Did you manually update your Secure Boot Keys ?

Warre1 · Nov 16, 2025

But only bios update can change the default keys in bios. So if bios is reseted to default keys and bios is not updated new keys get removed.

Buddywh · Nov 16, 2025

Warre1 said:
But only bios update can change the default keys in bios. So if bios is reseted to default keys and bios is not updated new keys get removed.

Quite true, and a main reason I suggest people update BIOS to get the updated keys as defaults. But there are a lot of (still perfectly good) computers that have been abandoned by their mfr's... especially HP, Lenovo and Dell... so no BIOS updates are ever coming.

Luckily, there's not many people with a reason to Restore Default Keys in BIOS settings. And before this fiasco reared up even fewer ever burrowed into the screens to see it existed.

I also have to think Microsoft has a way to deal with that situation since they've demonstrated a capability for pushing keys into firmware already.

itsme1 · Nov 18, 2025

alastairGreen_Nexus said:
Same, since for laptops GPU is not replaceable/soldered and this will cause more issues if OEMs and NVIDIA will not act quickly about providing new vBIOS that is signed with the 2023 certificate:

Perhaps it will be okay because Microsoft Windows Production PCA 2011 will be revoked, but not UEFI CA 2011. UEFI CA 2011 will expire but will continue to function after that expiration.

kiilp · Nov 20, 2025

Im missing the KEK key, does anyone know how I can get it? I used powershell commands for the other keys and it seems to be working okay but all I need now is the KEK key.

808 · Nov 20, 2025

kiilp said:
View attachment 153661
Im missing the KEK key, does anyone know how I can get it? I used powershell commands for the other keys and it seems to be working okay but all I need now is the KEK key.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x4 /f
schtasks /run /tn "\Microsoft\Windows\PI\Secure-Boot-Update"

If MS has a KEK signed by your OEM's PK and staged, this should bring it down.

kiilp · Nov 20, 2025

808 said:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x4 /f
schtasks /run /tn "\Microsoft\Windows\PI\Secure-Boot-Update"

If MS has a KEK signed by your OEM's PK and staged, this should bring it down.

Thanks, sadly it did not help. I still don't have 2023 KEK installed. Event Viewer complained about Even ID 1801 right after as well. I suppose I need to ask the manufacturer to give me an updated BIOS version that will have the 2023 KEK and PK from the start.

kiilp · Nov 20, 2025

kiilp said:
Thanks, sadly it did not help. I still don't have 2023 KEK installed. Event Viewer complained about Even ID 1801 right after as well. I suppose I need to ask the manufacturer to give me an updated BIOS version that will have the 2023 KEK and PK from the start.

It also says that UEFICA2023Status is InProgress, any ideas?

Buddywh · Nov 20, 2025

kiilp said:
It also says that UEFICA2023Status is InProgress, any ideas?

View attachment 153675

The key updates are normally rolled out as a series of events that don't all happen at once. If your system received the DB update (Windows CA 2023) then the Secure Boot firmware can validate boot manager files signed with a 2023 certificate, but if it did not receive a 2023 KEK it's not yet complete. So I'd imagine it would consider it still "in progress". It's possible that If something should happen that lets it install an updated KEK (like your mfr. returns one signed by your PK) it might conclude on it's own.

hader · Nov 20, 2025

Yes we are aware of the problem. It should not be a problem if Microsoft would incorporated into their updates. For unknown purpose; They didn't.

neves · Nov 20, 2025

kiilp said:
Thanks, sadly it did not help. I still don't have 2023 KEK installed. Event Viewer complained about Even ID 1801 right after as well. I suppose I need to ask the manufacturer to give me an updated BIOS version that will have the 2023 KEK and PK from the start.

Follow this guide: [INFORMATION] Secure Boot : Windows UEFI CA 2023 Update

BTW, i see you also have the latest UEFI DBX v1.6.0 from 14 Oct 2025 - which doesn't come with any of this low key secure boot updates (rather out-dated). That was either updated by your OEM (that, if you have a modern - more recent hardware - which is "still" targeted by your OEM for updates) - or manually updated (a bit more complicated - compared to above tutorials). Well, that - actually offers some up-to-date level of security.

Buddywh · Nov 20, 2025

neves said:
latest UEFI DBX v1.6.0 from 14 Oct 2025

how do we know what the latest UEFI DBX update is?

neves · Nov 20, 2025

Buddywh said:
how do we know what the latest UEFI DBX update is?

