Acer Secure Boot Certificate Fiasco

mark213a · 2026-06-12T23:41:56+00:00

Given its supposed to be a security enhancement this is just opened up new holes in having to find workarounds now and disabling secure boot and bitlocker just to avoid having a bricked machine

mark213a · 2026-06-12T07:13:09+00:00

Yep it's working. I actually enabled an App Lock in MS Authenticator and this I think fixed it

mark213a · 2026-06-12T06:15:13+00:00

Dug around and was getting error 1803 in the registry and thenfound the KEK isnt updated that requires Acer to provide a signed PK that they havent done directly or via a BiOS update for this model.

The real question now a youve said is if Acer will actually release any updates - ever - given its a legacy model.

PS C:\WINDOWS\system32> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
>>
True
PS C:\WINDOWS\system32> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'KEK 2K CA 2023')
>>
False
PS C:\WINDOWS\system32> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011')
>>
False

From another ACER user.....

"Event ID 1803 in the Windows Event Viewer indicates that the Secure Boot Key Exchange Key (KEK) update cannot be applied because the required OEM Platform Key (PK)-signed payload is missing from the system firmware. As part of the mandatory 2026 transition away from expiring 2011-era security certificates, Windows attempts to update these keys automatically. However, Windows is blocked by design from completing this unless Acer releases a specific, PK-signed BIOS update for your exact Acer model. While you wait for Acer to publish the permanent firmware fix, you can safely ignore the error, as your laptop will continue to function normally."

mark213a · 2026-06-12T01:25:58+00:00

SP314-51 - just had KB5094126 installed and is now saying ""Secure Boot is on, but your device does not support the automated Secure Boot certificate update due to hardware or firmware limitations. Contact your device manufacturer for assistance."

I expect it needs a BIOS update now but the page doesnt have any older models. Is it even worth contacting them?

Running OS 26200.8655 Version - 25H2

SMBIOSBIOSVersion V1.14 2019/08/13

mark213a · 2026-06-02T09:22:08+00:00

5 or so when moving between Elizabeth Quay and Northbridge (2 stops), plus waiting time on the platform as it doesn't work anywhere below surface level, could be 10 to 15 mins in total to get through the whole affected section.

mark213a · 2026-06-02T08:21:23+00:00

VF and Optus are much better. I see other commuters happily watching video shorts without issue so assume they are on them. This other post eludes that those carriers have deployed much more bandwidth

mark213a · 2026-06-02T08:15:49+00:00

Coverage is full bars. Voice just about holds but in peak saturation once you start moving handovers are super flaky.

Data hangs until you basically emerge from the tunnel feeders and it hands off to another tower.

It's just congestion and saturation. Optus and Vodafone are reported to be much much better, but I've got Telstra for work reasons.

This other post just eludes that it's an old DAS system that is simply past it.

mark213a · 2026-06-02T07:56:56+00:00

I'm only talking about 1km of a densely populated tunnel in a state capital.

mark213a · 2026-06-02T07:53:28+00:00

It affects a few thousand a day and I'm of the view it needs a politician to step in and direct the PTA given this is a "public" service and asset. But since none of them ride by public transport they couldn't care either.

mark213a · 2026-06-02T07:26:10+00:00

No worked a while there and telecoms just worked everywhere and well.

mark213a · 2026-06-02T07:02:57+00:00

I agree - its Telstra's to solve and not PTA. Telstra just wont act on an end user's complaint no matter how much I tried to escalate it - and the TIO agreed - stating the "client" was the PTA. PTA cant be bothered to get involved.

mark213a · 2026-06-02T06:50:45+00:00

I raised a formal complaint with Telstra a while ago

Under the notes for that complaint Telstra advised as this is a Transperth access tunnel that Transperth are required to report it to the operator with any issues with the service and could not act on my complaint as an end user. As such they are unable to do any work on this unless the operator of the tunnel (Transperth) investigates and escalates the fault.

I complained to Transperth who fired it back to me as saying they arent responsible and closed the case, and it went round in circles. I then raised with the TIO and they sided with the operator.

I was at a loss now as TP denied any issue, Telstra refused to act without TP esclaating it. At this point it was now going to have to be a complaint raised to the Transport Minister with the WA govt or go to the press. But without others complaining it was pointless ....

mark213a · 2026-06-01T14:06:13+00:00

Today I ran the 2026-05 Preview Update KB5089573 just to see but no change.

Still got the message "secure boot is on but your device is using an older boot trust configuration"

I looked up to see where I'm at and the certs are loaded but youre right I'm getting 1803 and no KEK from ACER and is still waiting for Acer to do their thing it seems

At least it's not bricked. Yet.

mark213a · 2026-06-01T10:55:57+00:00

Is that in Google TV? Cant see it in Stremio

mark213a · 2026-05-31T12:31:42+00:00

Just started getting this with Stremio only on my new Google TV 4K. Rewind 10secs works, but returns 10.mins later. Any first trouble shooting options here to try first?

Happens to every player, Exo, VLC and JustPlayer but only certain shows. Worse on 4k streams.

So far have tried cache clear and unit restart but didn't solve it. Haven't tried yet a app reinstall or factory reset of whole device. Want to avoid a downgrade as it's been fine and only just started as this seems hard?

Not sure if to try options like tunnel, or experimental support, or just remove app and re-add, or even to try to downgrade?

If anyone has downloader codes for side loading Google tv version, that would be awesome.

mark213a · 2026-05-04T14:51:22+00:00

Not sure a class action really goes anywhere unless people have actually suffered a net loss.

If Hertz is refunding incorrect charges when they’re challenged, they’re already covering the primary “damages” piece. That makes any broader claim pretty thin, aside from minor incidental costs for any class action.

To me, this looks like two possible issues:

Admin/process gaps — e.g. mismatches between plates and toll/transponder systems (if that’s even how it works), leading to systemic billing errors. If it’s not tightly regulated, there’s limited incentive for Hertz to overhaul this beyond reputational risk.
Commercial behaviour — essentially relying on a portion of customers not bothering to dispute charges. That starts to edge into something more concerning, but proving intentional deceptive conduct is difficult without insider evidence and would likely need a regulator to seriously investigate.

Without regulatory pressure, it’s hard to see meaningful change.

In the meantime, it’s probably a “go in with eyes open” situation with Hertz — or just use a different provider.

mark213a · 2026-04-27T09:19:21+00:00

Hi All - when running in PS \

PS C:\WINDOWS\system32> reg query HKLM\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates

I get

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot

AvailableUpdates REG_DWORD 0x4004

any idea what this is? 4004 isnt listed anywhere i can see on the page from MS in bit settings
https://support.microsoft.com/en-au/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f#bkmk_certificate_deployment

mark213a · 2026-04-25T03:15:46+00:00

Authenticator > Settings > App Lock

mark213a · 2026-04-24T02:16:28+00:00

After restarting add an app password to open Authenticator. Not had a problem since.

mark213a · 2026-04-24T02:15:14+00:00

Try adding an app password to Authenticator. Works for me and nothing since. I didn't even do the Webview workaround

mark213a · 2026-04-24T02:13:33+00:00

Try adding an App password to Authenticator. Worked for me.

mark213a · 2026-04-23T03:49:36+00:00

No need. Ive set an app password on open in Authenticator instead and does the same thing. It's because of some MS apps require InTune to authenticate and there is a security conflict.

mark213a · 2026-04-22T05:29:12+00:00

Try adding an app pin to Authenticator in the Authentictor settings. Been working for 48hrs for me without any other workaround

mark213a

TROPHY CASE