HP Blatantly Lying about Secure Boot 2023 CA Support
Posted by Amomynou5@reddit | sysadmin | 36 comments
We've just started deploying the new Secure Boot certs and just found out that the HP EliteBook x360 1030 G4 is NOT supported, contrary to HP's claims.
This model is clearly listed on the supported models page, with the minimum BIOS version of 01.33.00. However, when you check the History.txt in the associated softpaq (sp161775), there's no mention of the 2023 certs at all. Applying the BIOS update also does not show an "SBKPFV3" string in the SMBIOS version field, which HP stated is a requirement for the certs to apply.
If you try to deploy the certs anyway (via the AvailableUpdates regkey), you'd get an error 1802 ("The Secure Boot update 3P UEFI CA 2023 (DB) was blocked due to a known firmware issue on the device."). Manually triggering the Scheduled Task gives an error 1797 ("The Secure Boot update failed as the Windows UEFI CA 2023 certificate is not present in Db").
Another issue I've come across is that many of the BIOS updates do not actually copy the new certs to the dbDefault (EliteDesk 800 G5/G6, EliteBook 840 G6 etc), but my understanding is that the BIOS update is supposed to load the cert into the default dbs - yet this has not been my experience.
Furthermore, HP have stated:
For HP Commercial PCs that do not receive a BIOS update because they have reached their End of Service Life (EOSL) date (including select 2018 products and all HP PCs released 2017 and earlier), HP is developing a solution to allow you to update your system manually.
Then they go on to say:
HP might update this page with additional instructions about how to update the Secure Boot Certificates on these systems
June is only a couple of weeks away now, so I doubt whether HP will ever update the page with additional instructions for older machines...
Anyone else come across such lies and anomalies? What are your plans to address these?
Unfortunately, a good chunk of our machines consists of the G4 and other models released around the same time, and the current pricing of laptops means that we don't have the luxury of being able to replace them ASAP.
With the certs expiring next month, and with AI-driven zero-days on the rise, I feel like it won't be long before we see an exploit worse than BlackLotus.
G305_Enjoyer@reddit
No better in Dell land. Only Lunar Lake and Strix Point got a BIOS with both keys pre-installed. Not even Meteor Lake has gotten it yet, which is crazy. Everyone talks about loading them through the OS, which is fine until your BIOS gets reset and the keys are blown out; then there's no way to boot the computer or remediate without reinstalling on a 2nd drive to repatch the BIOS from the OS. I will keep waiting; not going to risk bricking my fleet for no reason. It's only an issue when trying to use newer boot media. The unpatched machines will continue to function no problem.
hexint@reddit
I have a Meteor Lake Latitude 5550 that got the certs back in BIOS v1.16.2.
This list tells you the versions that have the update: https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration#Lat
Future-Appeal@reddit
Please remove any BIOS password from EOL gear with no update when flooding eBay with old laptops. Some Linux guy would turn this artificial e-waste into compute again.
cjchico@reddit
This, and remove from Autopilot in case the buyer wants to use Windows. I've seen too many posts about both of these.
InsaneNutter@reddit
Indeed! On Lenovo ThinkCentre / ThinkStation devices you can update the BIOS and it breaks Autopilot enrolment. Handy to know as the Tiny models are quite popular on /r/homelab.
Lenovo even acknowledge this: https://support.lenovo.com/rs/en/solutions/ht515647
WobbleTheHutt@reddit
I just inherited a Lenovo Yoga 730-13" with 8GB of RAM and an 8th Gen i5 quad core with a 256GB NVMe SSD. Tossed CachyOS on it and it flies. What the hell has Microsoft been doing?
jimicus@reddit
It’s not just Microsoft. I have task manager open and I’m watching Webex - Webex, FFS - take 1.7GB.
There is no earthly way a product like Webex needs 1.7GB. Even if you prove it to me I won’t believe you.
TheMelwayMan@reddit
Microsoft Teams has entered the chat...
Surfin_Cow@reddit
How are you updating the BIOS? It seems HPIA is not correctly identifying some models. I manually rolled back to the published BIOS version on a ProDesk 400 G6 and it worked; if I did the BIOS update with HPIA it would fail with a 1797 error.
mrbios@reddit
Personally I still have HPIA version 5.1.11 in my MECM task sequence specifically for doing BIOS updates, as I had issues with later versions.
bs7ark@reddit
Think there are issues with HPIA at the moment; they rolled back one version and now it's a mess.
rcr_nz@reddit
Worth verifying that the new certificates are not available as an option to enable in the BIOS. I found the G6 desktops won't seem to let Windows enable the certs, but on the most recent BIOS you can enable the new certs via a BIOS option.
Entegy@reddit
Yup, this was my issue on HP machines. The Windows enablement would fail because the firmware added a new option to enable them. I used the HP BIOS Configuration Utility and found three new options related to the 2023 cert. Jesus Christ, HP.
syslurk@reddit
Can you elaborate? The HP BIOS Configuration Utility hasn't been upgraded since 2022.
Entegy@reddit
The tool isn't preprogrammed with every single HP machine's firmware options. It reads all possible options from the machine it's running on.
I used HPBCU to export the list of options to a TXT file and just did a Ctrl+F for 2023. I then used the setvalue flag of HPBCU to enable them. After two more reboots, Windows reported using the new Secure Boot cert.
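The procedure Entegy describes (export the firmware's setting list with HP BIOS Configuration Utility, search it for "2023", then enable the matching options with the setvalue flag) can be scripted so the same check runs on every HP model before anything is changed. The following is an added example, not Entegy's script or HP's code. It assumes `BiosConfigUtility64.exe` is installed at the default path (`$Bcu`), that an optional BIOS setup password has been stored in a BIN file with HP's HPQPswd tool (`$PasswordFile`), and that the allowed value to select is the one shown in the export (`$EnableValue` defaults to `Enable` as an assumption, since the thread does not name the three options or their values). Without `-Apply` the script only reports what it found.

```powershell
# Added example (not from the thread, Entegy or HP). Exports HP firmware settings with
# HPBCU, lists every setting whose name contains "2023" together with its allowed values
# and current selection, and optionally sets them. Setting names are whatever the
# firmware reports; the thread does not name them, so nothing here is hard-coded.
param(
    [string]$Bcu = 'C:\Program Files (x86)\HP\BIOS Configuration Utility\BiosConfigUtility64.exe',
    [string]$PasswordFile = '',       # assumption: BIN file created with HPQPswd, if a setup password is set
    [switch]$Apply,                   # without this switch the script is read-only
    [string]$EnableValue = 'Enable'   # assumption: confirm against the exported allowed values first
)

if (-not (Test-Path $Bcu)) { throw "HPBCU not found at $Bcu" }

# 1. Export the full setting list. HPBCU writes one setting name per line, followed by
#    tab-indented allowed values; the current value is prefixed with '*'.
$export  = Join-Path $env:TEMP 'hp-bios-settings.txt'
$bcuArgs = @("/GetConfig:`"$export`"")
if ($PasswordFile) { $bcuArgs += "/cspwdfile:`"$PasswordFile`"" }
& $Bcu @bcuArgs | Out-Null
if ($LASTEXITCODE -ne 0) { throw "HPBCU export failed with exit code $LASTEXITCODE" }

# 2. Parse the export into objects: Name, Values[], Current.
$settings = @()
$current  = $null
foreach ($line in Get-Content -Path $export) {
    if ($line -match '^\s*(;|$)' -or $line -match '^(English|BIOSConfig)') { continue }  # header/comment lines
    if ($line -match '^\t(\*?)(.+)$') {
        if ($current) {
            $current.Values += $matches[2]
            if ($matches[1]) { $current.Current = $matches[2] }
        }
    } else {
        $current = [PSCustomObject]@{ Name = $line.Trim(); Values = @(); Current = $null }
        $settings += $current
    }
}

# 3. Find the 2023 CA related options (Entegy's Ctrl+F, automated).
$hits = @($settings | Where-Object { $_.Name -match '2023' })
if ($hits.Count -eq 0) {
    Write-Warning 'No setting with "2023" in its name; this firmware does not expose the CA switch.'
    return
}
$hits | Select-Object Name, Current, @{ n = 'AllowedValues'; e = { $_.Values -join ' | ' } } | Format-Table -AutoSize

# 4. Optionally enable them, one /setvalue call per setting, only with a value the
#    firmware actually offers.
if ($Apply) {
    foreach ($h in $hits) {
        if ($h.Values -notcontains $EnableValue) {
            Write-Warning "$($h.Name): '$EnableValue' is not an allowed value; skipping"
            continue
        }
        if ($h.Current -eq $EnableValue) { "$($h.Name): already $EnableValue"; continue }
        $bcuArgs = @("/setvalue:`"$($h.Name)`",`"$EnableValue`"")
        if ($PasswordFile) { $bcuArgs += "/cspwdfile:`"$PasswordFile`"" }
        & $Bcu @bcuArgs | Out-Null
        '{0}: setvalue exit code {1}' -f $h.Name, $LASTEXITCODE
    }
    Write-Host 'Reboot (Entegy needed two) and re-check the Secure Boot DB from Windows.'
}
```

Run it once without `-Apply` per model to see what the firmware calls these options and which values it accepts; HPBCU exit code 0 means the value was accepted, anything else is documented in HP's BCU user guide.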
syslurk@reddit
Appreciate your response.
I was expecting HP to update HP MIK with the options required; that'd be too easy, wouldn't it.
Fallingdamage@reddit
I have several G10s that still won't take the new certificates.
Fallingdamage@reddit
I've been tracking this since November. All of our fleet is updated and ready except HP devices. HP claims it's installed and will be enabled at the appropriate time. Just a 'trust us bro'.
I've posted several times about my problems with HP. We've actually moved to Lenovo in the last year due to HP's overall incompetence in the enterprise space. Their damn support portal doesn't even work half the time and it's a labyrinth of broken links.
I have little to no faith that these newer HPs will get the certificate compatibility in time for the push.
itskdog@reddit
Make sure you're not decrypting HTTPS for hp.com & its subdomains; that fixed some broken links for me.
bakonpie@reddit
The yellowkey BitLocker bypass disclosed this week is due to the Secure Boot database trusting the 2011 PCA cert, so the danger you are concerned about is unfortunately here now. Great find! Contact your reseller or HP account rep if you have one and grill them.
cspotme2@reddit
Unrelated
bakonpie@reddit
Yup, you are correct; I was conflating this with the BitUnlocker tool, which was also a headline yesterday. Thanks for the correction.
Electrical_Arm7411@reddit
I've noticed the same on certain HP models which should have had BIOS updates compatible with the new Secure Boot cert. In addition to the 1030 G4, I'm also having issues updating EliteBook 850 G5s despite having the most up to date BIOS version installed.
frenz48@reddit
Most/all of our G5s have a TPM issue that makes them nonviable anyway. This might be your underlying issue too.
hornetfig@reddit
There is an Infineon HP TPM firmware update but it's not published as applicable for EliteBook G5s. Works though!
Smith6612@reddit
HPs and firmware TPM issues. Name a better combo!
Still angry at them for never upgrading AGESA on my ENVY x360 bq100. Great laptop for how it performs. Buggy as heck though; a broken TPM is one of them.
KandevDev@reddit
HP documentation has been disconnected from their firmware reality for at least 5 years. The support pages are written by people who get a spreadsheet from product mgmt, not by people who actually tested the firmware. File the support case anyway and quote the page back to them. You will not get a fix, but you will get a CSR-level acknowledgment that other people can point to.
utechnet@reddit
You might have to use Mosby. I had to use that on older desktops that barely don't have the specs for Windows 11 and won't be getting BIOS updates that include the certs.
dogeoholic@reddit
Same issue at our place; we had G4s that said TBD for support, then were removed. Also a lot of BIOS versions for our other models that had the cert built in were removed. As a stop gap we will be trying: https://h30434.www3.hp.com/t5/Business-Notebooks/Enabling-new-UEFI-2023-CA-certificates-in-pre-2018-HP/td-p/9628370
bdam55@reddit
>Another issue I've come across is that many of the BIOS updates do not actually copy the new certs to the dbDefault (EliteDesk 800 G5/G6, EliteBook 840 G6 etc), but my understanding is that the BIOS update is supposed to load the cert into the default dbs - yet this has not been my experience.
Something I learned recently is that the BIOS/firmware update doesn't actually install the cert. The only way to get it installed is via Windows Update. And the Windows Update team is maintaining a list of literally every make/model and bios version. They do this to block devices that have a bug in the firmware that could cause various levels of failure. The vast majority of problems stem from OEMs not building their firmware to the _exact_ specs. It's bugs in code that has until now never been called.
So the general process is to update the BIOS, then wait for Windows Update to scan, realize the device now supports the new certs, and they get installed when the next LCU gets installed. The BIOS update itself is a precursor, not the thing that actually installs the certs.
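Given the sequence bdam55 describes (BIOS update first, then Windows Update's make/model allow-list, then the servicing task installs the certs) and the failure codes in the original post (1802, 1797), the question on each machine is "where in that chain is this device stuck?". The following is an added example, not bdam55's, HP's or Microsoft's code. It reads the DB and KEK variables and checks them for the 2023 and 2011 CA subject names, looks for HP's `SBKPFV3` marker in the SMBIOS version string that the OP mentions, decodes the `AvailableUpdates` bits whose meaning is documented in Microsoft's KB5025885 guidance (0x40, 0x80 and 0x100; any other bits are shown raw only), reports the last result of the `\Microsoft\Windows\PI\Secure-Boot-Update` task, and lists the recent Secure Boot events from the TPM-WMI provider so that 1797/1802 are visible. Run it elevated; the SecureBoot and ScheduledTasks modules ship with Windows.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread, HP or Microsoft. Reports where a device
# stands in the 2023 Secure Boot CA rollout. Assumptions: Windows 10/11 with the
# built-in SecureBoot module; CA names are the certificate subject CNs; the
# registry key, task name and event IDs are the ones named in the thread and in
# Microsoft's KB5025885 guidance.

function Get-SecureBootCaStatus {
    [CmdletBinding()]
    param()

    # Subject CNs to look for. 2011 entries are included so a device that only has
    # the old trust anchors is obvious at a glance.
    $certs = @(
        @{ Name = 'Windows UEFI CA 2023';                  Var = 'db';  Era = 2023 }
        @{ Name = 'Microsoft UEFI CA 2023';                Var = 'db';  Era = 2023 }  # the "3P UEFI CA 2023" of event 1802
        @{ Name = 'Microsoft Option ROM UEFI CA 2023';     Var = 'db';  Era = 2023 }
        @{ Name = 'Microsoft Corporation KEK 2K CA 2023';  Var = 'KEK'; Era = 2023 }
        @{ Name = 'Microsoft Windows Production PCA 2011'; Var = 'db';  Era = 2011 }
        @{ Name = 'Microsoft Corporation UEFI CA 2011';    Var = 'db';  Era = 2011 }
        @{ Name = 'Microsoft Corporation KEK CA 2011';     Var = 'KEK'; Era = 2011 }
    )

    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. The subject CN sits
    # in the DER certificate as an ASCII string, so a substring match on the decoded
    # bytes is enough to test presence (the same check Microsoft's guidance uses).
    $raw = @{}
    foreach ($v in 'db', 'KEK') {
        $raw[$v] = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $v).Bytes)
    }
    $present = foreach ($c in $certs) {
        [PSCustomObject]@{ Certificate = $c.Name; Variable = $c.Var; Era = $c.Era
                           Present = $raw[$c.Var].Contains($c.Name) }
    }

    # HP's stated prerequisite from the original post: "SBKPFV3" in the SMBIOS version.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $sbEnabled = try { Confirm-SecureBootUEFI } catch { $false }

    # Opt-in bitmask read by the servicing task. Only bits with a documented meaning
    # are decoded; the raw value is always shown.
    $au = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' `
            -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $auFlags = @()
    if ($au) {
        if ($au -band 0x40)  { $auFlags += 'DB: add Windows UEFI CA 2023' }
        if ($au -band 0x80)  { $auFlags += 'DBX: revoke Windows Production PCA 2011' }
        if ($au -band 0x100) { $auFlags += 'Boot manager: switch to 2023-signed bootmgr' }
    }

    # The task that applies the update, and the events it logs (1797 and 1802 are the
    # failures quoted in the thread).
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo }
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
                -MaxEvents 50 -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'Secure Boot' } |
              Select-Object -First 10 TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [PSCustomObject]@{
        Computer                = $env:COMPUTERNAME
        Manufacturer            = $bios.Manufacturer
        BiosVersion             = $bios.SMBIOSBIOSVersion
        HpSbkpfV3Marker         = [bool]($bios.SMBIOSBIOSVersion -match 'SBKPFV3')
        SecureBootEnabled       = $sbEnabled
        Certificates            = $present
        AvailableUpdates        = if ($null -ne $au) { '0x{0:X}' -f $au } else { '(not set)' }
        AvailableUpdatesDecoded = $auFlags
        TaskLastRun             = $taskInfo.LastRunTime
        TaskLastResult          = if ($taskInfo) { '0x{0:X}' -f $taskInfo.LastTaskResult }
        RecentSecureBootEvents  = $events
    }
}

# Usage: print the report and flag the state the OP hit (firmware "supported", nothing landed).
$status = Get-SecureBootCaStatus
$status | Format-List
$status.Certificates | Format-Table -AutoSize
$status.RecentSecureBootEvents | Format-Table -AutoSize
if (-not ($status.Certificates | Where-Object { $_.Era -eq 2023 -and $_.Variable -eq 'db' -and $_.Present })) {
    Write-Warning 'No 2023 CA in DB: the BIOS update alone does not install it; check AvailableUpdates, the task result and events 1797/1802.'
}
```

Running this before and after the firmware update, and again after the next LCU, shows which of the three steps actually changed anything on a given model; a device with `HpSbkpfV3Marker` false after the "supported" BIOS version, as in the OP's 1030 G4 case, is the one to raise with HP.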
mirrorbirdjesus@reddit
HP just issued an update in April that soft-bricked over 800 computers in our fleet until it was undone in safe mode, in person, one by one… you're telling me that they can't comply with the Microsoft cert update now too?
mirrorbirdjesus@reddit
Paging r/shittysysadmin, y'all got 30 million gallons of water on hand for that I can borrow on the down low? No pressure.
YouDoNotKnowMeSir@reddit
I think there’s actually about 30 million gallons worth of pressure
mirrorbirdjesus@reddit
Excellent Pinky, tonight we take over the world !
blueblocker2000@reddit
It would be nice if there was an official method to add updated certs to the UEFI without having to update the firmware.
GardenWeasel67@reddit
Has anyone observed if SureStart is blocking the cert from being applied to the DB?