[Mosby session started: 2026-05-18 14:23:04 [UTC]
UEFI v2.40 (Lenovo, 0x00001450)
LENOVO R06ET71W (1.45 )
LENOVO 20FN002NUS
Generating Secure Boot signing credentials...
Saved Secure Boot signing credentials as 'MosbyKey'
Generating PK certificate...
Installing SSPV: 'SkuSiPolicyVersion [2023.04.29]'
Installing SSPU: 'SkuSiPolicyUpdateSigners [2023.04.29]'
Installing SBAT: 'SbatLevel.txt [2025.05.10]'
Installing DBX: 'Windows Bootmgr SVN 7.0 DBX update [2025-06-06]'
Installing DBX: 'DBX for x86 (64 bit) [2025.10.16]'
Installing DB: 'Windows UEFI CA 2023'
Installing DB: 'Microsoft Option ROM UEFI CA 2023'
Installing DB: 'Microsoft Corporation UEFI CA 2011'
Installing DB: 'Microsoft Windows Production PCA 2011'
Installing DB: 'Microsoft UEFI CA 2023'
Installing DB: 'MosbyKey [2026.05.18]'
Installing KEK: 'Microsoft Corporation KEK CA 2011'
Installing KEK: 'Microsoft Corporation KEK 2K CA 2023'
Installing PK: 'Mosby Generated PK [2026.05.18]'
Failed to set Secure Boot variable: Security Violation
[Mosby session ended: 2026-05-18 14:23:31 [UTC]
I'm glad Mosby worked for you. When I tried it a few minutes ago, I got a Security Violation.
This is because you were using an old version of Mosby. This is evidenced by Mosby not reporting its version from the log, whereas all the latest versions do (precisely so that we can tell if you are not using the latest).
As you have seen, once you used the latest version your results improved.
And the reason why you may get duplicates is probably because you didn't clear your Secure Boot database after the first operation failed.
Mosby always try to clear any existing Secure Boot variables before it installs the new ones, but
depending on the machine, that might not always work as this is left to the OEM implementation of EDK2. I'll try to validate that and see if there's anything I should do about it, but this really only is a problem because you used an old version prior to using the latest, and your machine doesn't honour
DeleteSecureBootVariables(), which I believe is a very uncommon scenario.
Oh and if you look at the chronology of the reports for the T460, you will have seen that the report of success was after the report of failure, precisely because, 5 month ago, Mosby was fixed to work on the T460 (which is why you really should have tried to locate the latest version of Mosby -- when dealing with security matters,
always strive to use the latest!), so the report of the failure is moot.
Finally, since this is a topic related to running PowerShell scripts, and in case this hasn't already been mentioned here, please be aware that mandatory Windows Update
KB5089549 from May 12th installs a new
C:\Windows\SecureBoot\ directory where you will find multiple official scripts for the validation and updating of your platform when it comes to the 2023 certs. For instance, running
.\Detect-SecureBootCertUpdateStatus.ps1 (elevated) on an updated platform will yield (with nicer colours than this output):
Code:
PS C:\Windows\SecureBoot\ExampleRolloutScripts> .\Detect-SecureBootCertUpdateStatus.ps1
Hostname: ########
Collection Time: 05/19/2026 12:28:05
Secure Boot Enabled: True
High Confidence Opt Out: Not Set
Microsoft Update Managed Opt In: Not Set
Available Updates: 0x0
Available Updates Policy: Not Set
Windows UEFI CA 2023 Status: Updated
UEFI CA 2023 Error: None
UEFI CA 2023 Error Event: Not Available
OEM Manufacturer Name: ########
OEM Model System Family: ########
OEM Model Number: ########
Firmware Version: ########
Firmware Release Date: ######
OS Architecture: AMD64
Can Attempt Update After: 05/15/2026 20:23:26
Latest Event ID: 1808
Bucket ID: 9489562971cbe3e065d354545b88d3f9763e43e0f0541e53ffc49250f3a75ef8
Confidence: Under Observation - More Data Needed
Event 1801 Count: 0
Event 1808 Count: 50
Update complete (Event 1808 or Status=Updated) - skipping error analysis
OS Version: 10.0.26200
Last Boot Time: 05/19/2026 09:28:42
Baseboard Manufacturer: ########
Baseboard Product: ########
SecureBoot Update Task: Ready (Enabled: True)
WinCS Key F33E0C8E002: Applied
=== Certificate Update Summary ===
[1P] Windows UEFI CA 2023 (db): Updated
[1P] Microsoft Corporation KEK 2K CA 2023 (KEK): Updated
[3P] Microsoft Corporation UEFI CA 2011 (db): Present - 3P 2023 certs required
[3P] Microsoft UEFI CA 2023 (db): Updated
[3P] Microsoft Option ROM UEFI CA 2023 (db): Updated
===================================
The interesting part is that you can see your "Confidence" bucket, along with the earliest date at which Microsoft plans to update your certs.