Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


There was no need to update the Mosby USB stick as it never boots the device, rather it only appends and amends the UEFI in the NVRAM.
Okay, good to know. I wasn't sure if I even needed to bother.
 

Sorry that went over my head a little. So please just tell me what I should do? Or nothing? And would this be any factor in my boot problems? Thank you for your help btw, really appreciate your efforts.
That means you didn't revoke the CA 2011 certs yet. Which would be a good thing, since it could have been a potential blocker to booting. But if you're still having boot problems, it means the reason lies somewhere else.
 

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.
You have an unsupported BIOS.

The manual steps (from the README_UEFI.TXT) are to look in your BIOS menu, for an option to manually add a KEK key.

If you find this option, it will provide a list of drive devices and you search the device(s) until you find an \EFI folder. Under the EFI folder will be a "Certs" subfolder. In that folder is a KEK CA 2023 file to import.

Presuming that step goes well, restart Windows. Now run the update script again. If you don't have a KEK manual enrollment option, we need to proceed to deleting all keys first from the BIOS menu. Then restart Windows, and run the update script again.
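
To confirm whether the manual KEK import described above took effect before re-running the update script, the enrolled certificates can be read straight from the firmware variables. This is an added example, not part of garlin's scripts or the original posts; the function name Get-EslCertificate is hypothetical, and it assumes an elevated PowerShell 5+ session on a UEFI system.

```powershell
# Added example (not garlin's script): list the X.509 certificates enrolled in the
# Secure Boot KEK and db variables by parsing their EFI_SIGNATURE_LIST structures.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EslCertificate {          # hypothetical helper name
    param([byte[]]$Bytes)
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        # List header: type GUID (16 bytes), then list size, header size, signature size (4 bytes each)
        $type     = [Guid]::new([byte[]]($Bytes[$pos..($pos + 15)]))
        $listSize = [BitConverter]::ToInt32($Bytes, $pos + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $pos + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $pos + 24)
        # Stop on a malformed or truncated list instead of reading past the buffer
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $pos + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $entry = $pos + 28 + $hdrSize
            while ($entry + $sigSize -le $pos + $listSize) {
                # Each entry is a 16-byte owner GUID followed by the DER-encoded certificate
                $der = [byte[]]($Bytes[($entry + 16)..($entry + $sigSize - 1)])
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $sigSize
            }
        }
        $pos += $listSize   # non-X.509 lists (for example hash lists) are skipped
    }
}

foreach ($name in 'KEK', 'db') {
    "UEFI $name Certs"
    $var   = Get-SecureBootUEFI -Name $name -ErrorAction Stop
    $certs = @(Get-EslCertificate -Bytes $var.Bytes)
    foreach ($c in $certs) {
        '  {0}  (expires {1:yyyy-MM-dd})' -f $c.GetNameInfo('SimpleName', $false), $c.NotAfter
    }
    # Pattern match on the subject rather than a hard-coded full certificate name
    $has2023 = [bool]($certs | Where-Object { $_.Subject -match 'CA 2023' })
    "  -> a 2023 CA is present in ${name}: $has2023"
}
```

If the KEK line still shows only the 2011 certificate after the BIOS import and a restart, the import did not reach NVRAM.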
 
