Did you manually update your Secure Boot Keys ?

starchase · Jul 11, 2025

Cameraman1955 said:
This is the output of my laptop, I think I am ok now, thanks for the script @garlin

View attachment 138911

Did I misunderstand something way back in this thread - I thought that if the DBX doesn't state that the 2011 cert is disallowed that the system is still vulnerable?

garlin · Jul 11, 2025

This is a multiple step process.
1. Add the CA 2023 cert to DB (whitelist) to allow newer versions of boot files to work.
2. Switch to newer boot files in Window system.
3. Add the CA 2011 cert to DBX (blacklist) to disable older versions of boot file.

When you're at step 1, both old and new boot files are allowed. But you shouldn't disable CA 2011 until Windows has switched its own boot files over, otherwise the system isn't allowed to boot with Secure Boot enabled.

Canceling CA 2011 will prevent the known Black Lotus variants from running since they're signed using CA 2011. The point is to avoid bricking the system when you skipped one of the steps, or it didn't work correctly.

gunrunnerjohn · Jul 11, 2025

garlin said:
Canceling CA 2011 will prevent the known Black Lotus variants from running since they're signed using CA 2011. The point is to avoid bricking the system when you skipped one of the steps, or it didn't work correctly.

So, if I disable both of the 2011 versions, I should still be able to boot Windows or my USB recovery drives? I'm missing the Microsoft certificate for 2023.

EFI DB Certificates
-------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023

garlin · Jul 11, 2025

Any bootable drives (ISO or USB Recovery) created before this time will need to have replacement boot files copied to them. If you have the newer boot files installed on Windows, then make a new Macrium Recovery USB.

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

gunrunnerjohn · Jul 11, 2025

I have the new 2023 Windows certificate installed, but not the Microsoft 2023 certificate. I guess if I run into trouble with booting one of my recovery drives, I can always disable secure boot for the process.

AncientParadise · Jul 11, 2025

Do we need to have the newest version of the BIOS? If I don't have the newest version of the BIOS, would that cause a problem when Microsoft tries to automatically activate the new certificates with a future update?

Imagine that someone intentionally uses a version of the BIOS that is slightly older than the newest version, because people with the same computer have reported an unintended problem caused by the newest version. Would that ruin the process of adding the new certificates?

Is Microsoft's automatic testing of old models of computers (before the gradual roll-out) NOT reliant on a specific version of the BIOS that was tested? As long as the BIOS supports Secure Boot and UEFI, will the process be fine?

gunrunnerjohn · Jul 11, 2025

If this process is somewhat confusing for people that are actually reasonably computer proficient, what in the world with the tens of millions of unwashed masses going to do about this issue???

garlin · Jul 11, 2025

I don't know how many times it bears repeating, we're in the "opt in" stage. MS has to work with different OEM's to make sure the process works for as many PC's as they can cover. MS has provided the roadmap and framework for how it's supposed to be done, but your PC vendor is involved in this process.

Some of them will release newer BIOS updates which may include the certs & keys.
Others will test MS's method and see if it works. They have less than half a year left to iron out all the wrinkles.

AncientParadise · Jul 11, 2025

You didn't need to repeat it even once, because I haven't forgotten the previous time you've mentioned we're in the opt-in stage. My question about the installed version of the BIOS seemed unrelated to the fact that we're in the opt-in stage (regarding the activation of the new certificates), but your new message contains new information (the possibility of a new BIOS version being provided by the manufacturer of a very old computer), so I am thankful to you.

pseymour · Jul 11, 2025

It's entirely possible garlin was replying to the message immediately preceding his, regarding the people who don't take showers apparently.

gunrunnerjohn · Jul 11, 2025

pseymour said:
It's entirely possible garlin was replying to the message immediately preceding his, regarding the people who don't take showers apparently.

Lots of them in the world.

TairikuOkami · Jul 11, 2025

AncientParadise said:
Do we need to have the newest version of the BIOS?

Need, no, could use, yes. Latest BIOS/drivers updates fix security and features issues.
Latest AMD update fixes TPM vulnerability, not reversible, unless BIOS flashbios is used.

AMD Releases AGESA ComboAM5 1.2.0.3e to Patch fTPM Vulnerability

AMD began rolling out its latest AGESA ComboAM5 microcode for Socket AM5 platforms, as confirmed by an ASUS BIOS update for its ROG Crosshair X870E Hero motherboard. The company will likely get motherboard vendors and prebuilt OEMs to release BIOS updates with the new AGESA 1.2.0.3e microcode...

www.techpowerup.com

cheaterslick · Jul 11, 2025

lol ...

