Did you manually update your Secure Boot Keys ?

gunrunnerjohn · Oct 3, 2025

FIREMEDIC2700 said:
thats what i said since he revoked the 2011 cert . and he has to do a clean install the only way he can boot is using a 2023 iso .

Well, the post showed the 2011 cert revoked, but you said...

FIREMEDIC2700 said:
The way your setup now is good . That will let you boot from either the 2011 or 2023 cert .
If you revoke the 2011 ca cert , and u have to do a clean install your system will not boot. As of right now they are no iso's with the 2023 cert .
You would have to manually edit the iso to the 2023 cert. when the time comes ms will prob remove it via windows update.

Like I say, past tense. The way the configuration was posted, the 2011 cert was already invalid. Since the boot was obviously working, one has to assume that the image being used has the 2023 Cert. Of course, we don't really have to assume, the post clearly showed that to be the case that Windows was booting using the 2023 Cert!

Margarita · Oct 3, 2025

@gunrunnerjohn Thank you very much. I believed I had done something wrong.

gunrunnerjohn · Oct 3, 2025

Margarita said:
@gunrunnerjohn Thank you very much. I believed I had done something wrong.

Looks OK from here. And the fact that you're booting from that configuration suggests you got it right. Secure Boot ON, and the 2011 cert revoked means if it's booting you must have the 2023 cert correctly installed. I cheated and used Mosby to do mine, but I got basically the same result.

FIREMEDIC2700 · Oct 3, 2025

same as mine with a few expections :
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
Disk 1: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

I am just going to wait and see if ms will remove the pca 2011 . the way mine is set up i can either use a 2011 or 2023 cert

Margarita · Oct 3, 2025

@gunrunnerjohn Thank you again, that was helpful

andyc56 · Oct 3, 2025

bikemanAMD said:
Oh ok excellent, checks that.

Not sure how i got the Option Rom 2023, all of a sudden it was there---unless came with last MSI UEFi bios update in July, waiting for 2 more to come out of beta, then will install that security related UEFI bios update, along with Agesa 1.2.0.3f version

I recently updated the BIOS of my MSI motherboard (2 machines, each with a B450M Bazooka mobo) to the Sept 23, 2025 BIOS version, and both of them showed the 2023 Option ROM cert afterwards when they didn't before.

Watch out for the MSI secure boot implementation though. Both of my machines with the 2011 cert revoked would still boot old bootable media created using the 2011 cert. My experience with that is summarized in this post. The medium tested was an unmodified Macrium rescue USB stick.

The long and short of it is this - This MSI motherboard (not sure about other models) has three secure boot states as follows:

"Secure Mode" Standard setting: Incorrectly boots media using the 2011 cert in "Secure Mode" even though that cert is revoked
"Secure Mode" Custom, "Hardware/OS Compatibility" setting: Incorrectly boots media using the 2011 cert in "Secure Mode" even though that cert is revoked
Secure Mode Custom: "Maximum Security" setting: Correctly fails to boot media using the 2011 cert in Secure Mode when that cert is revoked

Bottom line: With my MSI motherboard, it's necessary to enable "Custom, "Maximum Security" mode in the BIOS for correct secure boot functionality. See this article and its sequel about lax MSI secure boot implementations for some background on that.

FIREMEDIC2700 · Oct 3, 2025

a 2025 bios version ?

andyc56 · Oct 3, 2025

FIREMEDIC2700 said:
a 2025 bios version ?

If you're referring to my post, then yes, the BIOS I used to update my machine was from Sept. 23, 2025. See below.

gunrunnerjohn · Oct 3, 2025

andyc56 said:
If you're referring to my post, then yes, the BIOS I used to update my machine was from Sept. 23, 2025. See below.

