diff --git a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c index 7a42d971e0..83d69899f7 100644 --- a/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c +++ b/SecurityPkg/VariableAuthenticated/RuntimeDxe/Variable.c @@ -58,7 +58,10 @@ BOOLEAN mEndOfDxe = FALSE; /// BOOLEAN mEnableLocking = TRUE; -/** +// +// It will record the current boot error flag before EndOfDxe. +// +VAR_ERROR_FLAG mCurrentBootVarErrFlag = VAR_ERROR_FLAG_NO_ERROR; SecureBoot Hook for auth variable update. @@ -579,6 +582,17 @@ RecordVarErrorFlag ( } ); + if (!mEndOfDxe) { + // + // Before EndOfDxe, just record the current boot variable error flag to local variable, + // and leave the variable error flag in NV flash as the last boot variable error flag. + // After EndOfDxe in InitializeVarErrorFlag (), the variable error flag in NV flash + // will be initialized to this local current boot variable error flag. + // + mCurrentBootVarErrFlag &= Flag; + return; + } + // // Record error flag (it should have be initialized). // @@ -637,7 +651,7 @@ InitializeVarErrorFlag ( return; } - Flag = VAR_ERROR_FLAG_NO_ERROR; + Flag = mCurrentBootVarErrFlag; DEBUG ((EFI_D_INFO, "Initialize variable error flag (%02x)\n", Flag)); Status = FindVariable (
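Review bot: As rendered here, the first hunk deletes the `/**` opener of the "SecureBoot Hook for auth variable update." comment and none of the four added lines restores it, which would leave that sentence outside any comment. The 7-to-10 line counts in the hunk header are consistent with one removal and four additions, so this may be real rather than a display artifact. If the page has not simply lost lines, the added block should end with a blank line followed by `/**`. The comment on the new global could also say that the value is later written to NV flash by InitializeVarErrorFlag (), since that is why it exists.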
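Review bot: `mCurrentBootVarErrFlag` is updated only inside the added `if (!mEndOfDxe)` branch, so after EndOfDxe the global no longer reflects errors that are written straight to NV flash. Per the added comment, InitializeVarErrorFlag () stores this global as the NV flag; if that function can run after a post-EndOfDxe record (the call order is not visible here), it would replace the stored flag with a stale value. Moving `mCurrentBootVarErrFlag &= Flag;` above the `if (!mEndOfDxe) {` line keeps the in-memory copy a superset of what is stored. The `&=` also assumes error flags are bit-cleared variants of VAR_ERROR_FLAG_NO_ERROR (the definitions are outside the diff), which deserves one line in the comment. RecordVarErrorFlag's body starts and ends outside the hunk.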
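Review bot: Errors recorded before EndOfDxe now reach NV flash only through `Flag = mCurrentBootVarErrFlag;`, so they are lost if the boot resets or never signals EndOfDxe. The `return;` just above, whose condition is outside the hunk, skips the write as well. A comment on the assignment would make that dependency explicit, for example `// Seed with the errors accumulated before EndOfDxe; VAR_ERROR_FLAG_NO_ERROR if none were recorded.` The function's header comment lies outside the hunk and probably needs the same update, because the function no longer always initializes the flag to "no error". Logging at a level above EFI_D_INFO when `Flag != VAR_ERROR_FLAG_NO_ERROR` would make a carried-over error easier to spot in boot logs.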