Did you manually update your Secure Boot Keys ?

Phil_C · Oct 22, 2025

neldog said:
If you don't mind, I would like to ask how you got your USB drives to show up like they are? I have everything like yours, but no USB drives displayed.

Just attach your USB drives before running the script.

neldog · Oct 22, 2025

Phil_C said:
Just attach your USB drives before running the script.

Thank you so much!

neldog · Oct 22, 2025

Well I got it to display but it does not show the 2023 Certificate. Do you know, hate to ask... how do I go about correcting that?

Phil_C · Oct 22, 2025

neldog said:
Well I got it to display but it does not show the 2023 Certificate. Do you know, hate to ask... how do I go about correcting that?

If you are referring to the USB boot drive, go to this link:

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

Run the commands under the heading "Updating Windows Install Media". This will transfer the 2023 signed bootloader to the USB stick. Do this for each bootable USB.

neldog · Oct 22, 2025

Phil_C said:
If you are referring to the USB boot drive, go to this link:

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932

Run the commands under the heading "Updating Windows Install Media". This will transfer the 2023 signed bootloader to the USB stick. Do this for each bootable USB.

Thank you so much.

itsme1 · Oct 22, 2025

According to posts in this thread, MoKiChU scripts install 2023 certificates via Windows Update (it's forced) in Windows, and the observer detects it and no longer displays an error.

It may not be the same for Mosby, and perhaps via BIOS updates as well.

zqchri · Oct 22, 2025

funnily enough running
' [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’ '

returns a True value, but event viewer keeps returning the error

Scott · Oct 23, 2025

zqchri said:
but event viewer keeps returning the error

Run these two commands and see if you get Event ID 1808 under System. Worked for me.

Admin CMD Pormpt
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

Admin Powershell
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Then reboot.

Source

Registry key updates for Secure Boot: Windows devices with IT-managed updates - Microsoft Support

support.microsoft.com

JamesSmith · Oct 23, 2025

I just ran the Bo script. I assume I have a lot of work to do?
I really don't understand any of this.

I am crossing my fingers that Microsoft will release something in the near future to fix this. The people who have posted in this long thread are truly awesome but I have reached the end with it all. If windows doesn't boot because I can't read through MS complex boot update procedure and 50/100 pages of forum posts then so be it.

Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

ultrajv · Oct 23, 2025

Doesn't work on HP prodesk 400 G2 with Intel 6500T CPU latest BIOS. Has TPM 2 with all security on. Windows 11 fully updated. 24H2. Schedule returns errors 0x0. Tried every which way but No luck. I know that Windows 11 doesn't officially support the 6500T.

Buddywh · Oct 23, 2025

ultrajv said:
Doesn't work on HP prodesk 400 G2 with Intel 6500T CPU latest BIOS. Has TPM 2 with all security on. Windows 11 fully updated. 24H2. Schedule returns errors 0x0. Tried every which way but No luck. I know that Windows 11 doesn't officially support the 6500T.

What didn't work?

I updated keys using @Scott 's method above on my HP laptop with an old AMD processor that's "officially unsupported" by Windows 11 so I know that alone won't prevent, there has to be something else peculiar to the system. Your machine my not be one of those Microsoft considers "high confident" so gets flagged in registry to not do an automatic update (info linked Microsoft's KB ID 5068202 linked above). You might check with HP for an updated firmware (BIOS) that provides the 2023 secure boot keys.

The only thing is I did not get the Event ID 1808 in Event Log. I had to run the Check_Mosby_EFIBootFile.ps1 script (look back in this thread to find a link to it) in PowerShell to see the new keys and that the laptop is booting using 2023 boot files. I trust the .ps1 script more anyway since it's actually looking into the BIOS' UEFI variables to find the keys it's reporting on while 1808 is simply based on a flag in the OS' registry which may or may not be representative of what's actually in the BIOS UEFI variables.

ultrajv · Oct 23, 2025

Buddywh said:
What didn't work?

I updated keys using @Scott 's method above on my HP laptop with an old AMD processor that's "officially unsupported" by Windows 11 so I know that alone won't prevent, there has to be something else peculiar to the system. Your machine my not be one of those Microsoft considers "high confident" so gets flagged in registry to not do an automatic update (info linked Microsoft's KB ID 5068202 linked above). You might check with HP for an updated firmware (BIOS) that provides the 2023 secure boot keys.

The only thing is I did not get the Event ID 1808 in Event Log. I had to run the Check_Mosby_EFIBootFile.ps1 script (look back in this thread to find a link to it) in PowerShell to see the new keys and that the laptop is booting using 2023 boot files.

I get false when checking CA 2023. Also Schedule returns error 0x0. The BIOS is latest.

Buddywh · Oct 23, 2025

ultrajv said:
I get false when checking CA 2023 The BIOS is latest.

Did you run these first:
Admin CMD Pormpt:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

Admin Powershell:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Then re-start the system; twice to be sure.

From @Scott 's post above.

