Share via

Surface Laptop 5 - Firmware/SMBIOS corruption (Secure Boot keys missing + wrong device identification)

Bruno 0 Reputation points
2026-06-15T18:24:46.8166667+00:00

Secure Boot cannot be enabled on this Surface Laptop 5. Error: "The system failed to update the Secure Boot certificate keyset" (both Microsoft Only and 3rd Party options fail).

Troubleshooting performed so far:

  1. Confirmed via PowerShell that SecureBootUEFI variables are completely missing (Confirm-SecureBootUEFI returns error 0xC0000100).
  2. Downloaded official Surface recovery image for this exact serial (0F0016923213FB) - Surface Laptop 5 13in i7/16/512, Windows 11 Pro 25H2.
  3. Performed full Bare Metal Recovery (BMR) via "Recover from a drive" / "Just remove my files" using the recovery USB.
  4. After BMR, Secure Boot error persists unchanged.
  5. Installed all Windows Updates including optional/driver updates (Surface UEFI firmware update via Windows Update).
  6. Tried official Surface Laptop 5 firmware MSI from microsoft.com/download/details.aspx?id=104679 - installer fails with "This hardware platform must be one of the following: Surface Laptop 5. Aborting this operation."
  7. Found root cause for #6: Win32_ComputerSystemProduct shows Name="OEMID Product", garbled Version string, and IdentifyingNumber=123123123 (incorrect serial), instead of correct Surface Laptop 5 / serial 0F0016923213FB.

Conclusion: This is UEFI/SMBIOS firmware-level corruption. Both Secure Boot certificate storage AND device identification (SMBIOS) appear wiped/corrupted at firmware level. Requires firmware reflash or hardware service.

Can anyone help, or has anyone else faced this issue?
Visualização de image.jpg

User's imageUser's image

Surface | Other
0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Lychee-Ng 21,585 Reputation points Microsoft External Staff Moderator
    2026-06-16T13:21:30.97+00:00

    Hi Bruno,

    Thanks for your detailed diagnostics and clear visual examples. It seems like your system no longer identifies itself as a valid Surface Laptop 5, which breaks firmware validation checks. If none of the software fixes work anymore, you suspicion on a firmware-level issue might be correct.

    If that's the case, the best next step at that point would be Surface service. The Support team can help determine whether this requires firmware reprogramming using internal tools, or a system board replacement (if the firmware storage is damaged). To contact Microsoft Support:

    1. Visit Contact Us – Microsoft Support and sign in.
    2. Type in your problem > click Get Help to make a request.
    3. Scroll to the bottom > click Contact Support to connect with an agent.
    4. Select the category again and continue > you should be added to a chat queue.

    Note: The support team operates only during certain hours. If the last window shows “unavailable,” try again the next day. If you prefer phone support, you can leave your number so they can call you directly.

    If you can’t reach Support or want to request repair immediately (if the device is still under warranty, or fee depends), refer to How to get service or repair for Surface – Microsoft Support. Here are the steps to make a service order:

    1. Sign in at account.microsoft.com/devices/select-device-for-repair.
    2. If your Surface isn’t registered, select Register device.
    3. If it is registered, choose it and click Next.
    4. Follow the instructions to finish.

    So if you have tried everything and still face the same issue, the best step for hardware issue is to proceed with official service. That way, the right tools and expertise can be applied to resolve the firmware problem.

    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Was this answer helpful?

  2. Greg F 0 Reputation points
    2026-06-16T13:04:52.9466667+00:00

    Hi Bruno,

    Between step 5 and 6, I would make sure you have this installed...

    https://support.microsoft.com/en-US/surface/updates/surface-laptop-5-update-history

    January 2026 updates

    January 26 release

    The following update is available for Surface Laptop 5 devices running Windows 11, Version 23H2 or greater.

    Improvements and fixes:

    Security:

    • Addresses potential security vulnerabilities that may allow denial of service, escalation of privilege, code execution, or information disclosure.
    • Reliability:
      • Prevents an issue with incorrect serial numbers and model names for the device.

    This release contains the following components. The specific components installed are based on your device’s configuration:

    Windows Update Name Device Manager
    Intel Driver Update (2540.8.7.0) Intel(R) Management Engine Interface #1 - System devices
    Intel Driver Update (2540.8.7.0) Intel(R) Management Engine Interface #1 - System devices
    Surface Driver Update (23.101.143.0) Surface UEFI - Firmware
    Surface Driver Update (1.40.2765.1) Surface ME - Firmware

    Hope this helps,

    Greg

    Was this answer helpful?

  3. AI answer

    2026-06-15T18:25:07.4833333+00:00

    The behavior described (SecureBootUEFI variables missing, Secure Boot certificate keyset update failing, and incorrect SMBIOS information so that Surface firmware MSI will not install) indicates a firmware/UEFI issue that cannot be corrected from within Windows or by using the Surface recovery image.

    Surface recovery images and bare‑metal recovery only reset Windows and BitLocker configuration on the drive. They do not rewrite the UEFI firmware, Secure Boot key databases (PK/KEK/DB/DBX), or SMBIOS tables. Similarly, the Surface firmware MSI checks the device identity (from SMBIOS) and will refuse to run when that identity is invalid, which matches the symptoms.

    For Secure Boot itself, Microsoft documents that:

    • Secure Boot requires valid PK/KEK/DB/DBX keys in firmware and a supported UEFI version for the specific Surface model.
    • When Secure Boot certificate updates fail due to firmware problems, the recommended next step is to work with the device OEM for a firmware update or repair, because the keys and variables are owned and applied by the firmware, not by Windows.

    Given that:

    1. SecureBootUEFI variables are missing and cannot be recreated from Windows.
    2. SMBIOS data (product name and serial) is corrupted so that the device is no longer recognized as a Surface Laptop 5 by the official firmware package.
    3. A full Surface recovery and all available Windows/Surface updates do not restore Secure Boot or correct the identity.

    This is consistent with a corrupted or misprogrammed UEFI firmware region that holds both Secure Boot key databases and SMBIOS data. There is no supported end‑user tool to reflash or repair that region on Surface devices.

    The only viable resolution path is hardware service so that the firmware and device identity can be reprogrammed or the system board replaced. Contact Microsoft Surface Support or the original point of purchase and provide the serial number and the details already collected (SecureBootUEFI error, incorrect Win32_ComputerSystemProduct data, and failure of the Surface Laptop 5 firmware MSI to detect the platform). They can determine whether the device is eligible for repair or replacement and perform the necessary firmware reprogramming.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.