Solved Secure boot update HowTo


I wouldn't say "best"... but certainly the easiest.

I think there's a lot of security value even for home users with both Secure Boot and Bit Locker. I like knowing that should someone steal my computer it would take nation-state resources to go through my data to pull anything out of it like banking or credit card information.
Why would you leave credit card / banking stuff on a computer -- Banks etc. hold this stuff off your machine -- even if someone saw you had say a Barclays Bank account by reading emails / purchases via say Amazon etc. - any attempt to use it usually requires all sorts of security measures from that bank to verify it's you - often by so many different layers of security it gets almost impossible to spend YOUR OWN money. !!!!

Scams are much more of a problem. A.I. and other software are still a long way off being better than "Human Brains".

Cheers
jimbo
 

Stuff left behind in caches mainly, but also financial records of all sorts including tax records. What's the value of having a computer if I can't use it for the thing it does best: maintaining records in machine searchable archives. And if I DIDN'T keep them on my computer then I'd have to maintain them in a paper filing system... well that's so last century. Keeping track of something like that is WAY more difficult than updating secure boot keys has been, and keeping track of a Bitlocker key. And it's a far greater security risk for even a half-smart burglar to harvest data from. And then just how fragile it is in house fire or flooding: all I have to do is grab my external, BitLocker-to-Go protected drive and I have my life's business data with no loss while dragging a file cabinet out is pretty dumb when I'm dying of asphyxiation.

Banking security is pretty silly, when you think about it. I'm rather amazed how easy it is to withdraw funds at my bank... all I need is account number and an ID that shows them my name. It's easy to fool them with the pitiful driver license photos, and signatures are never validated.
 
Depends on where you are and what bank(s) you use.
Over in Isl and in the UK, banks - which might have the most appalling customer service anywhere in the entire universe - are usually pretty good with security (often too good) and will return any money unless it's quite obvious YOU have made transactions under no duress -- being scammed is NO excuse for a bank to refund money -- that type of fraud is 100% the customer's own fault if they fall victim to this type of stuff.

Cheers
jimbo
 

it's quite obvious YOU have made transactions under no duress
That one does make me laugh...

I can't imagine someone withdrawing a few hundred dollars to pay an impound lot to return your car that was towed because you were 5 minutes late to feed the meter is NOT under some level of duress. Highly specific example you might say... but it happened to me when we were on a vaca. in California. You could doubtless generalize to any number of different scenarios that might ring more familiar to your life experiences
 

Paying even these sorts of jobsworths isn't a hack. It's 100% OK to verify if the towing company is legit - and if not then the Police or other authorities can be used - assuming you are in a reasonably democratic country.

It's hardly the authorities' fault if you "overstay your welcome" at a parking lot -- I know there's a huge number of these aggressive jobsworths around and privately I'd love to have a 357 magnum and use it !!! but the law is the law and in most democratic jurisdictions you have the power to elect people via the ballot box who can adjust these sorts of laws -- why not give people a 10 min grace period for example -- however this is drifting away from the point.

Cheers
jimbo
 

It's not a question of "fault", 5 mins late is pretty pissy of them but I wouldn't have minded just the fine since I WAS late (it was probably a 60 min meter but think of it as a 55 min meter with a 5 minute grace period the good citizens of that very democratic community had doubtless insisted on... I was there at 65 mins). But there it was sitting there with out-of-state plates making me an easy mark. So they just play the easiest scam of all: one the law those good citizens also doubtless allowed. So I'm getting stuck with a tow fee, impound fee and repairs for whatever damage they do to it while thousands of miles from home (sure, I can file a claim for repairs but I have to get home first and that needs a safe vehicle).

Very much a duress-inducing situation, even though it drifts from the point.
 
In the 1990s Police in Texas (where car insurance at that time wasn't compulsory -- not sure now - it might still not be compulsory -- I like Texas but it's definitely unique in the USA !!!) used to go to bars and put special UV paint over car license plates that were in the parking lots - especially from out of state ones -- and then would stop these cars detecting them via an infrared reader or similar and then they would award "DUI's" like confetti or if they had Texas plates they'd get payback from Insurance companies by issuing threats to drivers -- while suggesting or recommending "good Insurance companies" with severe penalties if they didn't take out car insurance.

Sounds in a similar vein to the late Robin Cook's great medical thrillers on malpractice in the US health system !!! Read / watch Coma as a starter !!

I know this sounds like Hollywood to anybody born around 2003 and later -- but this was definitely true !!!

However time to drop this political topic -- suffice to say I and many like me don't need / want / to use Secure Boot or BitLocker and have never had problems with hacks etc. (Besides if you use an MS account there's always the "Find my device" option if it goes missing).

Cheers
jimbo
 

Much better than going to Mexico back in the day... that's where you haggle out the "mordida" the cops expected. Woe unto you if you didn't have the cash to pay it.

That's probably better than today though... nowadays the cartels take care of business entirely differently. Getting that way in a few of the more "democratic" cities of the US too, as the cartels are taking over city "life" there in many areas.

Car insurance was compulsory in Texas in the 90's (liability by the state, collision/comp by whoever's financing it so if not financed it was the owner if they found it important). It's just like now, but many people could just ignore liability before they started closing up the loopholes that made it easy to do so. I know these things because I lived there, right on the Mexico border.

If you want to rag on Texas do so for something real: like allowing open containers of alcohol in your vehicle. Yep, it was legal, and there were even drive-throughs where you could get your Harvey Wallbangers served up just like a Starbucks. Only in a "wet" county, of course, since there were (maybe still are!) "dry" counties where no liquor sales are allowed at all... if that's not strange I don't know what is.
 
Hello, what does my screenshot mean? Am I on the right track, or do I need to make further changes? Thank you for your answers.

The entries in your UEFI DBX look encouraging (although I don't really know what they're actually supposed to look like), but I would have expected all the green, ticked 2011 entries in the DBs and KEKs to be "(revoked: True)".

And I certainly don't understand why your Option ROM UEFI CA 2023 is "revoked: True"!

Did you use Check UEFI KEK, DB and DBX.ps1 created by github.com/cjee21? Maybe a chat with him might clarify?

Could you share your method for how you applied the revocations?
 

I see the script author provides an example output of the script, very much like yours...

Including un-revoked 2011 certificates...

Confusing! What does this mean?
 

After updating, my RAID status on boot doesn't show; I now have to disable Secure Boot to see it and get into its setup menu.
ASUS H97M Plus
 

Revoked: False = Certificate is valid and trusted. Not on the DBX blacklist.

Revoked: True = Certificate is in the DBX blacklist and will be blocked for security reasons.

Microsoft Option ROM UEFI CA 2023 should normally be Revoked: False. Though, even if his system shows Revoked: True, it's still not wrong.... That simply means his firmware OEM (Asus, Dell, etc.) chose to block it for extra security. There are two different kinds of UEFI certificates:

1 > Bootloader certificates (DB / KEK) - intended for Windows Boot Manager, Linux shim (contains and launches the Linux boot manager), OEM bootloaders (usually, these shouldn't be revoked unless compromised).

2 > Option ROM certificates - intended for GPU UEFI drivers, RAID and/or Storage controller firmware and NIC drivers (these run before the OS bootloader - and can pose a high-risk).

Anyway... Option ROM UEFI CA 2023 - is actually a certificate Microsoft provides to hardware vendors (Intel, AMD, NVIDIA, Broadcom, etc.) - to sign their embedded Option ROM UEFI driver code. It's not required for Windows to boot. It is only needed for some PCIe expansion cards to load their own UEFI drivers.
 

A lot of emphasis is being placed on the Windows UEFI CA 2023 certificate. Is that the only one really required to run the Windows OS? So, if it's installed, where do the other certificates come into play?
 

Here are my results, some of which are quite alarming, such as “Do not ship, OEM1 Test DB” and “59/60 failures.” I'm wondering what I should do with this now. The computer is a brand new device that was delivered to me a week ago.
 

@ChrisVie
you have the secure boot cert available but not enabled.
please read post #1 > part B

using > part B in post #1 < should enable the 2023 secure boot cert.
best of luck Steve ..
 

About the "DO NOT TRUST" thing, there is an explanation here:

Secure Boot is completely broken on 200+ models from 5 big device makers

This link comes from Mosby - More Secure Secure Boot
That's due to those machines' PK being compromised. That potential problem doesn't get mitigated by revoking trust in the Windows CA 2011 key.

MOSBY generates a unique-in-all-the-world PK for your machine and then signs the KEK (both 2011 and 2023) with it before installing it in its Secure Boot variables. THAT is what mitigates that problem.
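To make the "Revoked: True/False" reading explained earlier and the "DO NOT TRUST" test-key problem just linked concrete, here is an added PowerShell example (not the forum's code and not cjee21's script) that reads the PK, KEK, db and dbx variables with Get-SecureBootUEFI, decodes their EFI_SIGNATURE_LIST chains and reports each certificate. It assumes that "revoked" means the same certificate is also listed in dbx, and that a subject matching "DO NOT TRUST" or "DO NOT SHIP" marks a vendor test key; the function names are this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not the forum's own code and not cjee21's script. Reads the
# Secure Boot PK/KEK/db/dbx variables, decodes their EFI_SIGNATURE_LIST
# chains, and flags a certificate as revoked when the same certificate is
# also present in dbx (an assumption about what "Revoked: True" means here),
# plus a flag for the "DO NOT TRUST" / "Do not ship" test keys seen in the thread.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-EfiSignatureLists {
    # Walk the EFI_SIGNATURE_LIST chain: 16-byte SignatureType GUID, UINT32
    # SignatureListSize, UINT32 SignatureHeaderSize, UINT32 SignatureSize,
    # optional header, then entries of (16-byte SignatureOwner GUID + data).
    param([byte[]]$Bytes)
    $entries = [System.Collections.Generic.List[object]]::new()
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        # Stop on a malformed list instead of reading past the end of the blob.
        if ($listSize -lt 28 -or $sigSize -lt 16 -or ($pos + $listSize) -gt $Bytes.Length) { break }
        $cursor = $pos + 28 + $headerSize
        $end    = $pos + $listSize
        while (($cursor + $sigSize) -le $end) {
            $entries.Add([pscustomobject]@{
                Type  = $type
                Owner = [guid]::new([byte[]]$Bytes[$cursor..($cursor + 15)])
                Data  = [byte[]]$Bytes[($cursor + 16)..($cursor + $sigSize - 1)]
            })
            $cursor += $sigSize
        }
        $pos = $end
    }
    return $entries
}

function Get-SecureBootVariable {
    param([string]$Name)
    try   { return [byte[]](Get-SecureBootUEFI -Name $Name).Bytes }
    catch { return [byte[]]@() }   # variable absent (e.g. no dbx) or not a UEFI system
}

function Get-Sha256Hex {
    param([byte[]]$Data)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try     { return ([BitConverter]::ToString($sha.ComputeHash($Data)) -replace '-', '') }
    finally { $sha.Dispose() }
}

function Get-SecureBootCertReport {
    $dbx = Read-EfiSignatureLists (Get-SecureBootVariable 'dbx')
    # Whole X.509 certificates listed in dbx. A PK/KEK/db certificate whose
    # DER bytes match one of these is reported as revoked by this example.
    $revoked = @{}
    foreach ($e in $dbx) {
        if ($e.Type -eq $EFI_CERT_X509_GUID) { $revoked[(Get-Sha256Hex $e.Data)] = $true }
    }
    $rows = foreach ($store in 'PK', 'KEK', 'db') {
        foreach ($e in Read-EfiSignatureLists (Get-SecureBootVariable $store)) {
            if ($e.Type -ne $EFI_CERT_X509_GUID) { continue }
            try   { $subject = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($e.Data).Subject }
            catch { $subject = '<not a parseable X.509 certificate>' }
            $hash = Get-Sha256Hex $e.Data
            [pscustomobject]@{
                Store   = $store
                Subject = $subject
                Sha256  = $hash
                Revoked = $revoked.ContainsKey($hash)
                # Test keys ("DO NOT TRUST", "Do not ship, OEM1 Test DB") were never
                # meant to ship, so trust rooted in them is worthless.
                TestKey = [bool]($subject -match 'DO NOT (TRUST|SHIP)')
            }
        }
    }
    # SHA-256 entries in dbx ban individual binaries (e.g. an old boot manager)
    # rather than a whole signing certificate.
    $banned = @($dbx | Where-Object { $_.Type -eq $EFI_CERT_SHA256_GUID }).Count
    return [pscustomobject]@{ Certificates = @($rows); BannedBinaryHashes = $banned }
}

$report = Get-SecureBootCertReport
$report.Certificates | Format-Table Store, Revoked, TestKey, Subject -AutoSize
"dbx holds $($report.BannedBinaryHashes) SHA-256 entries for individually banned binaries."
$db = $report.Certificates | Where-Object { $_.Store -eq 'db' }
"Windows UEFI CA 2023 present in db: " + [bool]($db | Where-Object { $_.Subject -like '*Windows UEFI CA 2023*' })
"Windows Production PCA 2011 revoked: " + [bool]($db | Where-Object { $_.Subject -like '*Windows Production PCA 2011*' -and $_.Revoked })
```

Run it from an elevated PowerShell on the machine in question; a TestKey of True in any store is the condition the linked article describes, and revoking the 2011 CA does nothing about it.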
 

What does this mean?
Boot Manager [ ] is BANNED.
