Solved Secure boot update HowTo


Ghot said:
This is a common occurrence.
Do everything in the 1st post again. :-)
Click to expand...
Is anything meant to run after Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" or does the restart open powershell to run it?
 

My Computer

System One

  • OS
    Windows 11 Pro 64bit
    Computer type
    Laptop
    Manufacturer/Model
    PC Specialist Optimus VII V17-960 Gaming Laptop.
    CPU
    6th Gen Intel Core i7-6700HQ Quad Core processor.
    Memory
    16GB HyperX IMPACT 1600MHz SODIMM DDR3 (2 x 8GB)
    Graphics Card(s)
    NVIDIA® GeForce® GTX 960M - 2.0GB DDR5 Video RAM - DirectX® 12
    Sound Card
    Intel 2 Channel High Def. Audio + SoundBlaster™ Cinema 2 & Realtek
    Monitor(s) Displays
    Optimus Series: 17.3" Matte Full HD IPS LED Widescreen (1920x1080)
    Screen Resolution
    Full HD IPS display (1920 x 1080).
    Hard Drives
    4TB SSD (internal).
    1x 1TB & 1x 5TB external HDDs.
    Cooling
    STANDARD THERMAL PASTE FOR SUFFICIENT COOLING
    Keyboard
    Logitech K800 wireless keyboard
    Mouse
    Logitech M705 wireless mouse
    Internet Speed
    Upto 100Mbps
    Browser
    Edge.
    Antivirus
    Windows Defender & MalwareBytes pro.
Bastet said:
Is anything meant to run after Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" or does the restart open powershell to run it?
Click to expand...


There is four commands in the first post.
They ALL need to be run as outlined.
Including any restarts mentioned.

The following command is just to check things and need not be run.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"



When finished, you can use either of these two methods to check if you succeeded...

How to check if your Secure Boot certs are updated. (three methods)

Method One Download cjee21's files, attached to the bottom of this post. 1. Save the file to your desktop. 2. Extract the contents to your desktop. 3. Open: Check-UEFISecureBootVariables-main 4. Right click: Check UEFI PK, KEK, DB and DBX.cmd ...and choose: Run as administrator. Your...
www.elevenforum.com www.elevenforum.com
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keybooard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
Bastet said:
Followed instructions but Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing shows in progress & not updating.
CMD shows True.
I previously tried via the MS instructions & they showed the same.
I don't think this old laptop can update.
Click to expand...

on some systems it may show 'InProgress' for several days even after several restarts
i have had one oldish 21" Asus all in one take 3 days to move from 'InProgress' to 'Updated'

but 'InProgress' means that the 2023 cert is in the database.
best of luck Steve ..
 

My Computers

System One System Two

  • OS
    Windows 11 Home
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP 24" AiO
    CPU
    Ryzen 7 5825u
    Motherboard
    HP
    Memory
    64GB DDR4 3200
    Graphics Card(s)
    Ryzen 7 5825u
    Sound Card
    RealTek
    Monitor(s) Displays
    24" HP AiO
    Screen Resolution
    1920 x 1080 @60 Hz
    Hard Drives
    1TB WD Blue SN580 M2 SSD Partitioned.
    2x 1TB USB HDD External Backup/Storage.
    PSU
    90W external power brick
    Case
    24" All in One
    Cooling
    Default Air Cooling
    Keyboard
    HP WiFi UK extended
    Mouse
    HP WiFi 3 Button
    Internet Speed
    1GB full fibre
    Browser
    Edge & Firefox
    Antivirus
    AVG Internet Security/Windows Defender
    Other Info
    Mainly Open Source Software
  • Operating System
    Ubuntu 22.04.5 LTS
    Computer type
    Laptop
    Manufacturer/Model
    Dell 13" Latitude 2017
    CPU
    i5 7200u
    Motherboard
    Dell
    Memory
    16GB DDR4
    Graphics card(s)
    Intel
    Sound Card
    Intel
    Monitor(s) Displays
    13" Dell Laptop
    Hard Drives
    250GB Crucial 2.5" SSD
    Mouse
    Generic WiFi 3 button
    Internet Speed
    WiFi only
    Browser
    Firefox
    Antivirus
    ClamAV TK
    Other Info
    Mainly Open Source Software
XxXxX said:
on some systems it may show 'InProgress' for several days even after several restarts
i have had one oldish 21" Asus all in one take 3 days to move from 'InProgress' to 'Updated'

but 'InProgress' means that the 2023 cert is in the database.
best of luck Steve ..
Click to expand...
It was showing the same for months after updating previously using MS instructions.

