The first thing to do is update your BIOS to the latest available and hope your manufacturer includes the keys as defaults in it. This is preferred since they become built into the BIOS as defaults that will always be there. But if your mfr. has abandoned your motherboard/system and doesn't provide updates that include updated keys, there are some easy ways to also get them:
The 1st is easiest. That's to be sure to run in Secure Boot and enable reporting of diagnostics so that Microsoft can push out key updates over the next few weeks or months.
The 2nd, if you can't wait, is to make sure your Windows is fully up-to-date with the latest updates, especially security updates. Then run the two following commands:
from Admin CMD Prompt
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
from Admin PowerShell
Code:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
There's a third way that's somewhat more involved: download a utility called MOSBY and its companion RUFUS from PBatard's GitHub, and read the instructions on using them for updating all the keys and, in addition, closing a potential backdoor virtually all consumer systems and motherboards ship with at the same time.
There's a fourth way, but it depends on whether your BIOS has the capability for it, and on you finding the certificates on Microsoft's GitHub location. That's to append the key into each variable in BIOS. It also requires a bit more knowledge of the secure boot chain of trust.
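A way to check the result after the second method (the registry value plus the scheduled task), as an added example that is not part of the original post. It assumes an elevated PowerShell prompt on a UEFI system; the certificate names in `$expected` are the 2023 names as published by Microsoft and do not come from the post.

```powershell
# Added example: verify the result of the AvailableUpdates / Secure-Boot-Update step.
# Run from an elevated PowerShell prompt on a UEFI system.

# Certificate names to look for (assumption: Microsoft's published 2023 names).
$expected = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
)

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS systems.
try {
    $enabled = Confirm-SecureBootUEFI
} catch {
    Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    return
}
"Secure Boot enabled: $enabled"

# 2. Current AvailableUpdates value, shown in hex for comparison with the
#    0x5944 that was written by the reg add command.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$au  = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
if ($null -eq $au) { 'AvailableUpdates: not set' }
else { 'AvailableUpdates: 0x{0:X}' -f $au }

# 3. Search the raw KEK and db variables for each certificate name.
#    The names are stored as plain text inside the certificates, so an
#    ASCII decode of the variable followed by a substring test finds them.
$results = foreach ($item in $expected) {
    $present = $false
    try {
        $bytes   = (Get-SecureBootUEFI -Name $item.Variable -ErrorAction Stop).Bytes
        $present = [System.Text.Encoding]::ASCII.GetString($bytes).Contains($item.Name)
    } catch {
        Write-Warning "Could not read $($item.Variable): $($_.Exception.Message)"
    }
    [pscustomobject]@{ Variable = $item.Variable; Certificate = $item.Name; Present = $present }
}
$results | Format-Table -AutoSize

if ($results.Present -contains $false) {
    Write-Warning 'One or more 2023 certificates are missing from KEK/db.'
}
```

The script only reads firmware variables and the registry; it changes nothing, so it can be re-run after each attempt to see whether the keys have landed.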