Secure Boot update problems "The system firmware returned an error The parameter is incorrect" Event ID 1795.

Posted by Internal-tech956@reddit | sysadmin | View on Reddit | 4 comments

We're trying to update the secure boot certificates on some of our workstations.

We've got a lot of systems 2017 and older. All fully updated etc.

We picked two Dell OptiPlex 3050's and ran the registry commands from Microsoft to manually update the certs. These worked on the Optiplex 3060s (from 2019).

On the 3050's though, after running the steps, we get Event ID 1795:

The system firmware returned an error The parameter is incorrect. when attempting to update a Secure Boot variable KEK 2023. This device signature information is included here.

DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.32.0;OEMManufacturerName:Dell Inc.;OEMModelSKU:07A3;OSArchitecture:amd64;

We checked to make sure the BIOS has the latest version available (dated 2024).

There's doesn't seem to be any details online for this particular event ID error.

Has anyone come across it during their secure boot update activities?

[-]

seannyc3@reddit

Optiplex 3050 shipped with 7th Gen Intel maximum, are you running an LTS build of Windows 10?

Gakamor@reddit

Check to see if UEFI has the 2023 KEK in the default database with the following PowerShell:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kekdefault).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'

If it returns true, then resetting the Secure Boot keys to factory default in UEFI (exact terminology varies) should place the 2023 KEK into the active certificate database.

That said, Dell doesn't have the 3050's listed as having firmware with the updated certificates. https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration

As a last resort, you can try this registry change then run the Secure-Boot-Update task.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
"SkipDeviceCheck"=dword:00000001

quiet-peak-7040@reddit

Funny story — I tried this approach a while back and completely botched it. Round two went much better though. Would love to hear other perspectives on this.

Walbabyesser@reddit

Had one Client stuck with 1795 - solved it with this:

https://community.aagon.com/forum/index.php?thread/3977-aktualisierung-der-uefi-zertifikate-lenovo/

(Sorry, it‘s in german - but you could use google translate or something like that)