- well, speak of the devil...

July 8, 2025—KB5062554 (OS Builds 19044.6093 and 19045.6093) - Microsoft Support

Well that one is for Windows 10 22H2. That just came in, so....

I guess AI was reading my mind, huh?

garlin · Jul 11, 2025

pseymour said:
It's entirely possible garlin was replying to the message immediately preceding his

Thanks.

Two things can happen at the same time:
1. You can be composing a reply to a specific comment or user, and someone else posts an unrelated comment before you get a chance to submit.
2. Some folks just dive straight to the end, because they hate reading a long thread from the start.

If I sound impatient, it's usually directed at someone who I've been directly answering for a while. And they're still not convinced.

gunrunnerjohn · Jul 11, 2025

garlin said:
Thanks.

Two things can happen at the same time:
1. You can be composing a reply to a specific comment or user, and someone else posts an unrelated comment before you get a chance to submit.
2. Some folks just dive straight to the end, because they hate reading a long thread from the start.

If I sound impatient, it's usually directed at someone who I've been directly answering for a while. And they're still not convinced.

Maybe you should quote a little of the message so we know who you're slapping around.

garlin · Jul 11, 2025

gunrunnerjohn said:
Maybe you should quote a little of the message so we know who you're slapping around.

You're the one who types too fast to keep up with.

pseymour · Jul 11, 2025

If I sound impatient, it's usually directed at someone who I've been directly answering for a while. And they're still not convinced.

If I sound impatient, it's because I'm impatient.

glasskuter · 2025-07-17T11:03:49-0400

pseymour said:
It's entirely possible garlin was replying to the message immediately preceding his, regarding the people who don't take showers apparently.

Everybody in Texas knows bath day ain't until Satitidy so guess I'm one of the stinky-est folks here.

garlin said:
Some of them will release newer BIOS updates which may include the certs & keys.

Dell must be one of the OEMs actively working to address these CVEs in a timely manner to get these certificates out to the masses. I have had 31 bios updates from Dell since I bought this PC in 7/2020, 15 of them since 2023 and all addressing CVEs.

While I do understand what will happen IF Black Lotus strikes me and it's possible I am sitting on a timebomb, I have chosen to keep secure boot off..
But that's just me. Sure, my system could be compromised, and I do understand the ramifications of what will happen if it is, but IMO Black Lotus hackers are more interested in corporate environments where they can do the most damage, especially if they can access that corporate network (and I believe MS and the OEMs are dealing with this so strongly mainly for the sake of corporate users)

It is my understanding hackers need remote administrative privileges on a target machine or physical access to the device. They are SOL when it comes to me. If I am wrong about that, please correct me.

bikemanAMD · 2025-07-17T11:47:47-0400

Re Checked mine since i had to turn off Secure Boot briefly to get the Samsung to update Firmware on my Samsung 990 Pro 2TB NVMe to install a few days ago

Think mine still looks to be correctly all set as far as i know, unless there is something else i need to do or missed on my Windows 11 Desktop

garlin · 2025-07-17T11:53:58-0400

glasskuter said:
It is my understanding hackers need remote administrative privileges on a target machine or physical access to the device. They are SOL when it comes to me. If I am wrong about that, please correct me.

Hackers use chained attacks to increase their footprint on your system. First, they convince you to browse some fake website that looks very real or to open a file (image, PDF, doc, etc.) that has a small exploit. Now running as you, the first-level hack downloads another software from a remote site. This next app tries a different set of exploits. Hopefully one of them will grant them system privileges.

You're thinking: Fine, I will wipe the system and re-install from scratch. And not restore from backups, because your backup could be already infected and maybe you don't know how far back in time. A higher class of hacker can infect your UEFI with persistent code, making it easier for them to return the next time and automatically be trusted.

As a matter of probability, the crowds of no-name users are not targeted. But you don't know if you'll get ensnared. It's like whether to buy insurance. If you're fortunate in life, maybe you don't really insurance. Then one day you're unlucky and unprepared.

If the preventative action on your part isn't too costly, then just do it.

Did you manually update your Secure Boot Keys ?

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Member

My Computer

who wants pizza?

My Computer

Well-known member

My Computers

Microsoft 365 Basic

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

who wants pizza?

My Computer

aka Mama Glass

My Computers

Well-known member

My Computers

Well-known member

My Computer

Similar threads