Secure Boot Update failed

Hi, I'm a new Zorin (and Linux in general) user, just installed Zorin OS 17.3 Core a few days ago alongside my Windows 11 install and made the process of dual boot install in same drive and was getting used with all

I logged in today and got this notification saying something about Software Updates failed:

Then, when I went to the Updates tab in Software, I had this download & update saying the device cannot be used during the update

but after clicking download or update it just disappears from the Updates tab

and if I reboot I get the same error notification. Has anyone been through this and knows how to solve it?

1 Like

@AhavaLeaf has had the same issue. I did point to this askubuntu thread and wonder if the solution given there is of any import:

https://askubuntu.com/questions/1429678/impossible-to-update-uefi-dbx

2 Likes

There are a few rather sudden threads to pop up lately on this:

As you are now the third to appear in a short time, I sent an alert to the ZorinGroup regarding this issue as a package check may be necessary.

There are several things that can cause that generic error.
Secure Boot being disabled is one. I prefer it disabled, so my solution would just be to put a hold on the package.

Or you can remove the package if not using Secure Boot:

sudo apt remove secureboot-db

If you are using secure boot - so far, our normal methods of getting the package through like sudo fwupdmgr refresh --force do not seem to be working for many users.
Ubuntu Snap may be responsible (unconfirmed).

3 Likes

I tried the solution given there, but my case is a bit different: the 'shimx64.efi' file is not present in the '/boot/efi/EFI/Boot/' directory, only in '/boot/efi/EFI/ubuntu/', all with the date of when I installed Zorin :confused:

Just a note to say I have the same problem. Any advice would be appreciated.

I use Secure Boot because of my Windows 11 main install. I just updated my BIOS and disabled and re-enabled Secure Boot to see if it changed anything, but nothing.

Btw, I tried 'sudo fwupdmgr refresh --force' and got "Successfully downloaded new metadata: 1 local device supported", but nothing new either.

Is there anything to try related to Ubuntu Snap? Or is it better to just put the package on hold? (And how would I do this?)

Would be nice if the Zorin Group jumped in here and said something ...

2 Likes

I'm having the same issue -- update is failing for me after trying the same troubleshooting steps as above.

1 Like

It looks like this firmware update might have been getting stuck on your installation. To try and resolve this issue, please first install the latest updates from the Software Updater or by opening the Terminal (Ctrl+Alt+T) and entering these two commands:

sudo apt update
sudo apt dist-upgrade

After installing these updates, restart your computer before continuing.

Next, it should be possible to manually install this firmware update and clear the pending database afterwards – so this message shouldn't appear again – by opening the Terminal and entering these four commands:

sudo fwupdmgr refresh
sudo fwupdmgr get-updates
sudo fwupdmgr update

Afterwards, restart the computer to apply the changes. Next, open the Terminal again and enter this command:

sudo rm /var/lib/fwupd/pending.db

Finally, restart the computer once more to resolve the issue.

If this still didn't resolve the issue, could you please post the text output after running the four commands (directly above) in the Terminal? If possible, please also include the text output from the following command as well:

fwupdmgr get-devices

In addition, could you please let us know if you've made some prior modification(s) to Zorin OS after installing it to your computer? These modifications may include one or more of the following:

  • adding third-party software repositories to your system
  • manually editing any system files
  • executing unofficial scripts/commands

This information would help us to troubleshoot the issue.

4 Likes
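One way to confirm whether the dbx update from the steps above actually took effect after the reboot, as an added example that is not part of the original post or of Zorin's or fwupd's own tooling. It assumes the English field labels seen in this thread's output and that a successful update changes the dbx "Current version"; `dbx_field` and `dbx_verdict` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread): parse the text output of
# `fwupdmgr get-devices` / `get-history` to see if a dbx update took effect.

# dbx_field KEY: read fwupdmgr text on stdin and print the value of KEY from
# the "UEFI dbx" device section only (other devices carry the same labels).
dbx_field() {
    awk -v key="$1" '
        { sub(/[ \t\r]+$/, "") }             # drop trailing whitespace
        /UEFI dbx:$/ { in_dbx = 1; next }    # header line of the dbx device
        in_dbx && /:$/ { exit }              # next header line ends the section
        in_dbx {
            i = index($0, key ":")
            if (i) {
                v = substr($0, i + length(key) + 1)
                sub(/^[ \t]+/, "", v)
                print v
                exit
            }
        }'
}

# dbx_verdict BEFORE DEVICES_TEXT HISTORY_TEXT
# BEFORE is the dbx "Current version" noted before running the update
# (assumption: a successful update changes that value).
dbx_verdict() {
    now=$(printf '%s\n' "$2" | dbx_field "Current version")
    state=$(printf '%s\n' "$3" | dbx_field "Update State")
    error=$(printf '%s\n' "$3" | dbx_field "Update Error")
    if [ -z "$now" ]; then
        echo "unknown: no UEFI dbx device in output"
    elif [ "$now" != "$1" ]; then
        echo "applied: dbx $1 -> $now"
    elif [ "$state" = "Failed" ]; then
        echo "failed: dbx still $now ($error)"
    else
        echo "pending: dbx still $now (state: ${state:-none})"
    fi
}

# Constructed sample input, trimmed from the output posted in this thread.
DEVICES_SAMPLE=$(cat <<'EOF'
P2440UQ
├─System Firmware:
│ │   Current version:    803
│ │   Update State:       Success
│ └─UEFI dbx:
│       Current version:  466
│       Update State:     Needs reboot
└─Unifying Receiver:
      Current version:    RQR12.11_B0032
EOF
)
HISTORY_SAMPLE=$(cat <<'EOF'
P2440UQ
└─UEFI dbx:
  │   Previous version:   466
  │   Update State:       Failed
  │   Update Error:       failed to run update on reboot
  └─Secure Boot dbx:
        New version:      20241101
EOF
)

# Live use: dbx_verdict 466 "$(fwupdmgr get-devices)" "$(fwupdmgr get-history)"
dbx_verdict 466 "$DEVICES_SAMPLE" "$HISTORY_SAMPLE"
```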

Hi everyone,

I wasn't sure if I should start a whole new post (I noticed there were a few others), but I have the same exact issue with updating SecureBoot dbx. I also have outputs to provide. I hope it helps.

Manual system changes:

  • (Maybe most relevant?) I enrolled the Nvidia driver with mokutil (the Software Updater did get the driver though).
  • I disabled Wayland for all users to stop login screen glitchiness (using Xorg/X11 -- I don't know the difference).
  • To fix Intel display glitchiness when the mouse is in a certain y line on the screen, I set a startup Kernel cmd to:
    • intel_iommu=igfx_off
  • I made the swap file bigger 8GB I think.
  • I turned off Intel Turboboost in rc.local
    • "echo 1 > /sys/devices/system/cpu/intel_pstate/no_turbo"

I also have the exact same update failure situation on a Lenovo Legion 5 Pro, also with an Nvidia card I MOK enrolled, but here are the outputs on my ASUS.

Updated packages

I made sure that I had all of the updates from the Software Updater.

Trying to install it from the Software "Updates" menu:

On reboot, the Software "updates" menu says:
"Detailed errors from the package manager follow:
failed to build result for 362301da643102b9f38477387e2193e57abaa590"

The four terminal commands:

sudo fwupdmgr refresh --force
[sudo] password for username:
Updating lvfs
Downloading… [***************************************]
Downloading… [***************************************]
Successfully downloaded new metadata: 2 local devices supported

sudo fwupdmgr get-updates
[sudo] password for username:
Devices with no available firmware updates:
 • SD8SN8U512G1002
 • System Firmware
Devices with the latest available firmware version:
 • Unifying Receiver


Devices that were not updated correctly:

 • UEFI dbx (466 → 20241101)

Uploading firmware reports helps hardware vendors to quickly identify failing and successful updates on real devices.
Upload report now? (Requires internet connection) [Y|n]:
n # did y for this the first time

Do you want to disable this feature for future updates? [y|N]:
n
Declined upload

sudo fwupdmgr update
[sudo] password for username:
Devices with no available firmware updates:
 • SD8SN8U512G1002
 • System Firmware
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 466 to 20241101?                                       ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ An insecure version of Howyar's SysReturn software was added, due to a       ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating.         ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading… [***************************************]
Decompressing… [***************************************]
Decompressing… [***************************************]
Authenticating… [***************************************]
Authenticating… [***************************************]
Restarting device… [***************************************]
Writing… [***************************************]
Decompressing… [***************************************]
Writing… [***************************************]
Restarting device… [***************************************]
Waiting… [***************************************]
Successfully installed firmware
Devices with the latest available firmware version:
 • Unifying Receiver

An update requires a reboot to complete. Restart now? [y|N]: n # I did reboot after all four commands.

sudo rm /var/lib/fwupd/pending.db
[sudo] password for username:

# Rebooted, update still present (in Software) and not installed successfully.

Tried installing it (again) via Software updater, rebooted, got these outputs:

fwupdmgr get-devices
P2440UQ
│
├─SD8SN8U512G1002:
│     Device ID:          64ec4cd1e1c9565e79b00f4e7221b1c689b33e96
│     Summary:            ATA drive
│     Current version:    X4131002
│     Vendor:             SanDisk (ATA:0x15B7, OUI:001b44)
│     GUIDs:              17a85366-6316-503f-a203-624f1c655533
│                         d5aaa1ea-cb09-56e9-919a-5f1f3c94e577
│                         49cface8-ecaf-520e-9634-30df19a60a47
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│
├─System Firmware:
│ │   Device ID:          a45df35ac0e948ee180fe216a5f703f32dda163f
│ │   Summary:            UEFI ESRT device
│ │   Current version:    803
│ │   Minimum Version:    803
│ │   Vendor:             ASUSTeK COMPUTER INC. (DMI:ASUSTeK COMPUTER INC.)
│ │   Update State:       Success
│ │   GUIDs:              180bd2b6-7155-5cd1-8104-386e542c22b0
│ │                       230c8b18-8d9b-53ec-838b-6cfc0383493a
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Needs a reboot after installation
│ │                       • Device is usable for the duration of the update
│ │
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI revocation database
│       Current version:  466
│       Minimum Version:  466
│       Vendor:           UEFI:Linux Foundation
│       Install Duration: 1 second
│       Update State:     Needs reboot
│       Last modified:    2025-06-17 16:08
│       GUIDs:            6c9777b8-19f2-5e2c-9210-66ef3691a9f3
│                         c8749f7f-439b-5c3c-a2ea-3baacf663a5a
│                         c6682ade-b5ec-57c4-b687-676351208742
│                         f8ba2887-9411-5c36-9cee-88995bb39731
│                         7d5759e5-9aa0-5f0c-abd6-7439bb11b9f6
│                         0c7691e1-b6f2-5d71-bc9c-aabee364c916
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Only version upgrades are allowed
│                         • Signed Payload
│
└─Unifying Receiver:
      Device ID:          5859fae972cb36551b299175761b33d8e6e7ce02
      Summary:            Miniaturised USB wireless receiver
      Current version:    RQR12.11_B0032
      Bootloader Version: BOT01.04_B0016
      Vendor:             HIDRAW:0x046D|USB:0x046D
      Install Duration:   30 seconds
      GUIDs:              9d131a0c-a606-580f-8eda-80587250b8d6
                          fcf55bf5-767b-51ce-9c17-f6f538c4ee9f
                          279ed287-3607-549e-bacc-f873bb9838c4
      Device Flags:       • Updatable
                          • Supported on remote server
                          • Signed Payload

Bonus debug command

fwupdmgr get-history
P2440UQ
│
└─UEFI dbx:
  │   Device ID:          362301da643102b9f38477387e2193e57abaa590
  │   Previous version:   466
  │   Update State:       Failed
  │   Update Error:       failed to run update on reboot
  │   Last modified:      2025-06-17 16:24
  │   GUID:               6c9777b8-19f2-5e2c-9210-66ef3691a9f3
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │
  └─Secure Boot dbx:
        New version:      20241101
        Remote ID:        lvfs
        Release ID:       108324
        Summary:          UEFI Secure Boot Forbidden Signature Database
        Variant:          x64-compat
        License:          Proprietary
        Size:             23.3 kB
        Created:          2023-05-09
        Urgency:          High
        Vendor:           Linux Foundation
        Duration:         1 second
        Release Flags:    • Is upgrade
        Description:
        This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.

        An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.

*Edited for Markdown formatting and then to include the whole UEFI dbx id in Software output.

Thank you for your help,
ChronosJ

It unfortunately didn't resolve the problem...

here is the text output from the Terminal:

tempestas@tempestas:~$ sudo fwupdmgr refresh
Firmware metadata last refresh: 5 hours ago. Use --force to refresh again.
tempestas@tempestas:~$ sudo fwupdmgr get-updates
Devices with no available firmware updates: 
 • SA400S37240G
 • System Firmware
 • WD Green SN350 1TB 2G0C
 • WDC WD10EZEX-08WN4A0
System Product Name
│
└─UEFI dbx:
  │   Device ID:          362301da643102b9f38477387e2193e57abaa590
  │   Summary:            UEFI revocation database
  │   Current version:    482
  │   Minimum Version:    482
  │   Vendor:             UEFI:Linux Foundation
  │   Install Duration:   1 second
  │   GUID:               fda6234b-adcb-5105-8515-9af647d29775 ← UEFI\CRT_D7F66BE77CEF858C174BF4338A99263C8795B74E02026411F5F532F716AE3263
  │                       f8ff0d50-c757-5dc3-951a-39d86e16f419 ← UEFI\CRT_D7F66BE77CEF858C174BF4338A99263C8795B74E02026411F5F532F716AE3263&ARCH_X64
  │                       c6682ade-b5ec-57c4-b687-676351208742 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503
  │                       f8ba2887-9411-5c36-9cee-88995bb39731 ← UEFI\CRT_A1117F516A32CEFCBA3F2D1ACE10A87972FD6BBE8FE0D0B996E09E65D802A503&ARCH_X64
  │                       7d5759e5-9aa0-5f0c-abd6-7439bb11b9f6 ← UEFI\CRT_ED1FE72CB9CA31C9AF5B757AFCD733323D675825032E6CED7FE1AE9EB767998C
  │                       0c7691e1-b6f2-5d71-bc9c-aabee364c916 ← UEFI\CRT_ED1FE72CB9CA31C9AF5B757AFCD733323D675825032E6CED7FE1AE9EB767998C&ARCH_X64
  │   Device Flags:       • Internal device
  │                       • Updatable
  │                       • Supported on remote server
  │                       • Needs a reboot after installation
  │                       • Only version upgrades are allowed
  │                       • Signed Payload
  │ 
  └─Secure Boot dbx:
        New version:      20241101
        Remote ID:        lvfs
        Release ID:       108324
        Summary:          UEFI Secure Boot Forbidden Signature Database
        Variant:          x64-compat
        License:          Proprietary
        Size:             23,3 kB
        Created:          2023-05-09
        Urgency:          High
        Vendor:           Linux Foundation
        Duration:         1 second
        Release Flags:    • Is upgrade
        Description:      
        This updates the list of forbidden signatures (the "dbx") to the latest release from Microsoft.
        
        An insecure version of Howyar's SysReturn software was added, due to a security vulnerability that allowed an attacker to bypass UEFI Secure Boot.
      
tempestas@tempestas:~$ sudo fwupdmgr update
Devices with no available firmware updates: 
 • SA400S37240G
 • System Firmware
 • WD Green SN350 1TB 2G0C
 • WDC WD10EZEX-08WN4A0
╔══════════════════════════════════════════════════════════════════════════════╗
║ Upgrade UEFI dbx from 482 to 20241101?                                       ║
╠══════════════════════════════════════════════════════════════════════════════╣
║ This updates the list of forbidden signatures (the "dbx") to the latest      ║
║ release from Microsoft.                                                      ║
║                                                                              ║
║ An insecure version of Howyar's SysReturn software was added, due to a       ║
║ security vulnerability that allowed an attacker to bypass UEFI Secure Boot.  ║
║                                                                              ║
║ UEFI dbx and all connected devices may not be usable while updating.         ║
╚══════════════════════════════════════════════════════════════════════════════╝

Perform operation? [Y|n]: y
Downloading…             [***************************************]
Downloading…             [***************************************]
Descompactando…          [***************************************]
Descompactando…          [***************************************]
Authenticating…          [***************************************]
Authenticating…          [***************************************]
Reiniciando dispositivo… [***************************************]
Escrevendo…              [***************************************]
Descompactando…          [***************************************]
Escrevendo…              [***************************************]
Reiniciando dispositivo… [***************************************]
Waiting…                 [***************************************]
Successfully installed firmware

An update requires a reboot to complete. Restart now? [y|N]: Y

-- After restart --
tempestas@tempestas:~$ sudo rm /var/lib/fwupd/pending.db

tempestas@tempestas:~$ fwupdmgr get-devices
System Product Name
│
├─SA400S37240G:
│     Device ID:          f78273dfd86c017eb3fdac51ca76f149af4aa87f
│     Summary:            ATA drive
│     Current version:    S1Z40102
│     Vendor:             Kingston (ATA:0x2646, OUI:0026b7)
│     GUID:               003fe7f7-14d7-507d-824f-955ea6e6de3b
│                         2a76fab0-59b3-53a9-bdc6-7ba2cc24ee37
│                         5bfd3e07-4ee5-5934-85e6-7aa10b2eca42
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Needs shutdown after installation
│                         • Device is usable for the duration of the update
│   
├─System Firmware:
│ │   Device ID:          a45df35ac0e948ee180fe216a5f703f32dda163f
│ │   Summary:            UEFI ESRT device
│ │   Current version:    25138
│ │   Minimum Version:    25138
│ │   Vendor:             System manufacturer (DMI:American Megatrends Inc.)
│ │   Update State:       Success
│ │   GUID:               3fe9d65b-33df-520a-8b3d-26f4bd03d95c
│ │                       230c8b18-8d9b-53ec-838b-6cfc0383493a
│ │   Device Flags:       • Internal device
│ │                       • Updatable
│ │                       • System requires external power source
│ │                       • Needs a reboot after installation
│ │                       • Cryptographic hash verification is available
│ │                       • Device is usable for the duration of the update
│ │ 
│ └─UEFI dbx:
│       Device ID:        362301da643102b9f38477387e2193e57abaa590
│       Summary:          UEFI revocation database
│       Current version:  482
│       Minimum Version:  482
│       Vendor:           UEFI:Linux Foundation
│       Install Duration: 1 second
│       GUID:             fda6234b-adcb-5105-8515-9af647d29775
│                         f8ff0d50-c757-5dc3-951a-39d86e16f419
│                         c6682ade-b5ec-57c4-b687-676351208742
│                         f8ba2887-9411-5c36-9cee-88995bb39731
│                         7d5759e5-9aa0-5f0c-abd6-7439bb11b9f6
│                         0c7691e1-b6f2-5d71-bc9c-aabee364c916
│       Device Flags:     • Internal device
│                         • Updatable
│                         • Supported on remote server
│                         • Needs a reboot after installation
│                         • Only version upgrades are allowed
│                         • Signed Payload
│     
├─WD Green SN350 1TB 2G0C:
│     Device ID:          71b677ca0f1bc2c5b804fa1d59e52064ce589293
│     Summary:            NVM Express solid state drive
│     Current version:    236050WD
│     Vendor:             Sandisk Corp (NVME:0x15B7)
│     GUID:               4daa48a2-c867-5a38-90f0-2fd5b3448983
│                         6b413aa3-f2bc-5b93-a00e-bcaaf4302d99
│                         efbcd198-ce77-5411-9a0b-2e1c60489b09
│                         19d5cc18-116f-5f0b-9416-57ad849f2a19
│                         253fb641-2155-5022-a9d0-2cb8fc098b0f
│     Device Flags:       • Internal device
│                         • Updatable
│                         • System requires external power source
│                         • Needs a reboot after installation
│                         • Device is usable for the duration of the update
│   
└─WDC WD10EZEX-08WN4A0:
      Device ID:          8bc59085c6a4d0a629e09148bfbd2c177b4d0282
      Summary:            ATA drive
      Current version:    02.01A02
      Vendor:             Western Digital (ATA:0x101C, OUI:0014ee)
      GUID:               b6a0f81d-d8d3-5ed7-b087-4b89772cdf9c
                          34f24777-4d6c-52cb-8bf4-47be7f6174f1
                          f4983b7b-519b-5b7f-96c9-4e65679d668a
      Device Flags:       • Internal device
                          • Updatable
                          • System requires external power source
                          • Needs a reboot after installation
                          • Device is usable for the duration of the update
    
Ocioso…                  [***************************************]
Update failure is a known issue, visit this URL for more information: https://github.com/fwupd/fwupd/wiki/LVFS-Triaged-Issue:-Failed-to-run-update-on-reboot
Successfully uploaded 1 report

- The only software I installed outside the Software app was TeamViewer, with the .deb package from the official website.
- Didn't edit any files nor execute unofficial scripts or commands.
- Switched today from Wayland to X11 when I logged in.

Hi everyone,

I was looking at various pre-existing git issues, and I think the solution might be to have fwupd at a version of at least 1.9.4-2 (rather than 1.7.9).

Could that package be updated, or are there obvious incompatibilities?

Best,
ChronosJ

1 Like

This procedure seems to have worked on my old Dell Inspiron 15 5559 and my Dell Inspiron 5680 Tower. The only difference I noted was that after entering sudo fwupdmgr update, a prompt is returned that offers to install the update and restart (Y/N). I found it was best to say Y and let the computer restart before entering sudo rm /var/lib/fwupd/pending.db. One more restart cleared the "failed update message."

I appreciate your posting this fix, as it was really beginning to annoy me. Obviously, Zorin OS is great for new users moving from Windows, but if they encounter an error like this one and have to use the CL? Well, that could be a deal breaker.

Thanks again!

1 Like

In my well over a decade and a half on Windows OS, I not only had to use the CMD prompt, I had to pretty often.

Thank you for your help - I had the Secure Boot Update failed message too, and for me the commands you suggested worked just fine!

Thank you for the help. Worked perfectly on Dell XPS 9560. One thing. I was following instructions on a phone. It seemed to have failed. Then I realised that the final command did not display in full. Turned phone sideways and bingo. Thanks again.

I am getting the same issue and no matter what I try I can't fix this. I have tried quite a few different ways and none of them are fixing this issue.

@jbehling Did you add the ppa and try this solution (click on the title of the link)?

Is secure boot disabled in your BIOS settings?

Yes it is on. I need to look at my logs because I rebuilt the system. In the last set of logs I was failing with TPM errors. I will update with info here in a few.