Did you manually update your Secure Boot Keys ?

drminer · Oct 26, 2025

Thierry 83200 said:
Hello, this is what mine says, is it correct? Thank you.

Yes, you are all updated. Later, the 2011 certificate can be added to DBX, which revokes it. But it might be better to hold off until you are sure that all your external boot media have been updated. Revoking the 2011 certificate too soon breaks things! (Currently, it breaks the Windows version of Memtest and the Windows Secure Boot Recovery environment.)

Thierry 83200 · Oct 26, 2025

thank you very much

zbook · Oct 26, 2025

To check whether secure boot is or is not enabled see Option Three:

Check if Secure Boot is Enabled, Disabled, or Unsupported using PowerShell Command

Check if Secure Boot is Enabled, Disabled, or Unsupported in Windows 11

This tutorial will show you how to check if Secure Boot is currently enabled, disabled, or unsupported on your Windows 10 or Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the...

www.elevenforum.com

AK6DN · Oct 26, 2025

mort said:
Yes, I was concerned about that 0x4000 result on available updates. I ran these commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Now this is what I see:
View attachment 150461

Thank you

This page:

Secure Boot Certificate updates: Guidance for IT professionals and organizations - Microsoft Support

support.microsoft.com

describes what all the bits mean in the AvailableUpdates DWORD key in the registry.

mort · Oct 26, 2025

Thanks to everyone for sharing such helpful resources!

My main question now is: after using MOSBY, what happens if I reset the Secure Boot keys to their factory defaults?

Did whatever MOSBY wrote to the firmware become the new "factory defaults"?

Buddywh · Oct 26, 2025

mort said:
Thanks to everyone for sharing such helpful resources!

My main question now is: after using MOSBY, what happens if I reset the Secure Boot keys to their factory defaults?

Did whatever MOSBY wrote to the firmware become the new "factory defaults"?

The factory defaults remain factory defaults. Mosby's keys... and as well Microsoft's "pushed" keys... will be replaced by the defaults if you reset to defaults - or change from CUSTOM mode to STANDARD mode as I have found. If you have a recently updated BIOS installed it should reset to 2023 keys but if not it will reset to the 2011 default keys and no longer start up in secure boot until 2023 keys are recovered.

When you run MOSBY you should have created a USB drive that you can use to recover the MOSBY keys if you should ever reset to defaults. Keep that USB drive and run it again to recover the MOSBY keys, including the unique PK and signed KEK it generates.

For some good information about this go check Microsft's FAQ's concerning secure boot, linked below, jump to Q7. The result with MOSBY is no different, it just recovers differently since you use a MOSBY USB drive for it.

Frequently asked questions about the Secure Boot update process - Microsoft Support

support.microsoft.com

mort · Oct 26, 2025

Buddywh said:
When you run MOSBY you should have created a USB drive that you can use to recover the MOSBY keys if you should ever reset to defaults. Keep that USB drive and run it again to recover the MOSBY keys, including the unique PK it generates.

I'm familiar with and have successfully used the Microsoft recovery application (Q7), but I did not create this MOSBY recovery drive you have referenced. Could you please provide a link that has instructions for creating this recovery drive, as I think it's very important to have in my tool box !

manu198075 · Oct 26, 2025

Buddywh said:
The factory defaults remain factory defaults. Mosby's keys... and as well Microsoft's "pushed" keys... will be replaced by the defaults if you reset to defaults - or change from CUSTOM mode to STANDARD mode as I have found. If you have a recently updated BIOS installed it should reset to 2023 keys but if not it will reset to the 2011 default keys and no longer start up in secure boot until 2023 keys are recovered.

If you change from custom to standard, Secure boot keys won't get reset, provided you are on Gigabyte motherboards.

gunrunnerjohn · Oct 26, 2025

neves said:
Download the following (from upper right corner - 3rd option right to RAW):

Check-UEFISecureBootVariables/Check UEFI KEK, DB and DBX.ps1 at main · cjee21/Check-UEFISecureBootVariables

PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables. - cjee21/Check-UEFISecureBootVariables

github.com

Check-UEFISecureBootVariables/Check UEFI KEK, DB and DBX.cmd at main · cjee21/Check-UEFISecureBootVariables

PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables. - cjee21/Check-UEFISecureBootVariables

github.com

Copy both of them in C:/ partition and right click - open the Check UEFI KEK, DB and DBX.cmd file as Admin. Didn't give direct links - cause you should always check the content of a script - and this way - you can see the contents (and that it's a clean script - no external links to embed malware and such). You will get this:

As can be seen above - the Green Checked marks are Applied, the Red X-ed - are not. See what you have.