From my brief research, the MSI "Hardware/OS Compatibility" it probably not the one to pick for true Secure Boot with 2023 only compatibility. It seems like that is almost like turning off Secure Boot.

gunrunnerjohn · Oct 3, 2025

Margarita said:
@gunrunnerjohn Thank you again, that was helpful

Glad to actually contribute to this thread, I'm usually sucking information out of it. :think:

Buddywh · Oct 6, 2025

Akeo said:
Bear in mind that, if you do that, then it means that you no longer want to use a PK that can't be hacked, but instead are happy with reverting to using a PK that you share with many, many other people...

That's a good point... and just an FYI.

I decided to update my MSI and Gigabyte motherboard BIOS' to their latest that were made available in September. Sure enough, they did add the Microsoft 2023 keys to KEK and DB.

But IN ADDITION to adding their own PK, which I expected, both Gigabyte and MSI doubled down by adding their own KEK and DB keys this time too. I don't know what all they intend for this but it sounds like they have created a back door that a clever hacker could easily and secretively use to do just about anything they wanted using their keys that will be inevitably "exfiltrated", as you put it.

I planned to before the update but re-running MOSBY seemed even more important after seeing this.

Buddywh · Oct 6, 2025

andyc56 said:
I recently updated the BIOS of my MSI motherboard (2 machines, each with a B450M Bazooka mobo) to the Sept 23, 2025 BIOS version, and both of them showed the 2023 Option ROM cert afterwards when they didn't before.

Watch out for the MSI secure boot implementation though. Both of my machines with the 2011 cert revoked would still boot old bootable media created using the 2011 cert. My experience with that is summarized in this post. The medium tested was an unmodified Macrium rescue USB stick.

The long and short of it is this - This MSI motherboard (not sure about other models) has three secure boot states as follows:

"Secure Mode" Standard setting: Incorrectly boots media using the 2011 cert in "Secure Mode" even though that cert is revoked
"Secure Mode" Custom, "Hardware/OS Compatibility" setting: Incorrectly boots media using the 2011 cert in "Secure Mode" even though that cert is revoked
Secure Mode Custom: "Maximum Security" setting: Correctly fails to boot media using the 2011 cert in Secure Mode when that cert is revoked

Bottom line: With my MSI motherboard, it's necessary to enable "Custom, "Maximum Security" mode in the BIOS for correct secure boot functionality. See this article and its sequel about lax MSI secure boot implementations for some background on that.

After reading this I updated BIOS on my MSI B450m Mortar. As you found, it did load up the 2023 keys as expected but I got another "gift" along with it. MSI put in their own KEK and DB keys, in addition to their PK key as before. I've no idea what they want to do now that they have complete chain of trust that doesn't rely on any Microsoft certificates. But it does seem to be something I wouldn't trust them to keep secure at any rate.

I am using MOSBY to create a unique PK and chain of trust using only Microsoft's SB keys, now with renewed concern. I'm not running anything of high interest to a hacker but I still don't want to get stuff planted on my computer to spy on my activities for a foreign power to profit from.

I've not revoked the 2011 certificate, I want to let Microsoft do that according to their schedule. I'm wondering if upon Microsoft entering the "enforcement phase" I'm going to have to do as you did to make sure it actually works.

gunrunnerjohn · Oct 6, 2025

Buddywh said:
I've not revoked the 2011 certificate, I want to let Microsoft do that according to their schedule.

Good thing you're not concerned about anyone hacking you're computer since you're leaving the door open.

Buddywh · Oct 6, 2025

gunrunnerjohn said:
Good thing you're not concerned about anyone hacking you're computer since you're leaving the door open.

Definitely not.

I've got total physical control of the computer behind lock and key, and it's not a laptop so never "travels", nobody but me uses it, not even WiFi networked. And I'm also not interesting enough that someone would want to take notice enough to dedicate the time and effort to crack into it anyway. I just don't like the idea of a drive-by dropping something on a system that might be way more wide open if they've managed to snag a compromised trust chain MSI's giving us.

KevTech · Oct 6, 2025

Revoking will happen automatically next year.