I checked then & the certificates were installed correctly.
 

My Computer

System One

  • OS
    Windows 11 Pro 64bit
    Computer type
    Laptop
    Manufacturer/Model
    PC Specialist Optimus VII V17-960 Gaming Laptop.
    CPU
    6th Gen Intel Core i7-6700HQ Quad Core processor.
    Memory
    16GB HyperX IMPACT 1600MHz SODIMM DDR3 (2 x 8GB)
    Graphics Card(s)
    NVIDIA® GeForce® GTX 960M - 2.0GB DDR5 Video RAM - DirectX® 12
    Sound Card
    Intel 2 Channel High Def. Audio + SoundBlaster™ Cinema 2 & Realtek
    Monitor(s) Displays
    Optimus Series: 17.3" Matte Full HD IPS LED Widescreen (1920x1080)
    Screen Resolution
    Full HD IPS display (1920 x 1080).
    Hard Drives
    4TB SSD (internal).
    1x 1TB & 1x 5TB external HDDs.
    Cooling
    STANDARD THERMAL PASTE FOR SUFFICIENT COOLING
    Keyboard
    Logitech K800 wireless keyboard
    Mouse
    Logitech M705 wireless mouse
    Internet Speed
    Upto 100Mbps
    Browser
    Edge.
    Antivirus
    Windows Defender & MalwareBytes pro.
Ghot said:
There is four commands in the first post.
They ALL need to be run as outlined.
Including any restarts mentioned.

The following command is just to check things and need not be run.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"



When finished, you can use either of these two methods to check if you succeeded...

How to check if your Secure Boot certs are updated. (three methods)

Method One Download cjee21's files, attached to the bottom of this post. 1. Save the file to your desktop. 2. Extract the contents to your desktop. 3. Open: Check-UEFISecureBootVariables-main 4. Right click: Check UEFI PK, KEK, DB and DBX.cmd ...and choose: Run as administrator. Your...
www.elevenforum.com www.elevenforum.com
Click to expand...
I'm running the cmds until part B where it says it should be run when it shows updating.

The secure boot check seems to require Terminal w/Admin which the right click menu doesn't offer.
Tbh I think I'll give up & disable secure bot.
 
Last edited:

My Computer

System One

  • OS
    Windows 11 Pro 64bit
    Computer type
    Laptop
    Manufacturer/Model
    PC Specialist Optimus VII V17-960 Gaming Laptop.
    CPU
    6th Gen Intel Core i7-6700HQ Quad Core processor.
    Memory
    16GB HyperX IMPACT 1600MHz SODIMM DDR3 (2 x 8GB)
    Graphics Card(s)
    NVIDIA® GeForce® GTX 960M - 2.0GB DDR5 Video RAM - DirectX® 12
    Sound Card
    Intel 2 Channel High Def. Audio + SoundBlaster™ Cinema 2 & Realtek
    Monitor(s) Displays
    Optimus Series: 17.3" Matte Full HD IPS LED Widescreen (1920x1080)
    Screen Resolution
    Full HD IPS display (1920 x 1080).
    Hard Drives
    4TB SSD (internal).
    1x 1TB & 1x 5TB external HDDs.
    Cooling
    STANDARD THERMAL PASTE FOR SUFFICIENT COOLING
    Keyboard
    Logitech K800 wireless keyboard
    Mouse
    Logitech M705 wireless mouse
    Internet Speed
    Upto 100Mbps
    Browser
    Edge.
    Antivirus
    Windows Defender & MalwareBytes pro.
Bastet said:
I'm running the cmds until part B where it says it should be run when it shows updating.
Click to expand...


