How to check if your Secure Boot certs are updated. (three methods)

It doesn't matter the boot type. The script runs in Windows to write the new certs through the supported PowerShell functions. If you see success, then restart Wndows to force changes to take effect.

Assuming the check script reports everything is updated (except for the DBX revocation), then you can re-enable Secure Boot afterwards.

Hi garlin, Making progress but not sure how to continue.

1) deleted keys and restart with Secure Boot enabled
2) failed restart, had to disable Secure Boot
3) successfully booted windows
4 executed Update-UEFI.bat and here's the output


Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! Windows PowerShell update message FAQ - PowerShell

Downloading "Microsoft Corporation KEK 2K CA 2023.der" from GitHub.
Copying "Microsoft Corporation KEK 2K CA 2023.der" to EFI.
Successfully appended "dbupdate2024.bin" to UEFI DB.
Successfully appended "DBUpdate3P2023.bin" to UEFI DB.
Successfully appended "DBUpdateOROM2023.bin" to UEFI DB.
Copying EFI boot files.
Boot files successfully created.

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the [KEK CA 2023] cert from BIOS.

Restart Windows, for UEFI updates to take effect.

PS C:\Windows\System32>



5) executed Check UEFI PK, KEK, DB and DBX.cmd and here's the output

Checking for Administrator permission...
Running as administrator - continuing execution...

24 May 2026
Manufacturer: Dell Inc.
Model: XPS 8930
BIOS: Dell Inc., 1.1.31, 1.1.31, DELL - 1072009
Windows version: 25H2 (Build 26200.8457)

Secure Boot status: Enabled

Current UEFI PK
√ Pegatron PK

Default UEFI PK
√ Pegatron PK

Current UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023 <================= If this still an issue????????????


Default UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)

Default UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023

Current UEFI DBX
2025-10-14 (v1.6.0) : FAIL: 404 failures, 27 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None

Press any key to continue . . .


6) So I think the certs are updated?

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! Windows PowerShell update message FAQ - PowerShell

PS C:\Users\BarryD> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
True
PS C:\Users\BarryD>


7) And not in the Default DB is not a problem?
PS C:\Users\BarryD> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
False
PS C:\Users\BarryD>


8) I still think I need to complete this action:
REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the [KEK CA 2023] cert from BIOS.

9) When I read this TXT file I am a little confused Do I need to do this step?

Manual installation of [KEK 2K CA 2023]
=======================================

1. Shutdown Windows, and enter your UEFI's Secure Boot menu.

2. Enter "KEK Options / Enroll KEK / Enroll KEK Using File" or "Key Management / KEK Management / Append Key".
The menu options may be different for your BIOS.

- Browse the system drive's EFI partition
- Enter the <EFI> folder
- Enter the <Certs> sub-folder

3. Find the file "Microsoft Corporation KEK 2K CA 2023.der". Add this certificate.
If you encounter an error, try the file "Microsoft Corporation KEK 2K CA 2023.crt".

4. Save changes and exit.

5. Start Windows, and re-run the 'Update-UEFI_CA2023.ps1' script.


10) I did look at the PK and KEK editing in the BIOS and here are what the screens looked like"

Here is PK



Here is KEK




In the TXT the PK file names are listed as Find the file "WindowsOEMDevicesPK.der".
In the BIOS for the PK there are 2 files listed: Microsort Corporation KEK 2K CA 2023.crt and .der

In the TXT the KEK file names are listed as Find the file "Microsoft Corporation KEK 2K CA 2023.der
In the BIOS for the KEK there are 2 files listed match the expected file name: Microsort Corporation KEK 2K CA 2023.crt and .der

Hopefully this makes sense

Thanks
Barry

barryde said:

Hi garlin, Making progress but not sure how to continue.

1) deleted keys and restart with Secure Boot enabled
2) failed restart, had to disable Secure Boot
3) successfully booted windows
4 executed Update-UEFI.bat and here's the output


Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! Windows PowerShell update message FAQ - PowerShell

Downloading "Microsoft Corporation KEK 2K CA 2023.der" from GitHub.
Copying "Microsoft Corporation KEK 2K CA 2023.der" to EFI.
Successfully appended "dbupdate2024.bin" to UEFI DB.
Successfully appended "DBUpdate3P2023.bin" to UEFI DB.
Successfully appended "DBUpdateOROM2023.bin" to UEFI DB.
Copying EFI boot files.
Boot files successfully created.

Click to expand...

