I'm currently facing a frustrating issue with the Lenovo ThinkPad L14 Gen 2 while trying to deploy the Microsoft 2023 Secure Boot certificates. After applying the necessary certificates to the Database (DB) and Key Exchange Key (KEK) and successfully enabling Secure Boot, I activated Device Guard in the BIOS. This action caused all the 2023 certificates to disappear, resetting the DB and KEK to factory 2011 defaults, which rendered my machine unbootable. I can't restore the keys without disabling Device Guard first, and according to Lenovo's documentation, Device Guard shouldn't interfere with the certificate databases. Has anyone else experienced this? Is there any known workaround to prevent Device Guard from resetting the keys when enabled? Additionally, for those rolling out the 2023 certificates across multiple devices, how are you enabling Device Guard—through BIOS options or Windows registry?
1 Answer
I've encountered a similar issue while rolling out the Microsoft CA updates. It seems like the system firmware has different Secure Boot certificate databases, including the default one. If your BIOS doesn't include the 2023 CA in the default store, it can lead to an unbootable state if the Secure Boot settings are reverted to default. Make sure you're running the latest BIOS version, as Lenovo and Dell included the 2023 CA updates in their firmware updates around late 2025, which should prevent issues like this.
You can verify if the 2023 CA is in the default database using PowerShell. It's a good troubleshooting step to help ensure you're not missing the necessary certificates.
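As an added example (not code from either poster), the following PowerShell walks the EFI_SIGNATURE_LIST structures of the active and default DB/KEK variables and reports whether the 2023 Microsoft CAs are present in each. It assumes Get-SecureBootUEFI accepts the dbDefault and KEKDefault variable names on this firmware, and it must run from an elevated session.

```powershell
# Added example, not code from the thread: parse a Secure Boot variable's
# EFI_SIGNATURE_LIST entries and report whether the 2023 Microsoft CAs are present.
# Assumption: Get-SecureBootUEFI accepts dbDefault/KEKDefault on this firmware. Run elevated.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertSubjects {
    param([Parameter(Mandatory)][string]$Name)
    [byte[]]$raw = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $subjects = @()
    $pos = 0
    while ($pos + 28 -le $raw.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $type       = [Guid]::new([byte[]]$raw[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($raw, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($raw, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($raw, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $raw.Length) { break }   # malformed list, stop
        if ($type -eq $EfiCertX509Guid) {
            $sigPos = $pos + 28 + $headerSize
            $end    = $pos + $listSize
            while ($sigPos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | DER-encoded certificate
                [byte[]]$der = $raw[($sigPos + 16)..($sigPos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects += $cert.Subject
                $sigPos += $sigSize
            }
        }
        $pos += $listSize
    }
    return $subjects
}

# Subject CNs of the 2023 certificates that the DB and KEK should carry.
$expected = @{
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}
# Compare the active stores with the firmware defaults that a "reset to default" would restore.
foreach ($var in 'db', 'dbDefault', 'KEK', 'KEKDefault') {
    try { $subjects = Get-SecureBootCertSubjects -Name $var }
    catch { Write-Warning "$var could not be read: $_"; continue }
    $want = if ($var -like 'db*') { $expected.db } else { $expected.KEK }
    foreach ($cn in $want) {
        $status = if ($subjects -match [regex]::Escape($cn)) { 'present' } else { 'MISSING' }
        '{0,-11} {1,-38} {2}' -f $var, $cn, $status
    }
}
```

A row showing the CA present in db but MISSING in dbDefault is the condition described above: any reset to factory defaults will drop the 2023 certificates, so the firmware needs updating before relying on them.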

Exactly! Updating the BIOS is crucial. After that, make sure to reset the Secure Boot Keys within the BIOS to transfer the certificates from the default database to the active one. The L14 Gen 2 has a BIOS update available that includes the necessary certificates.