How to check if your Secure Boot certs are updated. (three methods)


nikki605 said:
Holy crap! That readme is a monster! Plus RUFUS, disable secure boot in the UEFI, create a bootable USB drive, etc, etc, etc.... :dizzy:
Click to expand...
It reads scarier than it actually is! That put me off from running it at first too.

First thing to understand is how to RESTORE DEFAULT keys. That's the way to recover and get exactly back where you started at any point.

Then simply understand what's happening: MOSBY fully populates all secure boot variables (PK, KEK, DB and DBX). But in order to do that UEFI has to be put in Setup Mode, which means deleting all the keys that were there (especially PK). Not at all a problem if you know how to Restore Default Keys which puts them all back (but only the default keys, which are probably 2011 keys if you're doing this) any time you want.

Since there are no keys Secure Boot has to be disabled so that MOSBY can start from it's USB drive.

Different UEFI's do different things, but "Reset to Setup Mode" in your case almost definitely means it puts it into Setup Mode (that's on the HELP screen to the right of the image you posted). It might also disable Secure Boot at the same time since it's a logical thing to do.

ADDED: Lastly, if this is scary then just realize it's essentially no different from what will be the case in a few months after the 2011 keys are expired: you'll have to disable Secure Boot to even start up and you might as well just delete them from variables for all the good they'd do you. That is, unless you can manage to get 2023 keys loaded using some other method.
 
Last edited:

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
nikki605 said:
Holy crap! That readme is a monster! Plus RUFUS, disable secure boot in the UEFI, create a bootable USB drive, etc, etc, etc.... :dizzy:
Click to expand...
After a good night's sleep, I tackled Mosby and Rufus this morning. I was able to create a Rufus UEFI Shell boot USB flash drive and found out from the readme files that it already includes Mosby. Cool! That saved me extra steps. Now I am waiting for my wife to leave for an appointment so I can get back on the desktop to see if I want to fool around with the Secure Boot Setup Mode in the UEFI/BIOS and actually try doing this with out turning the system into a brick.

RufusUEFIShellWithMosby.webp

RufusBootUSBFiles.webp

That brings me to step 3 where I have to start messing with the Secure Boot Setup settings:
Usage.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
nikki605 said:
After a good night's sleep, I tackled Mosby and Rufus this morning. I was able to create a Rufus UEFI Shell boot USB flash drive and found out from the readme files that it already includes Mosby. Cool! That saved me extra steps. Now I am waiting for my wife to leave for an appointment so I can get back on the desktop to see if I want to fool around with the Secure Boot Setup Mode in the UEFI/BIOS and actually try doing this with out turning the system into a brick.

View attachment 157728

View attachment 157729

That brings me to step 3 where I have to start messing with the Secure Boot Setup settings:
View attachment 157730
Click to expand...

The latest Mosby version is v2.8, it's newer than what's in Rufus. You can download it, extract all and copy/paste the contents into UEFI Shell boot USB flash drive you created. It will overwrite 7 of the 8 files, you'll then have the most up-to-date version of Mosby which apparently helps with older Lenovo, HP, Dell and other systems.

github.com

GitHub - pbatard/Mosby: Mosby – More Secure Secure Boot

Mosby – More Secure Secure Boot. Contribute to pbatard/Mosby development by creating an account on GitHub.
github.com github.com
 

My Computer

System One

  • OS
    Windows 11
Dirtyflash said:
The latest Mosby version is v2.8, it's newer than what's in Rufus.
Click to expand...

nikki605 said:
I was able to create a Rufus UEFI Shell boot USB flash drive and found out from the readme files that it already includes Mosby.
Click to expand...
Just download the .zip file and extract its contents into the root folder of the USB boot drive you made with RUFUS, allow it to over-write whatever's there. Very easy to do.

A major benefit is v2.8 has a work-around for installing the KEK key into certain firmwares that have a flawed UEFI implementation which prevent ever updating or appending to the KEK. If yours has that issue this is about the only way to get KEK updated.

Another benefit is it has the most up-to-date DBX revocations.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
Dirtyflash said:
The latest Mosby version is v2.8, it's newer than what's in Rufus. You can download it, extract all and copy/paste the contents into UEFI Shell boot USB flash drive you created. It will overwrite 7 of the 8 files, you'll then have the most up-to-date version of Mosby which apparently helps with older Lenovo, HP, Dell and other systems.

github.com

GitHub - pbatard/Mosby: Mosby – More Secure Secure Boot

Mosby – More Secure Secure Boot. Contribute to pbatard/Mosby development by creating an account on GitHub.
github.com github.com
Click to expand...
Thanks for the heads up. I downloaded the Mosby_v2.8.zip file and extracted the files to the USB flash drive previously created. The Mosby files are now all back dated to 12/09/2025. Does this look right?

