Did you manually update your Secure Boot Keys ?

man00 · Jan 4, 2026

Or would it be okay just to leave as is..secure boot according to msinfo32 is on , ran Confirm-SecureBootUEFI shows True

Dirtyflash · Jan 4, 2026

man00 said:
Or would it be okay just to leave as is..secure boot according to msinfo32 is on , ran Confirm-SecureBootUEFI shows True

Yes, it's all good.

fg2001gf11F · Jan 7, 2026

garlin said:
Thanks. PS 7 changed the calling arguments for Get-PfxCertificate.

Replace "-FileName" with "-LiteralPath":

Code:

171 function Get-PFXCert { 172 [Parameter(Mandatory)] 173 param ([string]$FileName) 174 175 try { 176 $Issuer = (Get-PfxCertificate -LiteralPath $FileName).Issuer 177 }

This edit will be rolled into the next official version of the script (later this week).

Actually, it should say:
Replace "-FilePath" with "-LiteralPath"

function Get-PFXCert {
[Parameter(Mandatory)]
param ([string]$FileName)

try {
$Issuer = (Get-PfxCertificate -FilePath $FileName).Issuer
}

tzr916 · Jan 14, 2026

I ran the commands from the first post a while back on all my machines, all currently 25H2.
Just in the past few days some of them have gotten KEK updates through Windows Update. All running 25H2:
z390 ud with i7-9700k
h270m-d3h with i7-7700
LG Gram laptop with i7-1360p
MSI laptop with i7-11800h

But nothing yet on these machines

Asus z590 with i7-11700k
Lenovo laptop i5-1135g7
MSI laptop i5-10210u

Winuser · Jan 14, 2026

tzr916 said:
Just in the past few days some of them have gotten KEK updates through Windows Update.

I received the same update on my newer desktop a couple of days ago. Being that my other devices are older I'm not sure if they will get an update or not.

gunrunnerjohn · Jan 14, 2026

I had use Mosby to generate all my keys, and I haven't seen any of these updates on any of my machines.

Anibor_11 · Jan 14, 2026

gunrunnerjohn said:
I had use Mosby to generate all my keys, and I haven't seen any of these updates on any of my machines.

And you won´t. Mosby uses a different procedure. It doesn´t need the KEK generated by the OEM.

That´s why it can be used to update Secure Boot on old computers that don´t have OEM support.

gunrunnerjohn · Jan 14, 2026

Anibor_11 said:
And you won´t. Mosby uses a different procedure. It doesn´t need the KEK generated by the OEM.

That´s why it can be used to update Secure Boot on old computers that don´t have OEM support.

My reasoning for using Mosby in the first place was it generates it's own PK that is unique to each machine, not the clone that is only unique to a maker's thousands of machines. Since the whole point of Secure Boot and all this certificate juggling is security, might as well make it as secure as possible.

TheVisitor · Jan 21, 2026

I finally got brave and ran the updates scripts today. Also fixed the TPM errors, TPM is up to date now is seems. Did not run the script to remove keys.

Checking for Administrator permission...
Running as administrator - continuing execution...

21 January 2026
Manufacturer: HP
Model: HP Pavilion Desktop TP01-1xxx
BIOS: AMI, F.54, F.54, HPQOEM - 1072009
Windows version: 25H2 (Build 26200.7623)

Secure Boot status: Enabled

Current UEFI PK
√ HP UEFI Secure Boot PK 2017

Default UEFI PK
√ HP UEFI Secure Boot PK 2017

Current UEFI KEK √ Microsoft Corporation KEK CA 2011 (revoked: False) √ Microsoft Corporation KEK 2K CA 2023 (revoked: False) √ HP UEFI Secure Boot KEK 2017 (revoked: False) Default UEFI KEK √ Microsoft Corporation KEK CA 2011 (revoked: False) X Microsoft Corporation KEK 2K CA 2023
√ HP UEFI Secure Boot KEK 2017 (revoked: False)

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)
√ HP UEFI Secure Boot DB 2017 (revoked: False)

Default UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023
√ HP UEFI Secure Boot DB 2017 (revoked: False)

Current UEFI DBX (only the latest one is needed to be secure)
2025-06-11 (v1.5.1) : SUCCESS: 430 successes detected
2025-10-14 (v1.6.0) : SUCCESS: 431 successes detected