Just run part A then part B... twice if necessary.
If you read through this topic you will see that I had to do the same thing.

It's up to you of course.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keybooard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
Ghot said:
Just run part A then part B... twice if necessary.
If you read through this topic you will see that I had to do the same thing.

It's up to you of course.
Click to expand...
Thanks. It still says In Progress so I'll leave it & see what happens.
 

My Computer

System One

  • OS
    Windows 11 Pro 64bit
    Computer type
    Laptop
    Manufacturer/Model
    PC Specialist Optimus VII V17-960 Gaming Laptop.
    CPU
    6th Gen Intel Core i7-6700HQ Quad Core processor.
    Memory
    16GB HyperX IMPACT 1600MHz SODIMM DDR3 (2 x 8GB)
    Graphics Card(s)
    NVIDIA® GeForce® GTX 960M - 2.0GB DDR5 Video RAM - DirectX® 12
    Sound Card
    Intel 2 Channel High Def. Audio + SoundBlaster™ Cinema 2 & Realtek
    Monitor(s) Displays
    Optimus Series: 17.3" Matte Full HD IPS LED Widescreen (1920x1080)
    Screen Resolution
    Full HD IPS display (1920 x 1080).
    Hard Drives
    4TB SSD (internal).
    1x 1TB & 1x 5TB external HDDs.
    Cooling
    STANDARD THERMAL PASTE FOR SUFFICIENT COOLING
    Keyboard
    Logitech K800 wireless keyboard
    Mouse
    Logitech M705 wireless mouse
    Internet Speed
    Upto 100Mbps
    Browser
    Edge.
    Antivirus
    Windows Defender & MalwareBytes pro.

My Computers

System One System Two

  • OS
    Windows 11 Home, ver 25H2 build 26200.8246
    Computer type
    Laptop
    Manufacturer/Model
    Hewlett-Packard Spectre 13-4001 x360 convertable
    CPU
    Intel Core i5 5200U @ 2.20GH
    Motherboard
    Hewlett-Packard 802D
    Memory
    4 GB
    Graphics Card(s)
    Intel HD Graphics 5500 on board
    Sound Card
    Intel Smart Sound Technology (Intel SST)
    Hard Drives
    Micron 256GB M.2 2280 NGFF SSD MTFDDAV256TBN, (SATA 6.0 Gb/s)
    Keyboard
    Model # G01KB
    Antivirus
    Microsoft Defender
    Other Info
    born on date: 25 Feb 2016
  • Operating System
    Win 11 Home 25H2 build 26200.7922
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus Desktop model M32AD-US019S (DOM: 6/9/2014 )
    CPU
    Intel Core i7 4th Gen 4790 (3.60GHz), Haswell 22nm Technology, SOCKET 1150
    Motherboard
    H81M-E/M51AD/DP_MB
    Memory
    Samsung 16 GB DDR3 (8GB in 2 modules)
    Graphics card(s)
    NVIDIA GeForce GTX 760, 3GB, and on-board Intel HD Graphics 4600 Rev 6
    Monitor(s) Displays
    HP EliteDisplay E241i LED; HP EliteDisplay E243
    Hard Drives
    Samsung 500GB SSD, 870 EVO (SATA 6.0 )
    Micron 250GB SSD, CT250MX500
    Toshiba HDD, 3GB (original drive w/PC)
    Case
    ASUS
    Keyboard
    ASUS-------------------------
    Antivirus
    MS Defender
    Other Info
    Additional Laptops:

    HEWLETT PACKARD
    HP OmniBook X Flip NGAI (Next Gen AI),
    Model: 16-as0023dx
    PT# B5UH1UA#ABA Product #: B5UH1UA
    delivered and setup 7/25/25
    16" 2K Touch-Screen Laptop
    Intel Core Ultra 7 256V '24 Series 2 - CPU
    Boost Clock Frequency 4.8 gigahertz; Neural Processing Unit (NPU) Yes;
    16GB Memory, LPDDR5X
    1TB SSD PCIe 4.0
    Graphics: Intel Arc 140V
    1 x HDMI 2.1
    1 x Thunderbolt 4
    2K Touch-Screen display, LED, IPS; 1920 x 1200 (Full HD+)
    USB Ports: 1 x USB-C 3.1, 2 x USB-A 3.1
    Wi-Fi 6E
    weight 4.15 pounds

    DELL
    Model:I7591-7483BLK-PUS 2-in-1 (7000 Series)
    purchased 12/3/2019,
    15.6 inch 2-IN-1;
    4K Ultra HD Touch-Screen, 3840 x 2160,
    Intel Core i7 10510U CPU 1.80GHz,
    16GB RAM DDR4 SDRAM 2400 megahert (2 slots),
    dedicated graphics Nvidia GeForce MX250 2 GB Graphics,
    PCIe 512GB Intel SSD + 32GB Optane Memory (Intel Optane Memory H10 with solid-state storage),
    wireless-AX & Bluetooth
    Battery: 68wh, Type 4VGMP 4 cell

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keybooard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
Looks like I fibbed. I couldn't wait so I asked Copilot about inserting the Windows UEFI CA 2023 which I had in the UEFI DB into the Boot Manager and I followed the instructions. There was one mistake it made but it worked. Here is my current state of Certs.

Spectre Secure Boot.webp

Here are the instructions I followed. (With edits!)

Code: 
SAFE PROCEDURE FOR SWITCHING TO THE 2023 SIGNED BOOT MANAGER


Preparation and Prerequisites:
1.  Secure Book must be on and the UEFI DB includes the Windows UEFI CA 2023 cert
2.  Open Powershell as Administrator
3.  You'll mount the EFI System Partition to a temporary drive letter


Backup the Current EFI Boot Manager
1.  Mount the EFI Partition:

mountvol S: /s

2.  Create a backup folder

command:
mkdir S:\EFI\Microsoft\Boot\Backup_2011

3.  Copy current boot manager

command:
copy S:\EFI\Microsoft\Boot\bootmgfw.efi S:\EFI\Microsoft\Boot\Backup_2011\bootmgfw_2011.efi

4.  Optional: backup BCD and fallback loader

command:
copy S:\EFI\Microsoft\Boot\BCD S:\EFI\Microsoft\Boot\Backup_2011\BCD.bak
copy S:\EFI\Boot\bootx64.efi S:\EFI\Microsoft\Boot\Backup_2011\bootx64_2011.efi



Replace with the 2023-signed boot manager

1.  Verify source file exists
    Check path: C:\Windows\Boot\EFI\bootmgfw_EX.efi (or C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi depending on your system) my system was the latter, C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi.

command:
dir C:\Windows\Boot\EFI\bootmgfw_EX.efi
dir C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi

2.  Copy 2023-signed boot manager to EFI (use correct path above!)

command:
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi S:\EFI\Microsoft\Boot\bootmgfw.efi

3.  Optional: update fallback loader to 2023 (I didn't follow this optional step)

command:
copy C:\Windows\Boot\EFI\bootmgfw_EX.efi S:\EFI\Boot\bootx64.efi



4.  Unmount EFI partition

command:
mountvol S: /d

That's it!

Verify and confirm compliance

- Reboot: Restart the system to load the new boot manager.
- Run your checker script:
- Expected:
Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.
Registry: WindowsUEFICA2023Capable = 2
"[Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager."
 

