Did you manually update your Secure Boot Keys?


Boy, that sounds like a handful. I would hope that Dell would just send us a new BIOS with all that done already. I know for sure that 85 percent of their customers, if left to them, would even know where to start with all that. Thanks for your help.

I will bump your post on "Guidance for blocking rollback of Virtualization" as it may have gotten lost in all my problems.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Tower Plus EBT2250, DOB: 06/15/2025
    CPU
    Intel® Core™ Ultra 7 265 1.8GHz to 5.3GHz (Arrow Lake)
    Motherboard
    Dell Inc. 02D3NT A00 (U3E1)
    Memory
    SK Hynix 32GB DDR5 5600 Desktop RAM UDIMM Non-ECC PC5-5600B
    Graphics Card(s)
    Dell NVIDIA® GeForce RTX™ 4060 8GB GDDR6 & (iGPU) Integrated Intel® UHD Graphics
    Sound Card
    Chipset Realtek High-Definition Audio with Dolby Atmos
    Monitor(s) Displays
    Dell Ultra Sharp U2515H 25-Inch Screen LED-Lit
    Screen Resolution
    2560 X 1440
    Hard Drives
    Samsung (NVMe PM9C1a 1024GB) M.2 PCIe NVMe Solid State Drive (OS), with Samsung Piccolo (S4LY022) 6-Core 4 Channel Controller.

    Samsung T7 500GB SSD, USB-C External Drive
    PSU
    Dell 460W
    Case
    Dell Tower Plus EBT 2250
    Cooling
    Fan
    Keyboard
    Dell Wired Keyboard - KB216
    Mouse
    Logitech M510
    Internet Speed
    Intel Killer E3100G 2.5 Gigabit Ethernet Controller
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    The Samsung NVMe PM9C1a 1024GB SSD does not use a Phison NAND controller. Instead, it uses Samsung's in-house developed Piccolo (S4LY022) 6-Core 4 Channel Controller. The PM9C1a utilizes a controller built using Samsung's 5-nanometer process and seventh-generation V-NAND technology. 🤔
  • Operating System
    Windows 11 Pro 25H2 26200.8457
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 15 7000 (7591) 2-in-1, DOB: 11/30/2019
    CPU
    10th Generation Intel Core i7-10510U Processor (8MB Cache, up to 4.9 GHz) Comet Lake
    Motherboard
    Dell 0NNW5N
    Memory
    16GB DDR4 RAM
    Graphics card(s)
    NVIDIA® GeForce® MX250 with 2GB GDDR5 graphics memory
    Sound Card
    Chipset Realtek ALC3254 🤔🤣
    Monitor(s) Displays
    Dell 15.6-inch UHD Truelife Touch Narrow Border WVA Display with Active Pen support
    Screen Resolution
    3840 x 2160
    Hard Drives
    Intel NVME 512GB SSD with 32GB Intel Optane Memory, M.2 80mm PCIe 3.0 RAID

    SanDisk 256GB Extreme microSDXC UHS-I Memory Card
    PSU
    Dell 4-Cell Battery, 68 Whr (Integrated), 90 Watt AC Adapter
    Case
    Dell Inspiron 15 7000 2-in-1 (7591)
    Cooling
    Standard Dell Case Fan & Havit HV-F2056 USB Powered (3 Fans) Laptop Cooling Pad.
    Keyboard
    Dell
    Mouse
    Logitech Wireless Mouse M650L
    Internet Speed
    Wireless/Wired connectivity (WiFi 6 - 802.11 ax)
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    From Dell: 512GB NVME Solid State Drive accelerated by 32GB Intel Optane Memory are the fastest as compared to NAND SSDs. Intel Optane H10 with SSD offers speedy storage and accelerates opening your programs.

I'm not garlin, but I did notice you were using PowerShell 7.5.3 to run the script. When I do that, for the EFI output section I get:
Code:
EFI Files
---------
    Disk 1: Boot Manager [] is BANNED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

My boot disk is Disk 1. When I run it from Windows PowerShell (5.1), I get:

Code:
EFI Files
---------
    Disk 1: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

So there appears to be something funky going on with one of the script functions when used with PowerShell 7.x.
I'm guessing that's a compatibility problem between PS 5.1 and PS 7.5.3, not a problem with the boot manager. If that were the case, the system wouldn't boot with secure boot enabled.
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
They say they will (for officially supported systems - at least), the update is set for Mid 2026. That's at least 9 months till then.
Gee, so they're going to update it at the 11th hour, and that's if nothing goes wrong! :rolleyes:
 

I'm guessing that's a compatibility problem between PS 5.1 and PS 7.5.3, not a problem with the boot manager. If that were the case, the system wouldn't boot with secure boot enabled.

Yes, it was. Garlin came up with a fix for the script in a later post. I tried it out, and it did indeed fix it. It works in both 5.1 and 7.5.3 now.
 

My Computer

System One

  • OS
    Windows 11 pro 25h2
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI B450M Bazooka, BIOS version 7A38vHJ5 (latest beta as of 2025-09-23)
    Memory
    64 GB G.Skill (F4-3200C16Q-64GVK)
    Graphics Card(s)
    Integrated into CPU
    Sound Card
    Realtek (built into motherboard)
    Monitor(s) Displays
    Generic HDMI
    Screen Resolution
    1080p
    Hard Drives
    System and apps: SK hynix Gold P31 1TB M.2
    Data: Toshiba HDWQ140 4TB internal SATA
    PSU
    Seasonic 400W SS-400FL2 fanless
    Case
    Fractal Design Define R5
    Cooling
    Cooler Master Hyper 212 Evo
    Keyboard
    Lenovo Preferred Pro II Wired External USB Keyboard (4X30M86879)
    Mouse
    Belkin cheapo corded USB mouse
    Internet Speed
    300 MBit/sec
    Browser
    Firefox
    Antivirus
    Windows Defender
Gee, so they're going to update it at the 11th hour, and that's if nothing goes wrong! :rolleyes:

That's just it - they're waiting for all the popular OEMs to have the BIOS/UEFI Keys ready with a stable firmware. Some (a lot of them even) - already issued this update (as can be seen even in this topic), Others, still taking their time. Like MSI, contacted support - and they said they're still too busy - so it might take some time to release an update. If Windows was a limited OS (like Mac OSX) - designed to work only with Microsoft hardware - such as - Surface Books, we'd have this update since 2024. But most OEMs - only focus on latest hardware in terms of updates - especially since there's around 9 months left till said update.
 

My Computer

System One

  • OS
    WinDOS 25H2
    Computer type
    Laptop
    CPU
    Intel & AMD
    Memory
    SO-DIMM SK Hynix 15.8 GB Dual-Channel DDR4-2666 (2 x 8 GB) 1329MHz (19-19-19-43)
    Graphics Card(s)
    nVidia RTX 2060 6GB Mobile GPU (TU106M)
    Sound Card
    Onbord Realtek ALC1220
    Screen Resolution
    1920 x 1080
    Hard Drives
    1x Samsung PM981 NVMe PCIe M.2 512GB / 1x Seagate Expansion ST1000LM035 1TB
Boy, that sounds like a handful. I would hope that Dell would just send us a new BIOS with all that done already. I know for sure that 85 percent of their customers, if left to them, would even know where to start with all that. Thanks for your help.

I will bump your post on "Guidance for blocking rollback of Virtualization" as it may have gotten lost in all my problems.
We have more problems on the Dell like the TPM Chip can go not detected even on a Dell notebook when there is no physical chip. My motherboard took 2 months to die. Basically Windows would seem like someone hit the physical reset button anywhere from 30 seconds to a few hours after the spinning circle. Eventually, the motherboard would have LEDs that flash CPU failure but in reality, the capacitor burned down and burned whatever was on the other side of the motherboard as it's mounted upside down where the F5 key is.
 

My Computer

System One

  • OS
    WindowsXP/7/8/8.1/10/11,Linux,Android,FreeBSD Unix
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9570
    CPU
    Intel® Core™ i7-8750H 8th Gen 2.2Ghz up to 4.1Ghz
    Motherboard
    Dell XPS 15 9570
    Memory
    64GB using 2x32GB CL16 Mushkin redLine modules
    Graphics Card(s)
    Intel UHD 630 & NVIDIA GeForce GTX 1050 Ti with 4GB DDR5
    Sound Card
    Realtek ALC3266-CG
    Monitor(s) Displays
    15.6" 4K Touch UltraHD 3840x2160 made by Sharp
    Screen Resolution
    3840x2160 4K UltraHD
    Hard Drives
    Samsung MZ-V9P4T0B/AM 990 PRO 4TB PCIe®4.0 NVMe™ M.2 SSD was Toshiba KXG60ZNV1T02 NVMe 1TB SSD
    PSU
    Dell XPS 15 9570
    Case
    Dell XPS 15 9570
    Cooling
    Stock
    Keyboard
    Stock
    Mouse
    SwitftPoint ProPoint
    Internet Speed
    Comcast/XFinity 1.44Gbps/42.5Mbps
    Browser
    Microsoft EDGE (Chromium based) & Google Chrome
    Antivirus
    Windows Defender that came with Windows
Can someone post 1 command that will update the secure boot keys?
 

My Computer

System One

  • OS
    windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Antec/Case
    CPU
    Intel i5-10600kf
    Motherboard
    GIGABYTE Z590 UD AC
    Memory
    32gb corsair vengerance pro
    Graphics Card(s)
    AMD RX 6500XT
    Sound Card
    onboard
    Monitor(s) Displays
    40" Hisense
    Hard Drives
    Samsung 850
    Samsung 870
    Seagate 2TB
    PSU
    EVGA GQ 750
@Akeo, can you help us?

@AK6DN updated his UEFI using Mosby, and it's breaking the Get-UefiDatabaseSignatures function as provided by:

It's throwing an exception for:
Code:
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
CN=MosbyKey [2025.09.15]
Cannot convert value "System.Byte[]" to type "System.Guid". Error: "Byte array for GUID must be exactly 16 bytes long."

Do you guys still need help with that? My understanding (from trying to sieve through this super long thread) is that this was a script issue?

Also, PLEASE, PLEASE, PLEASE, if you want to report a potential issue with Mosby, USE THE MOSBY ISSUE TRACKER. Do not expect me to be browsing this forum on a regular basis or @notifications to work, as I only visit this forum very infrequently.

And just so you know, I am planning to add the Option ROM cert in the next release of Mosby (and therefore in the 25H2 release of the UEFI Shell, which will include the latest Mosby). But it's going to take a little more time...
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    Screen Resolution
    4k
Just updated them. Thanks for the commands
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel i7 14700K
    Motherboard
    ASUS TUF GAMING B660M-E D4
    Memory
    64GB Corsair Vengeance RGB Pro 3200MT/s DDR4
    Graphics Card(s)
    ASUS RTX 3060Ti TUF Gaming OC 8GB
    Monitor(s) Displays
    Samsung CF390 Curved 24' 1080P
    Screen Resolution
    1080P
    Hard Drives
    Samsung 980 Pro M.2 PCI-E Gen4 NVME 500GB
    Samsung 980 M.2 PCI-E Gen3 NVME 1TB
    PSU
    Corsair RM850e 80+ Gold 850W
    Case
    Corsair 4000D Airflow Black
    Cooling
    Corsair iCUE Link H100i LCD + 4 case fans
    Keyboard
    Corsair K65 Plus
    Mouse
    Logitech MX Master 3S
    Internet Speed
    26Mpbs
    Browser
    Firefox
    Antivirus
    BitDefender Total Security
I was very lucky to find this forum and learn about @Akeo's Mosby.

I was able to successfully update the Secure Boot keys on my old PC, which did not have the keys included in KEKUpdateCombined.bin. Initially, typing just "Mosby" didn't work, but it ran and updated everything when I typed "Mosby_x64.efi".

This PC also had a "PK Fail" issue with an AMI TEST PK, so this brings me double relief.

I would like to express my gratitude to @Akeo.
 

My Computer

System One

  • OS
    Windows11
And just so you know, I am planning to add the Option ROM cert in the next release of Mosby (and therefore in the 25H2 release of the UEFI Shell, which will include the latest Mosby). But it's going to take a little more time...
First off, I want to thank you again for the valuable service you've provided with Mosby, it makes a complicated procedure simple. Adding the option ROM is great news, I do have a question.

If I already have everything but the option ROM finished, can I run Mosby again and let it finish the job, or will that screw something else up?
 

Do you guys still need help with that? My understanding (from trying to sieve through this super long thread) is that this was a script issue?

Also, PLEASE, PLEASE, PLEASE, if you want to report a potential issue with Mosby, USE THE MOSBY ISSUE TRACKER. Do not expect me to be browsing this forum on a regular basis or @notifications to work, as I only visit this forum very infrequently.

And just so you know, I am planning to add the Option ROM cert in the next release of Mosby (and therefore in the 25H2 release of the UEFI Shell, which will include the latest Mosby). But it's going to take a little more time...
@AK6DN used Mosby, and now the reference script Get-UefiDatabaseSignatures.ps1 can't parse the updated DB byte contents.

AFAIK, it's not a problem with the function because it's always worked for non-Mosby examples. I have kludged a workaround using basic string matching on the raw bytes to report on Mosby PCs, but obviously that's not a good method for confirming the DB's integrity.

I don't understand the nuts & bolts other than I call "Get-SecureBootUEFI db | Get-UefiDatabaseSignatures", and parse the structured data. The first part of the code looks straightforward, it's expecting to see certain byte offsets.

Maybe you can work with @AK6DN to confirm they used Mosby correctly. I don't know if this is an outlier case, or all Mosby users will get broken results when running the script.
 

My Computer

System One

  • OS
    Windows 7
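The posts above describe a reader that expects certain byte offsets in the DB and fails with a GUID conversion error. As an added example (not the cjee21 script, not garlin's script, and not part of any post), this is a bounds-checked walk of the `EFI_SIGNATURE_LIST` layout from the UEFI specification that validates every size field before slicing and reports the offset where a blob stops matching the layout. The function names, the owner GUID and the sample bytes are constructed, and the "certificate" payload is placeholder data, not real DER.

```powershell
# Added example: bounds-checked walk of a Secure Boot signature database.
# Layout per the UEFI specification (EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA).
# Function names, the owner GUID and all sample bytes are constructed.

$EfiSignatureTypes = @{
    'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' = 'EFI_CERT_X509_GUID'
    'c1c41626-504c-4092-aca9-41f936934328' = 'EFI_CERT_SHA256_GUID'
}

function Read-EfiSignatureLists {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $offset = 0
    $index  = 0
    while ($offset -lt $Bytes.Length) {
        $remaining = $Bytes.Length - $offset
        # Header: SignatureType (16) + SignatureListSize (4) +
        #         SignatureHeaderSize (4) + SignatureSize (4) = 28 bytes
        if ($remaining -lt 28) {
            throw ('List {0} at offset {1}: {2} bytes left, a list header needs 28' -f $index, $offset, $remaining)
        }
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int64][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int64][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int64][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $body     = $listSize - 28 - $hdrSize   # bytes occupied by signature entries

        # Validate every size field before any slice depends on it.
        if ($listSize -gt $remaining -or $body -lt 0) {
            throw ('List {0} at offset {1}: ListSize={2} HeaderSize={3} does not fit in {4} remaining bytes' -f $index, $offset, $listSize, $hdrSize, $remaining)
        }
        # Each entry is a 16-byte SignatureOwner GUID plus at least one data byte.
        if ($sigSize -lt 17 -or ($body % $sigSize) -ne 0) {
            throw ('List {0} at offset {1}: SignatureSize={2} does not divide the {3}-byte body' -f $index, $offset, $sigSize, $body)
        }

        $typeName = $EfiSignatureTypes[$type.ToString()]
        if (-not $typeName) { $typeName = $type.ToString() }   # unknown type: show raw GUID

        $cursor = $offset + 28 + [int]$hdrSize
        $end    = $offset + [int]$listSize
        while ($cursor -lt $end) {
            $dataLen = [int]$sigSize - 16
            $digest  = $sha.ComputeHash($Bytes, $cursor + 16, $dataLen)
            [pscustomobject]@{
                List           = $index
                Offset         = $cursor
                SignatureType  = $typeName
                SignatureOwner = [Guid]::new([byte[]]$Bytes[$cursor..($cursor + 15)])
                DataLength     = $dataLen
                DataSha256     = [BitConverter]::ToString($digest) -replace '-', ''
            }
            $cursor += [int]$sigSize
        }
        $offset = $end
        $index++
    }
}

# Builds one constructed EFI_SIGNATURE_LIST holding $Count copies of $Payload.
function New-SampleList {
    param([Guid]$Type, [Guid]$Owner, [byte[]]$Payload, [int]$Count = 1)
    $sigSize  = 16 + $Payload.Length
    $listSize = 28 + $Count * $sigSize
    $out = [System.Collections.Generic.List[byte]]::new()
    $out.AddRange($Type.ToByteArray())
    $out.AddRange([BitConverter]::GetBytes([uint32]$listSize))
    $out.AddRange([BitConverter]::GetBytes([uint32]0))          # no list header
    $out.AddRange([BitConverter]::GetBytes([uint32]$sigSize))
    foreach ($i in 1..$Count) {
        $out.AddRange($Owner.ToByteArray())
        $out.AddRange($Payload)
    }
    return ,$out.ToArray()
}

# Constructed sample: one X509-type list (placeholder payload) and one SHA-256 list.
$owner  = [Guid]'11111111-2222-3333-4444-555555555555'
$certs  = New-SampleList -Type 'a5c059a1-94e4-4aa7-87b5-ab155c2bf072' -Owner $owner -Payload ([byte[]](1..40))
$hashes = New-SampleList -Type 'c1c41626-504c-4092-aca9-41f936934328' -Owner $owner -Payload ([byte[]]::new(32)) -Count 2
[byte[]]$db = $certs + $hashes

Read-EfiSignatureLists -Bytes $db | Format-Table List, Offset, SignatureType, DataLength

# Same blob with the tail cut off: the second list is rejected with its offset.
try   { Read-EfiSignatureLists -Bytes ([byte[]]$db[0..($db.Length - 10)]) | Out-Null }
catch { "Rejected: $($_.Exception.Message)" }

# On a live system (elevated): Read-EfiSignatureLists -Bytes (Get-SecureBootUEFI db).Bytes
```

Comparing `DataSha256` values between two machines confirms that they hold the same DB entries without relying on string matching against the raw bytes.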
First off, I want to thank you again for the valuable service you've provided with Mosby, it makes a complicated procedure simple. Adding the option ROM is great news, I do have a question.

If I already have everything but the option ROM finished, can I run Mosby again and let it finish the job, or will that screw something else up?
I already tried it and basically it will only replace what isn't already there.
 

@AK6DN used Mosby, and now the reference script Get-UefiDatabaseSignatures.ps1 can't parse the updated DB byte contents.

I already tried it and basically it will only replace what isn't already there.
I don't know that he's added the additional capability yet. If Mosby didn't cause any issues when you ran it again, that's a good thing.
 

@AK6DN used Mosby, and now the reference script Get-UefiDatabaseSignatures.ps1 can't parse the updated DB byte contents.

Well, I'm not seeing any issue on a platform I recently updated with Mosby -x, be it with the script posted in post 644215 or when piping to the Get-UefiDatabaseSignatures function from Check-UEFISecureBootVariables/Get-UEFIDatabaseSignatures.ps1 at main · cjee21/Check-UEFISecureBootVariables:

Code:
PS C:\SB> . .\Get-UefiDatabaseSignatures.ps1
PS C:\SB> Get-SecureBootUEFI db | Get-UefiDatabaseSignatures

SignatureType      SignatureList
-------------      -------------
EFI_CERT_X509_GUID @{SignatureOwner=45a0fa32-6047-73c8-2433-c3b7d59e7466; SignatureData=[Subject]...
EFI_CERT_X509_GUID @{SignatureOwner=46def63b-5ce6-1cf8-ba0d-e2e6639c1019; SignatureData=[Subject]...
EFI_CERT_X509_GUID @{SignatureOwner=b5eeb4a6-7060-4807-3f0e-d296e7f580a7; SignatureData=[Subject]...
EFI_CERT_X509_GUID @{SignatureOwner=73e4ab21-55a9-2ab6-9a33-82c77f95acda; SignatureData=[Subject]...


PS C:\SB> .\Check_EFIBootFile.ps1
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011

EFI Files
---------
    Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

Maybe if the people who experience the issue could save the DB with Get-SecureBootUEFI db -OutputFilePath DB.var and post the resulting DB.var somewhere, because it sure looks like a pure environmental issue to me right now.
 

The latest version of Rufus out today V 4.10.2279...
Add support for creating Windows CA 2023 compatible media (requires a Windows 11 25H2 ISO).

 

My Computer

System One

  • OS
    Win 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    N/A
    CPU
    AMD Ryzen 7 9700X
    Motherboard
    ASUS Crosshair Viii Hero Wi Fi
    Memory
    G.Skill Trident Z5 Neo RGB 64GB Kit (2x32GB) DDR5-6000 C30
    Graphics Card(s)
    PowerColor Radeon RX 9060 XT Reaper GDDR6 16GB
    Sound Card
    USB Out NAD M51 DAC with Adams A8 powered speakers
    Monitor(s) Displays
    Dell 3219Q
    Screen Resolution
    3840 x 2160
    Hard Drives
    5 x WD_BLACK SN850x PCIe Gen4 NVMe M.2 SSD - 4TB
    PSU
    be quiet! DARK POWER 13 1000W Titanium PCIe 5.0 ATX Modular PSU
    Case
    Fractal Design Define 7 Full Tower Case (Black)
    Cooling
    Noctua NH-D15 G2 LBC - High Performance Multi-Socket PWM CPU Cooler
    Keyboard
    Razer Huntsman V2
    Mouse
    Razer Viper Ultimate
    Internet Speed
    Starlink 94Mbps down 20Mbps up
    Browser
    Brave
    Antivirus
    ESET
Well, I'm not seeing any issue on a platform I recently updated with Mosby -x, be it with the script posted in post 644215 or when piping to the Get-UefiDatabaseSignatures function from Check-UEFISecureBootVariables/Get-UEFIDatabaseSignatures.ps1 at main · cjee21/Check-UEFISecureBootVariables:

...

Maybe if the people who experience the issue could save the DB with Get-SecureBootUEFI db -OutputFilePath DB.var and post the resulting DB.var somewhere, because it sure looks like a pure environmental issue to me right now.

The problem occurred because I used Mosby v2.3 to add a PK (corrected) DB entry that was named 'MosbyKey' (by default).

Code:
CN=MosbyKey [2025.09.15]
Cannot convert value "System.Byte[]" to type "System.Guid". Error: "Byte array for GUID must be exactly 16 bytes long."

In the script it shows up under the DB entry when printed out.
Your example shows only the standard certs, no custom MosbyKey certificate.

I'll see if I can run the code you posted above on that system and post the data.
 

My Computers

System One System Two

  • OS
    Win11 25H2 26200.7623
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo P520
    CPU
    Intel XEON W-2245 8c/16t
    Memory
    128GB DDR4-2933 ECC
    Graphics Card(s)
    Nvidia Quadro K4200
    Sound Card
    Bultin
    Monitor(s) Displays
    LCD 24in
    Screen Resolution
    1920x1200
    Hard Drives
    1TB SSD system, 16TB data 3.5in HDD, 16TB backup 3.5in HDD
    PSU
    900W
    Cooling
    Air
    Internet Speed
    1Gb
    Browser
    Firefox & Chrome
    Antivirus
    MalwareBytes
  • Operating System
    Win10 22H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T530
    CPU
    Intel Core i7-3520m
    Memory
    16GB
    Graphics card(s)
    integrated CPU graphics
    Hard Drives
    1TB SSD
    Internet Speed
    1Gb
    Browser
    Fiefox & Chrome
    Antivirus
    Malwarebytes
because I used Mosby v2.3 to add a PK entry that was named 'MosbyKey' (by default).

MosbyKey is NOT a PK. It's a DB. It should NOT be used as a PK, ever.

Unless you provide your own (but then don't use MosbyKey for that as again, it is NOT meant to be used as a PK) the PK is never saved. It is generated each time, and then, after the public key is saved as the PK, discarded from memory. This is how we ensure that a platform can not be compromised from the root of the chain, ever, because, with the Mosby defaults, nobody, including yourself or your motherboard's manufacturer, has the private key associated with the PK.

MosbyKey is what you can use to sign UEFI bootloaders for Secure Boot (as documented in the README). It will be automatically reinstalled as a DB key if present on your media. But it should never, ever be used as a PK.

Therefore, if you experience an issue after installing MosbyKey as the PK, I'm afraid you misunderstood how to use Mosby, and the error is on you...
 

MosbyKey is NOT a PK. It's a DB. It should NOT be used as a PK, ever.

Unless you provide your own (but then don't use MosbyKey for that as again, it is NOT meant to be used as a PK) the PK is never saved. It is generated each time, and then, after the public key is saved as the PK, discarded from memory. This is how we ensure that a platform can not be compromised from the root of the chain, ever, because, with the Mosby defaults, nobody, including yourself or your motherboard's manufacturer, has the private key associated with the PK.

MosbyKey is what you can use to sign UEFI bootloaders for Secure Boot (as documented in the README). It will be automatically reinstalled as a DB key if present on your media. But it should never, ever be used as a PK.

Therefore, if you experience an issue after installing MosbyKey as the PK, I'm afraid you misunderstood how to use Mosby, and the error is on you...

Well maybe I misspoke about MosbyKey being in PK. It shows up under the DB entries using the modified Check_MosbyEFIBootFile.ps1 script.
I get these entries:
Code:
UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MosbyKey

and it is that MosbyKey entry that borked the original Check_EFIBootFile.ps1 script.

As to my misunderstanding or misusing Mosby, I followed the directions in the Mosby README.md exactly:
Code:
3. Boot the computer where you want to install the keys into the UEFI firmware settings and
   make sure that your platform is in *Setup Mode*. Please refer to your manufacturer's
   documentation if you don't know how to enable *Setup Mode*.

4. Boot into the UEFI Shell media you created and type: `Mosby` (without any extension). The
   executable relevant to your platform will automatically launch and will guide you through
   the installation of the UEFI Secure Boot keys.

5. Once the installation is complete, reboot into UEFI firmware settings, and make sure that
   Secure Boot is enabled.
In the Mosby screen dialog when it asked if I wanted to generate new platform keys, I said yes.
I got MosbyKey.crt/.pem/.pfx generated on the USB key and I saved those away.

Maybe if I had used the Mosby option to NOT generate a unique MosbyKey this whole problem would not exist. IDK.

Attached is a .zip of the DB.var file generated from running Get-SecureBootUEFI db -OutputFilePath DB.var
 
