Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


UEFI DB Certs
-------------
MosbyKey [2026.05.18]
MosbyKey [2026.05.18]
Microsoft Corporation UEFI CA 2011
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Windows UEFI CA 2023
Did you put the UEFI into Setup Mode first?

This looks like Mosby installed a duplicated copy of every cert. Well technically NOT DUPLICATED since it creates a random new PK, and then proceeds to self-sign the downstream certs. As the new certs are children of the new PK, they're not ignored as duplicates to the existing keys.

Which means you could repeat the process N times, and get N copies of everything. That ought to be a bug.
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
I tried what you said and saw no difference in the results. Then I formatted the USB flash drive and started over. When I picked the UEFI Shell in Rufus, I picked 26H1, even though I know that my Lenovo is running 25H2. And then I got different results.

[Mosby session started: 2026-05-18 15:57:00]
Mosby v3.1 x64
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002NUS
System SBAT is 2025051000, Embedded SBAT is 2025051000
Not installing SBAT since this system's SBAT is either the same or newer
Generating Secure Boot DB signing credentials...
Saved Secure Boot DB signing credentials as 'MosbyKey'
Generating PK certificate...
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'MosbyKey [2026.05.18]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.05.18]'
[Mosby session ended: 2026-05-18 15:57:31]

I set the BIOS to Secure Boot, and my Lenovo is doing Secure Boot. When I check status using Check-UEFI.bat, I see the following:

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
MosbyKey [2026.05.18]
MosbyKey [2026.05.18]
Microsoft Corporation UEFI CA 2011
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN 7.0

EFI Files
---------
Windows Boot Manager [Production PCA 2011] is BANNED.
Registry: "WindowsUEFICA2023Capable" = 1
[Windows UEFI CA 2023] in UEFI DB.


REQUIRED ACTION
===============

OPTION 1: DO NOTHING AND WAIT. Windows will apply the UEFI updates (PC has supported BIOS).

OPTION 2: To update Windows Boot Manager [UEFI CA 2023] WITHOUT REVOKING the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"


OPTION 3: To update Windows Boot Manager [UEFI CA 2023] and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x382 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

And Windows Security is still saying Secure Boot is on, but your system is using an older boot trust configuration that should be updated.

How do I fix this?

Congrats, you did it! I think you could go ahead with OPTION 2. Just copy paste the 2 commands, first one you can do in CMD and the second in PowerShell. @garlin can chime in here as he's the Secure Boot guru.

I just noticed @garlin 's previous post. Hmm, yeah, that's a bit messed up, but otherwise progress.
 
Last edited:

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
1. You're running an older version of the script ($RevokeMessage bug was fixed). Check post #1.

2. This PC is in Setup Mode, so the corrected version of the update script should be able to apply the Windows OEM Devices certs. Try it again, and should work much better.

Ah sorry, it was the latest version before I started reading the rest of the pages, lol. I have redownloaded the latest now from post 1, results below. Basically the update appears to work, then I followed the instructions in the readme to replace the PK manually per the instruction. Should I also have manually replaced the KEK? There doesn't appear to be an "Updates" folder in my EFI folder in my EFI partition. The PK replaced successfully but when I tried to restart (to run the update script again) it wouldn't boot so I had to clear the keys again.

Code:
pwsh -nop -ep bypass -noexit -f .\Check_UEFI-CA2023.ps1
PowerShell 7.6.0

   A new PowerShell stable release is available: v7.6.1
   Upgrade now, or check out the release page at:
     https://aka.ms/PowerShell-Release?tag=v7.6.1

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI is in Setup Mode (NO CERTS)

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
    Registry: "WindowsUEFICA2023Capable" = 0
        [Windows UEFI CA 2023] not in UEFI DB.


REQUIRED ACTION
===============

OPTION 1:  To install [UEFI CA 2023] certs

        Update_UEFI-CA2023.ps1


OPTION 2:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert

        Update_UEFI-CA2023.ps1 -Revoke


PS C:\Users\james\Downloads\SecureBoot-CA-2023-Updates> .\Update_UEFI-CA2023.ps1
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the PK cert from BIOS.

Restart Windows, for UEFI updates to take effect.

What should I do next please?
 

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
Computer type
PC/Desktop
Manufacturer/Model
Asus
Before revoking CA 2011, everyone needs to understand two details:

1. You must update any Windows ISO or bootable USB drives (which have older CA 2011 boot files).

2. If that's too much hassle (for some people), you can ALWAYS temporarily disable Secure Boot to install Windows or run the recovery drive. Switch back to Secure Boot mode when you're done.

Knowing those two details, someone should be comfortable with doing the revocation now. It's more a heads up. Older versions of Macirum (v8) are less aware of the boot file versions, Macrium X is fine. Rufus provides an option to use the newer boot files.

