Solved Secure boot update HowTo

DJNelson · Nov 17, 2025

Event Viewer is where the error logs can be read (found easily by searching from the start menu). Secure Boot settings.. "Audit" and "Deployed" are found in BIOS. Obviously your machine might have a bios interface different from mine, but chances are it will be found under Boot Options. In my experience with Dell laptops, there usually isn't much difference in the interfaces between different models of the same generation. To get there: shut down your computer completely, then power it back up, tapping the F2 key 1-2 times a second immediately after hitting the power button.

hsehestedt · Nov 17, 2025

neves said:
-match can be case insensitive, -like works better

Thanks, will try that.

XxXxX · Nov 17, 2025

fg2001gf11F said:
Where did you see the logged errors, and where did you change from "deployed" to "audit" and back?
Please clarify. Thanks.

please enter the BIOS of that system and re-set the TPM to factory defaults
this should repair/reset/unlock any problems within the TPM then save settings and exit.

then try the secure boot 2023 cert update.
best of luck Steve ..

fg2001gf11F · Nov 17, 2025

XxXxX said:
please enter the BIOS of that system and re-set the TPM to factory defaults
this should repair/reset/unlock any problems within the TPM then save settings and exit.

then try the secure boot 2023 cert update.
best of luck Steve ..

I can only disable and enable TPM there are no factory defaults.

XxXxX · Nov 17, 2025

fg2001gf11F said:
I can only disable and enable TPM there are no factory defaults.

if you disable TPM also it maybe an idea to disable secure boot at this time as well
save settings and restart which will clear the TPM keys.

then shut down and reboot back into the BIOS and enable TPM and secure boot
save settings and restart back into the system.

this should do exactly the same as resetting the TPM to its defaults
best of luck Steve ..

fg2001gf11F · Nov 17, 2025

XxXxX said:
if you disable TPM also it maybe an idea to disable secure boot at this time as well
save settings and restart which will clear the TPM keys.

then shut down and reboot back into the BIOS and enable TPM and secure boot
save settings and restart back into the system.

this should do exactly the same as resetting the TPM to its defaults
best of luck Steve ..

I'll give it a try later and let you know how it goes.

KevTech · Nov 17, 2025

Not so sure consumers need to do this manually.
Just checked and my system updated on it's own without running anything.

fg2001gf11F · Nov 17, 2025

XxXxX said:
if you disable TPM also it maybe an idea to disable secure boot at this time as well
save settings and restart which will clear the TPM keys.

then shut down and reboot back into the BIOS and enable TPM and secure boot
save settings and restart back into the system.

this should do exactly the same as resetting the TPM to its defaults
best of luck Steve ..

I tried what your suggested and got the same results. Never changes to "Updated" on this Dell XPS 8930.

XxXxX · Nov 18, 2025

@fg2001gf11F
then something is blocking your ability to update.
firewall, security settings. can you or are you able to log in to the built in Administrator account.

Enable or Disable Built-in Administrator Account Lockout in Windows 11

This tutorial will show you how to enable or disable the Allow Administrator account lockout policy in Windows 11. Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account...

www.elevenforum.com

please try the update from there. if it cant be done from there i have no idea where the update can be done.
best of luck Steve ..

fg2001gf11F · Nov 18, 2025

XxXxX said:
@fg2001gf11F
then something is blocking your ability to update.
firewall, security settings. can you or are you able to log in to the built in Administrator account.

Enable or Disable Built-in Administrator Account Lockout in Windows 11

This tutorial will show you how to enable or disable the Allow Administrator account lockout policy in Windows 11. Someone who attempts to use more than a few unsuccessful passwords while trying to log on to your system might be a malicious user who is attempting to determine an account...

www.elevenforum.com

please try the update from there. if it cant be done from there i have no idea where the update can be done.
best of luck Steve ..

I think the block is in the Dell BIOS of the XPS 8930.

suatcini54 · Nov 18, 2025

fg2001gf11F said:
I tried what your suggested and got the same results. Never changes to "Updated" on this Dell XPS 8930.

View attachment 153360

Some PCs have Secure Boot Key protection feature that does not allow key updating. You may wish to check your PC BIOS settings.

This is from HP EliteBook series notebook:

Hope this helps.

Fabler2 · Nov 18, 2025

fg2001gf11F said:
I think the block is in the Dell BIOS of the XPS 8930.

One of my laptops (Acer) has same issue. UEFI not updated since 11 July 2023. So I found this ASUS site and a post by @MoKiChU . (kudos)

It makes it easy to keep checking UEFICA 2023 Status. I believe this ACER will need UEFI update before it will work- just my opinion.

[INFORMATION] Secure Boot : Windows UEFI CA 2023 Update

Hi everyone, https://support.microsoft.com/topic/1db237d8-9f3b-4218-9515-3e0a32729685 https://support.microsoft.com/topic/a7be69c9-4634-42e1-9ca1-df06f43f360d - Secure Boot Windows UEFI CA 2023 Updater : Download : Link Check/Update Process : Check Windows UEFI CA 2023 Update...

rog-forum.asus.com

drminer · Nov 18, 2025

fg2001gf11F said:
I tried what your suggested and got the same results. Never changes to "Updated" on this Dell XPS 8930.

View attachment 153360

If Dell no longer supports that computer, you will never get past "InProgress". Dell has to sign the update before Microsoft can install it. I have an older XPS 8930 that has not received a UEFI update for 2 years. Since I don't expect to ever get another update, I used the Mosby tool to update the certificates. It has the downside of overwriting the OEM certificate, but as I say, Dell no longer supports the computer anyway.

fg2001gf11F · Nov 18, 2025

drminer said:
If Dell no longer supports that computer, you will never get past "InProgress". Dell has to sign the update before Microsoft can install it. I have an older XPS 8930 that has not received a UEFI update for 2 years. Since I don't expect to ever get another update, I used the Mosby tool to update the certificates. It has the downside of overwriting the OEM certificate, but as I say, Dell no longer supports the computer anyway.

