate update mechanism (Secure-Boot-Update scheduled task under Microsoft\Windows\PI, via the AvailableUpdates registry value). Checking HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing afterward shows the status cycling from NotStarted to InProgress and then back to NotStarted on its own, without ever reaching "Updated." WindowsUEFICA2023Capable remains 0 throughout. No errors are logged anywhere (Event Viewer TPM-WMI shows nothing relevant).

4. Importantly, I also updated the BIOS to F.26 Rev.A (SoftPaq sp158697, effective date 05/08/2025) and checked the on-device EFI update log directly (S:\EFI\HP\BIOSUpdate\HpBiosUpdate.log). This confirms the BIOS flash itself completes successfully end-to-end, including a post-write verification step against the signature ("Verifying Written BIOS Image" -> "EfiBiosUpdateLibEntry(): Result is 0x0" -> "BIOS Update Successful"), and this has now succeeded 3 separate times, most recently this morning.

So general firmware writes are working correctly on this system - this isn't a corrupted or non-functional firmware chip. The one specific thing that never succeeds is the Windows UEFI CA 2023 Secure Boot certificate update. This looks like a firmware feature gap rather than a hardware fault: F.26 (including Rev.A) may simply not implement the authenticated variable update path needed to accept the 2023 certificate into db, even though it handles ordinary BIOS image flashing without issue.

Could someone confirm:
1. Does BIOS F.26 (or Rev.A) for the OMEN 15-en0xxx actually include support for writing the Windows UEFI CA 2023 certificate to the Secure Boot database?
2. Is there a newer BIOS version in development or testing that adds this specific support?
3. Is there a known timeline for such a release?

Device: OMEN Laptop 15-en0xxx
BIOS: F.26 Rev.A (SoftPaq sp158697)
OS: Windows 11, fully updated

HP Recommended

Thank you for your response.

Answer to your specific questions:

1. Does BIOS F.26 (or Rev.A) for the OMEN 15-en0xxx actually include support for writing the Windows UEFI CA 2023 certificate to the Secure Boot database?

No. It lacks the necessary firmware hooks to accept the Windows UEFI CA 2023 update.

2. Is there a newer BIOS version in development or testing that adds this specific support?

Currently, the F.26 BIOS version is listed on the HP Support page.

3. Is there a known timeline for such a release?

The team is working on it; please wait for the latest BIOS release.

I'm an HP Employee.


If this reply helped resolve your issue, please select the Accept as Solution as it helps others in the community quickly find the answer they’re looking for.


And if you found this reply helpful, clicking Yes below is a great way to let us know we’re providing the support you need, as it encourages us to keep improving and sharing helpful guidance.

† The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the <a href="https://www8.hp.com/us/en/terms-of-use.html" class="udrlinesmall">Terms of Use</a> and <a href="/t5/custom/page/page-id/hp.rulespage" class="udrlinesmall"> Rules of Participation</a>.