You can perform the revocation using AvailableUpdates (which the check script does the math for you), or run "Update-UEFI.bat -Revoke".
Understood both points and fully aware of impacts on bootable medias
Thanks again for taking time to explain it and remind us of the impacts
 

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
Did you put the UEFI into Setup Mode first?

This looks like Mosby installed a duplicated copy of every cert. Well technically NOT DUPLICATED since it creates a random new PK, and then proceeds to self-sign the downstream certs. As the new certs are children of the new PK, they're not ignored as duplicates to the existing keys.

Which means you could repeat the process N times, and get N copies of everything. That ought to be a bug.

From my personal experience ,it might be a good suggestion to wipe the keys as it puts the BIOS into Setup Mode and boot back into the Mosby USB to run the update again.
 

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
PS C:\Users\james\Downloads\SecureBoot-CA-2023-Updates> .\Update_UEFI-CA2023.ps1
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.
Run the check script, you're done adding CA 2023 certs. If you would like to perform revocation (still optional for now), run the update script one last time with -Revoke option.

I split the update actions into two parts, because some users don't feel comfortable doing the revoke while updating.
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
Run the check script, you're done adding CA 2023 certs. If you would like to perform revocation (still optional for now), run the update script one last time with -Revoke option.

I split the update actions into two parts, because some users don't feel comfortable doing the revoke while updating.
Update Script run once on each computer. Success! Windows Security says Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed.

Thanks @garlin @Dirtyflash @Akeo for helping update my Lenovo T460 and HP EliteDesk 800 G1!
 

My Computers My Computers

  • At a glance

    Windows 11
    OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T460
  • At a glance

    Windows 11
    Operating System
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP EliteDesk 800 G1 SFF
Run the check script, you're done adding CA 2023 certs. If you would like to perform revocation (still optional for now), run the update script one last time with -Revoke option.

I split the update actions into two parts, because some users don't feel comfortable doing the revoke while updating.

No I think I didn't explain well. I've had to undo the actions again (by clearing the keys again) because it wouldn't boot. So if i run the check script again the results are as per my last post.
 

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
Computer type
PC/Desktop
Manufacturer/Model
Asus
No I think I didn't explain well. I've had to undo the actions again (by clearing the keys again) because it wouldn't boot. So if i run the check script again the results are as per my last post.
Assuming Secure Boot is disabled, you should be allowed to boot anything (no enforcement). You can have an UEFI with updated certs, and it should boot with Secure Boot off. Unless you had VBS previously enabled. What's the error? Does it complain about winload.efi, or throws some BIOS screen error immediately on boot?
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
Older versions of Macirum (v8) are less aware of the boot file versions, Macrium X is fine.

Hasleo is fine too as it now has a 2023 option when creating the rescue media.

I revoked 2011 then tested and the rescue media boots without any issues.

Screenshot 2026-05-18 143228.webp
 

My Computer My Computer

At a glance

Windows 11 Pro
OS
Windows 11 Pro
Well my Macrium Reflect X Rescue Media some reason doesn't boot for some reason.

Hopefully i just won't need to do any recovery til Secure Boot CA 2023 is final lol

Believe i followed Windows PE steps correctly, but i'll check it again possibly later or tomorrow
 

My Computers My Computers

  • At a glance

    Windows 11 Pro 25H2 26200.8037AMD Ryzen 7700X32GB DDR 5 RGB 5600MhzRadeon 7800XT
    OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • At a glance

    Windows 11 Pro 25H2 26200.8037Ryzen 7 7735HS16GB DDR 5AMD Radeon™ 680M & Radeon 7700S
    Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
Assuming Secure Boot is disabled, you should be allowed to boot anything (no enforcement). You can have an UEFI with updated certs, and it should boot with Secure Boot off. Unless you had VBS previously enabled. What's the error? Does it complain about winload.efi, or throws some BIOS screen error immediately on boot?
Yes it boots fine with Secure Boot disabled, no errors, but when SB is Enabled it goes into a boot loop, no error messages, unless I clear the keys.
 

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
Computer type
PC/Desktop
Manufacturer/Model
Asus
Can you boot with Secure Disabled, and run the check script to see what's going on?
Code:
Check-UEFI.bat -Verbose
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
Its only the Macrium Reflect X Rescue USB that doesn't boot for some reason. Windows 11 Flash drive created with Rufus, booted just fine, then i exited the setup area, as wasn't gonna do a full install again at this time.

