> What happens if Microsoft has updated the certs on your machine, and a new BIOS is flashed that just has the old certs? If indeed "it would suck", I take it to mean the new BIOS would overwrite the new certs, putting you back where you started. Will Windows reapply the new certs when booted, or does it happen sometime later at the whim of Windows Update?

Yes it would suck. But look at it from ASUS's perspective:
1. To provide you a new firmware with built-in CA 2023 certs requires them to do the KEK signing process. But releasing a new firmware is a can of worms. People are going to complain well if you bothered to release new code, why didn't you fix known [XYZ] BIOS bug that's been there for years.
2. Providing just the signed KEK to MS is the lesser of two evils for the OEM. Functionally it gets the Secure Boot process done without having the risk of releasing a whole new BIOS. And the QA effort in testing the BIOS, if they're not going to fake testing.
If they have too many old BIOSes right on the edge of support, only signing the KEK allows them to keep more models going.
Windows 11 25H2 (26200.7840)
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF
BIOS Firmware
-------------
MEDION MD34060/2523
Version: 370H4W0X.112
Date: 2019-02-15
Factory Default UEFI PK Cert
----------------------------
MEDION Certificate
UEFI PK Cert
------------
MEDION Certificate
Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77
UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 489
EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.30227
Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.
Disk 1: SkuSiPolicy.p7b (for VBS) is CURRENT.
STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated
SUCCESS: NO UPDATES ARE REQUIRED.
> What happens if Microsoft has updated the certs on your machine, and a new BIOS is flashed that just has the old certs? If indeed "it would suck", I take it to mean the new BIOS would overwrite the new certs, putting you back where you started. Will Windows reapply the new certs when booted, or does it happen sometime later at the whim of Windows Update?

My understanding is a BIOS update doesn't overwrite the current certs, only the "BIOS" default certs. I've updated the BIOS on several machines here and my active keys didn't change or get erased.

> What happens if Microsoft has updated the certs on your machine, and a new BIOS is flashed that just has the old certs? If indeed "it would suck", I take it to mean the new BIOS would overwrite the new certs, putting you back where you started. Will Windows reapply the new certs when booted, or does it happen sometime later at the whim of Windows Update?

MS has a supposed "recovery" method for this scenario, but it's rather lame.

> SUCCESS: NO UPDATES ARE REQUIRED.

You guys really don't like believing when the script reports "SUCCESS". You're done.

> My understanding is a BIOS update doesn't overwrite the current certs, only the "BIOS" default certs. I've updated the BIOS on several machines here and my active keys didn't change or get erased.

The problem is with some BIOS updates, something weird happens and users report it ends up resetting the NVRAM (losing all the settings). This would include the current certs in the UEFI.

> You guys really don't like believing when the script reports "SUCCESS". You're done.

I had that message before, but you then still pointed out a mistake I made...

> I had that message before, but you then still pointed out a mistake I made...

OK. I will file the @parttimewindows bug, check if user can't read and manually applies the wrong cert to PK.
Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF
UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
UEFI DBX Certs
--------------
(NONE)
EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.
Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.
REQUIRED ACTION
===============
OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).
OPTION 2: To install Windows Boot Manager [UEFI CA 2023], run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
> The problem is with some BIOS updates, something weird happens and users report it ends up resetting the NVRAM (losing all the settings). This would include the current certs in the UEFI.

Makes sense, I haven't seen that yet, but I've only personally done about eight machines, most of them fairly current.
That shouldn't happen, but you can find people complaining about it. Not about Secure Boot, but losing BIOS settings after a flash. You can't rule it out. And MS is aware of the problem, and even wrote a note about it in their Secure Boot docs.
This PC has both sets of certs, and none are banned so you should be able to boot any Windows USB.
Can you run the script, but add "-Verbose -Audit" on the command line?
PS C:\Windows\system32> E:\temp\Check_UEFI-CA2023.ps1 -Verbose -Audit
Windows 10 21H2 (19044.5965)
Secure Boot: OFF (Audit Report runs as ON)
Virtualization Based Security: OFF
BitLocker on (C:) OFF
BIOS Firmware
-------------
Micro-Star International Co. MS-7A38
Version: B.P1
Date: 2025-09-12
Factory Default UEFI PK Cert
----------------------------
MSI SHIP PK
UEFI PK Cert
------------
MSI SHIP PK
Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
MSI SHIP KEK
UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
MSI SHIP KEK
Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
MSI SHIP DB
UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
MSI SHIP DB
Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 416
UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 416
EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] will be ALLOWED.
bootmgfw.efi File version: 19041.4648
Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.
AUDIT REPORT
============
1. Update W10 21H2 to KB5066791 (Oct 2025) or later
2. Secure Boot is DISABLED
3. [Production PCA 2011] is missing from UEFI DBX
4. DBX Updates are missing from UEFI DBX
5. Windows BootMgr SVN is missing from UEFI DBX
6. Windows Boot Manager [Production PCA 2011] is wrong version
REQUIRED ACTION
===============
OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).
OPTION 2: To install Windows Boot Manager [UEFI CA 2023], run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
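A read-only audit, added here as an example and not the Check_UEFI-CA2023.ps1 script the posts run: it walks the EFI_SIGNATURE_LIST structures in db, KEK and dbx to answer the same questions the reports above print (is the 2023 KEK present, is Windows UEFI CA 2023 in db, is Production PCA 2011 in dbx) and reads the two registry values the reports mention. It assumes an elevated PowerShell session on a UEFI machine, and assumes those values sit under the SecureBoot\Servicing subkey (the thread shows only their names).

```powershell
# Added example, not the thread's script. Assumes elevation on a UEFI machine, and that
# UEFICA2023Status / WindowsUEFICA2023Capable live under ...\SecureBoot\Servicing
# (assumed subkey; the reports above show the value names only). Reads only, changes nothing.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-EfiSignatureSummary {
    # Walks the EFI_SIGNATURE_LIST chain in one Secure Boot variable and returns the
    # X.509 subject names it holds plus the number of SHA-256 hash entries.
    param([Parameter(Mandatory)][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $certs = [System.Collections.Generic.List[string]]::new(); $hashes = 0; $pos = 0
    while ($pos + 28 -le $bytes.Length) {                     # 28 = fixed list header size
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop parsing
        $sigPos = $pos + 28 + $headerSize
        while ($sigPos + $sigSize -le $pos + $listSize) {
            # each entry = 16-byte SignatureOwner GUID followed by the certificate or hash
            $data = [byte[]]$bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $certs.Add($cert.GetNameInfo('SimpleName', $false))   # subject CN
            } elseif ($type -eq $EfiCertSha256) { $hashes++ }
            $sigPos += $sigSize
        }
        $pos += $listSize
    }
    [pscustomobject]@{ Variable = $Name; Certs = $certs; Sha256Count = $hashes }
}

$db  = Get-EfiSignatureSummary db
$kek = Get-EfiSignatureSummary KEK
$dbx = Get-EfiSignatureSummary dbx
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

# The facts the reports above turn on, as pass/fail lines; nothing is written to firmware.
[pscustomobject]@{
    SecureBootOn      = Confirm-SecureBootUEFI
    Kek2023Present    = $kek.Certs -contains 'Microsoft Corporation KEK 2K CA 2023'
    WinUefiCa2023InDb = $db.Certs  -contains 'Windows UEFI CA 2023'
    Pca2011Revoked    = $dbx.Certs -contains 'Microsoft Windows Production PCA 2011'
    DbxHashEntries    = $dbx.Sha256Count
    UEFICA2023Status  = $svc.UEFICA2023Status           # "Updated" in the first report above
    Capable           = $svc.WindowsUEFICA2023Capable   # 2 in the first report, 1 in the others
} | Format-List
```

Pca2011Revoked being true on a machine you still need to boot from pre-October-2025 media is exactly the situation the later posts warn about, so check it before applying OPTION 3.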
> During normal boot when I just press the power button, no, I don't get any video. But it's still responsive to Ctrl Alt Del reboot command.
> If I hold Ctrl Home then press the power button, I get logo but then it boots directly to Easy Flash.

Seems like the reflash process went wrong somehow then... Good news, not a hardware issue, bad news: the reflash route didn't work...
mountvol S: /s
del S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b
> Honestly, I would discard older backups, unless you absolutely need something inside them, and make new ones with the new certs, or if you feel you will need to restore an old image of Windows or install any version prior to October 2025, DO NOT revoke the 2011 certificate, otherwise, your systems won't be able to boot unless you turn off Secure Boot and run the script to sign the boot files with the new certs.

That's exactly what I did. I had no reason to keep images from 4 months ago. I usually keep the most recent 3.

> That's exactly what I did. I had no reason to keep images from 4 months ago. I usually keep the most recent 3.

Some users are not as organized. They only make a backup right after an install or upgrade. The point is there's still a way to use those images, if there's no other alternative.