Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Adding a single key (enrollment) is less drastic than erasing all Secure Boot settings. MS has provided a set of replacement keys which the script can use in the "Setup Mode" scenario where all keys have been cleared.

But it's always better to take the smaller approach (single key enrollment) if your BIOS supports it.
Thanks for making things clear and your time. I feel confident now.
 

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


AUDIT REPORT
============


STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Thanks for the script. Seems to have gone perfect on my first machine.
 

@garlin This is from my oldest PC which is a Lenovo M83 desktop circa 2014 hardware (System 2 Specs). I had to use Mosby and just wanted to be sure I'm good. Yeah, yeah, I know, it ends with your favorite "SUCCESS: NO UPDATES ARE REQUIRED." so why am I asking... ;-)

I ran your script using -verbose

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
LENOVO 10AL000GUS
Version: FBKTE0AUS
Date: 2021-12-22

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Mosby Generated PK [2025.12.22]

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
MosbyKey [2025.12.22]
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18\Check_UEFI-CA2023.ps1:1115 char:62
+ ... gnatures: {1}' -f $Tab4, (Get-SecureBootUEFI -Name dbxDefault | Get-U ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand



UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 437

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
 

I Google AI the M83, says it got a BIOS update FEB 2023! Maybe it had a 2023 KEK key issued? I'm surprised Mosby worked on the BIOS as it doesn't on a T460 which apparently has a locked down PK.
 

SUCCESS: NO UPDATES ARE REQUIRED.
This looks good, except your BIOS has that weird bug (probably because it's really old) that doesn't allow reading factory default DBX.
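An added example of the tolerant read garlin's output is missing, not code from the thread's scripts: it walks the raw EFI_SIGNATURE_LIST chain returned by Get-SecureBootUEFI for each Secure Boot variable, lists the X.509 subjects and counts SHA-256 hashes, and treats an undefined *Default variable (the 0xC0000100 error shown above) as "absent" instead of an error. It assumes an elevated PowerShell session on a UEFI machine with the SecureBoot module; the variable names and type GUIDs are the ones from the UEFI specification.

```powershell
# Added example (not part of garlin's scripts): audit Secure Boot variables without
# crashing on firmware that never populated PKDefault/KEKDefault/dbDefault/dbxDefault.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-EfiSignatureLists {
    # Walk the concatenated EFI_SIGNATURE_LIST structures held in one UEFI variable.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $certs     = New-Object System.Collections.Generic.List[string]
    $hashCount = 0
    $offset    = 0

    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16 bytes), then ListSize, HeaderSize, SignatureSize (UINT32 each)
        $sigType  = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)

        if ($listSize -lt 28 -or $sigSize -le 16 -or ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }

        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $hdrSize

        while ($sigOffset + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the DER cert or the SHA-256 hash
            $payload = [byte[]]$Bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
            if ($sigType -eq $EFI_CERT_X509_GUID) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$payload)
                $certs.Add($cert.GetNameInfo('SimpleName', $false))   # subject CN, e.g. "Windows UEFI CA 2023"
            }
            elseif ($sigType -eq $EFI_CERT_SHA256_GUID) {
                $hashCount++
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }

    [pscustomobject]@{ Certs = $certs.ToArray(); Sha256Hashes = $hashCount }
}

function Get-SecureBootVariableSummary {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    }
    catch {
        # Old firmware reports 0xC0000100 (STATUS_VARIABLE_NOT_FOUND) for the *Default
        # variables; report the variable as absent rather than aborting the audit.
        return [pscustomobject]@{ Name = $Name; Present = $false; Certs = @(); Sha256Hashes = 0 }
    }
    $parsed = Read-EfiSignatureLists -Bytes $bytes
    [pscustomobject]@{ Name = $Name; Present = $true; Certs = $parsed.Certs; Sha256Hashes = $parsed.Sha256Hashes }
}

foreach ($name in 'PK', 'KEK', 'db', 'dbx', 'PKDefault', 'KEKDefault', 'dbDefault', 'dbxDefault') {
    $s = Get-SecureBootVariableSummary -Name $name
    if (-not $s.Present) { "{0,-11}: (undefined in this firmware)" -f $name; continue }
    "{0,-11}: {1} X.509 cert(s), {2} SHA-256 hash(es)" -f $name, $s.Certs.Count, $s.Sha256Hashes
    $s.Certs | ForEach-Object { "             $_" }
}

# The two facts the thread's capability and revoke checks hinge on: the 2023 CA must be
# trusted in db, and the 2011 PCA is only revoked once its certificate appears in dbx.
$db  = Get-SecureBootVariableSummary -Name db
$dbx = Get-SecureBootVariableSummary -Name dbx
"Windows UEFI CA 2023 trusted (cert in db):         {0}" -f ($db.Certs  -contains 'Windows UEFI CA 2023')
"Windows Production PCA 2011 revoked (cert in dbx): {0}" -f ($dbx.Certs -contains 'Microsoft Windows Production PCA 2011')
```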
 

I Google AI the M83, says it got a BIOS update FEB 2023! Maybe it had a 2023 KEK key issued? I'm surprised Mosby worked on the BIOS as it doesn't on a T460 which apparently has a locked down PK.
M83 10AL (from the model output) only lists a Jan 2022 BIOS update.
https://pcsupport.lenovo.com/us/en/...m93p-thinkstation-e32-p300?category=BIOS/UEFI

If you look at the BIOS version date (Dec. 2021), it's probably the same one since it's the end of December/beginning of January.
 

I'm surprised Mosby worked on the BIOS as it doesn't on a T460 which apparently has a locked down PK.

I have a T460, and I extensively validated Mosby on it. It should work fine, as long as you do use the latest version.
 

Oh, that's interesting, haven't tried for a couple months, gave up. I'll give it another shot based on your experience. Can you tell me which BIOS version your T460 is on?
 

They didn't call it a "private BIOS". I think they referred to it as a pre-release or beta or something. I would have to see if the messages are still in the support website to be sure. I guess it doesn't matter.

I like the idea of wiping all of the keys and installing the Microsoft keys from scratch.

I will be going away for a while, so I won't be able to try this until I get back. I'll restart this conversation then.

Thanks again.
I deleted all of the keys from the BIOS and rebooted.

After that, I ran Check_UEFI-CA2023.

Here is the output:

Secure Boot: OFF
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI is in Setup Mode (NO CERTS)

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 0
[Windows UEFI CA 2023] not in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

OPTION 1: To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the command:

Update_UEFI-CA2023.ps1


OPTION 2: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the command:

Update_UEFI-CA2023.ps1 -Revoke

Here is the output from running Update_UEFI-CA2023:

Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.

cmdlet Suspend-Bitlocker at command pipeline position 1
Supply values for the following parameters:
MountPoint[0]:
Suspend-Bitlocker : Cannot validate argument on parameter 'MountPoint'. The argument is null, empty, or an element of
the argument collection contains a null value. Supply a collection that does not contain any null values and then try
the command again.
At C:\Users\VPN\Downloads\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1:649 char:5
+ Suspend-Bitlocker
+ ~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidData: (:) [Suspend-Bitlocker], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationError,Suspend-Bitlocker

Successfully wrote "DefaultKek.bin" to UEFI KEK.

cmdlet Suspend-Bitlocker at command pipeline position 1
Supply values for the following parameters:
MountPoint[0]:
I didn't know what it wanted for MountPoint[0], so I pressed <Enter>.

After that, I ran Check_UEFI-CA2023 again.

Here is the output:

Secure Boot: OFF
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI is in Setup Mode (NO CERTS)

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

OPTION 1: To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the command:

Update_UEFI-CA2023.ps1


OPTION 2: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the command:

Update_UEFI-CA2023.ps1 -Revoke

What should I do now?
 

Can you tell me which BIOS version your T460 is on?

v1.45. Actually, the whole reason why I purchased a secondhand T460 is because I saw your original report in the other thread, where you mentioned the failure with Mosby (and I believe you also piggybacked on an issue on the GitHub issue tracker), and I wanted to investigate it. See PK installation fails with Security Violation on Lenovo ThinkPad T460 · Issue #19 · pbatard/Mosby.

This was part of a set of two issues that looked hard to solve without getting access to the hardware, so I just got that hardware off eBay for the sake of it (which isn't bad hardware to have, as it's proved useful for other things too).
 

What should I do now?
My bad, I created a new function to suspend BitLocker and I accidentally gave the function the same name as PowerShell's Suspend-BitLocker command. :facepalm:

Try this script.
 

Thank you for going to great lengths to solve the mystery, glad you found some use for the T460 after the successful experiment. I checked the BIOS version and it too is 1.45. However, I was once again unsuccessful in my attempt and received the same "Security Violation". I'll run the T460 for as long as it lasts the way it is. I do very much appreciate what you did to help out and I'm sure your work will help many others.

Edit: I just read through the GitHub thread linked in your post. I did not read it first before trying and now noticed your recommendation to 'Clear Keys' instead of 'Setup Mode'. I'll give it another shot.

Edit: Gave it another shot and cleared all the keys, unfortunately it was another "Security Violation". I had downloaded the latest Mosby version 3.0 and copy/pasted the files into the newly made USB UEFI SHELL 2.2. I'm still happy knowing you got it to work on your T460.
 
Thanks for the quick reply!

I ran the updated script and here is the output:

Downloading "WindowsOEMDevicesPK.der" from GitHub.
Copying "WindowsOEMDevicesPK.der" to EFI.
Copying EFI boot files.
Boot files successfully created.
Directory set to: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE

REAGENTC.EXE: Operation Successful.

The operation completed successfully.

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the PK cert from BIOS.

Restart Windows, for UEFI updates to take effect.

After rebooting, I followed the instructions to install the PK and append it to the KEK.

I reran Check_UEFI-CA2023 and here is the output:

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

To install SkuSiPolicy.p7b, run the command:
Update_UEFI-CA2023.ps1 -SkuSiPolicy

Is it expected that there should be no DBX certificates?

I'm not clear what the purpose of SkuSiPolicy.p7b is and what the consequences of installing it or not installing it are. I'm using virtualization (WSL2) on this computer if that makes any difference. I have two instances of Ubuntu 24.04 installed (two user accounts).

I reran Check UEFI PK, KEK, DB and DBX and here is the output:

Checking for Administrator permission...
Running as administrator - continuing execution...

21 February 2026
Manufacturer: Gigabyte Technology Co., Ltd.
Model: To be filled by O.E.M.
BIOS: American Megatrends Inc., A1, A1, ALASKA - 1072009
Windows version: 22H2 (Build 19045.6937)

Secure Boot status: Enabled

Current UEFI PK
√ Windows OEM Devices PK

Default UEFI PK
WARNING: Failed to query UEFI variable PKDefault

Current UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False)

Default UEFI KEK
WARNING: Failed to query UEFI variable 'KEKDefault' for cert 'Microsoft Corporation KEK CA 2011'
WARNING: Failed to query UEFI variable 'KEKDefault' for cert 'Microsoft Corporation KEK 2K CA 2023'
WARNING: Failed to query UEFI variable 'KEKDefault'

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)

Default UEFI DB
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft Windows Production PCA 2011'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft Corporation UEFI CA 2011'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Windows UEFI CA 2023'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft UEFI CA 2023'
WARNING: Failed to query UEFI variable 'dbDefault' for cert 'Microsoft Option ROM UEFI CA 2023'
WARNING: Failed to query UEFI variable 'DBDefault'

Current UEFI DBX
2025-10-14 (v1.6.0) : SUCCESS: 431 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None

Press any key to continue . . .

Does it matter or make any difference that the UEFI variables are not defined?

I reran Check Windows state and here is the output:

Checking for Administrator permission...
Running as administrator - continuing execution...

Windows version: 22H2 (Build 19045.6937)

UEFISecureBootEnabled : 1
AvailableUpdates : 0x0000
UEFICA2023Status : Updated
WindowsUEFICA2023Capable : Windows UEFI CA 2023 cert is in DB, system is starting from 2023 signed boot manager

bootmgfw version : 10.0.26100.1004 (WinBuild.160101.0800)
bootmgfw signature CA : Windows UEFI CA 2023
bootmgfw SVN : 7.0

bootmgr version : 10.0.26088.1 (WinBuild.160101.0800)
bootmgr signature CA : Microsoft Windows Production PCA 2011
bootmgr SVN : 7.0

memtest version : 10.0.19041.1 (WinBuild.160101.0800)
memtest signature CA : Microsoft Windows Production PCA 2011

Press any key to continue . . .

Does it matter that bootmgr and memtest are signed using Microsoft Windows Production PCA 2011 rather than Windows UEFI CA 2023?
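An added check for the question above, not code from the thread's scripts: it reports, for each Microsoft boot binary on the EFI System Partition, the issuer CN of the Authenticode signer (the same fact the "bootmgfw signature CA" line shows), which is the CA that must be present in db and absent from dbx for the firmware to load that file. It assumes an elevated session and that drive letter S: is free for a temporary ESP mount.

```powershell
# Added example (not part of garlin's scripts): which CA signed the boot binaries the firmware loads.

function Get-BootBinarySigner {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($null -eq $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $Path; Status = $sig.Status; Signer = '(none)'; SignerCA = '(none)' }
    }
    [pscustomobject]@{
        File     = $Path
        Status   = $sig.Status                                              # Valid, NotSigned, UnknownError, ...
        Signer   = $sig.SignerCertificate.GetNameInfo('SimpleName', $false) # leaf subject CN
        SignerCA = $sig.SignerCertificate.GetNameInfo('SimpleName', $true)  # issuer CN: PCA 2011 or UEFI CA 2023
    }
}

$esp = 'S:'          # assumed free drive letter for the EFI System Partition
mountvol $esp /S     # mount the ESP (requires administrator rights)
try {
    $targets = @(
        "$esp\EFI\Microsoft\Boot\bootmgfw.efi",
        "$esp\EFI\Microsoft\Boot\bootmgr.efi",
        "$esp\EFI\Microsoft\Boot\memtest.efi"
    )
    $targets | Where-Object { Test-Path $_ } |
        ForEach-Object { Get-BootBinarySigner -Path $_ } |
        Format-Table File, Status, Signer, SignerCA -AutoSize
}
finally {
    mountvol $esp /D  # always unmount, even if a file check throws
}
```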
 

The revoke step is not mandatory in the update script. If I forced a revocation, some users would be afraid to run it (not kidding).
Re-run the script with "-Revoke" flag, and you'll be done.
 

If I run it with the -Revoke flag, won't that cause a problem for bootmgr and memtest because they are signed using Microsoft Windows Production PCA 2011 rather than Windows UEFI CA 2023?

Also, I ran Check_DBXUpdate.bin and here is the output:

SUCCESS: Matched 431/431 EFI signatures from "dbxupdate.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdate2024.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdateSVN.bin"

Do the missing signatures come from Windows Update?
 

Windows Update pushes newer .bin files to the \Windows\System32\SecureBootUpdates folder. Both my script and the scheduled task use the same source files to install the latest set of DBX updates. That's why my script nags you to have a currently updated Windows.

But the script also supports "-Revoke -Latest" where it downloads the DBXupdate.bin and DBXUpdateSVN.bin from the MS GitHub, and checks if those files are newer than what's in the Windows folder.

If you haven't revoked CA 2011, then 2024.bin and SVN.bin have not been applied yet.
 

I ran Update_UEFI-CA2023 -Revoke and it was successful!

I reran Check_UEFI-CA2023 -Verbose and here is the output:

Windows 10 22H2 (19045.6937)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
Gigabyte Technology Co. To be filled by O.E.M.
Version: A1
Date: 2017-03-29

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At C:\Users\VPN\Downloads\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1115 char:62
+ ... gnatures: {1}' -f $Tab4, (Get-SecureBootUEFI -Name dbxDefault | Get-U ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand


UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 437

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.1004

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
I'm not clear why the 2011 certificates are still present after running -Revoke.
 

Edit: Gave it another shot and cleared all the keys, unfortunately it was another "Security Violation". I had downloaded the latest Mosby version 3.0 and copy/pasted the files into the newly made USB UEFI SHELL 2.2. I'm still happy knowing you got it to work on your T460.
There's no way it shouldn't work if we have the same BIOS. Can you please create an issue in pbatard/Mosby and post your full Mosby.log there (you'll find the Mosby.log at the root of the USB).

Again, I extensively tested Mosby on that machine (and I am positive I have the exact same T460 model as you have), so there has to be an explanation as to why you can't seem to get the same results as I do. The log should explain it.
 

I ran Update_UEFI-CA2023 -Revoke and it was successful!

I reran Check_UEFI-CA2023 -Verbose and here is the output:


I'm not clear why the 2011 certificates are still present after running -Revoke.

Same question, I think: why is the Microsoft Corporation UEFI CA 2011 cert not revoked?
 

M83 10AL (from the model output) only lists a Jan 2022 BIOS update.
https://pcsupport.lenovo.com/us/en/products/desktops-and-all-in-ones/thinkcentre-m-series-desktops/thinkcentre-m83/10al/downloads/ds035753-flash-bios-update-thinkcentre-e93-m73p-m83-m93-m93p-thinkstation-e32-p300?category=BIOS/UEFI

If you look at the BIOS version date (Dec. 2021), it's probably the same one since it's the end of December/beginning of January.
I run Lenovo System Update regularly and BIOS version FBKTE0AUS is the most recent.

 
