Did you manually update your Secure Boot Keys ?


Why is this error when copy/pasting the CA 2023 check command in OP? I use both the forum system copy to clipboard on click and manual highlight and copy but same error.


Never mind, I figured it out. Apparently it doesn't paste the 'quotation' symbol in the correct format. I had to paste it into Notepad, recompose it, and replace the pasted quotation marks with typed ones. Why, I do not know.
 

My Computer

System One

  • OS
    All of them
here is my current deal as of now
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
Disk 1: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

OK, here are a few questions before I consider this done.
1. Microsoft Option ROM UEFI CA 2023: do I need it?
2. The DBX file should be left blank because as of now there are no ISO files with the 2023 version out there?
3. With Windows UEFI CA 2023 in the boot manager, it should load all files signed with a 2011 signature?
4. If you have to do a clean install, should you be able to do it with Secure Boot on?
 

My Computer

System One

  • OS
    WINDOWS 11 WINDOWS 10
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP H8 1360T
    CPU
    Intel(R) Core(TM) i7 -3770K CPU 3.50 GZ 3501 4 CORE
    Motherboard
    PEGATRON 2AD5
    Memory
    32.0 GB (31.9 GB usable)
    Graphics Card(s)
    AMD RADEON TM R5240 INTELL HD GRAPHICS 4600 TIGER 1+1 USB
    Sound Card
    AMD HD . IDT
    Monitor(s) Displays
    AOC WAL MART SPECIAL . HP 2311 IX IPS LED DELL 1708 FP
    Screen Resolution
    1920 X 1080 1600X900 1280X940
    Hard Drives
    1 FAXING S 100 512GB 1 KINGSTON 120 GB SSD 1 X12 SSD 512 GB
    PSU
    300 WATT HP
    Case
    FULL
    Cooling
    ON BOARD FAN
    Keyboard
    LOGITEC K 520 WIRELESS
    Mouse
    LOGITEC M 510 WIRELESS
    Internet Speed
    55 UP 11.2 DOWN
    Browser
    CHROME EDGE
    Antivirus
    WINDOWS SECUIRTY
    Other Info
    NON SUPPORTED HARDWARE FOR WINDOWS 11
...
4. If you have to do a clean install, should you be able to do it with Secure Boot on?
I'm very interested in the expert's answer to that one, although I do have an idea what the answer might be.

But I also have a twist on it: what happens with a "repair install with in-place upgrade"?

ADDED: BTW, I'm following all this (and trying things too) so that I can have some measure of confidence I can figure things out when it starts going side-ways on my family's systems as Microsoft pushes out the certificate-fixing updates in the coming months. That's when these experts are either going to be hiding under a rock flying "I Told You So" flags, or too busy helping out paying clients get their systems back in service.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
The issue isn't based on WHAT TIME IT IS. It's the fact that some VBIOS'es have signed themselves, in order to allow the UEFI to trust it.

By banning the CA 2011 cert by adding it to DBX, it invalidates anything accessible to UEFI that signed itself with CA 2011. This means your boot file readable on a disk device, or the GPU that self-signed as CA 2011. This problem exists as soon as you send CA 2011 to DBX.

Not all GPU's are vulnerable to this problem. But the alarm is from the lack of urgency in providing a similar method for self-scanning, and pestering the GPU vendors to provide some relief.
Clearly, my RTX 4060 GPU is not one that has the problem as I have revoked the CA 2011 and I'm booting with the 2023 certs and secure boot enabled. My processor does have integrated graphics, but nothing is connected to it.
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
I'm very interested in the expert's answer to that one, although I do have an idea what the answer might be.

But I also have a twist on it: what happens with a "repair install with in-place upgrade"?

ADDED: BTW, I'm following all this (and trying things too) so that I can have some measure of confidence I can figure things out when it starts going side-ways on my family's systems as Microsoft pushes out the certificate-fixing updates in the coming months. That's when these experts are either going to be hiding under a rock flying "I Told You So" flags, or too busy helping out paying clients get their systems back in service.
It has taken me 2 months to get to where I am. I have done so many BIOS updates, resets, clean installs, yada yada. As for the GPU, that's another season lol. I went with a cheap older Radeon. At least it supports Secure Boot for the time.
 

The question here is: can a Windows 10 ISO be modded to get the 2023 signature like an 11 ISO can?
 

The question here is: can a Windows 10 ISO be modded to get the 2023 signature like an 11 ISO can?
I'm pretty sure you can mod an ISO to sign the boot file with your own, custom, key so modding it to sign with either the CA 2011 or CA 2023 is certainly possible (assuming it doesn't also appear in DBX). At least I'm inferring that from @Akeo 's posts and readme files AND, as well, it's quite likely one reason MOSBY provides the ability to upload your own keys to the secure boot variables and establish your own, unique chain of trust all the way back to a totally unique-in-this-world Platform Key. At which point you will have assumed complete control and responsibility for maintaining your Windows 11 installation I suppose, which is PROBABLY something many large corporations might do.

This is just one really good reason to only get your install media direct from Microsoft if you aren't extremely capable at what you're doing.

And also, modifying ISO's and WIM's is a skill far above and beyond any I'm likely to acquire. So largely only a matter of curiosity.
 
So do you think the concerns about GPU's being rendered incapable of supporting secure boot (by the Microsoft certificates expiring) if they don't get vBIOS updates is... let's say over-hyped?

There are always exceptions, and that would doubtless be the case here too, but I certainly do hope the "sky is falling" perspective isn't deserved.

Hard to say, don't like to play the role of the Devil's advocate for Microsoft - or any other tech giants. As proven by Nvidia in practice - while raising the GPU prices to the most obscene levels during the pandemic (a time when the GPU production was at an all-time low, so let's say... GPUs being that overpriced - made sense back then). Though, seeing - the demand was so high even at such prices - greed got the best of them - and they decided to keep selling them overpriced till it became the norm. That being said - I'm not undermining the corporate greed capacity - where these tech giants could turn bluntly Evil once again - for the sake of profit. So yes, Evil exists (even in the worst imaginable ways) - I'm not ignorant to that possibility - where Microsoft in partnership with the major OEMs - would sacrifice the systems of hundreds of millions of users - claiming those are outdated and an upgrade would be mandatory (that would be worth trillions $ in sales). Even for systems that are officially supported or GPUs - not yet labeled as EOL by the Manufacturer (Nvidia, AMD and Intel) - but by the OEM (claiming they no longer support those models).

On the other hand.... there’s also room for common sense. Most of this fear assumes that UEFI firmware will strictly enforce signature verification on GPU GOP firmware but in real-world consumer hardware, that’s rarely the case. A large number of GPUs either have no formal signature at all or rely on OEM trust certificates rather than Microsoft’s certificate chain, especially in laptops. And laptops (along with tablets and mobile devices) have made up the majority of PC sales for nearly a decade or so - not desktops.

Strict GOP signature enforcement is far more common in enterprise or server platforms, where hardware integrity is a high-security requirement. But on mainstream consumer devices, GPUs are usually treated more permissively. The only real exception tends to be network hardware - for obvious reasons (it's where the big bad wolf - is expected to invade the system).
 

My Computer

System One

  • OS
    WinDOS 25H2
    Computer type
    Laptop
    CPU
    Intel & AMD
    Memory
    SO-DIMM SK Hynix 15.8 GB Dual-Channel DDR4-2666 (2 x 8 GB) 1329MHz (19-19-19-43)
    Graphics Card(s)
    nVidia RTX 2060 6GB Mobile GPU (TU106M)
    Sound Card
    Onbord Realtek ALC1220
    Screen Resolution
    1920 x 1080
    Hard Drives
    1x Samsung PM981 NVMe PCIe M.2 512GB / 1x Seagate Expansion ST1000LM035 1TB
I just saw where the latest version of Rufus will allow you to make a Windows UEFI CA 2023 ISO file if PCA 2011 has been revoked.
I am testing it out to see if a CA 2023 will boot while PCA is still active and not revoked.

 

.... But on mainstream consumer devices, GPUs are usually treated more permissively ...
That's kind of what I was thinking before reading the "sky is falling" posts, mostly from a common sense perspective.

I'm thinking of the many hacked vBIOS's people have uploaded to their GPU's in a bid to improve gaming performance. And the hacked BIOS's for bit mining which many people bought used on eBay. From a common sense perspective, I'd have to imagine those GPU's wouldn't allow an average Windows 10 or 11 PC to boot in Secure Boot mode IF there were signing and "trust" issues. And yet they did, and still do in many cases.
 

The question here is: can a Windows 10 ISO be modded to get the 2023 signature like an 11 ISO can?
You replace the USB media's boot file and copy the extra EFI folders to a mounted install WIM.

MS already provides a workable PS script for doing it. But it's far easier to use UUP dump, and edit ConvertConfig.ini to allow UUP dump to do this task automatically.
 

My Computer

System One

  • OS
    Windows 7
You replace the USB media's boot file and copy the extra EFI folders to a mounted install WIM.

MS already provides a workable PS script for doing it. But it's far easier to use UUP dump, and edit ConvertConfig.ini to allow UUP dump to do this task automatically.
That's what I was thinking.
Do you think an ISO made with CA 2023 would still boot if you have not revoked CA 2011?
 

There are really four distinct possibilities:

1. Your UEFI only has KEK CA 2011; so it can only boot CA 2011-signed media.
2. Your UEFI has both KEK CA 2011 and KEK CA 2023; so it can boot either media.
3. Your UEFI has both KEK CA 2011 and KEK CA 2023, but has banned CA 2011; so it can only boot CA 2023.
4. Your vendor hates you and UEFI only has KEK CA 2023; so it can only boot CA 2023.

In any case, you can always temporarily disable Secure Boot to perform an install.
 

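The boot-media cases listed in the post above can be checked against a machine's actual state. The following PowerShell is an added example, not code from the thread or from Microsoft: it decides from the DB (allowed) and DBX (forbidden) certificate lists, the same two lists the script output in this thread prints, and the function names `Get-BootMediaVerdict` and `Get-CertNamesInVariable` are hypothetical.

```powershell
# Added example (not from the thread). Function names are hypothetical.
$Pca2011 = 'Microsoft Windows Production PCA 2011'   # signer of the older Windows boot manager
$Ca2023  = 'Windows UEFI CA 2023'                    # signer of the newer Windows boot manager

function Get-BootMediaVerdict {
    # Pure decision logic: takes certificate names, returns which media will start.
    param(
        [string[]]$DbCerts  = @(),
        [string[]]$DbxCerts = @()
    )
    # A signer is usable only if it is allowed (DB) and not forbidden (DBX).
    $old = ($DbCerts -contains $Pca2011) -and ($DbxCerts -notcontains $Pca2011)
    $new = ($DbCerts -contains $Ca2023)  -and ($DbxCerts -notcontains $Ca2023)

    if ($old -and $new) { return 'Boots 2011-signed and 2023-signed media' }
    if ($new)           { return 'Boots 2023-signed media only' }
    if ($old)           { return 'Boots 2011-signed media only' }
    return 'Boots neither; Secure Boot must be off to start Windows media'
}

function Get-CertNamesInVariable {
    # Reads a Secure Boot variable (db or dbx) and reports which of the two
    # Windows signers appear in it. Needs an elevated prompt on UEFI firmware.
    # Assumption: a plain ASCII search for the certificate name is enough, so
    # only certificate-level entries are seen, not hash-only DBX entries.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        Write-Warning "Could not read '$Name': $($_.Exception.Message)"
        return @()
    }
    if (-not $bytes) { return @() }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return @($Pca2011, $Ca2023 | Where-Object { $text.Contains($_) })
}

# Constructed sample: the DB list from the script output posted in this thread,
# with an empty DBX, then the same DB after PCA 2011 is added to DBX.
$db = @(
    'Microsoft Corporation UEFI CA 2011',
    'Microsoft Windows Production PCA 2011',
    'Microsoft UEFI CA 2023',
    'Windows UEFI CA 2023'
)
Get-BootMediaVerdict -DbCerts $db -DbxCerts @()
Get-BootMediaVerdict -DbCerts $db -DbxCerts @($Pca2011)

# Live check on the local machine:
# Get-BootMediaVerdict -DbCerts @(Get-CertNamesInVariable db) -DbxCerts @(Get-CertNamesInVariable dbx)
```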
well

this is what the script says

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
Disk 1: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.
 

Your UEFI currently trusts both old and new boot files, because CA 2011 hasn't been banned (added to DBX). Windows Update will probably force that on you next year.
 

OK, can you explain this, please? When changing the ConvertConfig on an ISO, which I did and saved it, I don't know what this means. Can you explain?
5. Run the Windows cmd script likely you normally would do.
 

It is Microsoft Windows Production PCA 2011 that will be revoked in 2026 by Microsoft without the possibility of preventing it and going back.

Microsoft Corporation UEFI CA 2011 will not be revoked, at least not in the short-medium term.
 

My Computer

System One

  • OS
    windows 11
It is Microsoft Windows Production PCA 2011 that will be revoked in 2026 by Microsoft without the possibility of preventing it and going back.

Microsoft Corporation UEFI CA 2011 will not be revoked, at least not in the short-medium term.
You do realize you can undo the revocation by entering UEFI and clearing the DBX of CA 2011? Presumably Windows will have some future automated check script, but I'm sure that will be easy to disable.
 

You do realize you can undo the revocation by entering UEFI and clearing the DBX of CA 2011? Presumably Windows will have some future automated check script, but I'm sure that will be easy to disable.
That has to be a capability provided in the BIOS of the particular machine. Only one of the three machines I've been working on was capable of doing the DBX alone. Otherwise I have to restore ALL the default keys which at this time are all 2011 keys. As I found out, it can leave it unbootable in secure boot if EFI is using a 2023 bootfile which was a problem I ran into. Luckily Microsoft has a recovery process lined out in the KB article.
 
You do realize you can undo the revocation by entering UEFI and clearing the DBX of CA 2011? Presumably Windows will have some future automated check script, but I'm sure that will be easy to disable.
This is only used for Windows. Future builds will never use it again, so removing it from the revocation list at the BIOS level will not help.

It won't be possible to disable it on Windows:

"Date to be announced – Enforcement Phase

The Enforcement Phase will not begin before January 2026, and we will give at least six months of advance warning in this article before this phase begins. When updates are released for the Enforcement Phase, they will include the following:

  • The “Windows Production PCA 2011” certificate will automatically be revoked by being added to the Secure Boot UEFI Forbidden List (DBX) on capable devices. These updates will be programmatically enforced after installing updates for Windows to all affected systems with no option to be disabled."

 
