Did you manually update your Secure Boot Keys ?


You are correct, I had to use the Microsoft instructions to actually install the 2023 keys in the EFI boot partition. I did that and then ran the check... Pretty sure all my machines are booting using the 2023 keys. If they weren't, secure boot would be crashing since the Windows 2011 key is already in the DBX database.

Really, I just want to get the option certificate installed and add the 2011 option certificate to the DBX database.


I didn't mean the keys as those were handled by Mosby 100% for me except for the Microsoft option ROM which I added on my own directly in the BIOS using the .bin file thanks to @Akeo providing the instructions.

but I was talking about these two things in the mitigation section from How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support


which is basically the \efi\microsoft\boot\bootmgfw.efi file.

and this is the SVN:
 

My Computer

System One

  • OS
    WindowsXP/7/8/8.1/10/11,Linux,Android,FreeBSD Unix
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9570
    CPU
    Intel® Core™ i7-8750H 8th Gen 2.2Ghz up to 4.1Ghz
    Motherboard
    Dell XPS 15 9570
    Memory
    64GB using 2x32GB CL16 Mushkin redLine modules
    Graphics Card(s)
    Intel UHD 630 & NVIDIA GeForce GTX 1050 Ti with 4GB DDR5
    Sound Card
    Realtek ALC3266-CG
    Monitor(s) Displays
    15.6" 4K Touch UltraHD 3840x2160 made by Sharp
    Screen Resolution
    3840x2160 4K UltraHD
    Hard Drives
    Samsung MZ-V9P4T0B/AM 990 PRO 4TB PCIe®4.0 NVMe™ M.2 SSD was Toshiba KXG60ZNV1T02 NVMe 1TB SSD
    PSU
    Dell XPS 15 9570
    Case
    Dell XPS 15 9570
    Cooling
    Stock
    Keyboard
    Stock
    Mouse
    SwitftPoint ProPoint
    Internet Speed
    Comcast/XFinity 1.44Gbps/42.5Mbps
    Browser
    Microsoft EDGE (Chromium based) & Google Chrome
    Antivirus
    Windows Defender that came with Windows
I didn't mean the keys as those were handled by Mosby 100% for me except for the Microsoft option ROM which I added on my own directly in the BIOS using the .bin file thanks to @Akeo providing the instructions.

but I was talking about these two things in the mitigation section from How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support



which is basically the \efi\microsoft\boot\bootmgfw.efi file.

and this is the SVN:
If I hadn't updated the boot manager on my machine, I wouldn't be typing this since secure boot is enabled and the 2011 Windows key has been revoked!
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
If I hadn't updated the boot manager on my machine, I wouldn't be typing this since secure boot is enabled and the 2011 Windows key has been revoked!
True but your last response was talking about the keys which is supposed to be taken care of by Mosby but you said you added them manually and not the boot manager. I'll try the Mosby -x soon and will report back what it added for the DBX section.
 
I just want to get the 2011 Windows cert revoked, I just missed the -x when I did my reading. However, since the option cert is going to be added to Mosby, hopefully that will do both in the same run.
 

I just want to get the 2011 Windows cert revoked, I just missed the -x when I did my reading. However, since the option cert is going to be added to Mosby, hopefully that will do both in the same run.
When I read the README originally, my impression was running as Mosby installed the 3 keys but running Mosby -x only did the DBX part and not the key installing.
 

not the Microsoft Corporation UEFI CA 2011

Unlike PCA 2011, Microsoft UEFI CA 2011 has NOT been revoked.

PCA 2011, which is what Microsoft uses to sign their Windows bootloaders, and pretty much nothing else, was revoked as a shorthand to revoke ALL Windows bootloaders that are vulnerable to BlackLotus. Microsoft UEFI CA 2011, which is used to sign the Linux Shim, and a bunch of other stuff (including 2 bootloaders that I publish: UEFI:NTFS and uefi-md5sum, which I very much want to work on Secure Boot systems) has not been revoked.

Therefore it should NOT be in any DBX, and wanting to add it there means you don't understand how these certificates are being used in the context of Secure Boot.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    Screen Resolution
    4k
Not yet, because you guys keep jumping faster than I can do reasonable testing.
Remember, this thread started with "How do we do the update by following MS's exact instructions?".

But you can scroll down this block:
Code:
    $KEK_Certs = @((Get-SecureBootUEFI KEK | Get-UefiDatabaseSignatures).SignatureList.SignatureData.Subject | where { $_ -match 'Microsoft' } | foreach { $null = $_ -match $CN_regex; $Matches[2] })
    $db_Certs  = @((Get-SecureBootUEFI db  | Get-UefiDatabaseSignatures).SignatureList.SignatureData.Subject | where { $_ -match 'Microsoft' } | foreach { $null = $_ -match $CN_regex; $Matches[2] })
    $dbx_Certs = @((Get-SecureBootUEFI dbx | Get-UefiDatabaseSignatures).SignatureList.SignatureData.Subject | where { $_ -match 'Microsoft' } | foreach { $null = $_ -match $CN_regex; $Matches[2] })

And replace those lines with:
Code:
    $KEK_Certs = @((Get-SecureBootUEFI KEK | Get-UefiDatabaseSignatures).SignatureList.SignatureData.Subject | where { $_ -match 'Microsoft|Mosby' } | foreach { $null = $_ -match $CN_regex; $Matches[2] })
    $db_Certs  = @((Get-SecureBootUEFI db  | Get-UefiDatabaseSignatures).SignatureList.SignatureData.Subject | where { $_ -match 'Microsoft|Mosby' } | foreach { $null = $_ -match $CN_regex; $Matches[2] })
    $dbx_Certs = @((Get-SecureBootUEFI dbx | Get-UefiDatabaseSignatures).SignatureList.SignatureData.Subject | where { $_ -match 'Microsoft|Mosby' } | foreach { $null = $_ -match $CN_regex; $Matches[2] })

I am using your latest provided script at Did you manually update your Secure Boot Keys ? and the first line does not exist so I will probably wait until you post the file later to be on the safe side.
 

When I read the README originally, my impression was running as Mosby installed the 3 keys but running Mosby -x only did the DBX part and not the key installing.

You are incorrect. Please double check what you are saying before trying to speak authoritatively, because you are 100% wrong here, and I'm growing tired of having to correct misconceptions and approximations in this thread.

This is the actual output from running Mosby -x, which shows that you are incorrect:

Code:
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2024.01.09]'
Installing DBX:  'Revocation of 'Microsoft Windows Production PCA 2011''
Installing DBX:  'Microsoft's 'Secure Version Number' DBX entries [2025.01]'
Installing DBX:  'DBX for x86 (64 bit) [2025.06.11]'
Installing DB:   'Windows UEFI CA 2023'
Installing DB:   'Microsoft Corporation UEFI CA 2011'
Installing DB:   'Microsoft UEFI CA 2023'
Installing DB:   From 'MosbyKey.crt'
Installing KEK:  'Microsoft Corporation KEK CA 2011'
Installing KEK:  'Microsoft Corporation KEK 2K CA 2023'
Installing PK:   'Mosby Generated PK [2025.09.25]'
 

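The `Mosby -x` output posted above can be audited mechanically for the two points under dispute in this thread: which UEFI variables the run writes, and whether any certificate ends up both trusted (DB) and revoked (DBX). This is an added example, not part of the thread and not Mosby's own code; the function names are assumptions, and the second log is constructed to show what revoking Microsoft Corporation UEFI CA 2011 would look like to the check.

```python
import re

# Output of `Mosby -x` exactly as posted in the thread above.
MOSBY_X_OUTPUT = """\
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2024.01.09]'
Installing DBX:  'Revocation of 'Microsoft Windows Production PCA 2011''
Installing DBX:  'Microsoft's 'Secure Version Number' DBX entries [2025.01]'
Installing DBX:  'DBX for x86 (64 bit) [2025.06.11]'
Installing DB:   'Windows UEFI CA 2023'
Installing DB:   'Microsoft Corporation UEFI CA 2011'
Installing DB:   'Microsoft UEFI CA 2023'
Installing DB:   From 'MosbyKey.crt'
Installing KEK:  'Microsoft Corporation KEK CA 2011'
Installing KEK:  'Microsoft Corporation KEK 2K CA 2023'
Installing PK:   'Mosby Generated PK [2025.09.25]'
"""

# CONSTRUCTED input: the real output plus one hypothetical line that Mosby
# does not emit, modelling the "also revoke UEFI CA 2011" idea from the thread.
HYPOTHETICAL_LOG = (
    MOSBY_X_OUTPUT
    + "Installing DBX:  'Revocation of 'Microsoft Corporation UEFI CA 2011''\n"
)

LINE_RE = re.compile(r"^Installing\s+(?P<var>[A-Za-z]+):\s+(?P<rest>.+)$")
REVOCATION_RE = re.compile(r"^Revocation of '(?P<ca>.+)'$")


def parse_install_log(text):
    """Group 'Installing <VAR>: <description>' lines by target variable."""
    entries = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # ignore anything that is not an install line
        desc = m["rest"].strip()
        # Descriptions are wrapped in one pair of outer quotes but may contain
        # nested quotes, so strip only the outermost pair.
        if len(desc) >= 2 and desc[0] == "'" and desc[-1] == "'":
            desc = desc[1:-1]
        entries.setdefault(m["var"].upper(), []).append(desc)
    return entries


def audit(text):
    """Report variables written, CAs revoked, and any DB/DBX contradiction."""
    entries = parse_install_log(text)
    revoked = [
        m["ca"]
        for desc in entries.get("DBX", [])
        if (m := REVOCATION_RE.match(desc))
    ]
    trusted = entries.get("DB", [])
    return {
        # More than just DBX here means the run is a full key installation.
        "variables_written": sorted(entries),
        "revoked_cas": revoked,
        # A CA in both lists is trusted and revoked at once; DBX wins, so
        # everything signed under that CA stops booting.
        "trusted_and_revoked": sorted(set(trusted) & set(revoked)),
    }


if __name__ == "__main__":
    for label, log in (("posted", MOSBY_X_OUTPUT), ("hypothetical", HYPOTHETICAL_LOG)):
        print(label, audit(log))
```
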
Unlike PCA 2011, Microsoft UEFI CA 2011 has NOT been revoked.

PCA 2011, which is what Microsoft uses to sign their Windows bootloaders, and pretty much nothing else, was revoked as a shorthand to revoke ALL Windows bootloaders that are vulnerable to BlackLotus. Microsoft UEFI CA 2011, which is used to sign the Linux Shim, and a bunch of other stuff (including 2 bootloaders that I publish: UEFI:NTFS and uefi-md5sum, which I very much want to work on Secure Boot systems) has not been revoked.

Therefore it should NOT be in any DBX, and wanting to add it there means you don't understand how these certificates are being used in the context of Secure Boot.
What you said is exactly what I thought as even in Microsoft's instructions, Mosby -x does exactly the same thing as this:

@gunrunnerjohn wanted to revoke Microsoft UEFI CA 2011 in addition to PCA2011 which was what he was asking earlier when he said the 2011 ROM so I was surprised you said Mosby with -x did revoke it as I had not found any instructions anywhere to revoke Microsoft UEFI CA 2011 as I am sure it would have been mentioned somewhere if it needs to be revoked.
 

Unlike PCA 2011, Microsoft UEFI CA 2011 has NOT been revoked.

PCA 2011, which is what Microsoft uses to sign their Windows bootloaders, and pretty much nothing else, was revoked as a shorthand to revoke ALL Windows bootloaders that are vulnerable to BlackLotus. Microsoft UEFI CA 2011, which is used to sign the Linux Shim, and a bunch of other stuff (including 2 bootloaders that I publish: UEFI:NTFS and uefi-md5sum, which I very much want to work on Secure Boot systems) has not been revoked.

Therefore it should NOT be in any DBX, and wanting to add it there means you don't understand how these certificates are being used in the context of Secure Boot.
Very true! :LOL: OK, so we don't want to revoke the Microsoft UEFI CA 2011, obviously good to know! I realized that it wasn't used to boot Windows, but since they had a new 2023 version of the certificate, I falsely assumed that it was included in the certificates to be revoked.

Is the 2023 version just intended to be used going forward, or is there another reason for that to exist?

I guess really my upgrades are complete if the Microsoft UEFI CA 2011 certificate is still a trusted entity.

I hope you can see why this whole topic is a bit confusing!
 

You are incorrect. Please double check what you are saying before trying to speak authoritatively, because you are 100% wrong here, and I'm growing tired of having to correct misconceptions and approximations in this thread.

This is the actual output from running Mosby -x, which shows that you are incorrect:

Code:
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2024.01.09]'
Installing DBX:  'Revocation of 'Microsoft Windows Production PCA 2011''
Installing DBX:  'Microsoft's 'Secure Version Number' DBX entries [2025.01]'
Installing DBX:  'DBX for x86 (64 bit) [2025.06.11]'
Installing DB:   'Windows UEFI CA 2023'
Installing DB:   'Microsoft Corporation UEFI CA 2011'
Installing DB:   'Microsoft UEFI CA 2023'
Installing DB:   From 'MosbyKey.crt'
Installing KEK:  'Microsoft Corporation KEK CA 2011'
Installing KEK:  'Microsoft Corporation KEK 2K CA 2023'
Installing PK:   'Mosby Generated PK [2025.09.25]'

You would know Mosby better than anyone else as you are the author but this is what it says on the README and this is a screenshot:


The -x says it only installs the Microsoft update that invalidates Microsoft Windows Production PCA 2011, which would imply that is the only thing it does, and not in addition to what running "Mosby" does.
 

I hope you can see why this whole topic is a bit confusing!

I'm going to be very honest here: The only reason this topic is confusing is because you guys are rushing into trying stuff pretty much at random, rather than trying to understand the pieces first.

This is the problem of user forums like this. There's a lot of intrinsic "I was first to do X" competition, for illusory internet bragging rights, which leads to approximations, half-truths or flat-out errors, along with the usual "Well I was incorrect... but not really" replies, which of course makes a thread where people want to find actual actionable data a complete mess to sieve through.
 

Very true! :LOL: OK, so we don't want to revoke the Microsoft UEFI CA 2011, obviously good to know! I realized that it wasn't used to boot Windows, but since they had a new 2023 version of the certificate, I falsely assumed that it was included in the certificates to be revoked.

Is the 2023 version just intended to be used going forward, or is there another reason for that to exist?

I guess really my upgrades are complete if the Microsoft UEFI CA 2011 certificate is still a trusted entity.

I hope you can see why this whole topic is a bit confusing!

I already assumed early on it wasn't revoked for a reason when you were saying you were going to revoke it, as there are no instructions to revoke it. Well, the 2011 still will work until June 2026 so if it didn't exist, you would have other problems with things that already use the 2011. The 2011 won't work after June 2026.
 

Well, I'll sit in the corner now and see how things shake out. Sorry to be so much trouble.
 

You would know Mosby better than anyone else as you are the author but this is what it says on the README and this is a screenshot:


The -x says it only installs the Microsoft update that invalidates Microsoft Windows Production PCA 2011, which would imply that is the only thing it does, and not in addition to what running "Mosby" does.

Please re-read what the README actually says. There's an "only" there, but NOT for the certificate that is going to be installed part. Instead it is for the "You are supposed to know what you are doing part". See also my previous reply.
 

I'm going to be very honest here: The only reason this topic is confusing is because you guys are rushing into trying stuff pretty much at random, rather than trying to understand the pieces first.

This is the problem of user forums like this. There's a lot of intrinsic "I was first to do X" competition, for illusory internet bragging rights, which leads to approximations, half-truths or flat-out errors, along with the usual "Well I was incorrect... but not really" replies, which of course makes a thread where people want to find actual actionable data a complete mess to sieve through.
That's actually @gunrunnerjohn since remember in the other thread, he was the one who can't tell the difference between 25H2 of UEFI Shell and Windows 11 when it came to Mosby so I only used Mosby after reading the dialog between you and him which is weeks after he successfully used it. Earlier in this thread a few days ago, he also talked about revoking the 2011 UEFI and I already said no one else had done it yet and there are no instructions for it, and then earlier you and he were talking about revoking the 2011 ROM which means instead of 2 2011 certificates, there are now 3 certificates as you said -x revoked the 2011 ROM in an earlier post and remember you are the author of Mosby so you should know your product well. It has nothing to do with forums like this because if you look at @gunrunnerjohn's signature, he is supposedly a Microsoft MVP as well so he is supposed to be more competent than others in this area. As for me, why would I want to try -x when in the instructions, you specifically said:
  • -x: Install the Microsoft update that invalidates Microsoft Windows Production PCA 2011. You should only use this if you know what you are doing, as you may not be able to boot or reinstall Windows otherwise. You have been warned!
 

Please re-read what the README actually says. There's an "only" there, but NOT for the certificate that is going to be installed part. Instead it is for the "You are supposed to know what you are doing part". See also my previous reply.
I don't need to, I have read it at least 20 times over the past week and it has more to do with how one interprets it as this is even what Google's AI says:

implies is exactly what I am talking about.
 

I don't need to

<Sigh> Then I would appreciate if you would stop pretending I wrote things that I most certainly did not write, thank you.

Also, I'm super happy to learn that Mosby is an Android application, which should give you some hint that, possibly, your AI summary isn't that trustworthy...
 
