Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Here's what I'm thinking about the winload.efi problem:

1. winload.efi lives under \Windows\System32 on WinPE, Windows, and WinRE.

2. It's not part of the EFI partition files.

3. It's not part of \Windows\Boot, or \Windows\System32\SecureBootUpdates files.

4. Secure Boot variables are equally available to WinPE, Windows, and WinRE to read.
If you can boot Windows, why can't WinRE boot? It's the same variables for everyone.

5. Is there another WinRE security policy that blocks WinRE winload.efi?

6. Is this actually not a Secure Boot problem, but some weird BCD issue?

I have seen people complain about failed Windows installs due to winload.efi errors. It takes a while, but after some point, Windows reboots itself to continue the installation and then fails. The install was working until the reboot, so it could boot the first time but not the next.

To me, that points to some policy or config setting (BCD?) that changed in between the two boots.
 

My Computer: Windows 7

Yeah, I think something got corrupted in this last Windows build; it doesn't seem to give the impression it's related to Secure Boot. I can see why you would suspect the problem lies elsewhere, such as the BCD you mentioned. Good detective work on your part!
 

My Computer: Windows 11

Hello,

Thank you for the scripts. However, I encountered an error when trying to run the update script:
Batch:
PS C:\Users\xxx\Downloads\SecureBoot-CA-2023-Updates> .\Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) ON

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] in UEFI DB.


REQUIRED ACTION
===============

Run the command:
    Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

PS C:\Users\xxx\Downloads\SecureBoot-CA-2023-Updates> .\Update_UEFI-CA2023.ps1
Downloading "KEKUpdate_ASUS_PK6.bin" from GitHub.
ERROR: Failed to append "KEKUpdate_ASUS_PK6.bin" to UEFI KEK.
Unexpected Result, status error: 0xC000000D
PS C:\Users\xxx\Downloads\SecureBoot-CA-2023-Updates> .\Update_UEFI-CA2023.ps1 -Revoke
Downloading "KEKUpdate_ASUS_PK6.bin" from GitHub.
ERROR: Failed to append "KEKUpdate_ASUS_PK6.bin" to UEFI KEK.
Unexpected Result, status error: 0xC000000D

How should I proceed, please?
Thank you in advance.
 

My Computer: Windows 11

Your PC has a supported BIOS, because ASUS shared its version of KEK CA 2023 with MS.
We downloaded that version.

But the UEFI update (append action) failed. It's been reported that KEK appends can fail on some BIOSes. So you may want to try this:

1. Disable Secure Boot mode.
2. Reset the UEFI certs to factory defaults.
3. Run the update script again.

If it fails, we can try replacing the factory Platform Key with a Windows OEM Devices PK. What model PC is this? How old is your PC?
 

My Computer: Windows 7

I'm unable to reset the UEFI certs to factory default after disabling Secure Boot mode as the control is hidden when Secure Mode is disabled. Running the script again produced the same error:
Code:
PS C:\Users\xxx\Downloads\SecureBoot-CA-2023-Updates> .\Check_UEFI-CA2023.ps1
Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] in UEFI DB.


REQUIRED ACTION
===============

Run the command:
    Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

PS C:\Users\xxx\Downloads\SecureBoot-CA-2023-Updates> .\Update_UEFI-CA2023.ps1 -Revoke
Downloading "KEKUpdate_ASUS_PK6.bin" from GitHub.
ERROR: Failed to append "KEKUpdate_ASUS_PK6.bin" to UEFI KEK.
Unexpected Result, status error: 0xC000000D

This PC is a laptop, ASUS GL502VS. I think it's from 2017.
Awaiting further instructions. Thank you for your support.
 

My Computer: Windows 11

Running the script twice isn't going to change the result. The problem is there's already a KEK entry for CA 2011 (expected), but we can't append the new CA 2023 entry without an error. I don't know how to do it for your BIOS version, but we need to try a reset and see if it's a temporary problem.

I suspect this PC might have the known "problem BIOS". In which case, we need to clear out the current certs (go into Setup Mode). Certain PCs which share the same BIOS vendor have this append problem. The solution is to overwrite the KEK by first clearing all the certs.

The problem is how to do this, and what that is called, depends on your exact BIOS. It might be different on someone else's PC. But so far, going into Setup Mode usually worked on the bad PCs.

See if you can figure out how it's done on this BIOS.
 

My Computer: Windows 7

Unfortunately it looks like my laptop is now dead..
I've successfully entered setup mode, run the update script again, and was following the readme-UEFI.txt file when I couldn't find the KEK cert after installing the PK cert. I rebooted and now the display won't even turn on but it still responds to Ctrl Alt Del keyboard command. I've tried using an external monitor as well but it still doesn't work.
 

My Computer: Windows 11

> That's really unfortunate. Have you looked at the BIOS reflashing instructions here?
>
> https://rog-forum.asus.com/t5/rog-strix-series/gl502vsk-bricked-bios-update/td-p/871496
> https://rog-forum.asus.com/t5/rog-strix-series/asus-gl502vs-vsk-bios-update-procedure/td-p/734840
>
> The update script only touches the Secure Boot variables (using the Set-SecureUEFIBoot call), it can't overwrite the firmware. But reflashing the BIOS might clear whatever UEFI state your BIOS is stuck in.

Yes, I know the script is safe. I just think the problem might be because I left the PK populated but KEK empty so it triggers a bug.
I tried reflashing the BIOS using the link you posted and the flashing process works.
But normal boot is still stuck on a black screen unfortunately.

Thank you for the tips.
 

My Computer: Windows 11

That feels like a hardware issue more like a BIOS issue. Check if somehow, the soldering in the chips is still reliable, because that sounds like it's not making contact and will need a reballing. You should be getting boot errors in worst scenarios, not a black screen...

Did you get video or any sign when you reflashed the BIOS? (I mean during the process)
 

My Computers: Windows 11 Pro 25H2 (built desktop PC); Windows 11 Pro 25H2 (HP Pavilion 15-eh3000la laptop)

Unfortunately, even if it's true, it's outside my expertise to reball a chip..
I'll have to look around for a service shop that can do that.

Yes, I got normal video when I reflashed the BIOS.
 

My Computer: Windows 11

Trying to update a Medion PC, but just like my ancient Dell, the update script fails to install the KEK. The error is slightly different this time:
Code:
Downloading "KEKUpdate_PK2.bin" from GitHub.
ERROR: Failed to append "KEKUpdate_PK2.bin" to UEFI KEK.
Wrong signature for this UEFI variable.
Relevant(?) details:
Code:
BIOS Firmware
-------------
    MEDION MD34060/2523
    Version: 370H4W0X.112
    Date: 2019-02-15

Factory Default UEFI PK Cert
----------------------------
    MEDION Certificate

UEFI PK Cert
------------
    MEDION Certificate
        [KEK CA 2023] Update is available from MEDION or Microsoft.

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
 

My Computer: Windows 11, Dell Latitude 3380 laptop, multi-boot Windows/Ubuntu using rEFInd

Manually imported that PK file into the BIOS in custom mode (and later the KEK, as the script told me) and I think I'm good now?
Code:
Windows 11 25H2 (26200.7840)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
    MEDION MD34060/2523
    Version: 370H4W0X.112
    Date: 2019-02-15

Factory Default UEFI PK Cert
----------------------------
    MEDION Certificate

UEFI PK Cert
------------
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0
    EFI_CERT_SHA256_GUID Signatures: 489

EFI Files
---------
    Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        bootmgfw.efi File version: 26100.30227

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 1: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Surprised about this part though:
Code:
UEFI PK Cert
------------
    Microsoft Corporation KEK 2K CA 2023
Should that not have been labeled as MEDION? (I imported the Medion file from GitHub)
 
My Computer: Windows 11, Dell Latitude 3380 laptop, multi-boot Windows/Ubuntu using rEFInd

> Unfortunately, even if it's true, it's outside my expertise to reball a chip..
> I'll have to look around for a service shop that can do that.
>
> Yes, I got normal video when I reflashed the BIOS.

Do you get any logo or anything during BIOS boot? Like before trying to load Windows? If you do then it's not that bad... but for some reason would mean you would need to repair your boot files.
 

My Computers: Windows 11 Pro 25H2 (built desktop PC); Windows 11 Pro 25H2 (HP Pavilion 15-eh3000la laptop)

> Code:
> UEFI PK Cert
> ------------
>     Microsoft Corporation KEK 2K CA 2023
> Should that not have been labeled as MEDION? (I imported the Medion file from GitHub)

No dude. You imported the KEK CA 2023 into the PK (not into the KEK).

UEFI is kinda stupid sometimes. It doesn't care which cert (PK, KEK, DB, DBX) gets imported into which variable. All it cares about is that you submitted a valid X509 certificate. Whether that's for a PK vs KEK vs DB/DBX isn't UEFI's concern.

You need to factory reset this so your original MEDION PK is restored. I have done that before... not paying attention, and added the wrong cert into the wrong variable... If Secure Boot is disabled, then no harm is done.
 

My Computer: Windows 7

> Do you get any logo or anything during BIOS boot? Like before trying to load Windows? If you do then it's not that bad... but for some reason would mean you would need to repair your boot files.

During normal boot when I just press the power button, no, I don't get any video. But it's still responsive to the Ctrl Alt Del reboot command.

If I hold Ctrl Home then press the power button, I get the logo but then it boots directly to Easy Flash.
 

My Computer: Windows 11

> No dude. You imported the KEK CA 2023 into the PK (not into the KEK).
>
> You need to factory reset this so your original MEDION PK is restored. I have done that before... not paying attention, and added the wrong cert into the wrong variable... If Secure Boot is disabled, then no harm is done.

Oops…

Secure Boot is enabled and Windows still boots…

Will have a look this afternoon.

Is this the correct procedure?
  1. Disable Secure Boot (since I’m already using the 2023 bootmanager)
  2. Factory reset keys
  3. Manually import the Medion KEK into KEK (not PK…)
  4. Run your scripts again
  5. Enable Secure Boot
 

My Computer: Windows 11, Dell Latitude 3380 laptop, multi-boot Windows/Ubuntu using rEFInd

If you can manually import keys, then a factory reset followed by importing only the KEK CA 2023 cert file should work. Unless you have one of the problem BIOSes that don't allow appending to the KEK keys.

Download the file:
https://raw.githubusercontent.com/m...ates/microsoft corporation kek 2k ca 2023.der

Code:
mountvol S: /s
mkdir S:\EFI\Certs
copy "microsoft corporation kek 2k ca 2023.der" S:\EFI\Certs

Now do the manual enrollment of the KEK keys, and look on the EFI partition for the .der file under \EFI\Certs. If the enrollment is successful, boot Windows and run the update script to finish the rest.
 

My Computer: Windows 7

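An added example (not part of the thread and not garlin's scripts): one way to confirm which certificates actually sit in PK and KEK after a manual enrollment like the one above, and to catch the PK/KEK mix-up described earlier in the thread. It parses the EFI_SIGNATURE_LIST bytes returned by Get-SecureBootUEFI; the function names and the "KEK in the PK name" heuristic are assumptions of this example, and it must run in an elevated PowerShell on a UEFI system.

```powershell
# Added example: list the X.509 certs really stored in PK and KEK.
# Function names below are this example's own, not from the update scripts.
$EFI_CERT_X509_GUID = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function ConvertFrom-EfiSignatureList {
    # Walks the EFI_SIGNATURE_LIST structures in a Secure Boot variable and
    # returns the common name of every X.509 certificate found.
    param([byte[]]$Bytes)

    if ($null -eq $Bytes) { return }
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16 bytes), then ListSize, HeaderSize,
        # SignatureSize as little-endian UINT32 values.
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        if ($type -eq $EFI_CERT_X509_GUID -and $sigSize -gt 16) {
            $entry = $offset + 28 + $hdrSize
            $end   = $offset + $listSize
            while ($entry + $sigSize -le $end) {
                # Each entry: SignatureOwner GUID (16 bytes), then the DER cert.
                $der  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $cert.GetNameInfo('SimpleName', $false)
                $entry += $sigSize
            }
        }
        $offset += $listSize   # non-X.509 lists (e.g. SHA-256 hashes) are skipped
    }
}

function Get-SecureBootCertName {
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    } catch {
        # An undefined variable (e.g. PK in Setup Mode) also lands here.
        Write-Warning "$Name could not be read: $($_.Exception.Message)"
        return
    }
    ConvertFrom-EfiSignatureList -Bytes $var.Bytes
}

$pk  = @(Get-SecureBootCertName -Name PK)
$kek = @(Get-SecureBootCertName -Name KEK)
"PK : " + ($pk -join '; ')
"KEK: " + ($kek -join '; ')

# Heuristic (assumption of this example): a PK whose name contains "KEK", or
# that also appears in the KEK list, was probably enrolled into the wrong variable.
$suspect = @($pk | Where-Object { $_ -match 'KEK' -or $kek -contains $_ })
if ($pk.Count -eq 0) {
    Write-Warning 'No certificate read from PK (an empty PK means Setup Mode).'
} elseif ($suspect.Count -gt 0) {
    Write-Warning "PK looks like a KEK certificate: $($suspect -join '; ')"
}
```

On the MEDION output posted earlier, where both PK and KEK list "Microsoft Corporation KEK 2K CA 2023", this check would raise the warning.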
Ha, I was just coming back to post another strategy:
  1. Reset PK only
  2. Import KEK
  3. Leave everything else as is
Could that work?

Also, can you please explain why you say I should import the pre-signed KEK from the Microsoft folder and not the post-signed MEDION folder? (I think your script tried the latter?)
 

My Computer: Windows 11, Dell Latitude 3380 laptop, multi-boot Windows/Ubuntu using rEFInd