How to check if your Secure Boot certs are updated. (three methods)


*edit* Ah, I misread something.

If there were an update for the Surface, wouldn't I get it via Windows Update as always?

Is it recommended to do the update manually? I have never done this for a Surface device.
 

Normally, MS would push Surface firmware updates through the Surface app, or via WU.

Support ended in October 2025, so SurfacePro7_Win11_22621_25.090.3489.0.msi is your last update.
Surface devices driver and firmware lifecycle for Windows-based devices - Surface
Surface device | Release date     | End-of-servicing date for firmware & drivers
Surface Pro 7  | October 22, 2019 | October 30, 2025

Download Surface Pro 7 Drivers and Firmware from Official Microsoft Download Center

1. Download from here:
https://download.microsoft.com/down...bf4/SurfacePro7_Win11_22621_25.090.3489.0.msi

2. Run the MSI. Considering it's from September 2025, it should have the CA 2023 certs baked in.
 

Hey garlin,

Before I try this: wouldn't this be too optimistic?
Microsoft states that 17.200.140.0 is the minimum version for the new Secure Boot certificates.
Version 17.200.140.0 is from December 2023.
Or am I getting this wrong?

EDIT: Softpedia gives further information about the official package, listing no change to the UEFI, which stays at 24.109.140 in the SurfacePro7_Win11_22621_25.090.3489.0.msi package.
---> Further Information on Softpedia
I of course don't know if the info there is trustworthy.
 

I would assume they added CA 2023 in an earlier firmware, but if you're getting weird results from reading the UEFI variables, then it could be a firmware bug. So applying the last firmware would presumably resolve any problems.

The machine is end of life, so this is it in terms of final updates. My script works with a range of different PCs; any returned "Unexpected errors" are caused by BIOS implementations that vary from the spec.
 

I just did the update, which was kind of weird. It finished successfully and asked me to reboot, which I did. There were no progress bars as usual mid-boot (there is a special screen for Surface devices with a progress bar).

It took about 10 seconds, and it feels like it did nothing at all.

Your script:
Same result again, unfortunately.

cjee:
The result for the default DB is the same.
The result for the DBX now gives me errors in v1.5.1 and v1.6.0.
 

Hi, here is the output :)

---

Die Variable ist zurzeit nicht definiert: 0xC0000100
PKdefault Count: 0

PK Count: 1

Subject
-------
CN=Windows OEM Devices PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

Die Variable ist zurzeit nicht definiert: 0xC0000100
KEKdefault Count: 1
CN=Windows OEM Devices PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

KEK Count: 2
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

Die Variable ist zurzeit nicht definiert: 0xC0000100
DBdefault Count: 2
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

DB Count: 5
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US

Die Variable ist zurzeit nicht definiert: 0xC0000100
DBXdefault Count: 5
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US

DBX Count: 0
 

Of course the words are different in German.
"Variable is currently undefined" is written as "Die Variable ist zurzeit nicht definiert".

Try this version.
 

Okay, I'm late to the party. I'll go back and read some previous posts, but if anyone has an "ohhh, you need THIS, here" type of thing, I would appreciate it.
 

[Attachment: screenshot 2026-03-27, "Select Administrator: Check UEFI PK, KEK, DB and DBX"]

Okay, I'm late to the party. I'll go back and read some previous posts, but if anyone has an "ohhh, you need THIS, here" type of thing, I would appreciate it.


@garlin
 

@Valis
Welcome to ElevenForum. :-)
While waiting for garlin, you should fill in your computer specs.
We especially need the CPU and the motherboard model number.

Here are some other things that you may find useful...
 

Okay, I'm late to the party. I'll go back and read some previous posts, but if anyone has an "ohhh, you need THIS, here" type of thing, I would appreciate it.
Wow. Something really corrupted your certs. Did you recently update the firmware?

Try "Reset to factory defaults", and re-run the script.
 

Of course the words are different in German.
"Variable is currently undefined" is written as "Die Variable ist zurzeit nicht definiert".

Try this version.
Hi Garlin,

this is the newest script:

---

SetupMode = 0

PKdefault Count: 0

PK Count: 1

Subject
-------
CN=Windows OEM Devices PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

KEKdefault Count: 0

KEK Count: 2
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

DBdefault Count: 0

DB Count: 5
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US

DBXdefault Count: 0

DBX Count: 0
 

Hi, I ran the script and applied the updates using the method the OP linked in the original post; however, only my SVN results changed after doing all that.
And while I had success using these scripts: garlin's PowerShell scripts for updating Secure Boot CA 2023
My results still show two "X"s, and I was wondering if that's normal.
[Attachment: screenshot of the script results]
Thanks in advance.
 

Hi, I ran the script and applied the updates using the method the OP linked in the original post; however, only my SVN results changed after doing all that.
And while I had success using these scripts: garlin's PowerShell scripts for updating Secure Boot CA 2023
My results still show two "X"s, and I was wondering if that's normal.
The key difference between cjee21's script and my own is that I don't inaccurately report some conditions as errors.

Factory keys hold whatever default certs the OEM has decided to include in the firmware. MS has informed OEMs that MS UEFI CA 2023 (primarily used by Linux) and Option ROM can be optional. But those two certs can always be applied to the UEFI, at any time.

Their absence in the defaults isn't something you can change (it's part of the firmware), and it's not really a problem.

And strangely cjee21's script doesn't explicitly inform you that PCA 2011 is on the DBX...
 

The key difference between cjee21's script and my own is that I don't inaccurately report some conditions as errors.

Factory keys hold whatever default certs the OEM has decided to include in the firmware. MS has informed OEMs that MS UEFI CA 2023 (primarily used by Linux) and Option ROM can be optional. But those two certs can always be applied to the UEFI, at any time.

Their absence in the defaults isn't something you can change (it's part of the firmware), and it's not really a problem.

And strangely cjee21's script doesn't explicitly inform you that PCA 2011 is on the DBX...
Oh, got it, thank you. I don't quite understand the part about the PCA 2011, but I'm assuming it isn't an issue?
 

The other script reports that "PCA 2011 (revoked: True)" in the DB category, which implies PCA 2011 was added to the DBX list.

But if you're not familiar with how Secure Boot variables work, you would feel more comfortable seeing an explicit list of DBX certs. That explanation is easier for most people to follow, and doesn't lead to more follow up questions.
 

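Two lessons from this thread are worth seeing in code: a checker must not key on the localized "Variable is currently undefined" text (the German "Die Variable ist zurzeit nicht definiert" broke the first run above), and a DB cert that also appears in the DBX should be reported as revoked explicitly, which is what "PCA 2011 (revoked: True)" means. The script below is an added example written for this page; it is not garlin's or cjee21's script. It assumes the built-in SecureBoot module's Get-SecureBootUEFI accepts the PKDefault/KEKDefault/dbDefault/dbxDefault names (the thread's script reads them), that the NTSTATUS code 0xC0000100 stays in the error message on every locale (it does in the German output posted above), and it uses the EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID values from the UEFI specification.

```powershell
#Requires -RunAsAdministrator
# Added example, not garlin's or cjee21's script. Reads the Secure Boot
# variables, decodes EFI_SIGNATURE_LIST entries, and marks db certs that
# also sit in dbx as revoked.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-UefiVariable {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # Leading comma keeps the byte[] intact instead of unrolling it
        return ,[byte[]](Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        # Never match the localized text ("Variable is currently undefined" /
        # "Die Variable ist zurzeit nicht definiert"). The NTSTATUS code
        # 0xC0000100 (STATUS_VARIABLE_NOT_FOUND) is the same in every language.
        # Assumption: the code is part of the message on every locale.
        if ($_.Exception.Message -match '0xC0000100') { return $null }
        throw
    }
}

function ConvertFrom-EfiSignatureList {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $off = 0
    while ($off + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: GUID SignatureType, UINT32 SignatureListSize,
        # UINT32 SignatureHeaderSize, UINT32 SignatureSize
        $type     = [guid]::new([byte[]]$Bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $off + 24)
        $end      = $off + $listSize
        if ($listSize -lt 28 -or $end -gt $Bytes.Length -or $sigSize -le 16) {
            # Firmware that deviates from the spec yields truncated or
            # inconsistent lists; stop rather than decode garbage.
            throw "Malformed EFI_SIGNATURE_LIST at offset $off"
        }
        $p = $off + 28 + $hdrSize
        while ($p + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the payload
            [pscustomobject]@{
                Type = $type
                Data = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
            }
            $p += $sigSize
        }
        $off = $end
    }
}

function Get-SecureBootEntries {
    param([Parameter(Mandatory)][string]$Name)
    $bytes = Read-UefiVariable -Name $Name
    if ($null -eq $bytes) { return @() }   # variable absent on this firmware
    foreach ($e in ConvertFrom-EfiSignatureList -Bytes $bytes) {
        if ($e.Type -eq $EFI_CERT_X509_GUID) {
            $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($e.Data)
            [pscustomobject]@{ Kind = 'X509'; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
        } elseif ($e.Type -eq $EFI_CERT_SHA256_GUID) {
            [pscustomobject]@{ Kind = 'SHA256'; Subject = ([BitConverter]::ToString($e.Data) -replace '-'); Thumbprint = $null }
        } else {
            [pscustomobject]@{ Kind = $e.Type.ToString(); Subject = '(unhandled signature type)'; Thumbprint = $null }
        }
    }
}

$setup = Read-UefiVariable -Name SetupMode
'SetupMode = {0}' -f $setup[0]

# Any X.509 entry in dbx is a revoked CA; compare by thumbprint (SHA-1 of the DER).
$dbx     = @(Get-SecureBootEntries -Name dbx)
$revoked = @($dbx | Where-Object Kind -eq 'X509' | ForEach-Object Thumbprint)

foreach ($var in 'PK', 'KEK', 'db', 'PKDefault', 'KEKDefault', 'dbDefault', 'dbxDefault') {
    $entries = @(Get-SecureBootEntries -Name $var)
    ''
    '{0} Count: {1}' -f $var, $entries.Count
    foreach ($c in $entries) {
        $flag = if ($c.Kind -eq 'X509' -and $revoked -contains $c.Thumbprint) { ' (revoked: present in dbx)' } else { '' }
        '  [{0}] {1}{2}' -f $c.Kind, $c.Subject, $flag
    }
}

# dbx can hold hundreds of SHA-256 hashes; list only the certs and count the hashes.
''
'dbx Count: {0}' -f $dbx.Count
foreach ($c in ($dbx | Where-Object Kind -eq 'X509')) { '  [X509] {0}' -f $c.Subject }
'  plus {0} SHA-256 hash entries' -f @($dbx | Where-Object Kind -eq 'SHA256').Count
```

Run it from an elevated PowerShell. A missing *Default variable prints "Count: 0" rather than a localized error, a malformed signature list stops with an offset you can report to the OEM, and on a machine where the 2023 rollout has finished, "Microsoft Windows Production PCA 2011" shows up under db with the "revoked: present in dbx" flag.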