My BIOS is Version 1.1.31, Dated 2923-11-21. Dell is saying that it is the latest for my XPS 8930.

So much for supporting their machines.

What is this Mosby tool you are mentioning?

Buddywh · Nov 18, 2025

fg2001gf11F said:
What is this Mosby tool

GitHub - pbatard/Mosby: Mosby – More Secure Secure Boot

Mosby – More Secure Secure Boot. Contribute to pbatard/Mosby development by creating an account on GitHub.

github.com

A tool to replace all the Secure Boot keys... or selected keys. Even the PK, which it generates unique for your machine. You have to be able to put Secure Boot into setup mode first. It's all covered in README's.

You can also get RUFUS v2.2 or later, it creates the needed UEFI bootable USB and populates it with the MOSBY tool.

fg2001gf11F · Nov 18, 2025

Buddywh said:
GitHub - pbatard/Mosby: Mosby – More Secure Secure Boot

Mosby – More Secure Secure Boot. Contribute to pbatard/Mosby development by creating an account on GitHub.

github.com

A tool to replace all the Secure Boot keys... or selected keys. Even the PK, which it generates unique for your machine. You have to be able to put Secure Boot into setup mode first. It's all covered in README's.

You can also get RUFUS v2.2 or later, it creates the needed UEFI bootable USB and populates it with the MOSBY tool.

Thanks,
That README file is quite a long read, I'll see what I can make out of it.

Buddywh · Nov 18, 2025

fg2001gf11F said:
what I can make out of it

It sounds more difficult than it actually is. It's a tool very useful for installing custom boot objects, but we'd be using it in it's default mode which is prepare it for booting Windows in Secure Boot with a unique PK .

The way I'd go about it is to download the latest RUFUS, then use it to create a UEFI bootable USB using version 2.2. When it's done, check the USB and it should have the MOSBY files on it. Read through the README's in there too.

Then restart into BIOS, disable Secure Boot, find a setting to put Secure Boot into SETUP MODE, or DELETE ALL KEYS... not reset them, delete them. Don't worry, if it has a DELETE KEYS or SETUP MODE then it has a RESTORE DEFAULT KEYS setting too (or d**mn well better) so you can go back to where you are now if it all goes south.

Then reboot into the USB.

Run MOSBY. It will prepare a cryptographicaly unique PK, sign a KEK with it, then install the PK, KEK and DB secure boot keys. It will also revoke trust in the 2011 key if you use the -X option, but I wouldn't do that until you know for a fact you have a 2023 signed boot files or it will not start in Secure Boot mode.

Then restart back into BIOS, put it in Secure Boot mode, restart.

XxXxX · Nov 18, 2025

Buddywh said:
It sounds more difficult than it actually is. It's a tool very useful for installing custom boot objects, but we'd be using it in it's default mode which is prepare it for booting Windows in Secure Boot with a unique PK .

The way I'd go about it is to download the latest RUFUS, then use it to create a UEFI bootable USB using version 2.2. When it's done, check the USB and it should have the MOSBY files on it. Read through the README's in there too.

Then restart into BIOS, disable Secure Boot, find a setting to put Secure Boot into SETUP MODE, or DELETE ALL KEYS... not reset them, delete them. Don't worry, if it has a DELETE KEYS or SETUP MODE then it has a RESTORE DEFAULT KEYS setting too (or d**mn well better) so you can go back to where you are now if it all goes south.

Then reboot into the USB.

Run MOSBY. It will prepare a cryptographicaly unique PK, sign a KEK with it, then install the PK, KEK and DB secure boot keys. It will also revoke trust in the 2011 key if you use the -X option, but I wouldn't do that until you know for a fact you have a 2023 signed boot files or it will not start in Secure Boot mode.

Then restart back into BIOS, put it in Secure Boot mode, restart.

i have a feeling that many people are going to have use Mosby as its looking more and more likely that there is going to be some sort of cut off date where they wont update the systems.

yet Linux when installed, as updating the firmware using a live USB distro wont work, have been updating the secure boot cert for about the last 6 months using the installed Linux firmware updater if an update is available from the sources that issue them.

i wonder if this is a new wheeze to increase sales of new computers.

just my thoughts
best of luck Steve ..

Buddywh · Nov 18, 2025

XxXxX said:
this is a new wheeze to increase sales of new computers

I can't imagine so... it's a problem brewing since 2011 because they knew the keys would expire in 15 years.

But OEM's failing to provide the necessary tools and functions and updates to maintain the devices they sell is definitely just a way to generate new sales... the very essence of "planned obsolescence" marketing.

fg2001gf11F · Nov 18, 2025

Buddywh said:
I can't imagine so... it's a problem brewing since 2011 because they knew the keys would expire in 15 years.

But OEM's failing to provide the necessary tools and functions and updates to maintain the devices they sell is definitely just a way to generate new sales... the very essence of "planned obsolescence" marketing.

I opened a case with Dell support.
This is the last reply I got today.

Solved Secure boot update HowTo

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Just a Computer User

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Just a Computer User

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Just a Computer User

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Just a Computer User

My Computers My Computers

At a glance

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Similar threads

My Computer

My Computers

My Computers

My Computer

My Computers

My Computer

My Computer

My Computer

My Computers

My Computer

My Computers

My Computers

My Computer

My Computer

My Computers

My Computer

My Computers

My Computers

My Computers

My Computer