RufusUEFIShellMosby2_8.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
Buddywh said:
Just download the .zip file and extract its contents into the root folder of the USB boot drive you made with RUFUS, allow it to over-write whatever's there. Very easy to do.

A major benefit is v2.8 has a work-around for installing the KEK key into certain firmwares that have a flawed UEFI implementation which prevent ever updating or appending to the KEK. If yours has that issue this is about the only way to get KEK updated.

Another benefit is it has the most up-to-date DBX revocations.
Click to expand...

As you can see with my failed attempt with v2.8 ( also had tried with the previous version), it may,or may not work, really depends on the device. I'm not sure if it was an issue with appending the KEK, other than it most likely being a flawed OEM UEFI implementation.


Mosby BIOS.webp
 

My Computer

System One

  • OS
    Windows 11
Dirtyflash said:
As you can see with my failed attempt with v2.8 ( also had tried with the previous version), it may,or may not work, really depends on the device. I'm not sure if it was an issue with appending the KEK, other than it most likely being a flawed OEM UEFI implementation.


View attachment 157752
Click to expand...
Your failed attempt has me concerned about trying it on my machine. Is your system still running or did this failed attempt brick it?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
nikki605 said:
Your failed attempt has me concerned about trying it on my machine. Is your system still running or did this failed attempt brick it?
Click to expand...
All you'd have to do is go back into BIOS and then do a "Restore Default Keys". It will be back to the 2011 keys, which WILL expire but at least it will continue to run in Secure Boot for a while yet. And it's definitely not bricked since you can also run it with Secure Boot disabled, which will be the case at some point after they do expire.

If your system has the problem with updating KEK, it's certainly worth a try no matter what.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
How do I update the Windows Bootmgr SVN to 7.0, it seems the one remaining thing I should address.


1766349704003.webp
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
Buddywh said:
All you'd have to do is go back into BIOS and then do a "Restore Default Keys". It will be back to the 2011 keys, which WILL expire but at least it will continue to run in Secure Boot for a while yet. And it's definitely not bricked since you can also run it with Secure Boot disabled, which will be the case at some point after they do expire.

If your system has the problem with updating KEK, it's certainly worth a try no matter what.
Click to expand...
Okay, I disabled Secure Boot and put it in Setup mode. Looks like I can easily return to the factory defaults if Mosby doesn't work. Here I go, trying to boot the Rufus with Mosby USB drive. Wish me luck. 🤞SecureBootSetupMode.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
gunrunnerjohn said:
How do I update the Windows Bootmgr SVN to 7.0, it seems the one remaining thing I should address.
Click to expand...
I see you have a MOSBY generated PK, so you must have run MOSBY to update keys previously.

I'd download MOSBY v2.8, unzip the contents into the bootable USB drive you created to run MOSBY previously (allow it to overwrite existing files) and run it again, using the "-U" runtime parameter to only update the revocation databases. v2.8 has all the latest DBX revocations included (SVN and including SBAT if you need that too).
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
nikki605 said:
Your failed attempt has me concerned about trying it on my machine. Is your system still running or did this failed attempt brick it?
Click to expand...

Yeah it caused some problems, I couldn't turn secure boot back on as it was stuck in setup mode. Had to reinstall the factory keys to get back into user mode. Then it wouldn't boot if I turned on secure boot. I think the reason for that is there's a bootloader mismatch once you reset the factory keys, the firmware was likely using 2011 and W11 2023. Long story short, I clean installed W11 ( turns on secure boot by itself afterwards ), installed Windows UEFI CA 2023 and restored a backup image, all in that order. I don't intend to try again, but if I did and it failed once more, I would first try to fix the bootloader, assuming factory key reset is 2011 and the OS was 2023.
 

My Computer

System One

  • OS
    Windows 11
Dirtyflash said:
a bootloader mismatch once you reset the factory keys
Click to expand...
You probably picked up the 2023 boot manager somewhere along the way. There is a way to fix that by rebuilding the EFI partition. Not too difficult to do, I had to do it once also. It's all laid out in the Recover Procedure of this Microsoft document:

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com support.microsoft.com

But I'd probably not have bothered with re-installing Windows as the recovery in any case. Reason being, if the system can not get updated with 2023 keys it's going to have to run with Secure Boot disabled soon after the 2011 keys expire anyway.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
Buddywh said:
All you'd have to do is go back into BIOS and then do a "Restore Default Keys". It will be back to the 2011 keys, which WILL expire but at least it will continue to run in Secure Boot for a while yet. And it's definitely not bricked since you can also run it with Secure Boot disabled, which will be the case at some point after they do expire.

