8 Wizard

 • 

17.2K Posts

February 24th, 2026 18:18

@Truckfan​ ,

 

@Tesla1856​ 

1. Thank you for your detailed reply.  I will go ahead and leave my recent change as now set as Key Management - Custom Mode: Enabled

2. Yes, my current settings:

Secure Boot:  Enabled

Secure Boot Mode:  Deployed Mode

Key Management - Custom Mode: Enabled

Key Management - Enable Microsoft UEFI CA: Enabled

3. Will these settings allow for the AUTOMATIC application of the BIOS 1.31.0 Microsoft UEFI 2023 CA keys to be applied to my system, or do I have to apply the CA keys through the custom keys management menu myself?

1. Agreed.

 

2. Thanks for the confirmation. And yes, those are the correct settings.

 

3. Yes, that is the general idea. Through Windows-Update (and even in "hidden" ways and Scheduled Tasks) Microsoft should maintain the CA's for you. 

 

No, you (or really no-one reading this) should try applying their own Keys in the BIOS there. 

 

There are some KB (patches) that Microsoft will toss you (already and maybe future ones). There is a roll-out and the CAs should re-align when your computer's "Confidence Level" gets high enough.

If you don't feel like waiting (or fear you got skipped) I can point you to some scripts that will help persuade your Windows to update itself early (and be ready for next phase). The script packages also always include "checker scripts" or Read-Only (no changes) batch files that help determine a machine's true status and evaluate its readiness. 

(edited)

Community Manager

 • 

73 Posts

February 24th, 2026 14:44

BIOS version 1.31.0 does indeed contain the 2023 Secure Boot Certificates. Since you'll be messing with the BIOS, I'd ensure you have access to your BitLocker recovery keys before making any changes or suspend it as needed. Otherwise, you may need to reinstall Windows if BitLocker is triggered and you don't have the key.

Firstly, I would load the BIOS defaults so that we can restore the original settings. Should be a button in the BIOS reading Load Defaults or Restore settings, then BIOS defaults. I would then put the Secure Boot Option back to Deployed Mode. Deployed Mode should be selected for normal operation of Secure Boot. If you're still having issues, then you may need to Clear the TPM within the Security tab. 

8 Wizard

 • 

17.2K Posts

February 24th, 2026 14:56

Well, first of all ... just leave your Key Management in Custom Mode. There is no reason to switch it back or keep messing with it. I'm curious why you even WANT TO switch it back.

And just an FYI ... in general, if the computer is working properly and it asks you if you want to "Reset your Keys" you click NO.

 

Also ... on the XPS-8950, you could help by verifying your settings. They should be:
Secure Boot: ON

Secure Boot Mode: Deployed or Audit (this should ALWAYS be set to Deployed).

Microsoft UEFI CA: Enabled

Key Management as Custom Mode: On 

Or, it might look like:

Secure Boot Mode: Standard and Custom. You want Custom so that Key-Management menu-item appears for use or just viewing. Obviously, the "Firmware TPM" should be Enabled.

You speak about definitive answers ... yeah this is an unprecedented event.  

(edited)

1 Rookie

 • 

5 Posts

February 24th, 2026 17:05

@DELL-Daniel V​ 

Thank you for your reply, but this suggestion would have given me more problems than solutions.  I can understand, having done over 30 years of user tech support myself, that it gets routine and saves time to just tell people to set things back to defaults, but in my case that would really mess things up for me.  It’s like telling users to just reboot instead of listening to them about what’s wrong.  I wrote this question because the online Dell XPS8950 Service Manual actually has the default settings listed for Secure Boot as disabled, and the Expert Key Management setting as disabled also.  I know enough to know that wouldn’t help me at all for having the best setting for security purposes.  I appreciate your other suggestions, but they didn’t really answer my question.

(edited)

1 Rookie

 • 

5 Posts

February 24th, 2026 17:17

@Tesla1856​ 

Thank you for your detailed reply.  I will go ahead and leave my recent change as now set as Key Management - Custom Mode: Enabled

Yes, my current settings:

Secure Boot:  Enabled

Secure Boot Mode:  Deployed Mode

Key Management - Custom Mode: Enabled

Key Management - Enable Microsoft UEFI CA: Enabled

Will these settings allow for the AUTOMATIC application of the BIOS 1.31.0 Microsoft UEFI 2023 CA keys to be applied to my system, or do I have to apply the CA keys through the custom keys management menu myself?

(edited)

8 Wizard

 • 

17.2K Posts

February 24th, 2026 18:03

@Truckfan​ ,

 

1. Thank you for your reply @DELL-Daniel V , but this suggestion would have given me more problems than solutions.  

2. I can understand, having done over 30 years of user tech support myself, that it gets routine and saves time to just tell people to set things back to defaults, but in my case that would really mess things up for me.

3. I wrote this question because the online Dell XPS8950 Service Manual actually has the default settings listed for Secure Boot as disabled, and the Expert Key Management setting as disabled also.

4. I know enough to know that wouldn’t help me at all for having the best setting for security purposes.  I appreciate your other suggestions, but they didn’t really answer my question.

1. I'm not even sure what Dell is talking about here because the "Default Keys" are already loaded as your "Current Keys" and that is what you are running-on now.

 

2. I say smart decision on your part. Especially since your computer is working fine now. There are other ramifications to resetting the keys and I'm not sure why Dell is not talking about it or concerned.

 

3. Really?! That is fairly lame.

 

4. Correct.

(edited)

1 Rookie

 • 

5 Posts

February 24th, 2026 19:00

@Tesla1856​ 

Thank you for taking the time to address my questions.  I will leave well enough alone for now and just let the process play out like it is designed and let the keys be applied automatically.  Have a great day!

8 Wizard

 • 

17.2K Posts

February 24th, 2026 19:17

@Truckfan​ ,

 

@Tesla1856​ 

I will leave well enough alone for now and just let the process play out like it is designed and let the keys be applied automatically.  

Sounds good (AFAIK).

 

And for the other readers here, this is the preferred (and I think even recommended) way since the XPS-8950 is new-ish, and included in this list:

https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration

 

This means the XPS-8950 either shipped with CA-2023 or one of the recent firmware-updates included them all for later provisioning.

(edited)

1 Rookie

 • 

5 Posts

February 24th, 2026 20:14

To all who have been interested enough to have read this far:

I found this informative article on Ars Technica that does the best job I’ve seen so far in explaining this Secure Boot Certificates Expiration in 2026 situation:

https://arstechnica.com/gadgets/2026/02/microsoft-sounds-the-alarm-about-secure-boot-certificates-expiring-later-this-year/

8 Wizard

 • 

17.2K Posts

February 24th, 2026 20:53

So, on your XPS-8950 running BIOS v1.31.0 ... did you get True,False or True,True ?

 

It's an OK article. They are asking you to check for one CA, in two different places. I guess they figure if you have that one in both places, you have the others?

 

It's really more like three CA's + the KEK = 4 items . To check for them in two places (Current and Default) that's more like 8 entries. That is why many of us are using the pre-written batch files that the open-source developers have written and are providing to power-users ... to quickly analyze and more comprehensively evaluate their systems.

 

This one I like to use checks for 16 keys (CA, KEK, PK) and 5 other important parameters. I've done 5 computers so far.

(edited)
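As an added example for readers (not written by any poster here, and not one of the script packages mentioned above): a read-only PowerShell check covering the "three CAs + the KEK, in Current and Default" inventory described in the post above. The four certificate names are Microsoft's published 2023 names and are an assumption here, since the thread does not spell them out; `Test-CertInVariable` is a hypothetical helper name.

```powershell
# Read-only inventory of the 2023 Secure Boot certificates (makes no changes).
# Run in an elevated PowerShell session on a UEFI system.
# Assumption: certificate names are Microsoft's published 2023 names,
# not values quoted in the thread.
$items = @(
    @{ Cert = 'Windows UEFI CA 2023';                 Current = 'db';  Default = 'dbDefault'  }
    @{ Cert = 'Microsoft UEFI CA 2023';               Current = 'db';  Default = 'dbDefault'  }
    @{ Cert = 'Microsoft Option ROM UEFI CA 2023';    Current = 'db';  Default = 'dbDefault'  }
    @{ Cert = 'Microsoft Corporation KEK 2K CA 2023'; Current = 'KEK'; Default = 'KEKDefault' }
)

# Hypothetical helper: reports whether a certificate name appears in a
# Secure Boot variable. Returns $true/$false, or 'unreadable' if the
# variable cannot be read (not elevated, legacy BIOS, variable not exposed).
function Test-CertInVariable {
    param([string]$Variable, [string]$CertName)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return 'unreadable'
    }
    # Subject names are stored as plain text inside the DER-encoded
    # certificates, so a text search is enough for a presence check.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text -match [regex]::Escape($CertName)
}

# Overall Secure Boot state; the cmdlet throws on non-UEFI or non-elevated sessions.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'unknown' }
"Secure Boot enabled: $secureBoot"

# One row per certificate: active variable vs. the firmware's built-in default.
$items | ForEach-Object {
    [pscustomobject]@{
        Certificate = $_.Cert
        Variables   = "$($_.Current) / $($_.Default)"
        Current     = Test-CertInVariable -Variable $_.Current -CertName $_.Cert
        Default     = Test-CertInVariable -Variable $_.Default -CertName $_.Cert
    }
} | Format-Table -AutoSize
```

The Current column reflects the keys the machine is running on now; the Default column reflects what the installed firmware would restore if the keys were reset.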

2 Intern

 • 

317 Posts

March 7th, 2026 15:08

I had installed BIOS v1.31 but it didn't seem to have any immediate effect.

I question whether we really need to do anything manually and it will sort itself out with MS updates.
