Did you manually update your Secure Boot Keys ?

gunrunnerjohn · Sep 25, 2025

Even I know not to take Google AI as the gospel! I've seen some egregious misstatements with their AI!

Almighty1 · Sep 25, 2025

Akeo said:
<Sigh> Then I would appreciate if you would stop pretending I wrote things that I most certainly did not write, thank you.

Also, I'm super happy to learn that Mosby is an Android application, which should give you some hint that, possibly, your AI summary isn't that trustworthy...

Well, remember I am not the only one who read it that way which was why I asked Google AI how they would translate it and notice it said that was what you implied as well when you think about it from a correct english perspective.

If you search for Mosby, you will get the other Mosby 99% of the time. The only way I even found the link to Mosby had always been to use pbatard first and then look at your projects. Search for Mosby will always have results of people with the name Mosby and this is the only thing even related to
software:

Remember that both Mosby's are on github except yours is not showing up. The only way to find the correct Mosby is to use Mosby Software in the search but the other Mosby has existed since 2015 if not earlier so I am sure the AI is based on the Mosby that is more well known...

Almighty1 · Sep 25, 2025

gunrunnerjohn said:
Even I know not to take Google AI as the gospel! I've seen some egregious misstatements with their AI!

Yes but remember there is nothing in the README that says in addition so how would one translate it. If you don't want to take Google as gospel, ask someone who's profession is in the english language or someone who is a Toastmasters International Club member on how they would translate it. It has to do with how something is said as it should be something the reader as in general audience or in laymen's terms would all understand the same way.

Akeo · Sep 25, 2025

Again, there's only one 2011 cert that has been revoked, so when someone talks about adding a 2011 cert to the DBX, I will always assume PCA, because it makes no sense trying to add anything else there. It didn't even remotely cross my mind that someone would want to add an Option ROM cert there...

Excuse me for trying to give you credit for not completely mixing things up. I will try not to repeat that mistake...

And, with regards to your last comment, when you actually read it, there's nothing in the README that states it will only add that cert. I am not responsible for how people choose to misinterpret things they read.

Almighty1 · Sep 25, 2025

Akeo said:
Again, there's only one 2011 cert that has been revoked, so when someone talks about adding a 2011 cert to the DBX, I will always assume PCA, because it makes no sense trying to add anything else there.

Excuse me for trying to give you credit for not completely mixing things up. I will try not to repeat that mistake...

And, with regards to your last comment, when you actually read it, there's nothing in the README that states it will only add that cert. I am not responsible for how people choose to misinterpret things they read.

Now you know why one needs to proof read what one actually writes to be competent in communications. I wasn't trying to be rude but just wanted to point it out.

You are right you never used the word only but one would not know how Mosby operates without actually trying it with the -x and you did give that warning in that -x option and besides, there is two ways to add the cert, either the Mosby way or the Microsoft way. Most people would be more interested in what just running Mosby adds anyways since it has the unique key plus the 3 certificates. But good to know that at least with -x, one does not have to run Mosby twice, once for the DB's and once for the DBX. In a way, it's similar to manpages on Unix and Un*x like OSes, they can put paramenters as well but they will say what each parameter actually includes.

Margarita · Sep 25, 2025

I followed all the steps in the Microsoft article Here How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support and the mitigations and revocations It was successful

But I got a strange value in the registry indicating that UEFICA2023Status=NotStarted

gunrunnerjohn · Sep 25, 2025

Akeo said:
Again, there's only one 2011 cert that has been revoked, so when someone talks about adding a 2011 cert to the DBX, I will always assume PCA, because it makes no sense trying to add anything else there. It didn't even remotely cross my mind that someone would want to add an Option ROM cert there...

That was probably my mistake, I falsely assumed that both 2011 certificates would be revoked since there were two 2023 replacement certificates. I see now the error in my ways, and I'm thankful that you pointed out that I was potentially taking aim at a body part for no reason!

I promise to take a more measured approach before jumping into the deep end again!

gunrunnerjohn · Sep 25, 2025

oma99 said:
I followed all the steps in the Microsoft article Here How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support and the mitigations and revocations worked

View attachment 146620

But I got a strange value in the registry indicating that UEFICA2023Status=NotStarted
View attachment 146618

It looks like that might be an indicator for Microsoft to know where in the Secure Boot process update they are. Mine says the same thing, but I am using Secure Boot with the 2023 keys and the 2011 key revoked.

Margarita · Sep 25, 2025

gunrunnerjohn said:
It looks like that might be an indicator for Microsoft to know where in the Secure Boot process update they are. Mine says the same thing, but I am using Secure Boot with the 2023 keys and the 2011 key revoked.