If your system has the problem with updating KEK, it's certainly worth a try no matter what.
Click to expand...
I think I got it. Here are my steps:

Boot Rufus USB
RufusBoot.webp

Start Mosby
Step1.webp

I used their recommended GENERATE option, but I know anything about DB credentials. Should I have picked DON'T INSTALL?
Step2.webp

Step3.webp

The screen above says the following files should be generated: 'MosbyKey.pfx', MosbyKey.crt', 'MosbyKey.key'. But the screen below shows one file is different: 'MosbyKey.pfx', MosbyKey.crt', 'MosbyKey.pem'. Is that just a missed update (typo) or is it a problem?
RufusMosbyAfterRunning.webp

MosbyFinish.webp


CheckScriptAfterMosby.webp

I believe the WARNINGS in the Default sections are okay to ignore because Current sections all look correct. Am I right about that?
Variables3.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
nikki605 said:
I think I got it. Here are my steps:

Boot Rufus USB
View attachment 157762

Start Mosby
View attachment 157763

I used their recommended GENERATE option, but I know anything about DB credentials. Should I have picked DON'T INSTALL?
View attachment 157764

View attachment 157765

The screen above says the following files should be generated: 'MosbyKey.pfx', MosbyKey.crt', 'MosbyKey.key'. But the screen below shows one file is different: 'MosbyKey.pfx', MosbyKey.crt', 'MosbyKey.pem'. Is that just a missed update (typo) or is it a problem?
View attachment 157766

View attachment 157768


View attachment 157769

I believe the WARNINGS in the Default sections are okay to ignore because Current sections all look correct. Am I right about that?
View attachment 157770
Click to expand...
I'm impressed you got through without any problems on your Lenovo ThinkCentre M83 from 2013. Can you do a screenshot of your BIOS secure boot settings. Trying to see how it may be different than what I have in the Lenovo T460, perhaps it may be a clue as to why my attempts failed.
 

My Computer

System One

  • OS
    Windows 11
nikki605 said:
I believe the WARNINGS in the Default sections are okay to ignore because Current sections all look correct. Am I right about that?
Click to expand...
I get the same warnings in a couple of my systems after doing a MOSBY update. I think it has more to do with the fact so many OEM's use non-standard UEFI implementations which don't always work as expected. But if it works, it works, and yours (like mine) is working with a 2023 signed boot manager, a complete complement of 2023 keys AND the latest DBX revocations!

I'm also not that worried what it means since I REALLY don't ever want to restore default keys in the future since I don't want 2011 (exclusively) keys again. And I don't think that's an issue either since I've gone over 10 years now running UEFI and Secure Boot enabled on my systems without ever having to restore keys or even knowing it existed before this, so I see no reason I should need to in the future.

The issue with the .PEM file is something to ask @Akeo , the MOSBY author here in the forum. It's not really that important unless you plan on creating your own, custom, boot manager files. You'll need these files and keys to sign them in order to get Secure Boot to work... and also to use for creating keys on every other computer you'd want the custom boot manager files running on. We're using it to get updated keys on difficult computers, but this is the real purpose of MOSBY: to create the foundation for a "hardened" computing environment that starts with a unique in all the world Secure Boot chain of trust.
 
Last edited:

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
nikki605 said:
I believe the WARNINGS in the Default sections are okay to ignore because Current sections all look correct. Am I right about that?
Click to expand...
I got the same result from my application of Mosby and I'm supposing the warnings concern the Default DB because we deleted all the keys in the preparation to install Mosby. So that Default Data Base is empty. In any event, you are good to go per the results of your running the Check_EFIBootFile.ps1 script. Good job!!
 

My Computers

System One System Two

  • OS
    Windows 11 Home, ver 25H2 build 26200.8246
    Computer type
    Laptop
    Manufacturer/Model
    Hewlett-Packard Spectre 13-4001 x360 convertable
    CPU
    Intel Core i5 5200U @ 2.20GH
    Motherboard
    Hewlett-Packard 802D
    Memory
    4 GB
    Graphics Card(s)
    Intel HD Graphics 5500 on board
    Sound Card
    Intel Smart Sound Technology (Intel SST)
    Hard Drives
    Micron 256GB M.2 2280 NGFF SSD MTFDDAV256TBN, (SATA 6.0 Gb/s)
    Keyboard
    Model # G01KB
    Antivirus
    Microsoft Defender
    Other Info
    born on date: 25 Feb 2016
  • Operating System
    Win 11 Home 25H2 build 26200.7922
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus Desktop model M32AD-US019S (DOM: 6/9/2014 )
    CPU
    Intel Core i7 4th Gen 4790 (3.60GHz), Haswell 22nm Technology, SOCKET 1150
    Motherboard
    H81M-E/M51AD/DP_MB
    Memory
    Samsung 16 GB DDR3 (8GB in 2 modules)
    Graphics card(s)
    NVIDIA GeForce GTX 760, 3GB, and on-board Intel HD Graphics 4600 Rev 6
    Monitor(s) Displays
    HP EliteDisplay E241i LED; HP EliteDisplay E243
    Hard Drives
    Samsung 500GB SSD, 870 EVO (SATA 6.0 )
    Micron 250GB SSD, CT250MX500
    Toshiba HDD, 3GB (original drive w/PC)
    Case
    ASUS
    Keyboard
    ASUS-------------------------
    Antivirus
    MS Defender
    Other Info
    Additional Laptops:

    HEWLETT PACKARD
    HP OmniBook X Flip NGAI (Next Gen AI),
    Model: 16-as0023dx
    PT# B5UH1UA#ABA Product #: B5UH1UA
    delivered and setup 7/25/25
    16" 2K Touch-Screen Laptop
    Intel Core Ultra 7 256V '24 Series 2 - CPU
    Boost Clock Frequency 4.8 gigahertz; Neural Processing Unit (NPU) Yes;
    16GB Memory, LPDDR5X
    1TB SSD PCIe 4.0
    Graphics: Intel Arc 140V
    1 x HDMI 2.1
    1 x Thunderbolt 4
    2K Touch-Screen display, LED, IPS; 1920 x 1200 (Full HD+)
    USB Ports: 1 x USB-C 3.1, 2 x USB-A 3.1
    Wi-Fi 6E
    weight 4.15 pounds

    DELL
    Model:I7591-7483BLK-PUS 2-in-1 (7000 Series)
    purchased 12/3/2019,
    15.6 inch 2-IN-1;
    4K Ultra HD Touch-Screen, 3840 x 2160,
    Intel Core i7 10510U CPU 1.80GHz,
    16GB RAM DDR4 SDRAM 2400 megahert (2 slots),
    dedicated graphics Nvidia GeForce MX250 2 GB Graphics,
    PCIe 512GB Intel SSD + 32GB Optane Memory (Intel Optane Memory H10 with solid-state storage),
    wireless-AX & Bluetooth
    Battery: 68wh, Type 4VGMP 4 cell
Dirtyflash said:
I'm impressed you got through without any problems on your Lenovo ThinkCentre M83 from 2013. Can you do a screenshot of your BIOS secure boot settings. Trying to see how it may be different than what I have in the Lenovo T460, perhaps it may be a clue as to why my attempts failed.
Click to expand...
There is very little on the Security tab on the M83 (2014) desktop.

Post #240 on page 12 of this topic shows all that is on the Security tab (2 screen shots) before I changed anything - How to check if your Secure Boot certs are updated. (two methods)

Post #251 on this page (13) shows after I Disabled Secure Boot and selected 'Reset To Setup Mode' - How to check if your Secure Boot certs are updated. (two methods)

My T490 laptop (2020) was already Windows 11 ready, so I didn't need to go into the BIOS/UEFI settings at all to change any of it's Secure Boot settings.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
Buddywh said:
I see you have a MOSBY generated PK, so you must have run MOSBY to update keys previously.

I'd download MOSBY v2.8, unzip the contents into the bootable USB drive you created to run MOSBY previously (allow it to overwrite existing files) and run it again, using the "-U" runtime parameter to only update the revocation databases. v2.8 has all the latest DBX revocations included (SVN and including SBAT if you need that too).
Click to expand...
Well, turns out I don't have the RUFUS USB that I used previously, so I'll need to to make another one.
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
nikki605 said:
There is very little on the Security tab on the M83 (2014) desktop.

Post #240 on page 12 of this topic shows all that is on the Security tab before I changed anything - How to check if your Secure Boot certs are updated. (two methods)

Post #251 on this page (13) shows after I Disabled Secure Boot and selected 'Reset To Setup Mode' - How to check if your Secure Boot certs are updated. (two methods)

My T490 laptop (2020) was already Windows 11 ready, so I didn't need to go into the BIOS/UEFI settings at all to change any of it's Secure Boot settings.
Click to expand...
Thanks, the M83 has a couple less settings compared to the T460, which also has two additional options: Clear All Keys and Reset Factory Keys in addition to Secure Boot On/Off and turning on Setup Mode. I was also comparing my Mosby output to yours as it progressively installed the keys, some slight differences, not enough to identify the culprit.
 

My Computer

System One

  • OS
    Windows 11
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom