Did you manually update your Secure Boot Keys ?


After originally running Mosby, the first time I rebooted and ran the Check_EFIBootFile.ps1 script it worked OK, did not fail, and reported
only the expected entries. I saved the output, and here it is ...
Code:
C:\WINDOWS\system32>powershell -nop -ep bypass -f C:\Downloads\Check_EFIBootFile.ps1

Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 1: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.

C:\WINDOWS\system32>pause done

It was only later, after another reboot, that when I ran this same script it failed, because a MosbyKey entry appeared
under the DB category, and the script complained that the format of that entry was invalid. Here is what I got then....
Code:
C:\WINDOWS\system32>powershell -nop -ep bypass -f D:\Check_EFIBootFile\Check_EFIBootFile_Mosby.ps1
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MosbyKey

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 1: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.

C:\WINDOWS\system32>pause done
Press any key to continue . . .
using the 'Mosby' flavor of the script.
Can you let me know where (as in, in which post) I can download the script you are using? I have Mosby installed and I want to see whether the script works for me or not, just as another data point.
 

My Computer

System One

  • OS
    WindowsXP/7/8/8.1/10/11,Linux,Android,FreeBSD Unix
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9570
    CPU
    Intel® Core™ i7-8750H 8th Gen 2.2Ghz up to 4.1Ghz
    Motherboard
    Dell XPS 15 9570
    Memory
    64GB using 2x32GB CL16 Mushkin redLine modules
    Graphics Card(s)
    Intel UHD 630 & NVIDIA GeForce GTX 1050 Ti with 4GB DDR5
    Sound Card
    Realtek ALC3266-CG
    Monitor(s) Displays
    15.6" 4K Touch UltraHD 3840x2160 made by Sharp
    Screen Resolution
    3840x2160 4K UltraHD
    Hard Drives
    Samsung MZ-V9P4T0B/AM 990 PRO 4TB PCIe®4.0 NVMe™ M.2 SSD was Toshiba KXG60ZNV1T02 NVMe 1TB SSD
    PSU
    Dell XPS 15 9570
    Case
    Dell XPS 15 9570
    Cooling
    Stock
    Keyboard
    Stock
    Mouse
    SwitftPoint ProPoint
    Internet Speed
    Comcast/XFinity 1.44Gbps/42.5Mbps
    Browser
    Microsoft EDGE (Chromium based) & Google Chrome
    Antivirus
    Windows Defender that came with Windows
No. I said I can't figure out why the PS function doesn't decipher the returned bytes from the PK variable. There's a spec for the encoding format, so I didn't expect a proper tool like Mosby to help create an error. Now that it's strongly believed to be a usage error, it makes sense.

The "Mosby-only" script was a workaround until @Akeo was available to answer questions. There shouldn't be two versions of the script; the original should have worked in the first place. It threw an error, but since I'm not a UEFI expert, it wasn't possible for me to understand what the reason would be.

Let's remember this thread started with "this is how MS wants you to proceed", and the original script helped to address that approach. I didn't test with Mosby because most of the users are following the official Windows guide, or people who are giving the same advice.
Yes, I probably just misunderstood what you said, as you know more about this than I do. The "how Microsoft wants you to proceed" approach will only add one key, being Windows UEFI CA 2023, and not the other 3 keys shown in the Microsoft article. Mosby adds 3 of the 4 keys; the only one missing is the option ROM one, which I had to add manually with the hint provided by @Akeo, as he did say Mosby shouldn't be needed. I just couldn't figure out how to get Mosby to add keys that it does not add by default.

When I said 4 keys, it was from a Microsoft article which shows the following at Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog under the section "The change: Expiring certificates":

[screenshot attachment: the "Expiring certificates" table from the Microsoft article]
 

what PK key is actually installed on the system

A UNIQUE key, that is autogenerated from the UEFI cryptographic engine each time the application is run and discarded after use.

Again, the whole point is that nobody, not you, not me, not the manufacturer (who have too often proven themselves unworthy of trust), not Microsoft, not anybody can use this PK to compromise your system, which is done to make this kind of crap go away (because if someone had used Mosby on any of these affected platforms, then the vulnerability would have been patched). And since it's unique, even if they somehow manage to compromise one PK, they won't be able to do the same for any other system you might have, even if you used the same Mosby executable (and the same USB drive) to install the keys.

Now, there is a small drawback in having a PK that cannot be used by anyone else, as it means that the manufacturer cannot push KEK updates (which is actually something Microsoft is in the process of organising for the 2026 expiration apocalypse, because that's the only way they can get the new MS KEK installed, which they also need alongside the new MS DB certs), but considering that if you are trying to secure your platform, you probably want to be in control of who installs a new KEK, and that Mosby will install the KEK used by Microsoft (which are really the only ones you need to have), not letting ill-defined third parties (when was the last time you checked if your motherboard manufacturer actually took security seriously?) install KEKs is probably a good thing.

Also, you have to understand that the whole point of PK's and KEK's is to let someone who doesn't have physical access to the machine push Secure Boot updates "remotely", whereas Mosby is built on the very principle that you do in fact have physical access to the machine and can always put it in Setup Mode to install whatever keys you need, so there's little point in giving anyone, including yourself, access to a PK when you can just fire up Mosby and install whatever keys you need...
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    Screen Resolution
    4k
I was told by HP not to manually update the certificate or Secure Boot Keys but to wait. They don't have a date when an update would be forthcoming. My laptop is a HP ENVY Laptop 17m-ch1013dx, manufactured in 2021.
 

My Computer

System One

  • OS
    Windows 11 25H2 Home
    Computer type
    Laptop
    Manufacturer/Model
    HP ENVY Laptop 17m-ch1xxx
    CPU
    11th Generation Intel Core i7
    Memory
    12GB
    Monitor(s) Displays
    17.3” FHD Display
I was told by HP not to manually update the certificate or Secure Boot Keys but to wait. They don't have a date when an update would be forthcoming. My laptop is a HP ENVY Laptop 17m-ch1013dx, manufactured in 2021.
I think this whole thread is essentially for people with special needs... especially those who need to harden systems against Black Lotus. This isn't made very clear at the outset though. And based on some posts elsewhere, it's even strongly advised to not go all the way through with the manual updates by revoking trust of the 2011 certificate signed binaries; that's the step that actually protects against a Black Lotus attack.

But one thing that has popped out of reading through all this is that updating all the certificates correctly (which Microsoft will have to do at some point in '26) might require a BIOS update. That's going to be a major problem for a huge number of average users who're clueless about how to safely go about updating BIOS on their systems. And especially for those with one of the many, many, boards long since abandoned by their manufacturers. I wish I could get a clearer read on that, and how to handle it if you have one of the abandoned boards.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
And especially for those with one of the many, many, boards long since abandoned by their manufacturers. I wish I could get a clearer read on that, and how to handle it if you have one of the abandoned boards.

Well, if your board was made by one of the ~50 manufacturers listed here and you are running Windows, then you should be okay, as Microsoft should be able to install the new KEK they need without you needing to do anything, even after their current 2011 KEK has expired (in June 2026), so that they can then install the new 2023 DB Secure Boot certificates that will be needed to boot anything that is going to be signed for Secure Boot in late 2026 (that last part being important, as the new KEKs/DBs are still not needed by the Windows 25H2 UEFI bootloaders, so, technically, you don't actually have to care about this until Microsoft releases Windows 11 26H2).

This is what I alluded to above: if you can get in touch with the manufacturers, and Microsoft are definitely doing that, then they should be able to sign a KEK update package for their platforms, which in turn allows OS makers like Microsoft to install said KEK (and ultimately the DB they need, which is the whole point of the KEK) "remotely", and regardless of whether everything else is expired.

So that's also why HP (who did provide a signed KEK update package to Microsoft) and most other vendors are currently saying to end users (who are not expected to be at that great a risk from BlackLotus and other vulnerabilities): "Just wait. Microsoft should take care of the Secure Boot key updates on their own..."

And the expectation is that, for most people, this should indeed be fine... as long as they are running Windows (not sure how Linux distro maintainers are going to address this, though the signed KEKs provided to Microsoft are not for Microsoft use only and can be used just as well by Linux distros to update KEKs and DBs for the new Secure Boot certs) and, more crucially, as long as they don't happen to go into their UEFI firmware and choose to reset their Secure Boot keys to vendor defaults, because, if you do that on pretty much every PC that was released before 2025, you're going to reset to the 2011 certs, and Secure Boot will produce a violation error with any post-26H2 signed bootloader (be they for booting Windows or Linux or anything else).

And, you should absolutely not count on manufacturers to release firmware updates, as they most certainly could, just to add the 2023 certs on anything they released more than 2 years ago...

Now, I guess the expectation of Microsoft (and others) is that, if/when that happens, the user will be smart enough to disable Secure Boot (and the irony is not lost on me that, at one stage, Microsoft were trying to champion platforms where Secure Boot could not be disabled by the user... ever, whereas they are now going to be relying on people being able to disable Secure Boot to fix a situation where Windows can no longer boot), then boot into Windows, which should be smart enough to look at the Secure Boot databases during every single boot to tell if the 2023 KEKs and DBs are missing and reinstall them automatically if that's the case (so that the user can re-enable Secure Boot on next reboot).

But of course, given how obtuse or downright broken the Secure Boot Security Violation messages seem to be (on one of the Gigabyte platforms I use, you just get a weird 'OK' button, with no other text, when Secure Boot fails validation, so good luck to regular joes understanding that this is really Secure Boot complaining), 2027 and later years are likely to show that quite a few people will fall through the cracks of "Just let the OS handle that for you..."

Interesting times ahead.

But the takeaway is that, if you can see your platform manufacturer here, then you should probably be okay, eventually, without doing anything...
 

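The two technical points in the posts above are the encoding of the Secure Boot variables (the spec format the check script stumbled on when it met the MosbyKey entry) and the presence check for the 2023 KEK and DB certificates that Windows is said to perform at every boot. The PowerShell below is an added example written for this thread; it is neither Check_EFIBootFile.ps1 nor part of Mosby. It assumes the SecureBoot module's Get-SecureBootUEFI cmdlet run from an elevated prompt, and the two signature-type GUIDs are the UEFI spec's EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID.

```powershell
# Walk a Secure Boot variable (PK, KEK, db or dbx) as the chain of EFI_SIGNATURE_LIST
# structures the UEFI spec defines, describing every entry found and reporting, rather
# than aborting on, an entry it cannot make sense of.
#
# EFI_SIGNATURE_LIST layout (all integers little-endian):
#   EFI_GUID SignatureType         16 bytes  what kind of entries this list holds
#   UINT32   SignatureListSize      4 bytes  size of the whole list, header included
#   UINT32   SignatureHeaderSize    4 bytes  normally 0
#   UINT32   SignatureSize          4 bytes  size of EACH entry, owner GUID included
#   UINT8    SignatureHeader[SignatureHeaderSize]
#   EFI_SIGNATURE_DATA Signatures[] = EFI_GUID SignatureOwner (16 bytes) + SignatureData
# A variable such as db is simply several such lists stored back to back.

$EfiCertX509Guid   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID
$EfiCertSha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'  # EFI_CERT_SHA256_GUID

function Read-EfiSignatureLists {
    [CmdletBinding()]
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset -lt $Bytes.Length) {
        if ($Bytes.Length - $offset -lt 28) {
            throw "Truncated EFI_SIGNATURE_LIST header at offset $offset"
        }
        $type       = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $listEnd    = $offset + $listSize

        # Bad sizes would make every later list misparse, so stop here and say which list is bad.
        if ($listSize -lt 28 + $headerSize -or $listEnd -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset ${offset}: ListSize=$listSize HeaderSize=$headerSize SignatureSize=$sigSize"
        }

        $entryOffset = $offset + 28 + $headerSize
        while ($entryOffset + $sigSize -le $listEnd) {
            $owner = [Guid]::new([byte[]]$Bytes[$entryOffset..($entryOffset + 15)])
            $data  = [byte[]]$Bytes[($entryOffset + 16)..($entryOffset + $sigSize - 1)]
            $kind = 'Unknown'; $subject = $null; $detail = ''

            if ($type -eq $EfiCertX509Guid) {
                $kind = 'X509'
                try {
                    $cert    = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                    $subject = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
                    $detail  = 'expires ' + $cert.NotAfter.ToString('yyyy-MM-dd')
                } catch {
                    # An entry in an X.509 list whose payload is not DER: the kind of entry
                    # that makes a strict script give up. Report it and carry on.
                    $detail = 'payload is not a parsable X.509 certificate: ' + $_.Exception.Message
                }
            } elseif ($type -eq $EfiCertSha256Guid) {
                $kind   = 'SHA256'                      # what dbx is mostly made of
                $detail = [BitConverter]::ToString($data).Replace('-', '')
            } else {
                $detail = "unhandled SignatureType $type ($($data.Length) bytes)"
            }

            [PSCustomObject]@{ Kind = $kind; Subject = $subject; Owner = $owner; Detail = $detail }
            $entryOffset += $sigSize
        }
        $offset = $listEnd
    }
}

# Presence check for the 2023 certificates this thread is about. The subject names are
# the ones printed by the check script earlier in the thread.
function Test-SecureBoot2023Certs {
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
        db  = @('Microsoft UEFI CA 2023', 'Windows UEFI CA 2023')
    }
    foreach ($variable in $expected.Keys) {
        $subjects = Read-EfiSignatureLists -Bytes (Get-SecureBootUEFI -Name $variable).Bytes |
                    Where-Object { $_.Kind -eq 'X509' -and $_.Subject } |
                    ForEach-Object { $_.Subject }
        foreach ($name in $expected[$variable]) {
            [PSCustomObject]@{
                Variable    = $variable
                Certificate = $name
                Present     = [bool]($subjects -contains $name)
            }
        }
    }
}

# Usage (elevated PowerShell):
#   Read-EfiSignatureLists -Bytes (Get-SecureBootUEFI -Name db).Bytes | Format-Table -AutoSize
#   Test-SecureBoot2023Certs | Format-Table -AutoSize
```

Reading PK the same way (`-Name PK`) shows the single owner GUID and certificate a Mosby-installed platform key consists of; the Option ROM certificate mentioned later in the thread is not in the expected list because its subject name does not appear in any output on this page.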
...

Now, I guess the expectation of Microsoft (and others) is that, if/when that happens, the user will be smart enough to disable Secure Boot (and the irony is not lost on me that, at one stage, Microsoft were trying to champion platforms where Secure Boot could not be disabled by the user... ever, whereas they are now going to be relying on people being able to disable Secure Boot to fix a situation where Windows can no longer boot), then boot into Windows, which should be smart enough to look at the Secure Boot databases during every single boot to tell if the 2023 KEKs and DBs are missing and reinstall them automatically if that's the case (so that the user can re-enable Secure Boot on next reboot).

...
THAT is what I've been hoping to see: a (relatively) simple way to recover from a mistake later on if I can't update BIOS... or simply don't want to. But, as you allude to, we don't know exactly what MS will do yet. I can hope it comes out as well as that process since I can handle it easily enough.

Linux will have their problems, but those are typically way more advanced users who can figure out how to deal with whatever is getting thrown at them. At least I like to think so since they're answering 90% of my questions about dealing with Win11 LOL.
 

But of course, given how obtuse or downright broken the Secure Boot Security Violation messages seem to be (on one of the Gigabyte platforms I use, you just get a weird 'OK' button, with no other text, when Secure Boot fails validation, so good luck to regular joes understanding that this is really Secure Boot complaining), 2027 and later years are likely to show that quite a few people will fall through the cracks of "Just let the OS handle that for you..."

Interesting times ahead.

But the takeaway is that, if you can see your platform manufacturer here, then you should probably be okay, eventually, without doing anything...
This is exactly my problem! I'm getting that it's too late for someone that has already generated the keys with Mosby to "not do anything", my systems are already modified using Mosby to generate and install the certificates. If that's not correct, I'm all ears! Also, only two of my four systems appear on that platform list, my Nimo laptop and my AceMagic mini-PC are not on the list. The two Gigabyte systems appear on the list, but I've already updated those with Mosby.

While I get the general concept of secure boot and the certificate validation, the devil is in the details, and the details are far from easy to understand!
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
This is exactly my problem! I'm getting that it's too late for someone that has already generated the keys with Mosby to "not do anything"

Well, the only difference between Mosby and "not doing anything" is that the 2023 KEK installation does not have to be handled by Microsoft and the platform manufacturer, since it is done by Mosby.

But once you have that, EVERYTHING ELSE can be handled by "not doing anything", as it's that KEK that grants the ability for Microsoft to fix things for you.

In short, if you want to not do anything, you can still use Mosby, because it will just do the first step that Microsoft has to do to handle everything, but, of course, Microsoft are not going to stop handling the rest just because they find their KEK already installed. On the contrary, it gives them exactly what they need to do everything else for you (and getting that KEK installed by Mosby might be crucial for people who, for one reason or another, may not get their KEK updated by Microsoft), such as installing the new 2023 DB if they aren't present (but of course, Mosby will have installed those as well, so they shouldn't need to do that) and updating the DBXs, as they already REGULARLY AND SILENTLY do as part of Windows updates.

So, by using Mosby, you just happen to be slightly further up the road than people who are waiting on stuff to happen on its own. However, it does not put you on a different road: you are still on the "If I don't want to do anything, then I should be able to just wait and let Microsoft do that for me" road.
 

So, by using Mosby, you just happen to be slightly further up the road than people who are waiting on stuff to happen on its own. However, it does not put you on a different road: you are still on the "If I don't want to do anything, then I should be able to just wait and let Microsoft do that for me" road.
Very interesting, thanks! In that case, I suspect I can wait and see if Microsoft actually ends up updating the KEK and DBX certificates since that's what's left for me. I would like to get the Microsoft UEFI CA 2023 enabled as well.

I am already booting with Secure Boot and the Windows 2023 certificate. All of that was done by Mosby for all my systems, and I thank you for that! (y)

[screenshot attachment: Secure Boot status on the poster's system]
 

and see if Microsoft actually ends up updating the KEK and DBX certificates since that's what's left for me.

Not according to your screenshot. Your screenshot shows that the KEK and DB were updated (by Mosby). Microsoft are not going to re-update those.

I am not sure what you are expecting to happen at this stage. The one thing that Microsoft might eventually do for you is add the Option ROM cert, which Mosby does not currently install (but will do soon), but the rest should not change from your screenshot, since what you already have is what Microsoft is aiming for.

Again, the goal of Mosby and what Microsoft will eventually do is the same. So the end result should be pretty similar, whether the Secure Boot databases were updated by one or the other.
 

I wonder when they started including the 2023 certificates as the Precision 5530 BIOS I am using is from February 2025 and dated December 2024 and still does not have 2023 certificates either.

As for the BSOD, the same ISOs that work for everyone else without Secure Boot enabled, and that even worked without Secure Boot enabled on my original motherboard (which died on May 28, 2025), do not work on the new motherboard. My system was rebooting anywhere from a minute to a few hours after the spinning circle until May 28, 2025, when the capacitor finally melted and also killed the chip on the other side of the motherboard, which is mounted upside down. I think OEMs want people to buy new systems, as my system would be 7 years old in 2026.
The old XPS 13 9350 was released in late 2015, and the new 9350 with newer processors was released around September 2024.

Okay, thanks for the ISOs. I'll look into how to properly use Mosby with a Dell BIOS like mine and yours.

Edit: On the Dell page it is the one from 2024 which has a 2023 certificate: XPS 13 9350 (shipped 2024 or later)
 

My Computer

System One

  • OS
    windows 11
Not according to your screenshot. Your screenshot shows that the KEK and DB were updated (by Mosby). Microsoft are not going to re-update those.

I am not sure what you are expecting to happen at this stage. The one thing that Microsoft might eventually do for you is add the Option ROM cert, which Mosby does not currently install (but will do soon), but the rest should not change from your screenshot, since what you already have is what Microsoft is aiming for.

Again, the goal of Mosby and what Microsoft will eventually do is the same. So the end result should be pretty similar, whether the Secure Boot databases were updated by one or the other.
The option ROM cert is exactly what I was shooting for. I know that today I'm not using it, but since I'm knee-deep in this process, I'd like to finish the configuration and be done with it for my systems. Since you're adding that to Mosby, I probably don't have to wait for Microsoft to put this to bed, so I'll wait for the updated Mosby version and put the final touch on the process. Will Mosby also add the 2011 Option cert to the DBX database?
 

Will Mosby also add the 2011 Option cert to the DBX database?
It already does that if you run it with the -x option. This is documented in the README.

This is not enabled by default for obvious reasons. But if you want it, it's there.

Oh, and your screenshot shows that it was installed on the system you took the screenshot on...
 

It already does that if you run it with the -x option. This is documented in the README.

This is not enabled by default for obvious reasons. But if you want it, it's there.
That's great, with the addition of the Option cert, I should be all set. I see a re-run of Mosby in my future! :-)
 

Very interesting, thanks! In that case, I suspect I can wait and see if Microsoft actually ends up updating the KEK and DBX certificates since that's what's left for me. I would like to get the Microsoft UEFI CA 2023 enabled as well.

I am already booting with Secure Boot and the Windows 2023 certificate. All of that was done by Mosby for all my systems, and I thank you for that! (y)

I am not sure if this is 100% correct or not but even when using Mosby, one still has to manually enable the boot manager 2023 and the SVN portion as Mosby only handles the keys part.
It already does that if you run it with the -x option. This is documented in the README.

This is not enabled by default for obvious reasons. But if you want it, it's there.

Oh, and your screenshot shows that it was installed on the system you took the screenshot on...
That was where it got confusing because the README says this:
-x: Install the Microsoft update that invalidates Microsoft Windows Production PCA 2011. You should only use this if you know what you are doing, as you may not be able to boot or reinstall Windows otherwise. You have been warned!

so it only says it does it for the Microsoft Windows Production PCA 2011, not the Microsoft Corporation UEFI CA 2011 which is what @gunrunnerjohn was referring to.
The old XPS 13 9350 was released in late 2015, and the new 9350 with newer processors was released around September 2024.

Okay, thanks for the ISOs. I'll look into how to properly use Mosby with a Dell BIOS like mine and yours.

Edit: On the Dell page it is the one from 2024 which has a 2023 certificate: XPS 13 9350 (shipped 2024 or later)
Interesting they use the same 9350 model number that long. In their laptops, it seems like the model is only used for a few years or something. Feel free to ask questions if you decide to use Mosby since I should be able to guide you through it.
It seems like the Microsoft article has been updated because in the elevenforum thread for that one, it used to be a way harder process and I have only gotten a BSOD from it when I tried over the last 2 years whenever I deployed the SkuSiPolicy.p7b.

It used to have this:
"Deploying an audit mode policy
The Microsoft-signed revocation policy (SkuSiPolicy.p7b) enforces user mode code integrity (UMCI) and Dynamic Code Security. These features may have compatibility issues with customer applications. Before deploying the mitigation, you should deploy an audit policy to detect compatibility issues." which is no longer mentioned.

There is no longer a SiPolicy.p7b involved.


and in the same Microsoft article, they completely changed the SkuSiPolicy.p7b instructions from:
(screenshot of the earlier SkuSiPolicy.p7b instructions, not preserved)

to:
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x20 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
I am not sure if this is 100% correct or not but even when using Mosby, one still has to manually enable the boot manager 2023 and the SVN portion as Mosby only handles the keys part.
You are correct, I had to use the Microsoft instructions to actually install the 2023 keys in the EFI boot partition. I did that and then ran the check... Pretty sure all my machines are booting using the 2023 keys. If they weren't, secure boot would be crashing since the Windows 2011 key is already in the DBX database.

Really, I just want to get the option certificate installed and add the 2011 option certificate to the DBX database.

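As an added example (my own code, not Mosby's and not the Check_EFIBootFile.ps1 script quoted earlier in the thread), here is a PowerShell script that does the checks the last few posts are circling around: it parses db and dbx directly, so you can see whether Microsoft Windows Production PCA 2011 (the certificate the -x option revokes) and Microsoft Corporation UEFI CA 2011 (the option ROM CA asked about) are in dbx and whether the two 2023 CAs are in db; it reads which CA issued the Authenticode signature on the installed bootmgfw.efi, which is the real test of whether you boot with the 2023 boot manager; and it reads back the AvailableUpdates value that the reg add step above sets. The EFI_SIGNATURE_LIST layout and the two signature-type GUIDs are from the UEFI specification. Assumptions: the WindowsUEFICA2023Capable and UEFICA2023Status value names under SecureBoot\Servicing are taken from the script output quoted earlier and from Microsoft's KB5025885 article, not from this thread; the ESP is mounted on whatever drive letter is free at run time. It needs an elevated prompt because Get-SecureBootUEFI and mountvol require it.

```powershell
# Added example: inspect Secure Boot db/dbx, the boot manager signer and the
# servicing registry state. Not Mosby's code and not the thread's Check_EFIBootFile.ps1.
# Run elevated on a UEFI system with Secure Boot firmware.

# Signature-type GUIDs from the UEFI specification.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureEntries {
    # Walk every EFI_SIGNATURE_LIST in a Secure Boot variable ('db', 'dbx', 'KEK', 'PK')
    # and emit one object per EFI_SIGNATURE_DATA entry it contains.
    param([Parameter(Mandatory)][string]$VarName)
    [byte[]]$buf = (Get-SecureBootUEFI -Name $VarName -ErrorAction Stop).Bytes
    $pos = 0
    while ($pos + 28 -le $buf.Length) {
        # Header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = [guid]::new([byte[]]($buf[$pos..($pos + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($buf, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($buf, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($buf, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $pos + $listSize -gt $buf.Length) {
            throw "Corrupt EFI_SIGNATURE_LIST in $VarName at offset $pos"
        }
        $cursor = $pos + 28 + $headerSize
        $end    = $pos + $listSize
        while ($cursor + $sigSize -le $end) {
            # Entry: SignatureOwner GUID(16) | SignatureData(SignatureSize - 16)
            $owner = [guid]::new([byte[]]($buf[$cursor..($cursor + 15)]))
            $data  = [byte[]]($buf[($cursor + 16)..($cursor + $sigSize - 1)])
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Var = $VarName; Kind = 'x509'; Subject = $cert.Subject; Owner = $owner }
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $hex = ([BitConverter]::ToString($data)) -replace '-', ''
                [pscustomobject]@{ Var = $VarName; Kind = 'sha256'; Subject = $hex; Owner = $owner }
            } else {
                [pscustomobject]@{ Var = $VarName; Kind = $type.ToString(); Subject = '(unparsed)'; Owner = $owner }
            }
            $cursor += $sigSize
        }
        $pos = $end
    }
}

function Test-SecureBootCaState {
    # One row per CA of interest: trusted (db), revoked (dbx), or absent from both.
    $db  = @(Get-EfiSignatureEntries -VarName db)
    $dbx = @(Get-EfiSignatureEntries -VarName dbx)
    $cas = @(
        'Microsoft Windows Production PCA 2011',   # what Mosby -x / the Microsoft DBX step revokes
        'Microsoft Corporation UEFI CA 2011',      # the option ROM CA asked about in the thread
        'Windows UEFI CA 2023',
        'Microsoft UEFI CA 2023'
    )
    foreach ($cn in $cas) {
        $inDb  = [bool]($db  | Where-Object { $_.Kind -eq 'x509' -and $_.Subject -like "*CN=$cn*" })
        $inDbx = [bool]($dbx | Where-Object { $_.Kind -eq 'x509' -and $_.Subject -like "*CN=$cn*" })
        [pscustomobject]@{ CA = $cn; InDb = $inDb; InDbx = $inDbx }
    }
    $hashCount = @($dbx | Where-Object Kind -eq 'sha256').Count
    Write-Host "dbx also carries $hashCount SHA-256 hash entries"
}

function Get-BootManagerSigner {
    # Mount the EFI System Partition on a free letter and read the Authenticode
    # signature on bootmgfw.efi. Issuer = "Microsoft Windows Production PCA 2011"
    # means the old boot manager; "Windows UEFI CA 2023" means the new one.
    $used = (Get-PSDrive -PSProvider FileSystem).Name
    $free = [char[]](90..68) | Where-Object { $used -notcontains $_ } | Select-Object -First 1
    if (-not $free) { throw 'No free drive letter to mount the ESP on' }
    $letter = "${free}:"
    mountvol $letter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -LiteralPath "$letter\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            Status = $sig.Status
            Signer = $sig.SignerCertificate.Subject
            Issuer = $sig.SignerCertificate.Issuer
        }
    } finally {
        mountvol $letter /D | Out-Null
    }
}

function Get-SecureBootServicingState {
    # AvailableUpdates is the bitmask the Microsoft instructions set (0x20 for the
    # SkuSiPolicy step) and the Secure-Boot-Update task consumes; re-read it after the
    # task has run and you have rebooted. The Servicing value names are assumed (see lead-in).
    $sb   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
    $serv = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AvailableUpdates         = ('0x{0:X}' -f [int]($sb.AvailableUpdates))
        WindowsUEFICA2023Capable = $serv.WindowsUEFICA2023Capable
        UEFICA2023Status         = $serv.UEFICA2023Status
    }
}

Test-SecureBootCaState | Format-Table -AutoSize
Get-BootManagerSigner
Get-SecureBootServicingState
```

Reading the output against the thread: a machine where Mosby -x has run should show Microsoft Windows Production PCA 2011 with InDbx = True, and that is only safe if Get-BootManagerSigner reports an Issuer of Windows UEFI CA 2023, which is why the SVN/boot manager step has to be done before the DBX step. Microsoft Corporation UEFI CA 2011 with InDbx = False is the state the thread is discussing; the parser does not treat the MosbyKey entry specially, it is just another x509 row with its own subject.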