View attachment 146623

Google Search AI Say..
"UEFI CA 2023 Status NotStarted" likely refers to the current status of the "Windows UEFI CA 2023 certificate update," which is part of Microsoft's initiative to replace the expiring 2011 certificates for Secure Boot. A "NotStarted" status indicates that the process to update the certificate on a specific device or within an enterprise environment has not yet begun or completed

gunrunnerjohn · Sep 25, 2025

oma99 said:
Google Search AI Say..
"UEFI CA 2023 Status NotStarted" likely refers to the current status of the "Windows UEFI CA 2023 certificate update," which is part of Microsoft's initiative to replace the expiring 2011 certificates for Secure Boot. A "NotStarted" status indicates that the process to update the certificate on a specific device or within an enterprise environment has not yet begun or completed

Well, in this case, they're probably right, that's what I figured it was. Obviously, I didn't wait for Microsoft to do the work.

Margarita · Sep 25, 2025

gunrunnerjohn said:
Well, in this case, they're probably right, that's what I figured it was. Obviously, I didn't wait for Microsoft to do the work.

But I tested the Macrium media and got a "secure boot violation" which means the mitigations and revocations is working

gunrunnerjohn · Sep 25, 2025

Yep, I'm sure you have it installed, but I suspect that flag is for the Windows Update to sequence the updates, you jumped the gun and did it manually.

Akeo · Sep 25, 2025

(According to Google, but not Google AI) The text below used to be in Windows devices with IT-managed updates - Microsoft Support

The names UEFICA2023Status and UEFICA2023Error were defined in the design to capture the status of adding the “Windows UEFI CA 2023” certificates.

Be very careful that the process of adding the “Windows UEFI CA 2023” certificates is a different thing from actual use of the Windows UEFI CA 2023 certificate or system capability regarding its compatibility.

Most likely it refers to registry keys that are created when going through the KB5025885 update process, and that pertain to the status of that specific process, when it comes to updating the Secure Boot database on a system that only has the 2011 certs. So on systems that did not need to run that process, one can surmise it will say NotStarted, even as the system is 2023 cert compatible.

For instance, if you installed Windows 25H2 on a system that already has Windows UEFI CA 2023 (with PCA 2011 revoked), you will also see NotStarted (I actually tested it), even though the system is obviously using Windows UEFI CA 2023.

In other words, you want to be careful trying to rely on registry key, that is not formally documented by Microsoft, to tell you whether your system is using the 2023 certs or not.

WindowsUEFICA2023Capable does seem to reflect the capabilities of the system though (even as we have no clue what having 2 instead of 1 means).

The only sure way to know if your system is 2023 capable or if the 2011 PCA cert has been revoked is to look at the actual Secure Boot variables.

gunrunnerjohn · Sep 25, 2025

Akeo said:
The only sure way to know if your system is 2023 capable or if the 2011 PCA cert has been revoked is to look at the actual Secure Boot variables.

And there have been several handy scripts posted here to check and see if everything is updated and the system is capable of booting with the Windows UEFI CA 2023 and secure boot enabled.

Maybe the "2" means it's doubly ready. :think:

garlin · Sep 25, 2025

You folks should stop trying argue technical topics by quoting an AI engine. Seriously.

Ted Mosby is the main character from the TV sitcom "How I Met Your Mother".

Margarita · Sep 25, 2025

@Akeo Thank you this was helpful..it's more complicated than it looks

Akeo · Sep 25, 2025

@Buddywh, the issue is that we are saying the same thing, but (from what I interpret of what you wrote) you appear to assume that we are saying something different. What you see reported in the BIOS are the Secure Boot variables.

I get the feeling that you are thinking that the Secure Boot variables are somehow different than the Secure Boot KEK, DBX, DB and so on you see in the UEFI firmware, whereas they are the same thing. These objects are being stored as UEFI variables, so that's why I'm calling them so.

And yeah, not all UEFI firmwares will report detailed information about them. But you can use PowerShell to access these variables or UEFI executables that are designed to look at these to get the details you need.

Buddywh · Sep 25, 2025

Akeo said:
@Buddywh, the issue is that we are saying the same thing, but (from what I interpret of what you wrote) you appear to assume that we are saying something different. What you see reported in the BIOS are the Secure Boot variables.
...

I went back and re-read your post after I wrote that and thought maybe you were saying the same thing too... so I deleted it.

But I was not certain so thanks for confirming it! This is whole transition with this keys update is a bit concerning. I want to know enough that I could manage a recovery from a mangled update (should it happen) when Microsoft starts it in a few months. I'm already considering that laptop a complete loss, both for this and the win10 obsolescence, I don't want similar happening to any of the three desktops in my household.

So I lurk on forums like this, hoping to pick up a few morsels since no one is willing to dumb it down just far enough for someone of my skill level to understand.

Almighty1 · Sep 25, 2025

@Buddywh - As @Brink would say which is in his signature "There are no dumb questions, just the people who do not ask them." People will increase their knowledge when they ask the question and learn from the answers themselves and the other people who read it will also learn something. Until they ask, they will not even know what is the correct answer and then it will just be assuming, just like the word when dissected (a s s out of u + me) as the saying goes. If people do not ask anything, there would also be no purpose for forums either since everyone already knows everything and until the day one dies, there is always something new to learn.

Margarita · Sep 25, 2025

Check_Mosby_EFIBootFile.ps1

Did you manually update your Secure Boot Keys ?

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Active member

My Computer

Similar threads