Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


OK, thanks. I did have a different understanding of "banned", since for a boot manager to boot it has to be signed with a non-revoked cert stored in DB, no more, no less, if there aren't any other revocations installed.
Maybe in that instance "BANNED" isn't the correct term, but "UNSUPPORTED". But it's just easier to write BANNED, and not have users ask what's the difference between ALLOWED, BANNED, and UNSUPPORTED?

Attached the content of \windows\system32\securebootupdates from a W10 pro ESU machine (without BucketConfidenceData.cab)
If needed I could take it from a W11 pro VM, too, it is still on April '26, but I don't think they differ?
Most of the SecureBootUpdates folder is not specific to any Windows release or edition, except for the SkuSiPolicy.p7b. The SkuSiPolicy has banned versions of winload.efi, and those can be inconsistent across the different builds. On paper this file should be synchronized, but it's not.

The BucketConfidence.CAB changes every month, and unlocks a new set of PCs which are identified by their BucketIDs ("we collected telemetry data and these PCs can successfully update without problem").

The .bin files work at the signing cert level, so every Monthly Update they should be in sync across W10 ESU, W11 (non-EOL), LTSC and the different Server editions.
 

The bad part is I don't have April 2026's files since Windows Update skipped ahead to May. Might have to re-install using April's image so I can see if any of the .bin files changed.
That was the reason I attached the files, but there's no need: except for KEKUpdateCombined.bin (and BucketConfidenceData.cab), the files from May and April are identical.
 

KEKUpdateCombined.bin is a giant collection of KEK CA 2023 .bin files contributed by the different OEMs. Basically it's all the individual KEK bin files on the MS GitHub, glued into a single file. It grows every month as new KEK updates are submitted to MS.
 

I have a Lenovo Y50-70. You should have a BIOS option to allow down-level BIOS updates (like if you need to revert a bad update). Maybe you can flash one version back, and flash it forward again. I think someone on this thread had cert issues until they reflashed it, and then everything worked.

If the PK was the only thing that wasn't written, it points to BIOS issues. Normally having a PK (of any kind) means having to authenticate each cert write, so the PK is added last so no authentication is required for all of the other cert categories.
I looked online and could not find any BIOS for the Lenovo T460 other than the current version 1.45.1.11 dated 06 Mar 2022 which does not include the CA 2023 certificates. I tried the BIOS option to clear to defaults, but on the Lenovo T460 BIOS it says that does not clear Security settings, which include Secure Boot. And after restarting I still could not enable Secure Boot successfully. Either with the custom keys or with the factory default keys. When I enabled Secure Boot, the laptop would not boot. Even tried disconnecting the batteries (including the button battery on the mother board), and no improvement (still could not Secure Boot).

Finally tried reinstalling Windows 11 using Rufus and told the install to delete all the hard drive partitions first. Success - now I can Secure Boot again.

I was able to Secure Boot with this Lenovo T460 before I put the BIOS Secure Boot into Setup Mode and ran the PowerShell scripts. And now I can again. Of course, the Check script now says all the keys are CA 2011 again.

Searching this forum, I see one person posting that they were successful using the Mosby method on a T460, and another person posting they were not successful using the Mosby method on a T460 and they were getting a PK security violation error.

Seems to me I am not going to be able to get the CA 2023 keys on this Lenovo T460. Sigh. Probably time to budget for a newer laptop that is still getting BIOS updates.
 

Mosby may have the same issues. You must put the UEFI into Setup Mode, because Mosby creates its own self-signed PK and then signs everything else in turn. If you can't figure out how to change modes (or it's not supported by this BIOS), there isn't a lot you can do with it.

When there is a valid PK installed, authentication is required to modify (append) any secure UEFI variable. If you own the PK (as the OEM, or someone who installed a custom PK), then you can properly sign all of the other keys. Since we're not the OEM, clearing all of the keys (which includes the PK) is the only way to get a KEK CA 2023 installed.

Some older BIOSes were written when Secure Boot wasn't such a big factor, and vendor standards were lower.
 

Searching this forum, I see one person posting that they were successful using the Mosby method on a T460, and another person posting they were not successful using the Mosby method on a T460 and they were getting a PK security violation error.

Seems to me I am not going to be able to get the CA 2023 keys on this Lenovo T460. Sigh. Probably time to budget for a newer laptop that is still getting BIOS updates.

It will work. You've got nothing to lose if you are resigned to giving up and buying something else. Why not try?

[Mosby session started: 2026-02-21 18:51:34]
Mosby v3.0 x64
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002JUS
Reusing existing MosbyKey.crt certificate...
Not installing SBAT since this system's SBAT is either the same or newer
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'MosbyKey [2026.02.21]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.02.21]'
[Mosby session ended: 2026-02-21 18:51:44]
 

Maybe in that instance "BANNED" isn't the correct term, but "UNSUPPORTED". But it's just easier to write BANNED, and not have users ask what's the difference between ALLOWED, BANNED, and UNSUPPORTED?
Well, the bootmgrfw.efi file is still the latest available for 'stock' installations, and your text refers to EFI files and to this file directly. So the file isn't 'banned' itself, but the environment isn't rigged yet to keep Secure Boot up to date since the KEK is missing.
Since you compare to the revocation files in the securebootupdates folder, would it be possible to determine the difference between the latest file in a non-rigged environment and a banned file itself?
 

hi, I need some help please.

I had difficulty upgrading from Windows 11 23H2 to Windows 11 25H2. After trying lots of things unsuccessfully (thanks ChatGPT!) I finally tried updating my BIOS to the latest version from my manufacturer, Asus, which was dated March 2024.
I then loaded optimized defaults in the BIOS, after which I successfully updated to 25H2 and Windows loaded fine. But I realized Secure Boot was Disabled (it was previously enabled in 23H2).
Every time I enable it now the system crashes on boot. However, if I clear the keys it boots with Secure Boot enabled (but it shows as, or is effectively, Off).

First I tried Mosby and it appeared successful but still wouldn't boot, then I found this topic and read all 91 pages. I tried the Check_UEFI-CA2023.ps1 script and received the below output. The formatting error didn't help, but I tried the Update_UEFI-CA2023.ps1 script anyway. It appeared successful in copying the certs but still wouldn't boot after, so I had to clear the keys to get into Windows again. So I'm basically in Setup Mode now but not sure what is going wrong. Here is the output I get (in Setup mode) from the Check script:

Code:
.\Check_UEFI-CA2023.ps1
Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI is in Setup Mode (NO CERTS)
    Windows BootMgr SVN is MISSING.

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: "WindowsUEFICA2023Capable" = 0
        [Windows UEFI CA 2023] not in UEFI DB.


REQUIRED ACTION
===============

OPTION 1:  To install [UEFI CA 2023] certs

        Update_UEFI-CA2023.ps1
InvalidOperation: C:\Users\james\Downloads\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1714
Line |
1714 |              "`n`nOPTION 2:  {1}`n" -f $RevokeMessage
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error formatting a string: Index (zero based) must be greater than or equal to zero and less than the size of
     | the argument list..
        Update_UEFI-CA2023.ps1 -Revoke

Also what does "Windows BootMgr SVN is MISSING" mean, do I need to correct and how?

Also in the registry is shown my ConfidenceLevel is "High Confidence" but my UEFICA2023Status shows as "InProgress", if that helps the diagnosis.
 

Hi @garlin

I know you previously mentioned that MS will revoke 2011 certs later this year
And I think you also mentioned something like "if they do it" but could not find that message in the thread

What's your gut telling you: will they just leave the 2011 certs there without revoking them, or will they some day actually revoke them?

Windows itself would use the 2023 certs, but MS would not want to revoke the 2011 ones, to prevent causing issues with bootable drives that would not be properly updated to 2023 certs, like Macrium (for now at least) that we have to patch.
 

Well, the bootmgrfw.efi file is still the latest available for 'stock' installations, and your text refers to EFI files and to this file directly. So the file isn't 'banned' itself, but the environment isn't rigged yet to keep Secure Boot up to date since the KEK is missing.
Since you compare to the revocation files in the securebootupdates folder, would it be possible to determine the difference between the latest file in a non-rigged environment and a banned file itself?
Try this version, I've added UNTRUSTED as a new state.

1. PCA 2011 is supported by KEK CA 2011; and PCA 2011 could be on the DBX (BANNED) or not on DBX (ALLOWED).

2. Windows UEFI CA 2023 is supported by KEK CA 2023; and Windows CA 2023 could be on the DBX (BANNED) or not on DBX (ALLOWED).

3. Any MS cert which doesn't have the underlying KEK is UNTRUSTED.

4. I don't validate the non-MS certs because they're not relevant to the Secure Boot update process.
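As an added example (my own code, not garlin's Check_UEFI-CA2023.ps1 and not Mosby), here are the four rules above written as a small PowerShell classifier, together with a helper that pulls the X.509 subjects out of the real KEK/db/dbx variables via Get-SecureBootUEFI. The KEK/db/dbx lists at the bottom are constructed samples, the assumed precedence is that a dbx entry wins over a missing KEK, and the 'NOT IN DB' label is my own rather than a state the script prints.

```powershell
# Added example, not part of garlin's Check_UEFI-CA2023.ps1: derives the
# ALLOWED / BANNED / UNTRUSTED states from the KEK, db and dbx cert lists.
# Get-SecureBootCertSubjects reads the live variables; the demo at the
# bottom uses constructed sample lists so it runs on any PowerShell.

$EFI_CERT_X509_GUID = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertSubjects {
    # Walks the EFI_SIGNATURE_LIST chain stored in a Secure Boot variable and
    # returns the subject (CN) of every X.509 entry.  SHA-256 hash entries
    # (for example the BootMgr SVN entries in dbx) are skipped.
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    $var = Get-SecureBootUEFI -Name $Name -ErrorAction SilentlyContinue
    if (-not $var -or -not $var.Bytes) { return @() }   # absent/empty, e.g. dbx "(NONE)"
    [byte[]]$bytes = $var.Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type       = [guid][byte[]]$bytes[$offset..($offset + 15)]
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }                  # corrupt header: stop, do not spin
        $pos = $offset + 28 + $headerSize
        while ($pos + $sigSize -le $offset + $listSize) {
            if ($type -eq $EFI_CERT_X509_GUID) {
                # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID + DER certificate
                [byte[]]$der = $bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $cert.GetNameInfo('SimpleName', $false)
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

# Rules 1 and 2: the KEK that has to be present for Windows to service each CA.
$RequiredKek = [ordered]@{
    'Microsoft Windows Production PCA 2011' = 'Microsoft Corporation KEK CA 2011'
    'Windows UEFI CA 2023'                  = 'Microsoft Corporation KEK 2K CA 2023'
}

function Get-SigningCaState {
    param([string[]]$Kek, [string[]]$Db, [string[]]$Dbx)
    # Duplicate db entries (seen in some listings in this thread) do not change the result.
    $Db = @($Db | Select-Object -Unique)
    foreach ($ca in $RequiredKek.Keys) {
        if     ($Db -notcontains $ca)                { $state = 'NOT IN DB' }  # my label, not the script's
        elseif ($Dbx -contains $ca)                  { $state = 'BANNED' }     # rules 1/2: listed on the DBX
        elseif ($Kek -notcontains $RequiredKek[$ca]) { $state = 'UNTRUSTED' }  # rule 3: no KEK to service it
        else                                         { $state = 'ALLOWED' }
        [pscustomobject]@{ Certificate = $ca; RequiredKek = $RequiredKek[$ca]; State = $state }
    }
}

# Constructed sample lists (shaped like the check-script listings in this thread).
$KekBoth = 'Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023'
$DbAll   = 'Microsoft Corporation UEFI CA 2011', 'Microsoft Windows Production PCA 2011',
           'Microsoft Option ROM UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Windows UEFI CA 2023'

# A) PCA 2011 revoked via dbx, both KEKs present   -> PCA 2011 BANNED, CA 2023 ALLOWED
Get-SigningCaState -Kek $KekBoth -Db $DbAll -Dbx @('Microsoft Windows Production PCA 2011')
# B) Nothing revoked yet                            -> both ALLOWED
Get-SigningCaState -Kek $KekBoth -Db $DbAll -Dbx @()
# C) CA 2023 is in db but the KEK CA 2023 never landed -> CA 2023 UNTRUSTED
Get-SigningCaState -Kek @('Microsoft Corporation KEK CA 2011') -Db $DbAll -Dbx @()

# On a live system (elevated prompt, Secure Boot capable firmware):
# Get-SigningCaState -Kek (Get-SecureBootCertSubjects KEK) `
#                    -Db  (Get-SecureBootCertSubjects db)  `
#                    -Dbx (Get-SecureBootCertSubjects dbx)
```

Rule 4 is honoured by construction: only the two Windows signing CAs are looked up, so OEM or Mosby keys in db are ignored.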
 

Code:
.\Check_UEFI-CA2023.ps1
Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI is in Setup Mode (NO CERTS)
    Windows BootMgr SVN is MISSING.
REQUIRED ACTION
===============

OPTION 1:  To install [UEFI CA 2023] certs

        Update_UEFI-CA2023.ps1
InvalidOperation: C:\Users\james\Downloads\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1714
Line |
1714 |              "`n`nOPTION 2:  {1}`n" -f $RevokeMessage
     |              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | Error formatting a string: Index (zero based) must be greater than or equal to zero and less than the size of
     | the argument list..
        Update_UEFI-CA2023.ps1 -Revoke
1. You're running an older version of the script ($RevokeMessage bug was fixed). Check post #1.

2. This PC is in Setup Mode, so the corrected version of the update script should be able to apply the Windows OEM Devices certs. Try it again, and it should work much better.
 

Hi @garlin

I know you previously mentioned that MS will revoke 2011 certs later this year
And I think you also mentioned something like "if they do it" but could not find that message in the thread

What's your gut telling you, will they just leave the 2011 certs there without revoking them, or they will some day actually revoke them ?

Windows itself would use the 2023 certs but MS would not want to revoke the 2011 ones to prevent causing issues with bootable drives that would not be properly updated to 2023 certs, like Macrium (for now at least) that we have to patch
The whole point of the CA 2011 revocation is closing the door on Black Lotus (or similar) UEFI rootkits.

MS originally intended to follow this exercise back in 2021-2022, but got sidetracked by all the OEMs complaining about how much headache this would cause them. And it got delayed, delayed, delayed (by OEMs) until MS ended up overlapping the eventual CA 2023 refresh. CA 2023 was going to happen anyway, regardless of Black Lotus forcing MS's hand on CA 2011.

When is the exact date for mandatory revocation? MS is very silent right now.

I believe they're hedging bets until the last minute, because they're not sure how well installing CA 2023 certs is going (due to the lack of vendor support for older PCs). I'm sure they really, really know from telemetry data. But aren't going to share that. You can't nuke PCA 2011 until most of the Windows PCs have moved to CA 2023, which is the big hangup.

Previously, MS mentioned they would provide 6 months of advance warning for mandatory revocation. But that KB is gone from the main Secure Boot portal.
 

It will work. You've got nothing to lose if you are resigned to giving up and buying something else. Why not try?

[Mosby session started: 2026-02-21 18:51:34]
Mosby v3.0 x64
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002JUS
Reusing existing MosbyKey.crt certificate...
Not installing SBAT since this system's SBAT is either the same or newer
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'MosbyKey [2026.02.21]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.02.21]'
[Mosby session ended: 2026-02-21 18:51:44]
[Mosby session started: 2026-05-18 14:23:04 [UTC]
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002NUS
Generating Secure Boot signing credentials...
Saved Secure Boot signing credentials as 'MosbyKey'
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2025.05.10]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'MosbyKey [2026.05.18]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.05.18]'
Failed to set Secure Boot variable: Security Violation
[Mosby session ended: 2026-05-18 14:23:31 [UTC]

I'm glad Mosby worked for you. When I tried it a few minutes ago, I got a Security Violation.
How do I fix this?

Also, I decided to try Mosby on the second computer I have that needs new certificates, an HP EliteDesk 800 G1 SFF desktop that is also running Windows 11 only because Rufus allows it to bypass compatibility checks. This HP also has the issue that it is running the most recent BIOS; and no updated BIOS is available. The Mosby install for this HP computer also fails with a Security Violation.

[Mosby session started: 2026-05-18 14:50:13 [UTC]
UEFI v2.31 (American Megatrends, 0x0004028E)
Hewlett-Packard L01 v02.78
Hewlett-Packard HP EliteDesk 800 G1 SFF
Reusing existing MosbyKey.crt certificate...
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2025.05.10]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Failed to set Secure Boot variable: Security Violation
[Mosby session ended: 2026-05-18 14:50:19 [UTC]
 
.............

Previously, MS mentioned they would provide 6 months of advance warning for mandatory revocation. But that KB is gone from the main Secure Boot portal.
Thanks

EDIT: basically, it will eventually be revoked, and there's no reason to leave it there waiting to see when MS will do it; just use your script or the 0x280 to revoke it.
Right?
 
[Mosby session started: 2026-05-18 14:23:04 [UTC]
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002NUS
Generating Secure Boot signing credentials...
Saved Secure Boot signing credentials as 'MosbyKey'
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2025.05.10]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'MosbyKey [2026.05.18]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.05.18]'
Failed to set Secure Boot variable: Security Violation
[Mosby session ended: 2026-05-18 14:23:31 [UTC]

I'm glad Mosby worked for you. When I tried it a few minutes ago, I got a Security Violation.
How do I fix this?

Also, I decided to try Mosby on the second computer I have that needs new certificates, an HP EliteDesk 800 G1 SFF desktop that is also running Windows 11 only because Rufus allows it to bypass compatibility checks. This HP also has the issue that it is running the most recent BIOS; and no updated BIOS is available. The Mosby install for this HP computer also fails with a Security Violation.

[Mosby session started: 2026-05-18 14:50:13 [UTC]
UEFI v2.31 (American Megatrends, 0x0004028E)
Hewlett-Packard L01 v02.78
Hewlett-Packard HP EliteDesk 800 G1 SFF
Reusing existing MosbyKey.crt certificate...
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2025.05.10]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Failed to set Secure Boot variable: Security Violation
[Mosby session ended: 2026-05-18 14:50:19 [UTC]
If you look at the example of the successful Mosby installation I provided, you'll see that the version of Mosby is noted on the 2nd line as version 3.0. What you need to do is copy all the files from the GitHub Mosby download and paste/override them into the USB UEFI Shell you created. Otherwise, it seems you were on the right track. I had the same problem until it was pointed out to me, it then successfully installed.
 

This gets more confusing all the time. I just updated to your latest check_uefi-ca2023.ps1 and these are the results:

PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp7\check_uefi-ca2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0

EFI Files
---------
Boot File [Windows UEFI CA 2023] is BANNED
Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked. Previous checks with the check file showed "Windows Boot Manager is ALLOWED"; this new check is showing "Boot File [Windows UEFI CA 2023] is BANNED", therefore I'm confused, yet again.
 

EDIT: basically, it will eventually be revoked, and there's no reason to leave it there waiting to see when MS will do it; just use your script or the 0x280 to revoke it.
Right?
Before revoking CA 2011, everyone needs to understand two details:

1. You must update any Windows ISO or bootable USB drives (which have older CA 2011 boot files).

2. If that's too much hassle (for some people), you can ALWAYS temporarily disable Secure Boot to install Windows or run the recovery drive. Switch back to Secure Boot mode when you're done.

Knowing those two details, someone should be comfortable with doing the revocation now. It's more a heads up. Older versions of Macrium (v8) are less aware of the boot file versions; Macrium X is fine. Rufus provides an option to use the newer boot files.

You can perform the revocation using AvailableUpdates (the check script does the math for you), or run "Update-UEFI.bat -Revoke".
 

Previous checks with the check file showed "Windows Boot Manager is ALLOWED"; this new check is showing "Boot File [Windows UEFI CA 2023] is BANNED", therefore I'm confused, yet again.
My bad. Download the script again from post #1810.

I hacked the script to ignore the system's actual certs and forced my own settings, for testing the script's logic. Forgot to remove the test settings from the script. This way was faster than deleting some certs on a live system to find out whether it worked or not.
 

@garlin thanks, looks OK. My bad too, as I downloaded that check file and let it overwrite the older one; guess that doesn't work too well.
 

If you look at the example of the successful Mosby installation I provided, you'll see that the version of Mosby is noted on the 2nd line as version 3.0. What you need to do is copy all the files from the GitHub Mosby download and paste/override them into the USB UEFI Shell you created. Otherwise, it seems you were on the right track. I had the same problem until it was pointed out to me, it then successfully installed.
I tried what you said and saw no difference in the results. Then I formatted the USB flash drive and started over. When I picked the UEFI Shell in Rufus, I picked 26H1, even though I know that my Lenovo is running 25H2. And then I got different results.

[Mosby session started: 2026-05-18 15:57:00]
Mosby v3.1 x64
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002NUS
System SBAT is 2025051000, Embedded SBAT is 2025051000
Not installing SBAT since this system's SBAT is either the same or newer
Generating Secure Boot DB signing credentials...
Saved Secure Boot DB signing credentials as 'MosbyKey'
Generating PK certificate...
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'MosbyKey [2026.05.18]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.05.18]'
[Mosby session ended: 2026-05-18 15:57:31]

I set the BIOS to Secure Boot, and my Lenovo is doing Secure Boot. When I check status using Check-UEFI.bat, I see the following:

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
MosbyKey [2026.05.18]
MosbyKey [2026.05.18]
Microsoft Corporation UEFI CA 2011
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN 7.0

EFI Files
---------
Windows Boot Manager [Production PCA 2011] is BANNED.
Registry: "WindowsUEFICA2023Capable" = 1
[Windows UEFI CA 2023] in UEFI DB.


REQUIRED ACTION
===============

OPTION 1: DO NOTHING AND WAIT. Windows will apply the UEFI updates (PC has supported BIOS).

OPTION 2: To update Windows Boot Manager [UEFI CA 2023] WITHOUT REVOKING the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"


OPTION 3: To update Windows Boot Manager [UEFI CA 2023] and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x382 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

And Windows Security is still saying Secure Boot is on, but your system is using an older boot trust configuration that should be updated.

How do I fix this?
 
