
Secure Boot will not turn on

Nate Rohe 1 Reputation point
2026-03-17T15:38:42.81+00:00

I have a Surface Pro 9 that, when it's turned on, shows a red bar with an unlocked padlock at the top. I understand that is because Secure Boot isn't turned on. I boot into UEFI, go into the Security menu, and click on Change Configuration. I choose Microsoft only and click on OK. I get an error that says: "The system failed to update the Secure Boot certificate keyset." I have tried re-imaging the tablet with no luck and I'm not finding anything else online. Has anyone run into this and found a fix?

Surface | Surface Pro | Safety and security

2 answers

  1. Clary-N 9,850 Reputation points Microsoft External Staff Moderator
    2026-03-18T08:12:00.2133333+00:00

    Hi Nate Rohe,

    I understand how frustrating this situation is, especially since you’ve already spent time re‑imaging the device and trying to change the Secure Boot settings in UEFI.

    The red bar with the unlocked padlock means Secure Boot is currently turned off. In most cases, this can be re‑enabled directly from Surface UEFI by going to Security > Secure Boot > Change configuration and selecting Microsoft only. However, the message you’re seeing — “The system failed to update the Secure Boot certificate keyset” — tells us that the device isn’t able to update the Secure Boot keys at the firmware level.

    When this happens, reinstalling or resetting Windows usually doesn’t help, because Secure Boot is controlled by the device firmware rather than the operating system. If the firmware can’t update those keys, it’s not something that can be fixed from within Windows.

    As forum moderators, we appreciate your understanding that our access to internal development details is limited. Our primary role here is to help guide you toward the appropriate resources and support channels that can assist further.

    At this point, the best next step would be to reach out to Microsoft Surface Support so they can take a closer look at the device. You can also submit a repair request or visit an authorized Surface service provider for a further check and advice on repair options if needed.

    I hope your issue gets resolved quickly once the device is assessed.

    Thank you for your patience and understanding.

    Best regards.


  2. Q&A Assist
    2026-03-17T15:38:57.2066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The red bar with an unlocked padlock on Surface Pro 9 indicates that Secure Boot is turned off. On Surface devices, Secure Boot configuration (including certificate keysets) is managed in Surface UEFI, and the supported remediation is to re‑enable Secure Boot from UEFI. If that fails with a certificate keyset error, the issue cannot be fixed from Windows; firmware and keys must be corrected at the device level.

    For a Surface that shows this red bar, the supported steps are:

    1. Shut down the Surface completely and wait about 10 seconds.
    2. Press and hold the Volume Up button, then press and release the Power button.
    3. Keep holding Volume Up until the Surface UEFI screen appears.
    4. Go to Security.
    5. Under Secure Boot, select Change Configuration.
    6. Select a Secure Boot certificate keyset such as Microsoft only.
    7. Select Exit > Restart now to save and reboot.

    If these steps result in “The system failed to update the Secure Boot certificate keyset” and re‑imaging has not helped, this indicates a problem updating the Secure Boot keys in firmware. That cannot be repaired from the OS; the device must be serviced so the firmware and Secure Boot keys can be corrected.

    Use the Surface “won’t turn on or start” guidance to reach the specific “Red bar with an unlocked lock icon” article and follow the instructions to submit a service order to Microsoft if the on‑device UEFI steps do not succeed.