From this output, not all the keys were deleted. Otherwise you would see everything as "Successfully appended".

barryde said:

In the TXT the KEK file names are listed as Find the file "Microsoft Corporation KEK 2K CA 2023.der
In the BIOS for the KEK there are 2 files listed match the expected file name: Microsort Corporation KEK 2K CA 2023.crt and .der

Click to expand...

From the KEK screen, pick the .der file. The two files are actually the same (because some BIOS'es expect a specific file extension for the filename). If that works, then re-run the update script to finish the job.

If the KEK key add fails, then go back and check how you deleted all keys. Because according to update script, the keys weren't all deleted.

garlin said:

From the KEK screen, pick the .der file. The two files are actually the same (because some BIOS'es expect a specific file extension for the filename). If that works, then re-run the update script to finish the job.

Click to expand...

I completed the action above with the .der file

Re-ran the update script and here is the output:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! Windows PowerShell update message FAQ - PowerShell

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\Windows\System32>



I ran an Check UEFI PK, KEK, DB and DBX.cmd and here is the output:

Checking for Administrator permission...
Running as administrator - continuing execution...

25 May 2026
Manufacturer: Dell Inc.
Model: XPS 8930
BIOS: Dell Inc., 1.1.31, 1.1.31, DELL - 1072009
Windows version: 25H2 (Build 26200.8457)

Secure Boot status: Enabled

Current UEFI PK
√ Pegatron PK

Default UEFI PK
√ Pegatron PK

Current UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False

Default UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)

Default UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023

Current UEFI DBX
2025-10-14 (v1.6.0) : FAIL: 404 failures, 27 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None


Press any key to continue . . .


So it looks like the only thing changed is:
Current UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False <==================== now CHECKED



So I think everything is updated to CA 2023 but there are a few issues
1. None of the CA 2011 are revoked or should they no longer be listed at all?
2. Is this an issue:
Default UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023 <==========================

From what I read this means if you do a reset to the BIOS Secure Boot Security it will not use CA 2023 and revert to CA 2011

When I got done updating the KEK and I tried to switch the Secure Boot Security out of Custom Mode I was presented with this screen. I didn't think "Install factory defaults" was the right thing to do so I guess now this parm will remain in Custom


When the KEK was appended I noticed that the Keys field incremented from 1 to 2 and the PK still shows 1. Am I still missing something for PK?

Also I used the "Delete All Secure Boot Variables" to delete keys when I started the other day. Was this not correct. It certainly deleted something because the pc wouldn't boot until I disabled Secure Boot. Did I need to drill into PK and KEK and delete the actual certificates.



Thanks
Barry

barryde said:

I completed the action above with the .der file

Re-ran the update script and here is the output:

SUCCESS: NO UPDATES ARE REQUIRED.

Click to expand...

barryde said:

I ran an Check UEFI PK, KEK, DB and DBX.cmd and here is the output:

Current UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)

Current UEFI DBX
2025-10-14 (v1.6.0) : FAIL: 404 failures, 27 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None

Click to expand...

You're done with adding CA 2023 certs, but have not revoked the CA 2011 cert. For now, revocation (DBX certs) isn't mandatory until later this year. Windows can take care of the rest when it's time.

If you have a bootable Windows ISO, or any USB recovery drive, those will have to be updated after revocation because the old PCA 2011 version of the boot file will be banned as a result. The update process is switching out the boot file to the newer CA 2023 version.

Hi garlin,

garlin said:

You're done with adding CA 2023 certs, but have not revoked the CA 2011 cert. For now, revocation (DBX certs) isn't mandatory until later this year. Windows can take care of the rest when it's time.

If you have a bootable Windows ISO, or any USB recovery drive, those will have to be updated after revocation because the old PCA 2011 version of the boot file will be banned as a result. The update process is switching out the boot file to the newer CA 2023 version.

Click to expand...

All sounds good. Thanks again for you expertise and help with this.

You know what's really funny is I have an older Lenovo laptop with a i7-6500 cpu and a BIOS dated 1011/2016 and these certificates were all updated via windows update sucessfully.

Thanks again
Barry

barryde said:

You know what's really funny is I have an older Lenovo laptop with a i7-6500 cpu and a BIOS dated 1011/2016 and these certificates were all updated via windows update sucessfully.

Click to expand...

A BIOS update isn't required if Lenovo previously submitted a signed KEK file to MS. As long as the file matches the PC's Platform Key, then it can be updated by Windows. The problem is nobody publishes a list of PC models where this method is supported.

Sometimes it's a happy surprise.

barryde said:

Hi garlin,

All sounds good. Thanks again for you expertise and help with this.

You know what's really funny is I have an older Lenovo laptop with a i7-6500 cpu and a BIOS dated 1011/2016 and these certificates were all updated via windows update sucessfully.