Press any key to continue . . .
EVENT Viewer ID 1808
This device has updated Secure Boot CA/keys. This device signature information is included here.
DeviceAttributes: FirmwareManufacturer:AMI;FirmwareVersion:F.54;OEMModelBaseBoard:8767;OEMManufacturerName:HP;OSArchitecture:amd64;
BucketId: 58c7a62c3d44f62559eac5f9ac4f9891af9ebfd538f37214d41ff5e68b045997
BucketConfidenceLevel:
UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023)
For more information, please see Windows Secure Boot certificate expiration and CA updates - Microsoft Support.

pietcorus2 · Jan 22, 2026

Im on legacy bios , since a few weeks my bootime went from 20 to 40 seconds !
Still searching for the cause ..........
Will I get my 20 seconds back , when converting from MBR to GPT , then changing bios from legacy to EUFI...........???

gunrunnerjohn · Jan 22, 2026

pietcorus2 said:
Im on legacy bios , since a few weeks my bootime went from 20 to 40 seconds !
Still searching for the cause ..........
Will I get my 20 seconds back , when converting from MBR to GPT , then changing bios from legacy to EUFI...........???

No real way of knowing without doing it. Is that such a big deal, 20 seconds extra for boot? How often do you have to boot?

666pierog · Feb 13, 2026

Im only missing Option ROM UEFI CA 2023, but i got it from script. Should i be worried about that in future? or im gonna get it with updates? rn i have disabled updates, im on 23h2. I have to do it with this script every time I reinstall Windows because I still haven't received this one key

garlin · Feb 13, 2026

You actually have the Option ROM cert installed. The reason I don't like this script is because everyone mis-reads the results.
Your BIOS doesn't have the Option ROM in the factory defaults. That can't be fixed except by the OEM.

666pierog · Feb 13, 2026

garlin said:
You actually have the Option ROM cert installed. The reason I don't like this script is because everyone mis-reads the results.
Your BIOS doesn't have the Option ROM in the factory defaults. That can't be fixed except by the OEM.

Yea i know, ty.
So i must waiting for bios update?

garlin · Feb 13, 2026

The last BIOS update for your ASR B670 Pro RS was October 2025. They might add it, but probably won't unless someone complains to tech support. My guess is someone in ASUS forgot to check the list and skipped Option ROM.

666pierog · Feb 13, 2026

Okay, thanks. So let's say they don't update with Option ROM 2023, then I'll have to use the script again, right? (if I reset bios/windows)

garlin · Feb 13, 2026

You can always re-apply the OROM cert. Where you might have a serious problem is if your GPU has a firmware signed with OROM. Then you won't see anything at power on (no display). That is a risk depending on your GPU.

Which is why you should complain to ASR about the missing OROM. MS doesn't force every vendor to include it. At a minimum they must support Windows UEFI CA 2023 and Microsoft UEFI CA 2023.

666pierog · Feb 13, 2026

garlin said:
You can always re-apply the OROM cert. Where you might have a serious problem is if your GPU has a firmware signed with OROM. Then you won't see anything at power on (no display). That is a risk depending on your GPU.

Which is why you should complain to ASR about the missing OROM. MS doesn't force every vendor to include it. At a minimum they must support Windows UEFI CA 2023 and Microsoft UEFI CA 2023.

I have RTX 5060. I will try to email them. Hope they fix that till 2011 will expire.

666pierog · Feb 13, 2026

garlin said:
You can always re-apply the OROM cert. Where you might have a serious problem is if your GPU has a firmware signed with OROM. Then you won't see anything at power on (no display). That is a risk depending on your GPU.

Which is why you should complain to ASR about the missing OROM. MS doesn't force every vendor to include it. At a minimum they must support Windows UEFI CA 2023 and Microsoft UEFI CA 2023.

I have one more question, so Option ROM 2023 can't be granted to me by Windows Update right?

garlin · Feb 14, 2026

Right now, Windows Update is only programmed to install KEK CA 2023 on supported PC's. It could install other certs, but it's a gradual deployment and KEK CA 2023 is the first one. You already have OROM in your UEFI DB, but it's missing from the factory defaults.

WU can't fix this. A separate scheduled task is responsible for pushing out certs. If you were missing OROM, the task could push it again. But again, we're in the optional stage. Windows will not force install certs for a few months.

If your vendor releases a new firmware, sometimes it can be delivered by WU. But that is up to the vendor, not MS, since the vendor has to share the file.

The answer is there is nothing you can do, except complain to ASUS. And wait. You're lucky, other people have PC's where there are no more BIOS updates.

Did you manually update your Secure Boot Keys ?

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computer

Member

My Computer

Well-known member

My Computer

Member

My Computer

Well-known member

My Computer

Member

My Computer

Member

My Computer

Well-known member

My Computer

Similar threads