Did you manually update your Secure Boot Keys ?

antspants · Sep 14, 2025

Not sure why my output looks different to everyone else's after running @Sheikh's script. ~~Especially where it's referenced as EFI not~~ ~~UEFI~~

So EFI preceded UEFI. I get it. I get that I am also probably out of luck.

Powershell:

PS C:\Users\XXXXX> powershell -nop -ep bypass -f C:\Check_EFIBootFileUpdated.ps1
Secure Boot: DISABLED

EFI DB Certificates
-------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023

EFI KEK Certificates
--------------------
    Microsoft Corporation KEK CA 2011

EFI DBX Certificates
--------------------

AvailableUpdates: 0x40
----------------------
    Install the updated certificate definitions to the DB.
Mount the EFI partition to label X:
Validate that X:\EFI\Microsoft\Boot\bootmgfw.efi file is signed by the Microsoft Windows Production PCA 2011 certificate!
Unmount X: EFI partition!

EFI Files
---------
Boot Manager [Microsoft Windows Production PCA 2011] on Disk  is allowed.

garlin · Sep 14, 2025

antspants said:
Not sure why my output looks different to everyone else's after running @Sheikh's script. ~~Especially where it's referenced as EFI not~~ ~~UEFI~~

That's @uncyler825's bootleg version. I updated my script to say UEFI certs, since it's more accurate.

RJARRRPCGP · Sep 14, 2025

FFS! My ASRock B550 PG Velocita BIOS booting is slow! My Asus ROG Strix B550-F Gaming is a lot faster! I just updated that BIOS, and there's a 2025 that's not marked as a beta.

Finally!

Code:

PS C:\chkuefi> .\Check_EFIBootFile.ps1
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 0: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.
PS C:\chkuefi>

I was able to see it on a USB stick and was able to boot without being forced to clear CMOS, even when I selected the "Custom" preset.
That failure to boot problem, where the BIOS don't boot at all, is a known problem with the ASRock B550 PG Velocita.
Is it still F-ed up? I don't see a new PCA.

garlin · Sep 14, 2025

If you're having problems, go back into BIOS and delete the KEK cert. There's binary KEK files written specifically for the ASRock, but I wouldn't just randomly apply them since it might be a bad thing. ASUS is the one supposed to be providing guidance.

antspants · Sep 14, 2025

I pity any new member or member that isn’t very clued in on this (me) coming across this thread. It’s a total cluster duck

RJARRRPCGP · Sep 14, 2025

garlin said:
ASUS is the one supposed to be providing guidance.

The Asus seems very polished!

starchase · Sep 14, 2025

garlin said:
@bikemanAMD is done with CA 2023 migrations. Congrats!

@starchase and @RJARRRPCGP are halfway thru the process. They've entrusted CA 2023, but haven't banned CA 2011. But this is exactly where MS expects most users to be.

Some users will receive a "Microsoft KEK 2K CA 2023" certificate from a recent BIOS update.

Some users won't, because their vendor has abandoned their PC or motherboard model. You can manually add the Microsoft CA 2023 KEK, but generally its better if your vendor provides it.

@garlin Thanks for this post. I've read all the comments up to post #364. Concerning your post above, Garlin, I suppose that since I'm half way there that will be the farthest my machine will get, since HP won't be issuing an updated BIOS since the laptop is way out of date - 2016, and I'm thinking that if Microsoft does attempt to infuse all these changes in a Windows Update that it will bypass my machine. I don't think I'll make the effort to install the new KEK 2023 using the github download you've graciously posted, I'll just turn off secure boot for that machine, since I'm comfortable sitting behind a router and practice safe-hex.

garlin · Sep 14, 2025

RJARRRPCGP said:
Is it still F-ed up? I don't see a new PCA.

There's two CA 2023 certs. "Windows" obviously signs Windows images, the "Microsoft" version is for trusted non-MS parties to sign their images (like Linux distros).

RJARRRPCGP · Sep 14, 2025

garlin said:
There's two CA 2023 certs. "Windows" obviously signs Windows images, the "Microsoft" version is for trusted non-MS parties to sign their images (like Linux distros).

This was the best I got so far. Why was there another option called install as a variable or something like that? When I was in the BIOS. I chose the other option, and it reported success. The BIOS on the ASRock B550 PG Velocita, can be difficult, even for PC users who are not PC noobs!

garlin · Sep 14, 2025

No the "Microsoft UEFI CA 2023" is yet another file. Normally the update process is supposed to install these certs, and you don't need to do anything except set reg keys, run a scheduled task and reboot a few times.

antspants · Sep 14, 2025

I think I'm digging myself a hole. Output text:

Code:

Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 4: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.

bo elam · Sep 15, 2025

garlin said:
It's a PowerShell script, and for security reasons Windows doesn't allow you to double-click PS scripts to run.

You can open an Administrator's CMD or PowerShell session. To run the script, and save the output into a text file:

From Powershell (as Admin):

Code:

\path\to\save\folder\Check_EFIBootFile.ps1 > C:\Users\BoElam\Desktop\output.txt

From CMD (as Admin):

Code:

powershell -ep bypass -f \path\to\save\folder\Check_EFIBootFile.ps1 > C:\Users\BoElam\Desktop\output.txt

Thanks, appreciate the reply, garlin. I see in post#307 you posted what you called "a clickable batch file". Do that means, this particular script can be run by double clicking it. Does it means that MS/Windows will allow it to run by double clicking it?

