From what I can tell, you are still using an old version of Mosby, since your log entry should have the Mosby version reported (this reporting was added in newer versions precisely so we can tell if someone is not using an up to date Mosby), which entirely explains your issue. Please download and extract Mosby 3.0 again to the root of your USB. You should find that it works a lot better.
Your wish is my command:
[Mosby session started: 2026-02-21 18:51:34]
Mosby v3.0 x64
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002JUS
Reusing existing MosbyKey.crt certificate...
Not installing SBAT since this system's SBAT is either the same or newer
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'MosbyKey [2026.02.21]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.02.21]'
[Mosby session ended: 2026-02-21 18:51:44]
You are very talented!
Microsoft Windows [Version 10.0.28000.1641]
(c) Microsoft Corporation. All rights reserved.
C:\Windows\System32>powershell -nop -ep bypass -f C:\Temp\check_uefi-ca2023.ps1 -Verbose
Windows 11 26H1 (28000.1641)
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF
BIOS Firmware
-------------
LENOVO 20FN002JUS
Version: R06ET71W (1.45 )
Date: 2022-02-20
Factory Default UEFI PK Cert
----------------------------
TPCDL-KEK
UEFI PK Cert
------------
Mosby Generated PK [2026.02.21]
Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
TPCDL-KEK
UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
ThinkPad Product CA 2012
Lenovo UEFI CA 2014
TPCDL-DB
UEFI DB Certs
-------------
MosbyKey [2026.02.21]
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77
UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 434
EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.
bootmgfw.efi File version: 27954.300
Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.
REQUIRED ACTION
===============
OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).
OPTION 2: To install Windows Boot Manager [UEFI CA 2023], run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"