Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Same question, I think - why is the Microsoft Corporation UEFI CA 2011 cert not revoked?
We don't revoke the Microsoft UEFI CA 2011 because that cert is reserved for booting Linux. Windows PCA 2011 covers Windows releases.

The cert names may be confusing. Microsoft owns the UEFI CA 2011 cert, because MS provided it on behalf of Linux distros since no OEM is going to bundle every distro's unique signing certs in the BIOS. So they share a generic one to get past the UEFI security check.

Any cert that includes the word "Windows" manages Windows boot files.

I'm avoiding anything that would impact a Linux setup. Most Linuxes use the SBAT file on the EFI partition as their equivalent method of banning outdated boot files.
 

I run Lenovo System Update regularly and BIOS version FBKTE0AUS is the most recent.
Lenovo installed your BIOS on Feb. 2022, but this firmware was released in early Jan 2022 (and factory signed as late Dec 2021).

That makes perfect sense to me. If you've ever worked in a large company, the handoff between different groups takes a little while to process.
 

There's no way it shouldn't work if we have the same BIOS. Can you please create an issue in pbatard/Mosby and post your full Mosby.log there (you'll find the Mosby.log at the root of the USB).

Again, I extensively tested Mosby on that machine (and I am positive I have the exact same T460 model as you have), so there has to be an explanation as to why you can't seem to get the same results as I do. The log should explain it.

I have no doubt your fix worked, it's just my device is being a pain. Here's the log of my two attempts:

 

I have no doubt your fix worked, it's just my device is being a pain. Here's the log of my two attempts:


From what I can tell, you are still using an old version of Mosby, since your log entry should have the Mosby version reported (this reporting was added in newer versions precisely so we can tell if someone is not using an up to date Mosby), which entirely explains your issue. Please download and extract Mosby 3.0 again to the root of your USB. You should find that it works a lot better.
 

From what I can tell, you are still using an old version of Mosby, since your log entry should have the Mosby version reported (this reporting was added in newer versions precisely so we can tell if someone is not using an up to date Mosby), which entirely explains your issue. Please download and extract Mosby 3.0 again to the root of your USB. You should find that it works a lot better.
Your wish is my command:

[Mosby session started: 2026-02-21 18:51:34]
Mosby v3.0 x64
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002JUS
Reusing existing MosbyKey.crt certificate...
Not installing SBAT since this system's SBAT is either the same or newer
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'MosbyKey [2026.02.21]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.02.21]'
[Mosby session ended: 2026-02-21 18:51:44]


You are very talented!


Microsoft Windows [Version 10.0.28000.1641]
(c) Microsoft Corporation. All rights reserved.

C:\Windows\System32>powershell -nop -ep bypass -f C:\Temp\check_uefi-ca2023.ps1 -Verbose
Windows 11 26H1 (28000.1641)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
LENOVO 20FN002JUS
Version: R06ET71W (1.45 )
Date: 2022-02-20

Factory Default UEFI PK Cert
----------------------------
TPCDL-KEK

UEFI PK Cert
------------
Mosby Generated PK [2026.02.21]

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
TPCDL-KEK

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
ThinkPad Product CA 2012
Lenovo UEFI CA 2014
TPCDL-DB

UEFI DB Certs
-------------
MosbyKey [2026.02.21]
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 434

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.
bootmgfw.efi File version: 27954.300

Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.


REQUIRED ACTION
===============

OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2: To install Windows Boot Manager [UEFI CA 2023], run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 

There you go. Mosby was successful and your PK was installed without errors.
 

Here's what I'm thinking about the winload.efi problem:

1. winload.efi lives under \Windows\System32 on WinPE, Windows, and WinRE.

2. It's not part of the EFI partition files.

3. It's not part of \Windows\Boot, or \Windows\System32\SecureBootUpdates files.

4. Secure Boot variables are equally available to WinPE, Windows, and WinRE to read.
If you can boot Windows, why can't WinRE boot? It's the same variables for everyone.

5. Is there another WinRE security policy that blocks WinRE winload.efi?

6. Is this actually not a Secure Boot problem, but some weird BCD issue?

I have seen people complain about failed Windows installs due to winload.efi errors. It takes a while, but after some point, Windows reboots itself to continue the installation and then fails. The install was working until the reboot, so it could boot the first time but not the next.

To me, that points to some policy or config setting (BCD?) that changed in between the two boots.
The only way I found to avoid the 0xc0000428 error in winload.efi is to update the boot/installation media via DISM with the latest cumulative update. This worked for WinRE, PE media (PEbakery) and PXE boot image (Server ess 2016 PXE client restore).

It might be that this is SkuSiPolicy related. SkuSiPolicy version information is stored in the NVRAM of the PC once activated, so it's not just a matter of deleting the file again to get rid of it. In 2026 an updated SkuSIPolicy 3.0.0.13 was distributed, WinRE got updated to 6807 for Win10 22H2, so I assume the minimal required cumulative update level would be January 2026 for now.
 

For the last two months, I've been working on new PowerShell scripts to automate the Secure Boot CA 2023 update process.
This weekend I updated two more laptops (from relatives). Both were Lenovo laptops; one rather recent, with the 2023 files in the BIOS, and a much older one that does not have them (and probably won't ever get a new BIOS). Using your scripts I was able to let them use the 2023 set and revoke the 2011 set. This was the first time for me that I didn't get errors for the KEK and I thus did not have to modify anything in their BIOS 🎉

Thanks again for creating these scripts, sharing them and supporting them!
 

I am glad some people know what is happening lol
my desktop updated itself this morning with "secure boot allowed signature database" which from running your check script suggests it's downloaded the new certs but they aren't active until either Windows does it or I run the suggested command.
my parents' laptop got a different "secure boot kek update" which I presume does something similar
:boom:
 

I am glad some people know what is happening lol
my desktop updated itself this morning with "secure boot allowed signature database" which from running your check script suggests it's downloaded the new certs but they aren't active until either Windows does it or I run the suggested command.
my parents' laptop got a different "secure boot kek update" which I presume does something similar
"Secure Boot KEK Update" means the OEM provided a signed KEK to MS for deployment, via Windows Update. That means the rest of the update process can be handled entirely by Windows, when MS decides it's time.
 

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 1: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

To install SkuSiPolicy.p7b, run the command:
Update_UEFI-CA2023.ps1 -SkuSiPolicy

PS C:\WINDOWS\system32>

It looks like mine is all good except for the SkuSiPolicy.p7b (for VBS) is NOT PRESENT.

Will I face any unforeseen downsides to installing this policy?
Will my Macrium bootable USB and images made before this be affected?

peace
wanna
 
It looks like mine is all good except for the SkuSiPolicy.p7b (for VBS) is NOT PRESENT.

Will I face any unforeseen downsides to installing this policy?
Will my Macrium bootable USB and images made before this be affected?
SkuSiPolicy is recommended whenever VBS is enabled. You should update the Macrium USB with the updated boot file.
Another Macrium Secure Boot Question

If you have a backup image from before the update, you can temporarily disable Secure Boot and restore the image. After getting into Windows, re-run the update script and it will copy the newer boot files into place.
 

Simple enough. Thanks Garlin.

peace
wanna
 

Hi Garlin,

Following your advice concerning my PC with an unsupported BIOS, I tried:
"select an uefi file as trusted for executing".
I ran the "Update_UEFI-CA2023.ps1" as administrator.
It downloaded, copied "Ms Corp KEK 2K CA 2023.der" to EFI
Successfully appended "dbupdate2024.bin", "DBUpdate3P2023.bin" and "DBUpdateOROM2023.bin" to UEFI DB
Copying EFI boot files.
Boot files successfully created.

So far so good. In the BIOS, I chose "select an uefi file as trusted for executing", but in the EFI\Certs folder there was no file to select from.
I created a Macrium Reflect image of the EFI partition. There were 2 files inside the Certs folder: "Microsoft Corporation KEK 2K CA 2023.crt", "Microsoft Corporation KEK 2K CA 2023.der"
It appears that the BIOS would only accept .efi extension.

Should I choose "Erase all Secure Boot Setting" instead, press ENTER and then F10 to save changes, boot into Windows and run the Update_UEFI-CA2023.ps1 script?

Thanks for your help!
 

Sorry to write again,
I couldn't find the edit button for my previous post.

Do I have to leave Secure Boot on, change Secure Boot Mode before proceeding?
Here are 2 screenshots of my BIOS.
Thanks
IMG_20260219_155546_cr.webp

IMG_20260223_163654_cr.webp
 

Sorry to write again,
I couldn't find the edit button for my previous post.

Do I have to leave Secure Boot on, change Secure Boot Mode before proceeding?
Here are 2 screenshots of my BIOS.
Thanks
If you're trying to append just the 2023 KEK, then you'll want to "Select an UEFI File as Trusted for Executing". By selecting "Restore Secure Boot to Factory Setting", you'll wipe out everything you've already done and will have to start all over from the beginning, as it will restore the key/certs to what is in the BIOS version. Every OEM BIOS is a little different, but you'll find that selecting either of the aforementioned choices will disable Secure Boot, otherwise you wouldn't be able to update the keys/certs. Once you're done successfully updating, depending on the device, it will turn Secure Boot back on by itself.

If you find you're unable to fully update the certs/keys manually because the device is unsupported, there's always the Mosby option.
 

If the manual enrollment wants an ".efi" file, then you can try these steps:

1. Run the Check_UEFI-CA2023.ps1 script.
2. Confirm BitLocker is not ON. If it's enabled, then disable BitLocker on C: drive.

3. Disable Secure Boot in BIOS.
4. Erase all Secure Boot Settings.
5. Restart Windows.

6. Run the Update_UEFI-CA2023.ps1 script. It should detect you're in Setup Mode.
7. Restart Windows.
 

I have run Garlin's latest script, and all my Secure Boot Certificates are correct. I completely uninstalled and reinstalled Macrium Reflect X to ensure that I had no cached Wims.

MR downloaded new PE Wims and yet I can't boot from the Windows boot menu or from the bootable USB SSD unless I disable Secure Boot.

I'm happy to disable SB but would like to know what's wrong.

All relevant wims are dated today.
 

If the manual enrollment wants an ".efi" file, then you can try these steps:

1. Run the Check_UEFI-CA2023.ps1 script.
2. Confirm BitLocker is not ON. If it's enabled, then disable BitLocker on C: drive.

3. Disable Secure Boot in BIOS.
4. Erase all Secure Boot Settings.
5. Restart Windows.

6. Run the Update_UEFI-CA2023.ps1 script. It should detect you're in Setup Mode.
7. Restart Windows.
When I run the Update_UEFI-CA2023.ps1, I get :
ERROR: Failed to read UEFI Secure Boot settings

When I run the Check_UEFI-CA2023.ps1, I get the same error and:
UEFI is in setup mode (no certs)
 

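The check-script listings earlier in the thread (certs per variable, EFI_CERT_SHA256_GUID counts) and the Setup Mode error in the last post both depend on reading the PK, KEK, db and dbx variables. The following is an added example, not code from garlin's scripts or from Mosby: it reads those variables with the built-in Get-SecureBootUEFI cmdlet, walks the EFI_SIGNATURE_LIST layout, and reports a variable that cannot be read instead of aborting. The function names and the constructed sample are assumptions of this example, and the live read needs an elevated PowerShell session on a UEFI machine.

```powershell
# Added example; not taken from Check_UEFI-CA2023.ps1, Update_UEFI-CA2023.ps1 or Mosby.
# Function names are hypothetical. Run from an elevated PowerShell prompt.
$X509Guid   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Sha256Guid = [Guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function ConvertFrom-EfiSignatureList {
    # Walks the EFI_SIGNATURE_LIST structures that make up PK, KEK, db and dbx.
    param([byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: SignatureType GUID (16 bytes), then three little-endian UINT32 sizes
        $type     = [Guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)

        # Reject sizes that would run past the buffer or never advance
        if ($sigSize -le 16 -or $listSize -lt (28 + $hdrSize + $sigSize) -or
            ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }

        $end = $offset + $listSize
        for ($pos = $offset + 28 + $hdrSize; $pos + $sigSize -le $end; $pos += $sigSize) {
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the payload
            $data = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            if ($type -eq $X509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Value = $cert.GetNameInfo('SimpleName', $false) }
            } elseif ($type -eq $Sha256Guid) {
                [pscustomobject]@{ Kind = 'SHA256'; Value = [BitConverter]::ToString($data) -replace '-' }
            } else {
                [pscustomobject]@{ Kind = "Other ($type)"; Value = "$($data.Length) bytes" }
            }
        }
        $offset = $end
    }
}

function Get-SecureBootVariableSummary {
    foreach ($name in 'SetupMode', 'PK', 'KEK', 'db', 'dbx') {
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
        } catch {
            # A variable the cmdlet cannot read (for example one that is not defined
            # after the keys were erased) is reported rather than ending the run.
            [pscustomobject]@{ Variable = $name; Entries = "unreadable: $($_.Exception.Message)" }
            continue
        }
        if ($name -eq 'SetupMode') {
            [pscustomobject]@{ Variable = $name; Entries = [string]$var.Bytes[0] }   # 1 = Setup Mode
            continue
        }
        $sigs   = @(ConvertFrom-EfiSignatureList -Bytes $var.Bytes)
        $certs  = @($sigs | Where-Object Kind -eq 'X509' | ForEach-Object Value)
        $hashes = @($sigs | Where-Object Kind -eq 'SHA256').Count
        [pscustomobject]@{ Variable = $name; Entries = ($certs + "SHA256 hashes: $hashes") -join '; ' }
    }
}

# Constructed sample (not real firmware data): one list holding a single all-zero SHA-256 entry
$sample = $Sha256Guid.ToByteArray() + [BitConverter]::GetBytes([uint32]76) +
          [BitConverter]::GetBytes([uint32]0) + [BitConverter]::GetBytes([uint32]48) +
          (New-Object byte[] 48)
ConvertFrom-EfiSignatureList -Bytes $sample

# Live firmware read
Get-SecureBootVariableSummary | Format-List
```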