Hmm... Something wrong somewhere.

I get this with that script...

However, With a previous check script, all looks fine and I know that the 2011 cert is revoked as I tested that. Yes, everything is booting fine with Secure Boot enabled.

Buddywh · Oct 26, 2025

mort said:
I'm familiar with and have successfully used the Microsoft recovery application (Q7), but I did not create this MOSBY recovery drive you have referenced. Could you please provide a link that has instructions for creating this recovery drive, as I think it's very important to have in my tool box !

There are doubtless many ways, but I used RUFUS, v. 4.11 or later, to create a bootable USB; using UEFI Shell, ver. 2.2 option will also put MOSBY on that USB. Then follow MOSBY instructions: put your BIOS Secure Boot in SETUP MODE, disable Secure boot, boot into that USB drive, then run MOSBY.

If using the exact same USB drive you originally used to generate and populate your SB variables it will re-use keys originally installed, which is nice if you need to maintain a common PK across all your computers. But follow MOSBY instructions to know how this works and how to copy the signed keys to another MOSBY recovery USB if you update it.

Buddywh · Oct 26, 2025

@manu198075 : It seems obvious there are different behaviors across motherboard BIOS's, even amongst same MFR's. My Gigabyte board did reset to defaults when I changed from CUSTOM to STANDARD, and it's a fairly modern (AMD, B550m) motherboard.

Many of the experts have mentioned there are (sometimes major) inconsistencies with how closely MFR's adhere to the UEFI spec standards, this may just be another one of them. I understand that with many MSI boards it makes not a whit of a difference which keys you have installed since it starts up in SB regardless... UNLESS you flip a switch in BIOS Secure Boot options to enable "full security" or something similar. As installed, it's preset in an insecure mode which I'd have to think in violation of UEFI spec's.

manu198075 · Oct 26, 2025

Buddywh said:
@manu198075 : It seems obvious there are different behaviors across motherboard BIOS's, even amongst same MFR's. My Gigabyte board did reset to defaults when I changed from CUSTOM to STANDARD, and it's a fairly modern (AMD, B550m) motherboard.

I am on B760 (this is also a modern motherboard). Even in this board I am able to change from custom to standard. May be in your motherboard you may not be able to change.

Buddywh · Oct 26, 2025

manu198075 said:
I am on B760 (this is also a modern motherboard). Even in this board I am able to change from custom to standard. May be in your motherboard you may not be able to change.

Exactly: and for that reason alone no one should trust it will work that way for them unless they test it first. And even then a subsequent BIOS update might change behavior.

mort · Oct 26, 2025

Buddywh said:
I used RUFUS, v. 4.11 or later, to create a bootable USB; using UEFI Shell, ver. 2.2 option will also put MOSBY on that USB for you.

Then follow MOSBY instructions: put your BIOS Secure Boot in SETUP MODE, disable Secure boot, boot into that USB drive, then run MOSBY. If using the same exact USB drive you originally used to generate and populate you SB variables it will re-use all the keys originally installed if you want to maintain a common PK across all your computers.

Thank you very much for that information. If I understand correctly, this MOSBY recovery USB drive is the same MOSBY UEFI Shell drive I used to update the keys to begin with - it is not a new drive I have to create for recovery purposes. I did see three files that were generated around the time I ran the MOSBY update last night.

Hope I am on the right track as I would love to break it (reset to factory defaults) and fix it again LOL

Buddywh · Oct 26, 2025

mort said:
Thank you very much for that information. If I understand correctly, this MOSBY recovery USB drive is the same MOSBY UEFI Shell drive I used to update the keys to begin with - it is not a new drive I have to create for recovery purposes. I did see three files that were generated around the time I ran the MOSBY update last night.

View attachment 150480

Hope I am on the right track as I would love to break it (reset to factory defaults) and fix it again LOL

That's what I am using, I can't say that's the only way. But it is simple and I know how it works.

I think you can copy the MOSBY application files to any UEFI bootable USB disk though. So you can create your own recovery drive with any other EFI apps you want to have available on your own recovery drive.

I think those are the files needed to maintain a common PK across multiple systems, if you need that. Just keep them on the USB disk along with MOSBY and instead of generating a new PK and signing a new KEK it reuses those. It does spell this out better in the MOSBY readme.

OH YES... I forgot about BitLocker.

I have no idea what this does to a BitLocker encrypted drive. It might be a good idea to also save a copy of your bitlocker key on this recovery drive or another BL recovery drive so you can get back in to your system drive once you've recovered the SB keys. Someone with BL experience might chip in with this piece of it.

neves · Oct 26, 2025

gunrunnerjohn said:
Hmm... Something wrong somewhere.

Nah, it's not - you're covered for the 2023 mentioned in this topic (those too are shown - as can be seen in that screen you post it). But that check is more advanced - covering some of the latest releases covering more recent vulnerabilities:

Releases · microsoft/secureboot_objects

Secure boot objects recommended by Microsoft. Contribute to microsoft/secureboot_objects development by creating an account on GitHub.

github.com

v1.5.1 is actually from June - latest is v1.6.1 releases just 2 days ago - so they have to update the checker. This should be available/come with future BIOS updates - released by your OEM. If you have a system released more recently - OFC, if it's older... maybe if it's a Premium/Pro build - that too will get updated, if not... will stay vulnerable - like the majority. :) Microsoft made the 2023 Secure Boot Keys mandatory - for mid 2026, but the truth/reality is - most systems are actually widely vulnerable for all kinds of vulnerabilities - not yet patched by the OEMs (and "most" never will).

For example, even Intel has a publicly available tool: Intel® Converged Security and Management Engine Version Detection Tool (Intel® CSMEVDT) - which can detect if intel's firmware is patched for latest vulnerabilities concerning Intel's own Software/Hardware. But the majority don't even know about it. This too is up to the OEM to patch with a new IME Firmware release.

So hey, you're good for the mandatory keys and that one exploit - unless more are patched by your OEM (that is if your system is new or was rather premium/pro price wise - if released couple of years ago).

gunrunnerjohn · Oct 26, 2025

I guess I'm not getting that the script is showing me errors when I'm pretty sure that everything is Jake as far as the certs and Secure Boot.
My system is a home brew, it has the lastest BIOS from Gigabyte and what I believe is the latest firmware patches from Intel for the i5-14450.

drminer · Oct 27, 2025

I wish I had not gone ahead and revoked the Production PCA 2011 certificate. I now realize that any form of in-place repair will reinstall the older 2011-signed bootloader files into the EFI partition, and the system will not boot with Secure Boot enabled. So, if I have to do an in-place repair, I will have to disable Secure Boot first, and then the repair is complete, manually install copies of the 2023-signed bootloader into the EFI partition. This will all be fixed in June 2026. But in the meantime, I seem to have made my life more difficult. At least, I am protected from BlackLotus!

Steve C · Oct 27, 2025

How many people have screwed up their PCs following the above instructions? I'm waiting to see what is issued via Windows update.

manu198075 · Oct 27, 2025

Steve C said:
How many people have screwed up their PCs following the above instructions? I'm waiting to see what is issued via Windows update.

Anyone who follwed the instructions correctly will not get any problem. I am a system builder and I have added the certs to UEFI to my 2 desktops and 2 laptops. I have done this for many customers who wanted Windows 25 H2 with latest secure boot. Never faced any issues with different manufacturers/laptops/desktops. Anyone can follow the instruction from this link

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

Follow commands from 'Mitigation deployment guidelines' step 1 'Install the updated certificate definitions to the DB' and step 2 'Update the Boot Manager on your device'. A restart is required after each step. You can also do the step 3 'Enable the revocation' which will completely protect you from BlackLotus. But you may have to follow what is told by "@drminer" in the post #1258 in case of any in-place repair. You can also use Mosby an easy tool to do all these things. But for revocation you need to follow step 3 from 'Mitigation deployment guidelines'

Manu

Did you manually update your Secure Boot Keys ?

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

​

My Computers

Similar threads