Solved Secure boot update HowTo

Dirtyflash · Dec 12, 2025

garlin said:
When you use File Explorer's context menu to run a PS script, it runs the script inside a PS window. But when the script is done, the default behavior is to close the window. This is fine if all the script does is to perform a task without you needing to see it.

But this script outputs something, then it doesn't help you.

So you can just open Terminal or PowerShell, and run the script so you can see the final output.

Thanks, got my answer: " 'No vendor-provided KEK is currently available.' ".

fg2001gf11F · Dec 12, 2025

garlin said:
That's what I thought. Dell hasn't yet (or never will) post a signed KEK for this generation of BIOS.

As @itsme1 noted, you can use Mosby or manually add the KEK CA 2023.der (certificate file) from the UEFI setup menu. Now I don't have this Dell (since there's so many generations of Dell's out there) to know how difficult it is to navigate the UEFI menus.

Yesterday when I tried to navigate through the BIOS without even changing anything I ended up with the Boot problem that you helped fixing.
I really don't want to mess with the BIOS anymore.
I have no idea how Mosby works. Could you please clarify? Thanks.

garlin · Dec 12, 2025

1. Disable Secure Boot.
2. Re-run the mountvol S: and copy command like you did yesterday.

Mosby works by booting its own platform (without needing Windows) and overwrites the UEFI with its own data.

fg2001gf11F · Dec 12, 2025

garlin said:
1. Disable Secure Boot.
2. Re-run the mountvol S: and copy command like you did yesterday.

Mosby works by booting its own platform (without needing Windows) and overwrites the UEFI with its own data.

Where do I get this Mosby and how do I use it?

garlin · Dec 12, 2025

You can search for Mosby on the other 3-4 Secure Boot threads on ElevenForum.

I think the problem is my script never expected the update process to fail to add KEK CA 2023, while simultaneously allowing the CA 2023 certs to be added to DB. Which means while the new DB certs are added, but they're not enforceable without the KEK 2023. MS has the 0x4000 flag added to AvailableUpdates just for this contingency.

I'll have to add another sanity check and report the newer boot file is disallowed if you don't have KEK 2023 enrolled.

Dirtyflash · Dec 12, 2025

fg2001gf11F said:
Where do I get this Mosby and how do I use it?

Don't take any offense, but quit while you’re ahead, I've been down the Mosby path and it was disastrous as my BIOS just doesn't want to play nice, much like yours. I just finished getting my Lenovo unsupported device running again this morning, thinking I might somehow use @garlin 's method last night without success.

cool59 · Dec 12, 2025

Hello.

I am one of the users who cannot install the KEK cert on a Dell (XPS 13 9360), for which Dell has confirmed that it will not release any BIOS update.
However, I ran @garlin's script and got this result.
Perhaps there is still some hope for me.
I have avoided venturing into the BIOS of my Dell, which several users say is tricky.
I think I'll wait for Microsoft.
PS-Sorry, this post refers to post #252 by @garlin.

!

garlin · Dec 12, 2025

cool59 said:
Hello.

I am one of the users who cannot install yhe KEK cert on a Dell (XPS 13 9360), for which Dell has confirmed that it will not release any BIOS update.
However, I ran @garlin's script and got this result.
Perhaps there is still some hope for me.
I have avoided venturing into the BIOS of my Dell, which several users say is tricky.
I think I'll wait for Microsoft.
!View attachment 156671

MS can update your PC for you, since Dell has cooperated and submitted a signed KEK for this family of PC's (all running the same BIOS version).

You're one of the lucky ones.

itsme1 · Dec 12, 2025

I get the same response as @cool59 with the lenovo.ps1 script. :crossed

SIW2 · Dec 12, 2025

in the right window you will see ..
UEFICA2023Status which will show 'updating'
WindowsUEFICA2023Capable 0x00000001

says not started

SIW2 · Dec 12, 2025

So I ran part B in the first post. Then it said updating which later changed to in progress

fg2001gf11F · Dec 12, 2025

garlin said:
You can search for Mosby on the other 3-4 Secure Boot threads on ElevenForum.

I think the problem is my script never expected the update process to fail to add KEK CA 2023, while simultaneously allowing the CA 2023 certs to be added to DB. Which means while the new DB certs are added, but they're not enforceable without the KEK 2023. MS has the 0x4000 flag added to AvailableUpdates just for this contingency.

I'll have to add another sanity check and report the newer boot file is disallowed if you don't have KEK 2023 enrolled.

I see 0x4000 in SecureBoot AvailableUpdates on this machine that also shows Updated in the Servicing registry.
I believe this one is done and ready, correct?

SIW2 · Dec 12, 2025

garlin said:
That's what I thought. Dell hasn't yet (or never will) post a signed KEK for this generation of BIOS.

As @itsme1 noted, you can use Mosby or manually add the KEK CA 2023.der (certificate file) from the UEFI setup menu. Now I don't have this Dell (since there's so many generations of Dell's out there) to know how difficult it is to navigate the UEFI menus.

Where is the KEK CA 2023.der file ?

SIW2 · Dec 12, 2025

Gigabyte b365m ds3h

I left it few minutes, restarted and now

WEll done post #1

garlin · Dec 12, 2025

SIW2 said:
Where is the KEK CA 2023.der file ?

https://raw.githubusercontent.com/m...ates/microsoft corporation kek 2k ca 2023.der

Copy it to any FAT32 volume, either the existing EFI partition or another USB drive. Then use your UEFI's custom Secure Boot menu to add it (as append, and not replace).

SIW2 · Dec 12, 2025

I dont know how you get to see what is in there

garlin · Dec 12, 2025

I don't know about your BIOS, but some ASUS model have this menu hierarchy:
Secure Boot and Linux nVidia Drivers

Buddywh · Dec 12, 2025

SIW2 said:
I dont know how you get to see what is in there

View attachment 156741

View attachment 156742

It looks like you have a Gigabyte BIOS? if like mine...

Down arrow to (or click on) each of the variables... the first is the PK, the second the KEK, third DB, fourth DBX. There will be a window with a list, click on DETAILS in the list and it shows you all the keys in that variable.

In that list there's also one for appending the .DER.

SIW2 · Dec 12, 2025

I have switched back to csm now.

In this bios just changing csm to enabled in bios tab main screen makes the secure boot label disappear. But in spite of Save and exit, it doesnt stick.

Need to go into secure boot menu , disable it. Then back to main bios screen csm enable. Save and exit

Warre1 · Dec 12, 2025

When I run latest cjee21 Check UEFI PK, KEK, DB and DBX.cmd it shows my bootmgr svn as red 3.0
but when I run Check Windows state.cmd from same zip it tells my bootmgr svn is 7.0 (which current one i think)

Solved Secure boot update HowTo

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Similar threads