Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


The script tried to append the signed KEK .bin file and failed. So the .der file is an equivalent option that should always work. “Should”.
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
Yes, it would suck. But look at it from ASUS's perspective:

1. To provide you a new firmware with built-in CA 2023 certs requires them to do the KEK signing process. But releasing a new firmware is a can of worms. People are going to complain: "Well, if you bothered to release new code, why didn't you fix the known [XYZ] BIOS bug that's been there for years?"

2. Providing just the signed KEK to MS is the lesser of two evils for the OEM. Functionally it gets the Secure Boot process done without the risk of releasing a whole new BIOS, and without the QA effort of testing that BIOS (if they're not going to fake the testing).

If they have too many old BIOSes right on the edge of support, only signing the KEK allows them to keep more models going.
What happens if Microsoft has updated the certs on your machine, and a new BIOS is flashed that just has the old certs? If indeed "it would suck", I take it to mean the new BIOS would overwrite the new certs, putting you back where you started. Will Windows reapply the new certs when booted, or does it happen sometime later at the whim of Windows Update?
 

So this is what I did on the Medion PC:
  1. Reset the PK to factory default (MEDION certificate)
  2. Reset the KEK to factory default (Microsoft Corporation KEK CA 2011)
  3. Append the MEDION signed KEK (post-signed, MEDION folder, file KEKUpdate_PK2.bin, Microsoft Corporation KEK 2K CA 2023)
This is the verbose output of your check script:
Code:
Windows 11 25H2 (26200.7840)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
    MEDION MD34060/2523
    Version: 370H4W0X.112
    Date: 2019-02-15

Factory Default UEFI PK Cert
----------------------------
    MEDION Certificate

UEFI PK Cert
------------
    MEDION Certificate

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0
    EFI_CERT_SHA256_GUID Signatures: 489

EFI Files
---------
    Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        bootmgfw.efi File version: 26100.30227

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 1: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
Did I fix my previous mistake correctly like this?

(Windows boots with Secure Boot enabled, but it also did when I had the wrong PK...)

Or did I make a new stupid mistake? (Wouldn't be surprised if I did... ;-))
 

What happens if Microsoft has updated the certs on your machine, and a new BIOS is flashed that just has the old certs? If indeed "it would suck", I take it to mean the new BIOS would overwrite the new certs, putting you back where you started. Will Windows reapply the new certs when booted, or does it happen sometime later at the whim of Windows Update?
My understanding is a BIOS update doesn't overwrite the current certs, only the "BIOS" default certs. I've updated the BIOS on several machines here and my active keys didn't change or get erased.
 

What happens if Microsoft has updated the certs on your machine, and a new BIOS is flashed that just has the old certs? If indeed "it would suck", I take it to mean the new BIOS would overwrite the new certs, putting you back where you started. Will Windows reapply the new certs when booted, or does it happen sometime later at the whim of Windows Update?
MS has a supposed "recovery" method for this scenario, but it's rather lame.
They copy a securebootrecovery.efi which can be renamed to bootmgfw.efi, and it will temporarily allow booting.

The dirt simple method is to disable Secure Boot. Restart Windows and presumably once we're in the mandatory update stage, the Secure Boot scheduled task will detect it's got work to do and re-apply the missing certs. Now if the scheduled task couldn't handle this job before, it can't restore the full certs in the future.

For those users, you'll have to repeat what you did before to get the PC updated.

Does this suck? Sure. But presumably the number of catastrophic events where all your current certs are lost will be rare.
 

My understanding is a BIOS update doesn't overwrite the current certs, only the "BIOS" default certs. I've updated the BIOS on several machines here and my active keys didn't change or get erased.
The problem is with some BIOS updates, something weird happens and users report it ends up resetting the NVRAM (losing all the settings). This would include the current certs in the UEFI.

That shouldn't happen, but you can find people complaining about it. Not about Secure Boot, but about losing BIOS settings after a flash. You can't rule it out. And MS is aware of the problem, and even wrote a note about it in their Secure Boot docs.
 

You guys really don't like believing when the script reports "SUCCESS". You're done.
I had that message before, but you then still pointed out a mistake I made... ;-)
 

Hello, I used your method to find the keys and updated Windows to 26200.7840, and everything is fine. I decided to reinstall the system from a fresh image using the Media Creation Tool. I did a secure erase on the SSD, but the Windows flash drive won't boot and keeps booting me back to the BIOS. I have a backup of the previous Windows 11 system (26200.7623), but after restoring it, the system won't boot. I restored an even older backup from Windows 10 - it still won't boot and keeps booting me back to the BIOS window. I disabled Secure Boot, and Windows 10 booted, and I'm writing from it now. What should I do to restore Secure Boot and avoid bricking the motherboard? (MSI B450M PRO-VDH MAX motherboard, latest BIOS 7A38vBP1 (Beta version), 2025-09-23)
This is Windows 10 with Secure Boot disabled, which I'm writing from now:
Code:
Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] in UEFI DB.


REQUIRED ACTION
===============

OPTION 1:  DO NOTHING.  Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2:  To install Windows Boot Manager [UEFI CA 2023], run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 

This PC has both sets of certs, and none are banned so you should be able to boot any Windows USB.

Can you run the script, but add "-Verbose -Audit" on the command line?
 

The problem is with some BIOS updates, something weird happens and users report it ends up resetting the NVRAM (losing all the settings). This would include the current certs in the UEFI.

That shouldn't happen, but you can find people complaining about it. Not about Secure Boot, but about losing BIOS settings after a flash. You can't rule it out. And MS is aware of the problem, and even wrote a note about it in their Secure Boot docs.
Makes sense, I haven't seen that yet, but I've only personally done about eight machines, most of them fairly current.
 

This PC has both sets of certs, and none are banned so you should be able to boot any Windows USB.

Can you run the script, but add "-Verbose -Audit" on the command line?
Code:
PS C:\Windows\system32> E:\temp\Check_UEFI-CA2023.ps1 -Verbose -Audit

Windows 10 21H2 (19044.5965)

Secure Boot: OFF (Audit Report runs as ON)
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
    Micro-Star International Co. MS-7A38
    Version: B.P1
    Date: 2025-09-12

Factory Default UEFI PK Cert
----------------------------
    MSI SHIP PK

UEFI PK Cert
------------
    MSI SHIP PK

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    MSI SHIP KEK

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    MSI SHIP KEK

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MSI SHIP DB

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MSI SHIP DB

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 416

UEFI DBX Certs
--------------
    (NONE)
    Windows BootMgr SVN is MISSING.
    EFI_CERT_SHA256_GUID Signatures: 416

EFI Files
---------
    Disk 0: Windows Boot Manager [Production PCA 2011] will be ALLOWED.
        bootmgfw.efi File version: 19041.4648

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] in UEFI DB.


AUDIT REPORT
============
1.  Update W10 21H2 to KB5066791 (Oct 2025) or later
2.  Secure Boot is DISABLED
3.  [Production PCA 2011] is missing from UEFI DBX
4.  DBX Updates are missing from UEFI DBX
5.  Windows BootMgr SVN is missing from UEFI DBX
6.  Windows Boot Manager [Production PCA 2011] is wrong version


REQUIRED ACTION
===============

OPTION 1:  DO NOTHING.  Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2:  To install Windows Boot Manager [UEFI CA 2023], run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
I went back into the BIOS and enabled Secure Boot, and a window appeared asking me to reset to defaults. I agreed. Now I can boot with Secure Boot enabled and also boot with the 26200.7840 installation image.
I'm about to install the latest Windows 11. Sorry for the false alarm.
Code:
PS C:\Windows\system32> E:\temp\Check_UEFI-CA2023.ps1

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] in UEFI DB.


REQUIRED ACTION
===============

OPTION 1:  DO NOTHING.  Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2:  To install Windows Boot Manager [UEFI CA 2023], run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 
During normal boot when I just press the power button, no, I don't get any video. But it still responsive to Ctrl Alt Del reboot command.

If I hold Ctrl Home then press the power button, I get logo but then it boots directly to Easy Flash.
Seems like the reflash process went wrong somehow then... Good news: not a hardware issue. Bad news: the reflash route didn't work...
I'd suggest checking your process to reflash your BIOS, and also removing the battery to clear the CMOS completely.
 

For people having problems reinstalling Windows or older images: remember that we are signing the boot files with new certificates; older backups will have problems if you try to restore from them. You will need to update your bootable media to reinstall Windows if you want the OS to reinstall without problems.

Honestly, I would discard older backups, unless you absolutely need something inside them, and make new ones with the new certs. Or, if you feel you will need to restore an old image of Windows or install any version prior to October 2025, DO NOT revoke the 2011 certificate; otherwise, your systems won't be able to boot unless you turn off Secure Boot and run the script to sign the boot files with the new certs.
 

You don't need to discard older backups, or old recovery media. You can always disable Secure Boot before recovering the backup.
Without Secure Boot, UEFI doesn't enforce the cert check.

1. Disable Secure Boot.
2. Boot into the restored image (or boot from the recovery media). The only thing wrong with your old image is the CA 2011 version of the boot file.
3. Download and re-run the update script, and it will install the newer CA 2023 boot file for you.
4. Shutdown, and re-enable Secure Boot.

If you have Virtualization Based Security (VBS) enabled, and the script copied a current SkuSiPolicy.p7b file, you will need an extra step.

Boot from a recovery media or WinPE, and manually delete the SkuSiPolicy.p7b file from EFI. Then you can boot from the old image or recovery drive.
Code:
mountvol S: /s
del S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b
 

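The check-script outputs earlier in the thread and the recovery steps just above both come down to one question: what is actually in the firmware's PK/KEK/db/dbx right now, and will the bootmgfw.efi on the ESP be accepted once Secure Boot is turned back on? The following is an added example, not garlin's Check_UEFI-CA2023.ps1 and not any Microsoft script. It reads the Secure Boot variables straight from firmware with Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST structures to list the X.509 signers and count the SHA-256 hash entries (the same "EFI_CERT_SHA256_GUID Signatures: N" figure the script prints), reads the servicing registry values, and reports whether the boot manager's issuing CA is in db and not in dbx. Assumptions: a UEFI system with the SecureBoot PowerShell module, an ESP that mounts as S: the way garlin's mountvol step does, and the UEFICA2023Status / WindowsUEFICA2023Capable values living under ...\SecureBoot\Servicing (if they are elsewhere on your build they simply print as empty).

```powershell
#Requires -RunAsAdministrator
# Added example, not the thread's check script. Parses PK/KEK/db/dbx from firmware,
# reads the CA 2023 servicing registry state, and pre-checks the on-disk bootmgfw.efi.
# Assumed: SecureBoot module present, ESP mountable as S:, registry values under Servicing.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-SignatureDatabase {
    # Walk the chain of EFI_SIGNATURE_LIST structures in one Secure Boot variable.
    # Layout: SignatureType GUID(16) | ListSize u32 | HeaderSize u32 | SigSize u32 |
    #         header[HeaderSize] | N x (SignatureOwner GUID(16) + payload[SigSize-16])
    param([Parameter(Mandatory)][string]$Name)   # PK, KEK, db or dbx
    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $certs  = [System.Collections.Generic.List[string]]::new()
    $hashes = 0
    $pos    = 0
    while ($pos + 28 -le $bytes.Length) {
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)
        # Stop on a malformed list instead of looping forever or reading past the end.
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $pos + $listSize -gt $bytes.Length) { break }
        $cursor = $pos + 28 + $headerSize
        $end    = $pos + $listSize
        while ($cursor + $sigSize -le $end) {
            $payload = [byte[]]$bytes[($cursor + 16)..($cursor + $sigSize - 1)]   # skip owner GUID
            if ($type -eq $EFI_CERT_X509_GUID) {
                $x = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($payload)
                $certs.Add($x.GetNameInfo('SimpleName', $false))   # e.g. "Windows UEFI CA 2023"
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $hashes++                                          # per-binary hash entries
            }
            $cursor += $sigSize
        }
        $pos = $end
    }
    [pscustomobject]@{ Name = $Name; Certs = $certs; Sha256Hashes = $hashes }
}

function Get-Ca2023ServicingState {
    # The registry values the check output prints. AvailableUpdates is the one the
    # "reg add ... 0x100 / 0x282" commands in the thread set to drive the scheduled task.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $sb  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
    $avail = if ($null -ne $sb.AvailableUpdates) { '0x{0:X}' -f $sb.AvailableUpdates } else { $null }
    [pscustomobject]@{
        SecureBootOn             = Confirm-SecureBootUEFI
        UEFICA2023Status         = $svc.UEFICA2023Status
        WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable
        AvailableUpdates         = $avail
    }
}

function Test-BootManagerAllowed {
    # Secure Boot matches the CA that ISSUED the boot manager's Authenticode signer
    # against db (allow) and dbx (deny). Only the certificate path is modelled here;
    # dbx hash entries and the BootMgr SVN rule are not, so treat this as a pre-flight
    # check before re-enabling Secure Boot, not a replacement for the script's verdict.
    param([string]$Path = 'S:\EFI\Microsoft\Boot\bootmgfw.efi')
    $db  = Read-SignatureDatabase -Name db
    $dbx = Read-SignatureDatabase -Name dbx
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { throw "$Path has no Authenticode signature ($($sig.Status))" }
    $issuer  = $sig.SignerCertificate.GetNameInfo('SimpleName', $true)   # $true = issuer name
    $verdict = if ($dbx.Certs -contains $issuer)    { 'DENIED (issuer revoked in dbx)' }
               elseif ($db.Certs -contains $issuer) { 'ALLOWED' }
               else                                 { 'DENIED (issuer not in db)' }
    [pscustomobject]@{
        File     = $Path
        Version  = (Get-Item $Path).VersionInfo.FileVersion
        IssuedBy = $issuer            # "Microsoft Windows Production PCA 2011" or "Windows UEFI CA 2023"
        InDb     = [bool]($db.Certs  -contains $issuer)
        InDbx    = [bool]($dbx.Certs -contains $issuer)
        Verdict  = $verdict
    }
}

# --- run it: mount the ESP only if it is not already mounted, and unmount afterwards ---
$wasMounted = Test-Path 'S:\'
if (-not $wasMounted) { mountvol S: /s }
try {
    foreach ($var in 'PK', 'KEK', 'db', 'dbx') {
        $d = Read-SignatureDatabase -Name $var
        '{0,-4} certs: {1}; SHA-256 hashes: {2}' -f $d.Name, ($d.Certs -join ', '), $d.Sha256Hashes
    }
    Get-Ca2023ServicingState | Format-List
    Test-BootManagerAllowed  | Format-List
} finally {
    if (-not $wasMounted) { mountvol S: /d }
}
```

Run it from an elevated PowerShell before step 4 of the procedure above (re-enabling Secure Boot): if `IssuedBy` is "Microsoft Windows Production PCA 2011" and `InDbx` is True, the boot manager on the ESP is the old one and Secure Boot will refuse it, which is exactly the restored-from-old-image case; re-run the update script first. The hash count it prints for dbx should match the script's "EFI_CERT_SHA256_GUID Signatures" line, which is a quick way to confirm the parser is reading the same variable the script does.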
Another bit of useful info, thanks mate!
The SkuSiPolicy part, is that done after enabling Secure Boot? Right after you have reinstalled all your CA 2023 certs?
 

Honestly, I would discard older backups, unless you absolutely need something inside them, and make new ones with the new certs, or if you feel you will need to restore an old image of Windows or install any version prior to October 2025, DO NOT revoke the 2011 certificate, otherwise, your systems won't be able to boot unless you turn off Secure Boot and run the script to sign the boot files with the new certs.
That's exactly what I did. I had no reason to keep images from 4 months ago. I usually keep the most recent 3.
 

Although my AM5 B850 system is showing event 1808, I noted my AM4 B550 PC is just showing 1801. I understand updating is an ongoing process, and haven't looked further than the event or run any scripts etc, but I thought I'd ask a few questions-

I don't often update mb BIOS but did last September to get an update that added TPM-B FW as well various other fixes - but it made no mention of whether it includes new SB certs.

A Gigabyte AM4 board defaults to SB Not Active after a BIOS update. The method to get SB to show as Active is to select Custom and then either a) restore factory keys and stay in Custom or b) switch back to Standard which also loads defaults

1) there's a post above about whether a BIOS update overwrites keys - even if it doesn't those steps to change SB to Active would seem to overwrite them with those from the BIOS - what happens then?

2) I chose method b) so I'm not in Custom any more - is there any chance this is preventing Windows from installing the certs - i.e. is there some sort of read-only state?

3) over time there are many BIOS versions - including interim 'beta' releases - so each user might end up with a different one - is the exact BIOS version used by the telemetry in deciding whether Windows will go ahead with the update?
 

That's exactly what I did. I had no reason to keep images from 4 months ago. I usually keep the most recent 3.
Some users are not as organized. They only make a backup right after an install or upgrade. The point is there's still a way to use those images, if there's no other alternative.
 
