Solved Secure boot update HowTo


If you're comfortable navigating your UEFI's Secure Boot setup menu, then run these steps.

1. Download this MS certificate file:
https://raw.githubusercontent.com/microsoft/secureboot_objects/main/PreSignedObjects/KEK/Certificates/microsoft corporation kek 2k ca 2023.der

2. Mount the EFI partition, and copy the downloaded file to it.
Code:
mountvol S: /s
copy "microsoft corporation kek 2k ca 2023.der" S:\EFI
mountvol S: /d

3. Shut down the PC, and enter the BIOS. Navigate to your Secure Boot menu. Find the KEK key management screen (appearance depends on your BIOS); there should be an option to manage keys or "enroll a file". Enter that menu, and you'll be asked to pick a drive volume to find the file. One of them will have the <EFI> folder underneath.

Navigate inside the <EFI> folder, and select the "microsoft corporation kek 2k ca 2023.der" file. Enroll it, and submit changes.

4. Restart Windows, check if KEK CA 2023 now appears in the script.

Hello garlin,
I checked on a machine that has it listed correctly, and that file is not in the EFI folder. I think that CA 2023 is stored in the BIOS. 🤷‍♂️

Looks like people keep getting this message in the event log:

Code:
Secure Boot certificates have been updated but are not yet applied to the device firmware.

What is this? Is this faulty UEFI?
I am also facing (like most of us) the same error in my Event Viewer. A BIOS update and a Secure Boot key erase (and install default keys) did not fix the issue. Of course I will not take the risk of doing it manually, because Microsoft said that they will fix it via their released updates soon. I believe that is because my desktop PC was formatted 2 years ago, as I upgraded from Win 11 23H2 to 24H2 and since October to 25H2. So the only fix here, I believe, is either to format the PC (so as to get only Win 11 25H2 with the new certificates installed) or to wait for Microsoft to fix it via their upcoming updates.
 

Was this the project you were working on recently, which is now ready for users wishing to install the MS KEK 2K CA 2023 certificate? I looked at the instructions and will hold off for now, as the BIOS in the Lenovo is set up differently than what you have described. The BIOS only has 3 options: Enter Setup Mode, Reset Factory Keys and Clear All Keys. I was wondering if the 2023 KEK key could be used with Mosby if the Lenovo BIOS doesn't offer a way to install the key in the manner you described? Your efforts are very much appreciated!
 

Those instructions are for PCs that don't have KEK CA 2023 visible, but have all the other 2023 certs.

The current MS update process depends on having a properly signed KEK from your PC's vendor. Some vendors have not provided KEKs for all possible firmwares they've sold. If your vendor has submitted it to MS, then the update is flawless. If you're not so fortunate, the manual method can be done.
 

I'll give it a try; I guess I can always restore a backup if something is not working correctly. 😉
 

Mosby uses custom code to directly talk to the UEFI, and replaces the variable values. As such, it doesn't have the self-restrictions that the Windows scheduled task has (for safety reasons). For obvious reasons, it's programmed not to do anything stupid.

I believe on some UEFIs it's called "Enter Setup Mode". The problem is I don't own some of these PC models to know what it's supposed to look like. But playing around with Setup Mode can unlock the key management options. You may have to Google an example for your vendor (not necessarily the exact PC model).
 

Just copying the file to the EFI partition doesn't hurt it. Nothing will read that file.

We're just saving you the traditional step of "First format a USB drive with a FAT32 volume, now copy the file to the drive." By re-using the existing system's EFI partition to store the cert file, we can skip the need for a spare USB drive. Unless you enjoy making FAT32 volumes on spare USB drives...
 

That did not work

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
change the reg entry from 0x00000000 to 0x00000004 again please and save settings.

>>> then open an Admin PowerShell and run
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

close the PowerShell window and then restart your system
once restarted please check your UEFI KEK cert again.

the system will continue to check for updates every 12 hours.
best of luck Steve ..
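An added check for step 4 of the HowTo above and for the task-start step in this post (example code, not from the thread, Microsoft or the reporting script): it parses the EFI_SIGNATURE_LIST entries in the firmware's KEK variable, lists each certificate's subject, reports whether the 2023 Microsoft KEK CA is enrolled, and shows when the Secure-Boot-Update task last ran. It assumes an elevated PowerShell on a UEFI system and that the new CA's subject contains "KEK 2K CA 2023" (matching the certificate filename in the thread).

```powershell
# Added example, not part of the thread. Run from an elevated PowerShell.
# EFI_CERT_X509_GUID: signature lists of this type carry DER X.509 certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-KekCertificates {
    # Walk the chain of EFI_SIGNATURE_LIST structures in the KEK variable:
    # GUID SignatureType (16) | UInt32 SignatureListSize | UInt32 SignatureHeaderSize |
    # UInt32 SignatureSize | header | entries of SignatureSize bytes each.
    $bytes = (Get-SecureBootUEFI -Name KEK -ErrorAction Stop).Bytes
    $certs = @()
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop, do not spin
        $end = $offset + $listSize
        $pos = $offset + 28 + $headerSize
        if ($sigType -eq $EfiCertX509Guid) {
            while ($pos + $sigSize -le $end) {
                # Each entry: 16-byte SignatureOwner GUID followed by the DER certificate.
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset = $end
    }
    return $certs
}

function Test-Kek2023Enrolled {
    $certs = Get-KekCertificates
    foreach ($c in $certs) {
        Write-Host ("{0}  (valid until {1:yyyy-MM-dd})" -f $c.Subject, $c.NotAfter)
    }
    # Assumption: the 2023 CA's subject contains this text, as its filename in the thread does.
    return (@($certs | Where-Object { $_.Subject -like '*KEK 2K CA 2023*' }).Count -gt 0)
}

# The task Steve's post starts by hand: show when it last ran and its result code (0 = success).
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
if ($task) { $task | Get-ScheduledTaskInfo | Select-Object LastRunTime, LastTaskResult, NextRunTime }

if (Test-Kek2023Enrolled) { Write-Host 'KEK CA 2023 is enrolled in firmware.' }
else { Write-Host 'KEK CA 2023 is NOT present in the KEK variable.' }
```

If the 2023 CA is listed here, the firmware already holds it regardless of what the Event Viewer message says; if only the 2011 CA appears after the task has run, the vendor-signed KEK update for this firmware has not been applied.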
 
I don't see a key management screen on my Dell XPS 8930 BIOS. 😵‍💫🤷‍♂️
 

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
change the reg entry from 0x00000000 to 0x00000004 again please and save settings.

>>> then open an Admin CMD prompt and run


close the CMD prompt window and then restart your system
once restarted please check your UEFI KEK cert again.

the system will continue to check for updates every 12 hours.
best of luck Steve ..
That is a PS command; it does not work from the command prompt.

Run this script as Admin, and ignore the fact that it's named Lenovo.ps1. If you get a named .bin file, then your DELL will be supported.

My Lenovo Y50-70 laptop (for example) returns:
Lenovo/KEKUpdate_Lenovo_PK255.bin

Anytime you get a named file, your vendor is working with MS to compile a database of eligible KEKs to use for update purposes. The online database might be newer than what the SecureBootUpdates folder has on your PC. I don't know if the scheduled task reads from the repo, or only checks the local Windows folder (which I suspect).
 

I have just edited my post; it should be run in an Admin PowerShell.
Sorry about that, trying to do too many things at once.

best of luck Steve ..
Same results.

I think I screwed up my Dell XPS 8930, it will not boot anymore. 🤬
 

Turn off Secure Boot. Restart Windows, and run the reporting script again.
BitLocker is off, so you don't have to worry about that detail.
 

This is quite messy.
 

The worst case is you disable Secure Boot. Enter the BIOS menu, find "reset to factory default" and start over. With Secure Boot disabled, any boot file is eligible to boot Windows. Then redo the whole update process from the beginning.
 

I get this if I try to boot with Secure Boot on. How do I fix it?

