FDE Missing UEFI SecureBoot certificate

[Roul Steigauf 1]

Hallo in die Runde,

wir haben inzwischen zwei HP-Geräte-Typen, bei welchen wir FDE nicht aktivieren können. Ein Gerät ist ein "HP Pro Mini 400 G9 Desktop PC" (Angabe aus ESET). Bei allen Versuchen auf allen Geräten haben wir im Status-Log einen gelben Status mit Scope "Compatibility" und dem Text "Missing UEFI SecureBoot certificate". Zudem beim Scope "Encryption" heißt es "Missing UEFI SecureBoot certificate" (Hardcopy anbei). Am Client kommt die Fehlermeldung "Fehler beim Starten der Verschlüsselung" (Hardcopy anbei), welche sagt, dass man im BIOS die externe Zertifizierungsstelle aktivieren soll (keine Ahnung wie) oder das Secure Boot deaktivieren soll (ebenfalls unklar wie). Im Log-File heißt es zum Schluss dann nur noch: "[inspector] [error] [3500] This system is not compatible with EFDE". Vor allem das o.g. Gerät ist komplett neu, getestet an zwei von zehn vorhandenen Kisten. Insgesamt an vier PCs mit dem gleichen Fehler, andere Geräte (rund 20 Stück) funktioniert problemfrei.

Hat jemand HP und kann mir sagen, was das Problem ist? 

Danke Euch.

 

Machine translation:

We now have two HP device types on which we cannot activate FDE. One device is an "HP Pro Mini 400 G9 Desktop PC" (information from ESET). In all attempts on all devices, we have a yellow status in the status log with the scope "Compatibility" and the text "Missing UEFI SecureBoot certificate". In addition, the scope "Encryption" says "Missing UEFI SecureBoot certificate" (hard copy attached). The client displays the error message "Error starting encryption" (hard copy attached), which says that you should activate the external certification authority in the BIOS (no idea how) or deactivate Secure Boot (also unclear how). At the end of the log file it just says: "[inspector] [error] [3500] This system is not compatible with EFDE". Above all, the above-mentioned device is completely new, tested on two of ten existing boxes. A total of four PCs have the same error, other devices (around 20) work without any problems.

Does anyone have HP and can tell me what the problem is?

[Kstainton 38]

Hi @Roul Steigauf,

You'll need to look for and enable something similar to "Allow Microsoft 3rd Party UEFI CA" on your HP machines. Here is a KB for reference as to what I am talking about:

https://support.eset.com/en/kb8389-enable-3rd-party-certificates-in-secure-boot-for-eset-endpoint-encryption-and-eset-full-disk-encryption

I think on HPs I have seen it called "Enable MS UEFI CA key" in the past under the Advanced -> Secure Boot Configuration settings in the BIOS. To access the BIOS, I believe on the majority of HPs you need to press F10 during the initial boot process.

Once this is enabled to allow MS 3rd Party UEFI CA, please re-attempt encryption.

Thank you,

Kieran

Edited September 13 by Kstainton

[Roul Steigauf 1]

Hello Kieran,

it's nice to be able to work with specialists. Thank you for the super-fast and extremely perfect response. I found the value ‘Enable MS UEFI CA key’ in the BIOS Setup (F10), Security, ‘Secure Boot Configuration’. After I activated it, everything works.
Thank you very much and have a nice weekend.

[Kstainton 38]

8 minutes ago, Roul Steigauf said:

Hello Kieran,

it's nice to be able to work with specialists. Thank you for the super-fast and extremely perfect response. I found the value ‘Enable MS UEFI CA key’ in the BIOS Setup (F10), Security, ‘Secure Boot Configuration’. After I activated it, everything works.
Thank you very much and have a nice weekend.

HI @Roul Steigauf,

No worries at all, glad to be of assistance and great to hear that it resolved your issue.

Have a great weekend.

Thank you,

Kieran