Solved Secure boot update HowTo

garlin · Dec 11, 2025

0x5944 is add 2023 certs and boot manager, but don't revoke any 2011 certs. It may a few minutes to complete all the tasks.

Code:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

fg2001gf11F · Dec 11, 2025

garlin said:
0x5944 is add 2023 certs and boot manager, but don't revoke any 2011 certs. It may a few minutes to complete all the tasks.

Code:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OK, I'm back to where I was 2 weeks ago. I hope I have better luck this time.

fg2001gf11F · Dec 11, 2025

garlin said:
0x5944 is add 2023 certs and boot manager, but don't revoke any 2011 certs. It may a few minutes to complete all the tasks.

Code:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Now this?

garlin · Dec 12, 2025

This command will confirm you still have the Secure-Boot-Update task:

Code:

Get-ScheduledTask | Get-ScheduledTaskInfo | where { $_.TaskName -match 'Secure' }

Code:

LastRunTime        : 12/11/2025 9:03:21 PM
LastTaskResult     : 0
NextRunTime        :
NumberOfMissedRuns : 0
TaskName           : Secure-Boot-Update
TaskPath           : \Microsoft\Windows\PI\
PSComputerName     :

fg2001gf11F · Dec 12, 2025

garlin said:

This command will confirm you still have the Secure-Boot-Update task:

Code:

Get-ScheduledTask | Get-ScheduledTaskInfo | where { $_.TaskName -match 'Secure' }

Code:

LastRunTime        : 12/11/2025 9:03:21 PM
LastTaskResult     : 0
NextRunTime        :
NumberOfMissedRuns : 0
TaskName           : Secure-Boot-Update
TaskPath           : \Microsoft\Windows\PI\
PSComputerName     :

I think it was deleted on some previous step instead of just ending it.

How can we recreate that task?

garlin · Dec 12, 2025

Try this:
1. Extract the XML file inside this ZIP file.
2. schtasks.exe /Create /XML task.xml /tn Secure-Boot-Update

fg2001gf11F · Dec 12, 2025

garlin said:
You don't. Restore from a previous backup, or perform an in-place repair install using a MediaCreationTool ISO of 25H2.

I was afraid of that.
I started a reinstall with repair version from Recovery, I hope that will fix it.

If I restore from a backup, I would be back with the secure boot issue.

XxXxX · Dec 12, 2025

@garlin
thank you and well done

@fg2001gf11F
looks like you will have to go to post #1 and start again.

best of luck Steve ..

fg2001gf11F · Dec 12, 2025

XxXxX said:
@garlin
thank you and well done

@fg2001gf11F
looks like you will have to go to post #1 and start again.

best of luck Steve ..

Waiting for the Repair version to complete I hope it fixes the Update task. If that works, I'll be back to your Post #1.

I sure wasted a lot of time on this.

fg2001gf11F · Dec 12, 2025

garlin said:
Try this:
1. Extract the XML file inside this ZIP file.
2. schtasks.exe /Create /XML task.xml /tn Secure-Boot-Update

Where do I put the task.xml file if I have to try that command on line 2?

fg2001gf11F · Dec 12, 2025

garlin said:

This command will confirm you still have the Secure-Boot-Update task:

Code:

Get-ScheduledTask | Get-ScheduledTaskInfo | where { $_.TaskName -match 'Secure' }

Code:

LastRunTime        : 12/11/2025 9:03:21 PM
LastTaskResult     : 0
NextRunTime        :
NumberOfMissedRuns : 0
TaskName           : Secure-Boot-Update
TaskPath           : \Microsoft\Windows\PI\
PSComputerName     :

I have the Task back after reinstalling with the repair version. One step forward.

fg2001gf11F · Dec 12, 2025

@garlin, @XxXxX,

Looks like I'm back where I was earlier today, just by doing the reinstall with the Repair version.

I did not do anything else after the repair version completed.

I don't see InProgress on the servicing registry anymore, and it shows 2 on UEFICA2023Capable.
It is not showing Updated either, I think because CA 2023 is not stored in the UEFI KEK Certs in this BIOS 1.1.31 of this DELL XPS 8930.

XxXxX · Dec 12, 2025

fg2001gf11F said:
@garlin, @XxXxX,

Looks like I'm back where I was earlier today, just by doing the reinstall with the Repair version.
I did not do anything else after the repair version completed.

View attachment 156636

View attachment 156639

I don't see InProgress on the servicing registry anymore, and it shows 2 on UEFICA2023Capable.
It is not showing Updated either, I think because CA 2023 is not stored in the UEFI KEK Certs in this BIOS 1.1.31 of this DELL XPS 8930.
View attachment 156638

View attachment 156641

now please leave the KEK certs alone please. until MS update them.
well done and best of luck Steve ..

no1yak · Dec 12, 2025

I followed MS instructions for the full revocations including revoke CA 2011 on both boards. The Asrock is the only board to show what’s in the KEK, DB and DBX. Asus not so informative . If you ever do a Bios flashback it will remove the settings as all added keys are gone and you have to set the keys back to factory default.

garlin · Dec 12, 2025

@fg2001gf11F
Run the "Lenovo.ps1" script to determine if Dell provided MS with a signed KEK update.

Dirtyflash · Dec 12, 2025

garlin said:
Run this script as Admin, ignore the fact that's named Lenovo.ps1. If you get a named .bin file, then your DELL will be supported.

My Lenovo Y50-70 laptop (for example) returns:
Lenovo/KEKUpdate_Lenovo_PK255.bin

Anytime you get a named file, then your vendor is working with MS to compile a database of eligible KEK's to use for update purposes. The online database might be newer than what the SecureBootUpdates folder has on your PC. I don't know if the scheduled task reads from the repo, or only checks the local Windows folder (which I suspect).

I'm not a wizard at PowerShell, when I right click on it, my option is to " Run with PowerShell " ( not as a Administrator ), it then momentarily opens the PS windows and quickly closes. Sorry if this is a stupid question and the answer is obvious.

fg2001gf11F · Dec 12, 2025

garlin said:
@fg2001gf11F
Run the "Lenovo.ps1" script to determine if Dell provided MS with a signed KEK update.

Here is what I get from this machine Dell XPS 8930.

itsme1 · Dec 12, 2025

We'll have to wait and see if Dell provides a KEK, otherwise, use Mosby. My Dell won't have a BIOS, and I'm waiting...

garlin · Dec 12, 2025

Dirtyflash said:
I'm not a wizard at PowerShell, when I right click on it, my option is to " Run with PowerShell " ( not as a Administrator ), it then momentarily opens the PS windows and quickly closes. Sorry if this is a stupid question and the answer is obvious.

When you use File Explorer's context menu to run a PS script, it runs the script inside a PS window. But when the script is done, the default behavior is to close the window. This is fine if all the script does is to perform a task without you needing to see it.

But this script outputs something, then it doesn't help you.

So you can just open Terminal or PowerShell, and run the script so you can see the final output.

garlin · Dec 12, 2025

fg2001gf11F said:
Here is what I get from this machine Dell XPS 8930.

That's what I thought. Dell hasn't yet (or never will) post a signed KEK for this generation of BIOS.

As @itsme1 noted, you can use Mosby or manually add the KEK CA 2023.der (certificate file) from the UEFI setup menu. Now I don't have this Dell (since there's so many generations of Dell's out there) to know how difficult it is to navigate the UEFI menus.

Solved Secure boot update HowTo

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

Attachments

My Computer

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

Attachments

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Similar threads