Also. in this computer I only have 1 account, a Local Administrator account. In Settings/Accounts it appears as BOELAM. In Windows, it appears as.... C:\Users\BoElam

So, if the 2nd script you posted in this thread, it is indeed clickable, Do I run the clickable script, and then afterward, run either the PS or CMD prompt with the corresponding code to create the text file (using code you posted in post#301), that has the results that were created after running the script?

Thanks in advance, garlin. I read many of your post, your willingness to help is impressive and commendable. I am in AWE, thank you.

Bo

garlin · Sep 15, 2025

antspants said:

I think I'm digging myself a hole. Output text:

Code:

Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 4: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.

What happened to your KEK CA 2011? Ideally it should be there, unless it got accidentally nuked. Your UEFI should have some reset to factory, which should put back 2011 unless your PC is extremely new.

Old PC's going back a decade will have CA 2011 out of the box (2023 was years after the fact).
New PC's can ship with only CA 2023 to be super secure.
But vendors may opt for CA 2011 + 2023 to allow their users to boot older OS'es. Otherwise some users will avoid buying those systems.

bo elam · Sep 15, 2025

antspants said:
I pity any new member or member that isn’t very clued in on this (me) .........

You are not alone. I am in team Ants...Can you imagine, if to us who at least read about this kind of stuff and have some knowledge, taking care of this coming issue is difficult, can you imagine people like my brother (who is like most people in the world), we live in different countries, I asked him the other day to tell me whether his two computers were W10 or W11. He did not know and did not care knowing.

Bo

FIREMEDIC2700 · Sep 15, 2025

i gave up its to f*************************************************complex for me . i will stick to what i know best and thats fixing people lol . power shell is to dam confusing . people like me just need a simple reg hack . maybe ms will just update the keys (lol right have a better chance of hitting it big on power ball than that ). i was so concered i just did a clean install and cmos reset to be safe i did not do damage .

antspants · Sep 15, 2025

garlin said:
What happened to your KEK CA 2011? Ideally it should be there, unless it got accidentally nuked. Your UEFI should have some reset to factory, which should put back 2011

I may have read the thread incorrectly with some posts and deleted it. BIOS allowed me to load the default, which I assumed is the 2011 key.
However I assumed it was supposed to read:

Code:

UEFI KEK Certs
--------------
    Microsoft Corporation KEK 2K CA 2023

So after loading the default, I believe I am back to base? I have no idea what the registry mention is.

Also, I appreciate your help.

Code:

Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 4: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.

antspants · Sep 15, 2025

bo elam said:
I asked him the other day to tell me whether his two computers were W10 or W11. He did not know and did not care knowing.

Bo, I get that answer from people, a lot.

garlin · Sep 15, 2025

antspants said:

Code:

Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 4: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.

You're back to the normal baseline, and can re-run @Sheikh's script if that worked before.

If you read the MS instructions, they talk about setting a reg value for "AvailableUpdates". My script originally reported it because the reg value is supposed to be cleared after running the scheduled task (and rebooting). Say you set it to 0x100, run the task, and reboot. Assuming it worked correctly, the AvailableUpdates should read 0x0.

But if something went wrong, you get these other hex values that aren't explained. So I replaced it with "WindowsUEFICA2023Capable", which is the way Windows recognizes if you passed the steps correctly. AvailableUpdates is something you can set, and Windows can return an return status. So it's less useful in a reporting script than it first appears.

garlin · Sep 15, 2025

bo elam said:
Thanks, appreciate the reply, garlin. I see in post#307 you posted what you called "a clickable batch file". Do that means, this particular script can be run by double clicking it. Does it means that MS/Windows will allow it to run by double clicking it?

Also. in this computer I only have 1 account, a Local Administrator account. In Settings/Accounts it appears as BOELAM. In Windows, it appears as.... C:\Users\BoElam

So, if the 2nd script you posted in this thread, it is indeed clickable, Do I run the clickable script, and then afterward, run either the PS or CMD prompt with the corresponding code to create the text file (using code you posted in post#301), that has the results that were created after running the script?

Thanks in advance, garlin. I read many of your post, your willingness to help is impressive and commendable. I am in AWE, thank you.

Bo

Here's a clickable batch file that writes a report to the desktop. If you click on the script, it may ask you for Administrator rights.

The script takes more than a few seconds to run. If you click the report file on the Desktop too early, NotePad will warn you the file is still in use. Just wait another 10 seconds, and then open the file. The desktop icon for the report always appears before the script is actually done running.

Be patient.

UPDATE 2025-11-25:
Replaced the 7z.exe download source, as abbodi1406's GitHub account has been banned.

Scott · Sep 15, 2025

@garlin thanks for the modified script. Here are my results, along with two of my
bootable media for MTPW and Macrium Reflect.

Did you manually update your Secure Boot Keys ?

Like a rolling drone.

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Like a rolling drone.

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Like a rolling drone.

My Computers

Active member

My Computer

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Like a rolling drone.

My Computers

Like a rolling drone.

My Computers

Well-known member

My Computer

Well-known member

Attachments

My Computer

Well-known member

My Computers

Similar threads