XPS 8950, Secure Boot Certificate update

I have this same issue but I am on an XPS 8940.

I see that there is a feature in the UEFI to load these secure boot keys myself. If I can fix this security issue myself, I want to do it manually and not wait for the UEFI update.

Is this possible to do myself?

I have followed the official instructions to check the BIOS updates for the key phrase "This BIOS contains the new 2023 Secure Boot Certificates" in the Important Information section of these updates. None of the "BIOS" (UEFI) updates for my device indicate that they include these certificates so far.

https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration 

I've already followed Microsoft's official instructions to update the db key via a registry edit, the restarting of a service, and two reboots as listed here: https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324 

Upon completion the command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’" returns "True" indicating that the db key was successfully updated.

@RichardWrightGeorgeOrwellJohnSteinbeck  - If that's all you did, you only added the updated 2023 database (db) but you didn't revoke the existing database and activate the new one.

Open Windows Event Viewer and wait until Summary of Administrative Events box gets populated.  It might take ~1-2 min depending on how many events have been logged. 

Expand list under Errors and scroll down looking for Event ID 1801 with Source TPM-WMI.  If it's there you'll see this when you open it:

Secure Boot CA/keys need to be updated...

I did exactly what you did and got true in response to the PowerShell query: 

 "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’", but still get a new event 1801 logged at every boot.

So just updating the db isn't sufficient. There are steps to do the next step for updating dbx online.  Those steps require the latest BIOS for whichever PC model and it has to support manual updating. Manual updating can be risky if BIOS doesn't fully support it, and could brick the motherboard. We also don't know if Dell will release new versions with new security keys already included for models that are "end of life". 

The safest thing may be just to keep waiting and see if Windows Update rolls out automatic key updates for older BIOS...

@Charlie84​ I just checked at Dell Support and for the XPS8950 it is now BIOS 1.29.0 which says in the details that it now has the updated Secure Boot Keys .. There is also a new BIOS for the XPS8960 with updated keys (version number is different)

Unfortunately, mine is XPS 8930 and Dell hasn't released new BIOS since 2023. Probably won't release another one since it's long past its End of Life, even though Dell supports it with Win 11.  

Hopefully, Windows Update will eventually release an update for the secure boot keys.

I've the 2019 released Alienware Aurora R10 and it doesn't appear to be supported in the Alienware list. The Bot want me to pay £40 for a "Yes it will be supported" / "No it won't" when all these are listed for free.

Alienware

85rx7gslse​   I updated to this BIOS (1.29.0) on my 8950 but I don't see that it updated the secure boot key when running checks.

It looks as if the Key updates might be coming from Microsoft in a Windows update. Dell are dragging their knuckles.

Dell Tech support varies with 1 person - very kind and understanding to "JUST GIVE US YOUR MONEY TO SORT OUT DELL'S PROBLEM"

This is from Microsoft.

https://learn.microsoft.com/en-gb/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#14-signature-databases-db-and-dbx

Dell not even issuing "We're working on the following machines" and I also would understand "Unfortunately these machines are too old for updating". Dell's policy is "silence is golden". 

I've got a new machine personalised for me sitting in a company's basket. The support for my machine has been dreadful with Dell's dreadful software. No updates for chipset after 4 years. AMD didn't recognise their own processor it appears to be a bodge that Dell bought - AMD Ryzen 9 5900 the preferred model number is 5900X but AMD were very helpful - no charge.

Now this.

I'm lucky I can afford to buy a fresh machine.

@Bell98​ P.S. For the same price as one question to Dell support on a Dell issue, I'm getting 3 years support with the new computer.