Did you manually update your Secure Boot Keys ?

You still have 9 months, Mosby takes less than 2 minutes flat and you will also learn something at the same time. I followed MS instructions and it took me maybe 2 minutes max without having to disable or put secure boot into setup mode. Everything you need can also be found in Microsoft github.

www.elevenforum.com

BrianInEngland · Oct 6, 2025

Buddywh said:
Definitely not.

I've got total physical control of the computer behind lock and key, and it's not a laptop so never "travels", nobody but me uses it. And I'm also not interesting enough that someone would want to take notice enough to dedicate the time and effort to crack into it anyway. I just don't like the idea of a drive-by dropping something on a system that might be way more wide open if they've managed to snag a compromised trust chain MSI's giving us.

Same here, desktop PC (weighing in at 30kg!)
I'm the only user
BIOS updates come direct from MSI
Software updates come from MS/vendor only
I don't click on any iffy sites or illegally stream content

I NEVER click on an email link unless I know who's sent it (MS Safelinks covers that as well)

Buddywh · Oct 6, 2025

KevTech said:
Revoking will happen automatically next year.

Did you manually update your Secure Boot Keys ?

You still have 9 months, Mosby takes less than 2 minutes flat and you will also learn something at the same time. I followed MS instructions and it took me maybe 2 minutes max without having to disable or put secure boot into setup mode. Everything you need can also be found in Microsoft github.

www.elevenforum.com

I'm curious how MS will enforce the "...no option to be disabled." part (at the very end) if something as simple as deleting all keys (in BIOS settings, done to put it in SETUP mode) will delete the DBX variable too? It did when I wanted to back out of revoking the 2011 certificate as I was experimenting at first.

Afterwords, restoring default keys gets you right back where you were but without the revoked key in DBX any more.

gunrunnerjohn · Oct 6, 2025

Buddywh said:
I'm curious how MS will enforce the "...no option to be disabled." part (at the very end) if something as simple as deleting all keys (in BIOS settings, done to put it in SETUP mode) will delete the DBX variable too? It did when I wanted to back out of revoking the 2011 certificate as I was experimenting at first.

Afterwords, restoring default keys gets you right back where you were but without the revoked key in DBX any more.

I believe MS is saying no option to refuse that update, not that you can't unwind it after the fact. Obviously, it's very easy to unwind it, just set your BIOS back to the Secure Boot defaults. If you have physical possession of the machine, no modification is possible to block.

Margarita · Oct 6, 2025

I am confused about those people who are taking the all steps and stopping at the revocation of the old cert “Windows Production CA 2011”, assuming that Microsoft will do so later.
Isn't Not doing revocation this certificate just as dangerous as doing nothing at all? Am I missing something?

Buddywh · Oct 6, 2025

Margarita said:
I am confused about those people who are taking the all steps and stopping at the revocation of the old cert “Windows Production CA 2011”, assuming that Microsoft will do so later.
Isn't Not doing revocation this certificate just as dangerous as doing nothing at all? Am I missing something?

In so far as I know, the reason for revoking trust in the 2011 key at all is to harden protection against one single threat which is BlackLotus. Not to downplay the threat it represents to corporate networks but what I've read is it needs physical access to the computer by a person with full admin rights to plant it. That makes it a fairly low to non-existent threat for a privately owned desktop computer located in a locked home and one single user who as access to it.

But once the 2011 cert's trust is revoked then any time Microsoft might need to do a security (or whatever) update that puts in place new secure boot binaries it can't validate signatures with it. I figure (or would hope) that the update fails, leaving me possibly more exposed to the security issues that prompted that update than I ever was to BlackLotus. Once Microsoft enters the phase where they are using only 2023 signed secure boot binaries I'll probably go ahead and revoke it; but then Microsoft probably will anyway about then, I don't know.

That's my reasoning. Others may have their own.

Did you manually update your Secure Boot Keys ?

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computers

Similar threads