Anyways i'll get it sorted sometime soon here--Don't have the USB Rescue Flash drive connected right now, i could get it out if need be


Code:
Here is Result of CheckCA2023 with Verbose

PS C:\Temp> .\Check-UEFI.bat -Verbose
PowerShell 7.6.1
Windows 11 25H2 (26200.8457)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
    Micro-Star International Co. MS-7D78
    Version: 1.L7
    Date: 2026-03-16

Factory Default UEFI PK Cert
----------------------------
    MSI SHIP PK

UEFI PK Cert
------------
    MSI SHIP PK

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    MSI SHIP KEK

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    MSI SHIP KEK

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MSI SHIP DB

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MSI SHIP DB

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 431

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 8.0
    EFI_CERT_SHA256_GUID Signatures: 439

UEFI Variables
--------------
    Credential Guard: ON
    SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        \\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
        File Version: 28000.322, SVN 8.0

    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    SkuSiPolicy.p7b is CURRENT.
        \\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
        Version: 3.0.0.14


STATUS REPORT
-------------
    Registry: "UEFICA2023Status" = Updated

    SUCCESS: UPDATES ARE FINISHED.
    UEFI CA 2023 certs are present, PCA 2011 cert is revoked.
 

My Computers My Computers

  • At a glance

    Windows 11 Pro 25H2 26200.8037AMD Ryzen 7700X32GB DDR 5 RGB 5600MhzRadeon 7800XT
    OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • At a glance

    Windows 11 Pro 25H2 26200.8037Ryzen 7 7735HS16GB DDR 5AMD Radeon™ 680M & Radeon 7700S
    Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
@garlin

Another revoke question...
Does your script with -revoke do the samething that 0x280 does or you do more ?
 

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
Another revoke question...
Does your script with -revoke do the samething that 0x280 does or you do more ?
It does more or less the same things, but with some catches.

Code:
0x0400 Add SBAT
0x0200 Append DBX SVN
0x0080 Append PCA 2011 to DBX
0x0020 Copy SkuSiPolicy.p7b to EFI
0x0010 Enable SkuSiPolicy enforcement
0x0002 Append DBX Updates

1. The original script didn't apply the SBAT (which is the Linux equivalent of SVN). Mostly because there was a huge panic two years ago when MS first tried pushing SBAT to everyone's PC, and knocked out many users' Linux systems by mistake.

You could manually add it using the script's rarely used -SBAT option. Did anyone actually use this feature?

After adding SBAT detection, I noticed several users had the SBAT variable even though my update script didn't provide it. Which means Windows was returning to the old behavior of blasting SBAT. To be "backwards compatible" with the Secure Boot task, I removed the manual update option and run the task with 0x400.

2. The script performs three of the major revocation steps in one pass: Adds the PCA 2011 to the DBX list (banning it), appends any missing EFI signatures from DBXUpdate.bin, and bumps up the SVN from DBXUpdateSVN.bin. The file that provides PCA 2011 to DBX (DBXUpdate2024.bin) also contains a "starter" SVN as a baseline, but you're expected to apply the SVN file afterwards to reach the same SVN as shipped with boot manager.

3. Previously, the update script would always copy the SkuSiPolicy to EFI whenever you had VBS enabled (per MS's recommendations). But that was causing too many problems with certain dual-boot setups and blocking a few Macrium recovery drives. Most of that is caused by mismatched boot files. Since I can't manage what the user does after running the script, it's bad for me to enforce SkuSiPolicy by default.

If you want to have SkuSiPolicy copied to the EFI, use the -SkuSiPolicy option.

The check script is smart and does the hex math for you. If you already have one of the revocations already applied, it doesn't ask the Secure Boot task to repeat something that's already done. Not like the task is dumb, but we should be precise instead of slapping a generic value for AvailableUpdates.
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
I build my Macrium X USB boot disk and performed Check_UEFI-CA2023.ps1 -bootmedia -verbose and get:
Bootable Media
--------------
USB Drive I: "8 GB"
Boot File [Production PCA 2011] is BANNED
I:\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 7.0

So I'm good here?
 

My Computer My Computer

At a glance

win 11Intell Core i7 4900 MQDDR3 16 GB
OS
win 11
Computer type
Laptop
Manufacturer/Model
Dell Precision M4800
CPU
Intell Core i7 4900 MQ
Motherboard
Dell QT3YTY A00
Memory
DDR3 16 GB
I build my Macrium X USB boot disk and performed Check_UEFI-CA2023.ps1 -bootmedia -verbose and get:
Bootable Media
--------------
USB Drive I: "8 GB"
Boot File [Production PCA 2011] is BANNED
I:\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 7.0

So I'm good here?
Aren't you worried that the Boot File is BANNED? :whistle:

Leave the Macrium drive plugged in.
Code:
Update_UEFI-CA2023.ps1 -BootMedia
 

My Computer My Computer

At a glance

Windows 7
OS
Windows 7
Aren't you worried that the Boot File is BANNED? :whistle:

Leave the Macrium drive plugged in.
Code:
Update_UEFI-CA2023.ps1 -BootMedia
Ok, Now I get:
Bootable Media
--------------
USB Drive I: "8 GB"
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
I:\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0
 

My Computer My Computer

At a glance

win 11Intell Core i7 4900 MQDDR3 16 GB
OS
win 11
Computer type
Laptop
Manufacturer/Model
Dell Precision M4800
CPU
Intell Core i7 4900 MQ
Motherboard
Dell QT3YTY A00
Memory
DDR3 16 GB
[Mosby session started: 2026-05-18 14:23:04 [UTC]
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002NUS
Generating Secure Boot signing credentials...
Saved Secure Boot signing credentials as 'MosbyKey'
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2025.05.10]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'MosbyKey [2026.05.18]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.05.18]'
Failed to set Secure Boot variable: Security Violation
[Mosby session ended: 2026-05-18 14:23:31 [UTC]

I'm glad Mosby worked for you. When I tried it a few minutes ago, I got a Security Violation.

This is because you were using an old version of Mosby. This is evidenced by Mosby not reporting its version from the log, whereas all the latest versions do (precisely so that we can tell if you are not using the latest).

As you have seen, once you used the latest version your results improved.

And the reason why you may get duplicates is probably because you didn't clear your Secure Boot database after the first operation failed. Mosby always try to clear any existing Secure Boot variables before it installs the new ones, but depending on the machine, that might not always work as this is left to the OEM implementation of EDK2. I'll try to validate that and see if there's anything I should do about it, but this really only is a problem because you used an old version prior to using the latest, and your machine doesn't honour DeleteSecureBootVariables(), which I believe is a very uncommon scenario.

Oh and if you look at the chronology of the reports for the T460, you will have seen that the report of success was after the report of failure, precisely because, 5 month ago, Mosby was fixed to work on the T460 (which is why you really should have tried to locate the latest version of Mosby -- when dealing with security matters, always strive to use the latest!), so the report of the failure is moot.

Finally, since this is a topic related to running PowerShell scripts, and in case this hasn't already been mentioned here, please be aware that mandatory Windows Update KB5089549 from May 12th installs a new C:\Windows\SecureBoot\ directory where you will find multiple official scripts for the validation and updating of your platform when it comes to the 2023 certs. For instance, running .\Detect-SecureBootCertUpdateStatus.ps1 (elevated) on an updated platform will yield (with nicer colours than this output):
Code:
PS C:\Windows\SecureBoot\ExampleRolloutScripts> .\Detect-SecureBootCertUpdateStatus.ps1
Hostname: ########
Collection Time: 05/19/2026 12:28:05
Secure Boot Enabled: True
High Confidence Opt Out: Not Set
Microsoft Update Managed Opt In: Not Set
Available Updates: 0x0
Available Updates Policy: Not Set
Windows UEFI CA 2023 Status: Updated
UEFI CA 2023 Error: None
UEFI CA 2023 Error Event: Not Available
OEM Manufacturer Name: ########
OEM Model System Family: ########
OEM Model Number: ########
Firmware Version: ########
Firmware Release Date: ######
OS Architecture: AMD64
Can Attempt Update After: 05/15/2026 20:23:26
Latest Event ID: 1808
Bucket ID: 9489562971cbe3e065d354545b88d3f9763e43e0f0541e53ffc49250f3a75ef8
Confidence: Under Observation - More Data Needed
Event 1801 Count: 0
Event 1808 Count: 50
Update complete (Event 1808 or Status=Updated) - skipping error analysis
OS Version: 10.0.26200
Last Boot Time: 05/19/2026 09:28:42
Baseboard Manufacturer: ########
Baseboard Product: ########
SecureBoot Update Task: Ready (Enabled: True)
WinCS Key F33E0C8E002: Applied

=== Certificate Update Summary ===
  [1P] Windows UEFI CA 2023 (db):                   Updated
  [1P] Microsoft Corporation KEK 2K CA 2023 (KEK):   Updated
  [3P] Microsoft Corporation UEFI CA 2011 (db):      Present - 3P 2023 certs required
  [3P] Microsoft UEFI CA 2023 (db):                  Updated
  [3P] Microsoft Option ROM UEFI CA 2023 (db):       Updated
===================================

The interesting part is that you can see your "Confidence" bucket, along with the earliest date at which Microsoft plans to update your certs.
 

My Computer My Computer

At a glance

Windows 11
OS
Windows 11
Computer type
PC/Desktop
Manufacturer/Model
Home Built
Screen Resolution
4k

Latest Support Threads

Back
Top Bottom