That forces Microsoft's automated process to update keys and put in place boot files using the 2023 keys using Microsoft's automated method. And I think it's a good idea to make the system current with updates and running on 25h2 is probably best. And probably also requires it be what is termed a High Confident system in their documents.

Then look back to find the Check_Mosby_EFIBootFile.ps1 script and run that.

ultrajv · Oct 23, 2025

Buddywh said:
Did you run these first:
Admin CMD Pormpt:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

Admin Powershell:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Then re-start the system; twice to be sure.

From @Scott 's post above.

That forces Microsoft's automated process to update keys and put in place boot files using the 2023 keys using Microsoft's automated method. And I think it's a good idea to make the system current with updates and running on 25h2 is probably best. And probably also requires it be what is termed a High Confident system in their documents.

Then look back to find the Check_Mosby_EFIBootFile.ps1 script and run that.

Thanks, will try that. I used the power shell scripts. These have different values.

Buddywh · Oct 23, 2025

ultrajv said:
Thanks, will try that. I used the power shell scripts. These have different values.

When it runs there are a variety of Event ID's that could be logged in the Event Log, even if there are failures, to help it confirm readiness before revoking trust in the 2011 certificates. They could confirm it ran properly or offer clues as to why it fails.

This is the document you'd want to refer to for understanding them:

Secure Boot DB and DBX variable update events - Microsoft Support

support.microsoft.com

And BTW, I forgot to add this: either disable and decrypt any BitLocker'd drives before doing this OR create a USB key drive to recover keys after the updates are done.

ultrajv · Oct 23, 2025

Buddywh said:
When it runs there are a variety of Event ID's that could be logged in the Event Log, even if there are failures, to help it confirm readiness before revoking trust in the 2011 certificates. They could confirm it ran properly or offer clues as to why it fails.

This is the document you'd want to refer to for understanding them:

Secure Boot DB and DBX variable update events - Microsoft Support

support.microsoft.com

And BTW, I forgot to add this: either disable and decrypt any BitLocker'd drives before doing this OR create a USB key drive to recover keys after the updates are done.

Thanks. I'm getting event 15, due to CPU not having VBS.

wowchick · Oct 23, 2025

ultrajv said:
Thanks, will try that. I used the power shell scripts. These have different values.

thanks this worked it got rid of that nasty needed update event error

Buddywh · Oct 23, 2025

ultrajv said:
Thanks. I'm getting event 15, due to CPU not having VBS.

This may be something to investigate with the experts since it may be a hard compatibility problem imposed by the processor, or just something that popped up coincidentally in the log at the same time. It might pop up if you have virtualization disabled in the BIOS CPU settings or aren't using Kernel Mode Hardware Stack protection for instance. I've updated keys in this state on my AMD system but it might be different with Intel and/or HP.

Probably start your own thread asking this question but you'll have to provide both system details and report log details.

Still, look especially for the events listed in the Microsoft Document I linked.

If the Microsoft tasks can't do the updates you could try using MOSBY to update keys. But you'd have to be able to put Secure Boot into "setup mode" in BIOS settings, or delete all the keys. That also means being able to restore default keys if things don't work right. If your BIOS doesn't give you these controls you're probably at the mercy of HP since HP and Dell's business computers typically have very few user-accessible BIOS controls that are useful.

ultrajv · Oct 23, 2025

Buddywh said:
This may be something to investigate with the experts since it may be a hard compatibility problem imposed by the processor, or just something that popped up coincidentally in the log at the same time. It might pop up if you have virtualization disabled in the CPU or aren't using Kernel Mode Hardware Stack protection for instance. I've updated keys in this state on my AMD system but it might be different with Intel and/or HP.

Probably start your own thread asking this question but you'll have to provide both system details and report log details.

Still, look especially for the events listed in the Microsoft Document I linked.

If the Microsoft tasks can't do the updates you could try using MOSBY to update keys. But you'd have to be able to put Secure Boot into "setup mode" in BIOS settings, or delete all the keys. That also means being able to restore default keys if things don't work right. If your BIOS doesn't give you these controls you're probably at the mercy of HP.

Thanks again. Good pointers

Phil_C · Oct 23, 2025

JamesSmith said:
I just ran the Bo script. I assume I have a lot of work to do?
I really don't understand any of this.

I am crossing my fingers that Microsoft will release something in the near future to fix this. The people who have posted in this long thread are truly awesome but I have reached the end with it all. If windows doesn't boot because I can't read through MS complex boot update procedure and 50/100 pages of forum posts then so be it.

Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

You already have the Windows 2023 CA and are booting from it. There are three other CAs that will be needed. I would try running the commands posted by @Buddywh in #1153, which should add the missing CAs. I don't know if that also makes the CAs active, as I did my systems in different ways.

Did you manually update your Secure Boot Keys ?

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

Attachments

My Computer

Well-known member

My Computers

Well-known member

My Computers

New member

My Computer

Well-known member

My Computers

New member

My Computer

Well-known member

My Computers

New member

My Computer

Well-known member

My Computers

New member

My Computer

Active member

My Computer

Well-known member

My Computers

New member

My Computer

Well-known member

My Computers

Similar threads