HP Recommended

So we are trying to update the secure boot database in the firmware to get ready for the UEFI 2023 boot certificate.

However, it seems that even if our fleet is up to date with the latest firmware from HP, the 2023 UEFI secure boot certificate is not present in the firmware.

When we try to update the firmware with the 2023 certificate, we get the error:

The system firmware returned an error Unspecified error when attempting to update a Secure Boot variable.

This is from the System event log, source TPM-WMI.

So far I have tested on these models:

HP Elitebook 845 G9
HP Elitebook 845 G10
HP Elitebook x360 1030 G3
HP Elitebook x360 1020 G2

All are updated with the latest firmware (from 2025) - but all give the same error.

Anybody with the same problems?

Or maybe a hint how to fix it?

HP Recommended

I have the same problem.

I have tested on a few different models:

HP EliteBook 830 G6
HP EliteBook 830 G7
HP EliteBook 850 G8
HP EliteBook 840 G10
HP EliteBook 840 G1
HP EliteDesk 800 G1
HP EliteDesk 800 G6
HP Elite Mini 800 G9
HP Z4 G4 Workstation

All PCs have the latest BIOS version installed. They all fail with the same error, event ID 1795:

"The system firmware returned an error Unspecified error when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=216993"
("Unspecified error" is -2147467259)

It completes successfully on Dell machines and Hyper-V virtual PCs. The only way I have gotten any HP models to add the Windows UEFI CA 2023 certificate is if I go back to the May 2025 Windows update. Then it will add the 2023 certificate. But that's not a good solution.

If June, July or August 2025 Windows updates are installed it fails. Tested on Windows 10 22H2, Windows 11 23H2, Windows 11 24H2. Doesn't matter if I use our corporate domain image, or a clean ISO Windows install. Tried resetting BIOS settings to defaults, disabling Credential Guard, HVCI, and all other Virtualization Based Security. No difference.

I run these commands (elevated PowerShell):

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

According to this article

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-...
this will add the "Windows UEFI CA 2023" certificate to the UEFI "Secure Boot Signature Database" (DB).

I think the next step might be to contact Microsoft or HP.

Anybody?
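The event ID 1795 failure and the DB check in the reply above can be turned into a quick per-machine diagnostic. The following is an added example for this thread, not code from HP, Microsoft or any poster: it reads the UEFI db variable and looks for the "Windows UEFI CA 2023" subject string, reads the AvailableUpdates value from the registry key named in the reply, and counts recent event 1795 entries. The provider name Microsoft-Windows-TPM-WMI (for the "TPM-WMI" source shown in Event Viewer) and the 7-day window are assumptions. Run it from an elevated PowerShell on the machine being checked.

```powershell
# Added diagnostic for this thread; not HP's, Microsoft's or any poster's code.
# Run elevated. Reports whether "Windows UEFI CA 2023" is already in the UEFI DB,
# what AvailableUpdates is set to, and how many TPM-WMI 1795 failures were logged.

function Test-WindowsUefiCa2023Present {
    # Get-SecureBootUEFI (built-in SecureBoot module) returns the raw variable.
    # The DB is a packed EFI_SIGNATURE_LIST; the CA's subject name is stored as
    # ASCII inside the DER certificate, so a substring search is sufficient.
    $db = Get-SecureBootUEFI -Name db
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    return [bool]($text -match 'Windows UEFI CA 2023')
}

function Get-SecureBootUpdateFailures {
    param([int]$Days = 7)   # window is an assumption; adjust for your rollout cadence
    # Assumption: the "TPM-WMI" source in Event Viewer is the Microsoft-Windows-TPM-WMI
    # provider. Event 1795 is the ID quoted in this thread.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1795
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Get-SecureBoot2023Status {
    # Registry path is the one used by the reg add command in this thread.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $pending = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $pendingText = if ($null -ne $pending) { '0x{0:X}' -f $pending } else { 'not set' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SecureBootEnabled  = Confirm-SecureBootUEFI
        Ca2023InDb         = Test-WindowsUefiCa2023Present
        AvailableUpdates   = $pendingText
        Failures1795Last7d = @(Get-SecureBootUpdateFailures).Count
    }
}

Get-SecureBoot2023Status | Format-List
```

Because the task's own exit status says nothing about whether the firmware accepted the variable write, Ca2023InDb is the value to collect from the fleet; a machine with Ca2023InDb = False and Failures1795Last7d greater than zero is one where the firmware, not the OS, rejected the update.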

HP Recommended

I'm seeing the exact same error in the event log. Has anyone figured out how to apply the secure boot update?

HP Recommended

Have the same issue across EliteBooks G6-G11, but only random devices. Have tested the mitigation on a single device of each model and that seemed to work a few months back, before rolling this out. But recently nothing will apply the mitigation, unless it is brand new and out of the box.

Error: 1795 The system firmware returned an error Unspecified error when attempting to update a Secure Boot variable.

Tried clearing the TPM, resetting BIOS, in-place upgrade, wipe and new OS.

Any advice would be greatly welcomed.

HP Recommended

Hello everyone. I originally posted this on 9/19/25, but somehow I can't see it as a reply on this thread.

I have edited my original post a bit, so here's take 2:

"

Here are my findings so far:

This is all on Win 11 24H2.

HP EliteBook 1040 G11 (with BIOS v1.06.01 - 4/22/25) - 2023 Cert is successfully added, regardless of OS patch level.

HP EliteBook 840 G10 (with BIOS v1.09.00) - 2023 Cert can be applied BEFORE OS updates ("base" build .1742 from 2024-10 if used as master image) OR if OS is updated, then Resetting the Secure Boot Keys in BIOS (NOT CLEAR THEM) will allow the 2023 Cert to be added manually. Two MAJOR PROBLEMS WITH 2ND OPTION - Sure Start Secure Boot Keys Protection must be DISABLED in order to be able to reset the keys to defaults AND this will also trigger a BitLocker Recovery Password prompt at boot (if it is enabled)! Not really a way to automate/deploy this...

HP EliteBook 840 G9 (with BIOS v1.15.00) - Same as the G10...

HP EliteBook 840 G8 (with BIOS v1.20.00) - Only possible before OS is patched (if base build is from last year). Removing all updates to bring it back to old build level works, but not really practical. Plus, if the master image has been recently patched w/ reset base option then updates older than the cleanup date cannot be removed.

HP EliteBook 840 G7 (with BIOS v1.21.00) - Same as the G8...

I have tried clearing the keys and importing custom keys on the G7 via USB, but the import always fails. Searching for possible reason and solution in the HP forums only returns the same issue posted by other users with no replies."

HP Recommended

A quick follow-up:

There is a BIOS update for the HP EliteBook 840 G7 - published today, 9/22/25 (v01.22.00 - 6/27/25). Also, new BIOS updates for the 840 G8, G9, and G10.

After applying it, I was able to successfully apply Step 1 (2023 Cert added to DB in firmware).

EDIT: This is on Windows 11 24H2, build .4946 (KB5065381, 2025-08).

HP Recommended

I contacted HP about this issue, and they say it's "by design". More information from HP will go public in October 2025, so I probably shouldn't share anything yet. Like Marty_K noticed, many models have already or will get BIOS updates to fix this. BIOS version 01.10.00 that was released yesterday for HP EliteBook 840 G10 includes this fix:

"- Enables recent Windows cumulative updates to include the Windows UEFI CA 2023 certificate for platforms introduced in 2023 and earlier."

These kinds of BIOS updates are what we need to add the 2023 certificates.

I did however find another way to add the 2023 Secure Boot certificates on HP models that have not yet, or never will, get a BIOS update to fix this. Run this command:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v SkipDeviceCheck /t REG_DWORD /d 1 /f

then Microsoft's Secure Boot update process will not care about checking if the HP BIOS is fully ready for the new 2023 certificates.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Important note: This information is not from HP. I figured it out myself and it worked on a few models I tested. Your mileage may vary. USE AT YOUR OWN RISK! I still recommend waiting until a BIOS update fixes this and updating the proper supported way. If the model is too old to get an updated BIOS from HP I might consider using the SkipDeviceCheck=1 registry value if there is no better way to add the certificates. I would still always update to the latest BIOS version first! There are at least a couple of previous issues fixed in BIOS updates on HP machines related to these new Secure Boot certificates:

https://support.hp.com/us-en/document/ish_9642671-9641393-16?jumpid=in_r11839_us-en/PCSecureBootErr

And if you use BitLocker, suspend it before adding 2023 certs and switching the bootloader to a 2023 signed version.

HP Recommended

Pisboi and Mart_K - thanks for the input.

Recent BIOS updates for the Elitebook range are now allowing the mitigations to apply nicely. However.. I'm now struggling with the Elite Desk Minis and EliteMinis G4 - G9. They do not appear to have had a recent BIOS update? If anyone from HP is reading this, any ideas when/if we might see additional BIOS updates for desktops?

Using the "SkipCheck" regkey (which I believe is for ARM64 based devices) does appear to work and allows the mitigations to apply. Would much prefer a BIOS update for the desktop minis, just to make sure it is doing a proper job.

On a side note and only if interested, you can also just apply 0x140 to the starting regkey and just let Windows/users do their thing.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x140 /f
(Enterprise Deployment Guidance for CVE-2023-24932 - Microsoft Support)
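The sequence spread across the last few replies (suspend BitLocker, optionally set SkipDeviceCheck, set AvailableUpdates to 0x40 or 0x140, start the Secure-Boot-Update task, then confirm the DB actually changed) can be scripted so that the outcome is verified instead of assumed. The following is an added example for this thread, not HP's, Microsoft's or any poster's code. The parameter names, the 20-second wait, the 5-minute event window and the Microsoft-Windows-TPM-WMI provider name are my assumptions; the registry values, task name, event ID 1795 and certificate name are the ones quoted in the replies above. SkipDeviceCheck is an explicit opt-in switch, since the reply that introduced it describes it as unsupported and recommends a BIOS update first. Run elevated.

```powershell
# Added deployment helper for this thread; not HP's, Microsoft's or any poster's code.
# Steps, as described in the replies above: optionally suspend BitLocker, optionally set
# SkipDeviceCheck (unsupported workaround), set AvailableUpdates (0x40 = DB update only,
# 0x140 as in the last reply), start the Secure-Boot-Update task, then verify the DB
# and look for TPM-WMI event 1795. Parameter names and timings are this example's own.

[CmdletBinding(SupportsShouldProcess)]
param(
    [ValidateSet(0x40, 0x140)]
    [int]$AvailableUpdates = 0x40,
    [switch]$SkipDeviceCheck,   # unsupported per the thread; prefer a BIOS update
    [switch]$SuspendBitLocker
)

# Registry path used by the reg add commands in this thread.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Test-Ca2023InDb {
    # The DB variable embeds the DER certificate; its subject string is plain ASCII.
    $bytes = (Get-SecureBootUEFI -Name db).Bytes
    return [bool]([System.Text.Encoding]::ASCII.GetString($bytes) -match 'Windows UEFI CA 2023')
}

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled; nothing to update.' }
if (Test-Ca2023InDb) { Write-Host 'Windows UEFI CA 2023 is already in DB.'; return }

if ($SuspendBitLocker) {
    # Suspend for one reboot so the boot-measurement change does not trigger recovery.
    Suspend-BitLocker -MountPoint $env:SystemDrive -RebootCount 1 | Out-Null
}

if ($SkipDeviceCheck -and $PSCmdlet.ShouldProcess($key, 'Set SkipDeviceCheck=1')) {
    Set-ItemProperty -Path $key -Name SkipDeviceCheck -Value 1 -Type DWord
}

$hex = '0x{0:X}' -f $AvailableUpdates
if ($PSCmdlet.ShouldProcess($key, "Set AvailableUpdates=$hex and run Secure-Boot-Update")) {
    Set-ItemProperty -Path $key -Name AvailableUpdates -Value $AvailableUpdates -Type DWord
    Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
    Start-Sleep -Seconds 20   # give the task time to run and log its result
}

# Assumption: the "TPM-WMI" source in Event Viewer is the Microsoft-Windows-TPM-WMI provider.
$failures = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1795
    StartTime = (Get-Date).AddMinutes(-5)
} -ErrorAction SilentlyContinue

if (Test-Ca2023InDb) {
    Write-Host 'Success: Windows UEFI CA 2023 is now in DB.'
} elseif ($failures) {
    Write-Warning ('Firmware rejected the DB update (event 1795): ' + $failures[0].Message)
} else {
    Write-Warning 'DB not updated yet; re-check AvailableUpdates and the System log after a reboot.'
}
```

Because the script supports -WhatIf, a pilot run shows the registry and task actions without performing them. The final DB read is the check that matters for a fleet report: a machine that logs 1795 and still lacks the 2023 CA needs the BIOS update the replies above describe, not another run of the task.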

HP Recommended

I did get some info about this, JonnyFeth. But I don't think I should share it without HP's approval yet. Wait until they publish info about this issue in October. Then I can tell you what I was told.