Thanks again
Barry

Click to expand...

Which Lenovo model was it from 2016? I find your experience very interesting! I have a T460 that Lenovo never signed off on a KEK for when checking with @garlin 's script.

Using method 1, I got this? Can somebody tell what I need to do next please?

√ Microsoft Corporation KEK CA 2011 (revoked: False)
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False)
√ Dell Inc. Key Exchange Key (revoked: False)

Default UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023
√ Dell Inc. Key Exchange Key (revoked: False)

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)
√ Dell Inc. UEFI DB (revoked: False)

Default UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023
√ Dell Inc. UEFI DB (revoked: False)

Current UEFI DBX
2025-10-14 (v1.6.0) : SUCCESS: 431 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None

Jeddie said:

Using method 1, I got this? Can somebody tell what I need to do next please?

√ Microsoft Corporation KEK CA 2011 (revoked: False)
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False)
√ Dell Inc. Key Exchange Key (revoked: False)

Current UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)
√ Dell Inc. UEFI DB (revoked: False)

Current UEFI DBX
2025-10-14 (v1.6.0) : SUCCESS: 431 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None

Click to expand...

Your BIOS has the CA 2023 certs added, but has not revoked CA 2011. Revocation is not yet mandatory, so you can wait for MS to finish the rest of the updates this year. You don't have to do anything, Windows can finish the job.

garlin said:

Your BIOS has the CA 2023 certs added, but has not revoked CA 2011. Revocation is not yet mandatory, so you can wait for MS to finish the rest of the updates this year. You don't have to do anything, Windows can finish the job.

Click to expand...

Indeed. I updated my MSI BIOS and all the certificates were updated. The 2011 certificates haven't yet been revoked and I'm not doing it myself, so I'll just wait for Windows to do it.

Reading through countless threads, not just here but also on the MSI Global Forum, I'm amazed at the amount of problems a lot of folks are having updating the certificates. I personally haven't had any issues at all. Maybe it's me, but I think that updating the BIOS is a simple enough task, having done it frequently on my own motherboard without any problems. Perhaps I'm just being a little too critical of the abilities of others, or I don't appreciate the age of some of the kit people have.

The problem is each BIOS can be different, depending on which generation of BIOS code is used. Almost every PC vendor licenses their BIOS code from one of the primary providers (AMI, Phoenix, Insyde, etc.), and then adds their customization.

Adding new certs to an existing BIOS isn't too difficult. You simply append more bytes to the reserved variables. MS even provides the binary files to every OEM for this task. But doing the right thing can open an ugly can of worms, with customers asking why you've released a new BIOS to support CA 2023 while not fixing all the other bugs people have been complaining about.

Some BIOS'es will allow you to manually add new keys. But the supported methods may differ. Maybe only a binary file containing an "all or nothing" set of certs, or better yet the option to import a single cert file.

Some BIOS'es have really weird BIOS bugs, where you can import the new certs but they don't work. Having Secure Boot mode enabled means you can't get a bootable system.

It's kinda of luck of the draw, depending on your PC's age. The further back in time you go, the more challenging it gets. Back in earlier days, supporting Secure Boot was something "nice to have" but not considered mandatory.

Hi all,

I get the below when I run the script, however if I use this powershell script I get a True as the output:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') Do I need to do anything else to this pc?

These commands will add the missing Microsoft UEFI CA 2023 (for Linux) and Option ROM:

Thank you! Are these necessary or optional for Windows based machines?

jpp7717 said:

Thank you! Are these necessary or optional for Windows based machines?

Click to expand...

They're entirely optional. But Windows engages in some conflicting behavior. The Secure Boot update task will call out the 3P (Third-Party) cert as missing, and your Security Center status doesn't get the "preferred" assessment when they're not installed.

It's easier to have the two certs added, instead of watching Windows internally complain about it. There is no setting for "I don't need to run Linux, so stop checking for these things".

Dirtyflash said:

Which Lenovo model was it from 2016? I find your experience very interesting! I have a T460 that Lenovo never signed off on a KEK for when checking with @garlin 's script.

Click to expand...

Hi Dirtyflash, according to the label on the bottom of the laptop it's a Lenovo YOGA 900-131SK

Barry

barryde said:

Hi Dirtyflash, according to the label on the bottom of the laptop it's a Lenovo YOGA 900-131SK

Barry

Click to expand...

I'm impressed it updated without much effort, seems Lenovo can be inconsistent with unsupported devices. Perhaps there's difference between retail and enterprise devices which may have a locked down BIOS for security reasons.