Releases · microsoft/secureboot_objects

Secure boot objects recommended by Microsoft. Contribute to microsoft/secureboot_objects development by creating an account on GitHub.

github.com

On new (recently released) hardware - you'll get that updated by the OEM (the ones who bother with security updates - like Dell and co. - cause some either lag behind or don't bother - like MSI and co.). Older system - are usually out of luck and a manual update can be a hit or miss (a back-up is a must - in case of a miss, can even brick the system). The ones from above link - are meant for OEMs and firmware vendors - not end-users. Older systems firmware with no LVFS (Linux Vendor Firmware Service) support - can be very risky to update manually - because the firmware wasn’t designed for that workflow. You'll just have to chek and see if your hardware supports it: GitHub - fwupd/fwupd: A system daemon to allow session software to update firmware

Buddywh · Nov 20, 2025

neves said:
Releases · microsoft/secureboot_objects

Secure boot objects recommended by Microsoft. Contribute to microsoft/secureboot_objects development by creating an account on GitHub.

github.com

On new (recently released) hardware - you'll get that updated by the OEM (the ones who bother with security updates - like Dell and co. - cause some either lag behind or don't bother - like MSI and co.). Older system - are usually out of luck and a manual update can be a hit or miss (a back-up is a must - in case of a miss, can even brick the system). The ones from above link - are meant for OEMs and firmware vendors - not end-users. Older systems firmware with no LVFS (Linux Vendor Firmware Service) support - can be very risky to update manually - because the firmware wasn’t designed for that workflow. You'll just have to chek and see if your hardware supports it: GitHub - fwupd/fwupd: A system daemon to allow session software to update firmware

Is this something Microsoft regularly updates for Windows OS's? I did note the README on the linked GitHub repository states clearly that if not an advanced user with knowledge of the working of Secure Boot you should leave it to the OS to manage... that suggests Windows should do so but that's not certain to me. It sounds like Linux might be well prepared for dealing with it though, which makes sense for an OS that's favored by the tin-foil hat crowd.

If it's not regularly maintained by Windows, then it may be because they think it infeasible for any of several reasons (some like you suggest). So it would possibly be something IT departments will maintain for systems they manage in their networks. That also makes it seem kind of irrelevant for a bog-standard consumer PC to be shipped with the 'very latest' since it's going to become out-dated pretty soon anyway.

neves · Nov 20, 2025

Buddywh said:
Is this something Microsoft regularly updates for Windows OS's?

Not regullary and only Secure Boot DBX (revocation list) through Windows Update when a vulnerable bootloader or certificate needs to be blocked. This is the part Microsoft controls, because it involves the Windows UEFI CA they operate.

OEM platform keys (PK - KEK), Intel ME/AMT/CSME firmware or the actual UEFI firmware is updated by OEM (in some cases on a blue moon or never - depends how old is your machine).

Buddywh said:
IT departments will maintain for systems they manage in their networks.

This is true only for enterprises that use custom Secure Boot configurations. Many corporate environments use the default - Microsoft managed keys - and never modify them.

666pierog · Nov 23, 2025

I already updated that Option ROM UEFI CA 2023 by myself in BIOS by importing that thing, so i dont need to do anything else yea?

gunrunnerjohn · Nov 23, 2025

I'd just revoke the Microsoft Windows Production PCA 2011, other than that it seems fine.

666pierog · Nov 23, 2025

gunrunnerjohn said:
I'd just revoke the Microsoft Windows Production PCA 2011, other than that it seems fine.

do i need to do that? i think my windows is not running on that 2023 thing

gunrunnerjohn · Nov 23, 2025

666pierog said:
do i need to do that? i think my windows is not running on that 2023 thing

You don't need to do it. However, what was the point of getting the keys updated if you're not going to revoke the old key? A current version of Windows should have the 2023 boot cert. You seem to have the Windows 2023 cert in your DB.

666pierog · Nov 23, 2025

gunrunnerjohn said:
You don't need to do it. However, what was the point of getting the keys updated if you're not going to revoke the old key? A current version of Windows should have the 2023 boot cert. You seem to have the Windows 2023 cert in your DB.

I got "Invalid Signature Detected", i cant remove that.

Buddywh · Nov 24, 2025

666pierog said:
do i need to do that? i think my windows is not running on that 2023 thing .... I got "Invalid Signature Detected", i cant remove that.

If you're not positive your Windows is using 2023 signed secure boot manager files then do not revoke the 2011 Windows CA or your Windows will not start with Secure Boot enabled.

And where are you getting your secure boot objects? Assuming you're trying to "append" to DBX... you might need to use signed binary objects you can get from Microsoft's GitHub (below). Just don't do this until you've saved a copy of bitlocker keys (if using it) AND you KNOW your Windows is running with 2023- signed boot manager files.

secureboot_objects/PostSignedObjects at main · microsoft/secureboot_objects

Secure boot objects recommended by Microsoft. Contribute to microsoft/secureboot_objects development by creating an account on GitHub.

github.com

Did you manually update your Secure Boot Keys ?

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

New member

My Computer My Computer

At a glance

New member

My Computer My Computer

At a glance

New member

My Computer My Computer

At a glance

New member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Similar threads

My Computer

My Computers

My Computer

My Computer

My Computer

My Computer

My Computer

My Computers

My Computers

My Computer

My Computers

My Computer

My Computers

My Computer

My Computer

My Computers

My Computer

My Computers

My Computer

My Computers