How to check if your Secure Boot certs are updated. (three methods)


Thanks, the M83 has a couple less settings compared to the T460, which also has two additional options: Clear All Keys and Reset Factory Keys in addition to Secure Boot On/Off and turning on Setup Mode. I was also comparing my Mosby output to yours as it progressively installed the keys, some slight differences, not enough to identify the culprit.
You're welcome. Good luck resolving your problem. 🤞
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtek High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
ADDED: Lastly, if this is scary then just realize it's essentially no different from what will be the case in a few months after the 2011 keys are expired: you'll have to disable Secure Boot to even start up and you might as well just delete them from variables for all the good they'd do you. That is, unless you can manage to get 2023 keys loaded using some other method.
This is a big myth. Expired Secure Boot certs are still valid as long as you have them enrolled in UEFI.

A cert cannot authenticate any file SIGNED AFTER THE EXPIRATION DATE. If you're booting from files signed before the cert's end expiration (older Windows releases), those files are still valid. MS cannot release a new patched boot file using an expired certificate. So it needs a new certificate to cover any files released past the CA 2011's end date.

The old files don't get magically cancelled.

The only way to invalidate the boot files (bricking your PC), is to either:
- Remove the CA 2011 cert, so boot files provided from 2011 until mid-2026 are no longer allowed because no cert can be found to validate them.
- Cancelling the CA 2011 cert, by adding it to the DBX list.

Here's a simple analogy: You're installing a legacy app or driver which was signed back in the W7/8 days. The installer asks you to accept a cert at install time, and you click "Yes". Even though the cert distributed by the installer is expired, you have chosen to enroll it. Because you trust this cert, those old files are now considered trusted even though they're signed by a long expired cert.
 

My Computer

System One

  • OS
    Windows 7
This is a big myth. Expired Secure Boot certs are still valid as long as you have them enrolled in UEFI.

...
Then why should people be at all concerned about updating secure boot keys?

As I understand it the problem comes when Microsoft wants to push out updates in the future. In particular, that relates to updates to DBX / SVN for revocations. They won't be able to do that for 2011 keys since they can't 'sign' the updated binaries with the expired certificates. In other words: you'd be stuck with a system that has all the current vulnerabilities, and the future ones that will come without regular updates.

So specifically: how long will Microsoft continue to even support Windows 11 with 2011 signed boot manager files that can't ever be revoked as vulnerabilities arise? It's only reasonable that they will only allow 2023 signed boot manager files at some point. That's when the 2011 keys in Secure Boot variables are essentially useless even if still valid, and you might as well delete all your keys if you can't get updates to 2023 keys since you couldn't enable Secure Boot anyway.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
How do I update the Windows Bootmgr SVN to 7.0, it seems the one remaining thing I should address.


View attachment 157659
I was able to get the SVN updates by following instructions from @hader in this post:

 

Then why should people be at all concerned about updating secure boot keys?

I thought the problem comes when Microsoft wants to push out updates in the future. In particular, that relates to updates to DBX for revocations. They won't be able to do that for 2011 keys since they can't 'sign' the updates with the expired certificates. In other words: you'd be stuck with a system that has all the current vulnerabilities, and the future ones that will come without regular updates.

In fact, how long will Microsoft continue to even support Windows 11 with 2011 signed boot manager files that can't ever be revoked as vulnerabilities arise?
As I've repeated on several of these Secure Boot threads, the goals of the CA 2023 migration are:

1. Cancel CA 2011 because of the Black Lotus UEFI rootkit, which is a known threat and available to hackers.

2. Introduce CA 2023 because the CA 2011's 15 year lifetime is ending. MS would have done this regardless of Black Lotus being reported. W11 26H2 will be released right around the expiration date for CA 2011. They can't sign it using the old cert.

3. Future Windows won't include the CA 2011 boot file, for backward compatibility. You will have to replace your UEFI certs just to boot it. I have read from a GitHub comment by a MS dev that they're planning to push UEFI updates in future OOBE sessions. So they will presumably auto-upgrade you in 26H2.

4. MS has wanted to revoke the 2011 cert for the past 3-4 years, but it's been held up by slow-moving PC OEMs who won't cooperate by releasing signed KEK CA 2023 certs, either by firmware updates or by giving them to MS. In the UEFI security model, MS presents a master KEK certificate to sign all its other certificates, but your PC maker has to bless the KEK by signing it with their Platform Key.

MS can't go around the OEM's PK. Except to offer a replacement PK for users who chose to go into Setup mode, this key functionally replaces your OEM's PK, and then MS owns both the PK and KEK. That's a drastic step, and MS would prefer not to do that.
 

As I've repeated on several of these Secure Boot threads, the goals of the CA 2023 migration are:
..
I dunno what you're going on about. You just didn't read the whole thing I wrote initially.

The Windows PCA 2011 key (in particular) may be valid, but it's still going to be effectively worthless for purpose soon after it expires once Microsoft revokes the 2011 signed boot manager files (which they can never change to mitigate emergent vulnerabilities) and allows only 2023 signed files (which they can). At that point, IF you haven't gotten updates to the necessary 2023 keys through some means you'll have to disable Secure Boot to start up.

If Microsoft is going to keep the 2011 boot manager in use at that time active, even with an inevitably ever-growing list of vulnerabilities, then let us know that at least.
 
I dunno what you're going on about. You just didn't read the whole thing I wrote initially. The 2011 keys may be valid, but they're still going to be worthless soon after they expire once Microsoft revokes the 2011 boot manager files. At that time, IF you don't get updates to the necessary 2023 keys through some other means you'll have to disable Secure Boot to start up.

If Microsoft is going to keep the 2011 boot manager active, even with its current and inevitably ever-growing list of vulnerabilities, then let us know that at least.
If a person uses the current commands to install the certificates, would those same commands work in future to keep the certificates current? In my case, I've been able to manually install all the certificates with the exception of the 2023 KEK, or would that option be blocked in future builds once the 2011 certs expire.
Secure Boot 25H2 Installation.webp
 

My Computer

System One

  • OS
    Windows 11
If a person uses the current commands to install the certificates, would those same commands work in future to keep the certificates current? In my case, I've been able to manually install all the certificates with the exception of the 2023 KEK, or would that option be blocked in future builds once the 2011 certs expire.
View attachment 157786
As far as I'm aware, the only variable that sees regular maintenance, or "kept current", is DBX for SVN updates. Without a 2023 signed key in KEK then DBX could not be updated with updates signed only with a 2023 key. Since the 2011 key is expired at that point it can no longer be used to sign the updates. This is going to be the case regardless of what commands may or may not work.
 
As far as I'm aware, the only variable that sees regular maintenance, or "kept current", is DBX for SVN updates. Without a 2023 signed key in KEK then DBX could not be updated after the 2011 KEK certificate has expired. And that is going to be true regardless of what commands may or may not work since there is no valid KEK to validate the updates to DBX that will come signed only with a 2023 certificate.
So the issue is strictly whether or not the DBX gets updated. If a user chooses to run on a system without ongoing updates to the DBX, then that's their choice? Otherwise, Windows will continue to operate as normal if all the other 2023 keys are in place?
 

So the issue is strictly whether or not the DBX gets updated. If a user chooses to run on a system without ongoing updates to the DBX, then that's their choice? Otherwise, Windows will continue to operate as normal if all the other 2023 keys are in place?
That's actually a good question... one I've also asked and haven't gotten clear, concise answers to. Mostly, it almost always goes back to "When Microsoft revokes trust in compromised boot managers you'd never get it posted to DBX". Which is bad enough I suppose since it essentially means Secure Boot has become pretty much pointless (more so than many considered it before at least) or soon will be as the bad actors start throwing exploits into the wild to take advantage of that.
 

That's actually a good question... one I've also asked and haven't gotten clear, concise answers to. Mostly, it almost always goes back to "When Microsoft revokes trust in compromised boot managers you'd never get it posted to DBX". Which is bad enough I suppose since it essentially means Secure Boot has become pretty much pointless (more so than many considered it before at least) or soon will be as the bad actors start throwing exploits into the wild to take advantage of that.
By the time the 2011 certificates expire, the bad actors will have had 3 years to be naughty, perhaps longer if they've been busy prior to 2023. Think of all the systems they've been able to infect/exploit over the years. The whole thing sometimes seems like an exercise in damage control and showing they're doing something about it. What's worse is the fear mongering, which has created so many threads and posts, which in turn has created so much confusion, further feeding on the fear.
 

I am getting this:
1767444182037.webp
---
1767444211320.webp
---
1767444234367.webp


Disk 3 is my boot drive:
1767444285871.webp

So how can I check why the one script is showing "BANNED"?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom
    CPU
    AMD Ryzen 9 5900X
    Motherboard
    MSI MEG X570 UNIFY (MS-7C35)
    Memory
    2x G.Skill F4-3600C16-16GVKC
    Graphics Card(s)
    NVIDIA GeForce RTX 4090 Founders Edition (AD102-300)
    Sound Card
    None
    Monitor(s) Displays
    Samsung Odyssey Neo G9 Gaming Monitor (49”)
    Screen Resolution
    5120 x 1440
    Hard Drives
    Samsung SSD 990 PRO 4TB
    2 x CT2000MX500SSD1
    Seagate FireCuda 530 2TB
    PSU
    Corsair HX1000i
    Case
    DARK BASE PRO 900 Rev. 2
    Cooling
    Liquid Freezer II - 420
    Keyboard
    Logitech G915
    Mouse
    Logitech G502 X Lightspeed
    Internet Speed
    Fiber: 500MB Down / 100MB Up
    Browser
    Firefox
    Antivirus
    Microsoft Defender Antivirus
So how can I check why the one script is showing "BANNED"?


Check the registry, here...
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing


On the right side, you should see...

UEFICA2023Status Updated
WindowsUEFICA2023Capable 0x00000002 (2)



Image1.webp



And here's ten points for filling out your computer specs. :-)
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keyboard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
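
Added example (not from the thread, and not garlin's or cjee21's script): a PowerShell check that reads the PK, KEK, db and dbx variables directly, parses each EFI_SIGNATURE_LIST to list every enrolled certificate with its expiry date, and then compares the Servicing registry values with the ones quoted in the post above. The helper name Get-EfiSignatureListCert is hypothetical, and the two certificate names matched at the end are Microsoft's published names rather than values from the thread; it assumes an elevated PowerShell session on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example: not part of the thread and not garlin's or cjee21's script.

$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Get-EfiSignatureListCert {      # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then three UINT32 sizes
        $type       = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }  # malformed list
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $end = $offset + $listSize
            for ($pos = $offset + 28 + $headerSize; $pos + $sigSize -le $end; $pos += $sigSize) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
        }
        $offset += $listSize   # hash-only lists (most of dbx) are skipped
    }
}

$simpleName = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$certs = foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    try   { $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop }
    catch { Write-Warning "Could not read ${name}: $($_.Exception.Message)"; continue }
    foreach ($cert in (Get-EfiSignatureListCert -Bytes $var.Bytes)) {
        [pscustomobject]@{
            Variable = $name
            Subject  = $cert.GetNameInfo($simpleName, $false)
            NotAfter = $cert.NotAfter.ToString('yyyy-MM-dd')
            Expired  = $cert.NotAfter -lt (Get-Date)
        }
    }
}
$certs | Format-Table -AutoSize

# Certificate names below are Microsoft's published names (an assumption here:
# they do not appear in the thread itself).
$dbHas2023  = [bool]($certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -eq 'Windows UEFI CA 2023' })
$kekHas2023 = [bool]($certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -like '*KEK 2K CA 2023*' })
Write-Host "db  contains Windows UEFI CA 2023 : $dbHas2023"
Write-Host "KEK contains a 2023 KEK cert      : $kekHas2023"

# Registry values and expected data exactly as quoted in the post above.
$key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$expected = [ordered]@{ UEFICA2023Status = 'Updated'; WindowsUEFICA2023Capable = 2 }
$svc      = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
foreach ($valueName in $expected.Keys) {
    $actual = if ($svc -and $svc.PSObject.Properties[$valueName]) { $svc.$valueName } else { '<missing>' }
    [pscustomobject]@{
        Value    = $valueName
        Actual   = $actual
        Expected = $expected[$valueName]
        Match    = $actual -eq $expected[$valueName]
    }
}
```

A certificate that shows up under dbx has been revoked in firmware, and an entry marked Expired under KEK or db is still enrolled; the table shows both states side by side with the registry status.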
Check the registry
I posted a screenshot of my registry already in my post. It has the settings exactly like you indicated.
 

As an aside, I noticed that Asus has updated my 2021 B560M-A AC motherboard BIOS on December 26 2025, after 2 years since the last update (2023). Even though I am good to go, as far as the 2023 secure keys - hopefully :unsure:, it's a good sign that "old" boards may get the needed update for the new keys.

Version 2803
9.29 MB
2025/12/26
SHA-256 :E0CE74CABE9466E6DA72B2A17FCACB05DDF00BDAA62127692743455EA0BE4042
"1. Update Intel microcode
2. Improved system performance, stability, and device compatibility.
3. Implemented security updates."
 

My Computers

System One System Two

  • OS
    Win 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    ABS (Newegg)
    CPU
    Intel(R) Core(TM) i5-10400F CPU @ 2.90GHz
    Motherboard
    ASUSTeK COMPUTER INC. PRIME B560M-A AC Rev 1.xx
    Memory
    Corsair VENGEANCE® LPX 32GB (2 x 16GB) DDR4 DRAM 3600MHz
    Graphics Card(s)
    MSI NVIDIA GeForce RTX 3060 Ti
    Sound Card
    Realtek Digital Output (Realtek(R) Audio)
    Monitor(s) Displays
    Viewsonic VS 2725 -2k 27"
    Screen Resolution
    2560x1440 100hz
    Hard Drives
    T-FORCE TM8FP800 1TB + a couple SATA SSDs
    PSU
    Gigabyte P650E
    Case
    DeepCool Matrexx 50 mid-tower
    Cooling
    Assassin X 120 Refined SE and 5 Thermalright TL-C12C case fans
    Keyboard
    Redragon K655 or K720
    Mouse
    CoolerMaster MM711 or Redragon M612
    Internet Speed
    Starlink: speed varies
    Browser
    Brave (default), Chrome (for ATG), Edge (for ATMS)
    Antivirus
    Windows Defender
    Other Info
    An assortment of "land fill, obsolete" computers all running Linux Mint 22 (at the moment).
  • Operating System
    Linux Mint 22.2 Cinnamon
    Computer type
    PC/Desktop
    Manufacturer/Model
    Hewlett-Packard HP ProDesk 600 G1 SFF
    CPU
    i5 4590
    Motherboard
    HP
    Memory
    16 GB
    Graphics card(s)
    Intel(R) HD Graphics 4600
    Sound Card
    Realtek High Definition Audio
    Monitor(s) Displays
    Generic 24"
    Hard Drives
    Samsung SSD 860 EVO 500GB
    Hitachi HUA722010CLA330
    WDC WD40EZAZ-19SF3B0
    PSU
    Factory 240 watt
    Case
    Low Profile Desktop
    Cooling
    Factory cooling
    Keyboard
    HP
    Mouse
    HP
    Internet Speed
    Starlink
    Browser
    Brave
    Antivirus
    ?
    Other Info
    This is my media server
So how can I check why the one script is showing "BANNED"?
You're running an edited copy of my original script, and that copy has known bugs (reporting a blank value).

Please download a new version of the script from:
garlin's PowerShell scripts for updating Secure Boot CA 2023

Scroll all the way to the bottom of the thread's first post, for the ZIP file or GitHub link. With the updated script, there is frankly no need to run either of the two older scripts and to run the registry command. That functionality is all rolled into a single script.
 

You're running an edited copy of my original script
Thank you. With the new scripts, everything appears to be fine.
1767526032224.webp
1767526053148.webp

Are the steps from the ReadMe necessary? My Secure Boot option in BIOS is set to "Standard". The stuff that is written about in the ReadMe is only possible if I set it to "Custom".
 

Thank you. With the new scripts, everything appears to be fine.
Looks good.

Are the steps from the ReadMe necessary? My Secure Boot option in BIOS is set to "Standard". The stuff that is written about in the ReadMe is only possible if I set it to "Custom".
The README.TXT is instructions for folks who have to manually update their keys (because they have unsupported BIOSes). In your case, none of those steps are required. I'll probably have to rewrite the README to make it more obvious.
 

Look Ma, I aced the test. :D


Image1.webp





I just updated post #3, of this topic. Re-arranged things and added SVN update and cjee21's files.



Added a link to this topic in the "Windows itself..." section of the following topic...
 
Look Ma, I aced the test. :D

My latest BIOS did the same for me :-)

1767556808122.webp

I used cjee21's command line version.


1767557690277.webp

Just select, right click, Run as Administrator. Easy peasy :cool:

1767557837521.webp
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel® Core™ i7-14700K
    Motherboard
    ASUS TUF Z690-PLUS WIFI BIOS 4505 11/29/25
    Memory
    G.SKILL Ripjaws S5 Series 64GB (2 x 32GB) DDR5
    Graphics Card(s)
    ASUS GeForce RTX 4070 Super 12GB
    Sound Card
    Sound Blaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming 27" 2K HDR Gaming
    Screen Resolution
    2560 x 1440
    Hard Drives
    Samsung 990 Pro 1TB NVMe (Win 11 25H2)
    SK hynix P41 500GB NVMe 25H2 DEV/Games
    SK hynix P41 2TB NVMe (x3)
    Crucial P3 Plus 4TB
    PSU
    Corsair RM850x Shift
    Case
    Antec Dark Phantom DP502 FLUX
    Cooling
    Corsair Nautilus 360 RS AIO
    Keyboard
    Logitech MK 320
    Mouse
    Razer Basilisk V3
    Internet Speed
    350Mbs
    Browser
    Firefox
    Antivirus
    Windows Security
    Other Info
    MR 8.1 Home

    System 3 Specs
    Win 11 Pro 25H2 26200.8524
    ASUS PRIME Z370-P II BIOS 3004 7/12/21
    Intel Core i7-8700 CPU @ 3.20GHz
    32GB DDR4 RAM (4x8)
    iGPU Intel UHD Graphics 630
  • Operating System
    Win 11 Pro 25H2 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel Core i7-11700F
    Motherboard
    Asus TUF Gaming Z590 Plus WiFi (BIOS 2803)
    Memory
    64 GB DDR4
    Graphics card(s)
    MSI GeForce RTX 3060 Ventus 2X 12GB
    Sound Card
    SoundBlaster Audigy Fx V2
    Monitor(s) Displays
    Samsung F27T350
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 980 Pro 1TB
    Samsung 970 EVO Plus 2TB
    Samsung 870 EVO 500GB SSD
    PSU
    Corsair HX750
    Case
    Cougar MX330-G Window
    Cooling
    Thermalright Frozen Edge 240 Black AIO
    Internet Speed
    350Mbps
    Browser
    Firefox
    Antivirus
    Windows Security