Did you manually update your Secure Boot Keys ?

garlin · May 27, 2025

You should running the command from a CMD or Terminal window, as Admin. If you get a path error, add .\Check_EFIBootFile.ps1 to say the script is in the current folder you're in.

XxXxX · May 27, 2025

i had to install PowerShell preview on my wife's system to get this secure boot update to install.
as the old PowerShell just wouldn't do the upgrade.
i have no idea why?

best of luck, Steve ..

Tink009 · May 27, 2025

I checked my computer by running the check command first. It returned with a "False", so I ran the other two commands and now the Secure Boot keys are updated. I do run Bitlocker and had no problem updating. System restarted normally.

Levitate11 · May 27, 2025

starchase said:
running the script results in:
The argument 'Check_EFIBootFile.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter.

And running Check EFIBootFile.ps1 results in a display that disappears too fast to hit Ctrl-A then CTLR-C

Save the .ps1 file to your hard drive in a favorite directory e.g. c:\temp
Run a Powershell as Administrator (or start a command window and use the drop down menu and Ctrl-Click)\ to start an Admin Powershelll window)
At the prompt: c:\> cd c:\temp <enter>
At the Powershell prompt: c:\temp> Unblock-File Check_EFIBootFile.ps1 <enter>
At the Powershell prompt: c:\temp> Check_EFIBootFile.ps1 <enter>

That should get you the output

Levitate11 · May 27, 2025

garlin said:
The steps to protect W10 systems are identical to W11, the newer boot files are already available from the current Monthly Updates.

Because W10 22H2 will enter End-of-Life for consumer Windows on Oct. 2025, it's not clear whether MS will force an update before then, or expect users to perform the mitigation as a voluntary procedure.

The script posted above will report what certificates are present in the DB (allowed) and DBX (banned) lists.

Ideally, you will have both CA 2011 & CA 2023 as added (both boot files allowed), and DBX may or may not have CA 2011 banned. Not banning CA 2011 doesn't impact Windows, as long as you have both certificates for DB. It just means your system is still vulnerable to an UEFI attack.

@garlin : Here's my output:


EFI DB Certificates
-------------------
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023
    Microsoft Corporation UEFI CA 2011
    Microsoft UEFI CA 2023

So, the fact that they installed in the 2011 certificate before they installed the 2023 certificate means that I'm still vulnerable to the BlackLotus hack around Secure Boot?

garlin · May 27, 2025

The reported order doesn't matter. When you try booting from a device (HDD, SSD, USB, DVD or PXE), the BIOS examines the signing cert and checks if it's found on the DB list, BUT NOT BANNED on the DBX list. It's not scanned in any particular order, but does the UEFI have a matching cert or not.

Levitate11 · May 27, 2025

garlin said:
The reported order doesn't matter. When you try booting from a device (HDD, SSD, USB, DVD or PXE), the BIOS examines the signing cert and checks if it's found on the DB list, BUT NOT BANNED on the DBX list. It's not scanned in any particular order, but does the UEFI have a matching cert or not.

But just to clarify for my simple minded brain... if MS (or the hardware manufacturer) has not placed our 2011 certificates in the DBX, and has not removed them from the DB list, Black Lotus can still walk right in, correct?

If true, it seems like MS is only worrying that everyone will be able to boot. But they're not making us more secure. Seems shortsighted on their part since the hacks are already out there.

garlin · May 27, 2025

Black Lotus can attack any PC which allows the CA 2011 certificate to work. For the most part you don't delete an existing cert from the DB list, you just ban it from the DBX list.

MS thought they were ready to move forward and automatically do this last year, but enough important players out there complained. They've signaled this Fall is the new target date, but it can be delayed until Oct. 2026, when the CA 2011 would have expired ANY WAY.

Which means you need to complete this before Oct. 2026 or none of your PC's will boot (without turning off Secure Boot mode).

Levitate11 · May 27, 2025

garlin said:
Black Lotus can attack any PC which allows the CA 2011 certificate to work. For the most part you don't delete an existing cert from the DB list, you just ban it from the DBX list.

MS thought they were ready to move forward and automatically do this last year, but enough important players out there complained. They've signaled this Fall is the new target date, but it can be delayed until Oct. 2026, when the CA 2011 would have expired ANY WAY.

Which means you need to complete this before Oct. 2026 or none of your PC's will boot (without turning off Secure Boot mode).

Thanks. My PC is new... post the creation of the 2023 certificate... and yet MS still included the 2011 certificate.

Do the certificates have a start date? Are the 2023 certificates valid now? Could they have left out the old certificate?

garlin · May 27, 2025

The start date is included in the certificate's name. A certificate's end date is determined the Certificate Authority which issued it. CA 2011 has a 15-year lifetime so it expires on 2011 + 15 = 2026. They could have picked any number of years, but 15 years seemed like a good length for a HW-based cert to minimize the number of UEFI updates.

Nobody anticipated Black Lotus, which set off a panic because of the chain reaction that had to happen afterwards.

If you bought a PC with only a CA 2023 cert then you can't run W7 or W8 with Secure Boot enabled. Because they're signed with the CA 2011, and hacking the boot file back into W7 or W8 isn't officially supported. So it doesn't make sense not to include it.

The PC maker isn't responsible for blocking CA 2011, because once they do that it, you can't easily undo the change. Would you buy a PC sold that way? It's more secure, but you don't have the option of running a legacy OS.

Scott · May 28, 2025

garlin said:
For the most part you don't delete an existing cert from the DB list, you just ban it from the DBX list.

What's the difference between UEFI CA 2011 and PCA 2011. Only PCA 2011 has been banned on my computer.

garlin · May 28, 2025

- UEFI CA 2011 is used to sign 3rd-party UEFI modules
- UEFI Production PCA 2011 is used to sign the Windows boot file

Normally the UEFI module & boot file certs are installed as a pair. Thus you have two CA 2023 certs.

The DB list of certs are always appended to, they're not deleted (that's how the UEFI org wants it done). Your PC has revoked the CA 2011, and that's confirmed in the last line that the old boot manager is no longer trusted. You're done with changes.

If Windows begins the mandatory steps later this year, your PC will skip them since all the conditions are met.

suatcini54 · May 28, 2025

garlin said:
Run this PowerShell script as Admin:

Code:

powershell -nop -ep bypass -f Check_EFIBootFile.ps1

The script will report which CA certificates have been added to the DB & DBX lists, and which boot file you currently have installed for the system drive.

Hi garlin,

Thanks for heads-up.

I ran the .ps1 script you provided and it returned the result in the below screenshot. EFI DBX Certificates section is empty. I think it is because I have not yet revoked the CA 2011 certificate.

suatcini54 · May 28, 2025

I am now at the SVN update to the firmware phase. Since it is regarded optional by the MS documentation How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support I think I will skip it for now because I am not clear about what that update does to the PC.

suatcini54 · May 28, 2025

Tink009 said:
I checked my computer by running the check command first. It returned with a "False", so I ran the other two commands and now the Secure Boot keys are updated. I do run Bitlocker and had no problem updating. System restarted normally.

Hi.

By executing the two commands, you updated the certificate on your Windows installation. But it seems your PC still boots on the older CA 2011 certificate.

If you do certificate updates on other areas and revoke the older certificate, you may need your Bitlocker key. After you revoke the CA 2011, your PC will attempt to boot on CA 2023. Then you may need your Bitlocker key. And unless you revoke the old certificate, you are still vulnerable.

Hope this helps.

starchase · May 28, 2025

garlin said:
You should running the command from a CMD or Terminal window, as Admin. If you get a path error, add .\Check_EFIBootFile.ps1 to say the script is in the current folder you're in.

Thanks, I'll check this later this AM when I can get to the PC.

starchase · May 28, 2025

garlin said:
You should running the command from a CMD or Terminal window, as Admin. If you get a path error, add .\Check_EFIBootFile.ps1 to say the script is in the current folder you're in.

Thanks Garlin. Adding the path worked and I see that I do have Secure Boot and it is enabled, though I cn't see from the BIOS where its Enable/Disable switch is located. Thanks for the script!

Code:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\Users\theislands\Downloads\Check_EFIBootFile.ps1
Secure Boot: ENABLED

EFI DB Certificates
-------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011

EFI DBX Certificates
--------------------

AvailableUpdates: 0x0
---------------------

EFI Files
---------
Boot Manager [Microsoft Windows Production PCA 2011] on Disk 0 is allowed.

PS C:\WINDOWS\system32>

Sheikh · Tuesday at 1:24 AM

suatcini54 said:
Hi.
Current Microsoft Secure Boot Keys will expire in 2026. Therefore, it may be advisable to update the keys manually in advance.
Hope you find this post helpful.

Hi there
Thank you.
This solved my problem whenever I tried to install windows from UUPDump. I had to disable secure boot before installation :)

Sheikh · Tuesday at 1:25 AM

Can anyone convert these commands to cmd?

garlin · Tuesday at 2:14 AM

Sheikh said:
Hi there
Thank you.
This solved my problem whenever I tried to install windows from UUPDump. I had to disable secure boot before installation :)

ConvertConfig.ini -> UpdtBootFiles=1

Did you manually update your Secure Boot Keys ?

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Similar threads