My Computers

System One System Two

  • OS
    Windows 11 Home, ver 25H2 build 26200.8246
    Computer type
    Laptop
    Manufacturer/Model
    Hewlett-Packard Spectre 13-4001 x360 convertable
    CPU
    Intel Core i5 5200U @ 2.20GH
    Motherboard
    Hewlett-Packard 802D
    Memory
    4 GB
    Graphics Card(s)
    Intel HD Graphics 5500 on board
    Sound Card
    Intel Smart Sound Technology (Intel SST)
    Hard Drives
    Micron 256GB M.2 2280 NGFF SSD MTFDDAV256TBN, (SATA 6.0 Gb/s)
    Keyboard
    Model # G01KB
    Antivirus
    Microsoft Defender
    Other Info
    born on date: 25 Feb 2016
  • Operating System
    Win 11 Home 25H2 build 26200.7922
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus Desktop model M32AD-US019S (DOM: 6/9/2014 )
    CPU
    Intel Core i7 4th Gen 4790 (3.60GHz), Haswell 22nm Technology, SOCKET 1150
    Motherboard
    H81M-E/M51AD/DP_MB
    Memory
    Samsung 16 GB DDR3 (8GB in 2 modules)
    Graphics card(s)
    NVIDIA GeForce GTX 760, 3GB, and on-board Intel HD Graphics 4600 Rev 6
    Monitor(s) Displays
    HP EliteDisplay E241i LED; HP EliteDisplay E243
    Hard Drives
    Samsung 500GB SSD, 870 EVO (SATA 6.0 )
    Micron 250GB SSD, CT250MX500
    Toshiba HDD, 3GB (original drive w/PC)
    Case
    ASUS
    Keyboard
    ASUS-------------------------
    Antivirus
    MS Defender
    Other Info
    Additional Laptops:

    HEWLETT PACKARD
    HP OmniBook X Flip NGAI (Next Gen AI),
    Model: 16-as0023dx
    PT# B5UH1UA#ABA Product #: B5UH1UA
    delivered and setup 7/25/25
    16" 2K Touch-Screen Laptop
    Intel Core Ultra 7 256V '24 Series 2 - CPU
    Boost Clock Frequency 4.8 gigahertz; Neural Processing Unit (NPU) Yes;
    16GB Memory, LPDDR5X
    1TB SSD PCIe 4.0
    Graphics: Intel Arc 140V
    1 x HDMI 2.1
    1 x Thunderbolt 4
    2K Touch-Screen display, LED, IPS; 1920 x 1200 (Full HD+)
    USB Ports: 1 x USB-C 3.1, 2 x USB-A 3.1
    Wi-Fi 6E
    weight 4.15 pounds

    DELL
    Model:I7591-7483BLK-PUS 2-in-1 (7000 Series)
    purchased 12/3/2019,
    15.6 inch 2-IN-1;
    4K Ultra HD Touch-Screen, 3840 x 2160,
    Intel Core i7 10510U CPU 1.80GHz,
    16GB RAM DDR4 SDRAM 2400 megahert (2 slots),
    dedicated graphics Nvidia GeForce MX250 2 GB Graphics,
    PCIe 512GB Intel SSD + 32GB Optane Memory (Intel Optane Memory H10 with solid-state storage),
    wireless-AX & Bluetooth
    Battery: 68wh, Type 4VGMP 4 cell
I hope I'm finally updated on this Dell XPS 8930. 🤞

1766118363920.webp





1766117741991.webp
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS 8930
    CPU
    Intel I9-9900K
    Memory
    64GB
    Graphics Card(s)
    NVIDIA RTX 2060
    Sound Card
    NVIDIA High Definition Audio
    Monitor(s) Displays
    4k Samsung
    Screen Resolution
    3840 x 2160
    Hard Drives
    512GB NVMe, ADATA SU 800, 2TB HDD
garlin said:
Instead of asking AI, how about a live human?
Code: 
mountvol s: /s
bcdboot C:\Windows /f UEFI /s S: /bootex /d
mountvol s: /d
Click to expand...
I thought it might be interesting to see the difference in what the 2 entities came up with. I kind of suspected that a human might have distilled the process into a small number of lines. Looks like I was right! :think:
 

My Computers

System One System Two

  • OS
    Windows 11 Home, ver 25H2 build 26200.8246
    Computer type
    Laptop
    Manufacturer/Model
    Hewlett-Packard Spectre 13-4001 x360 convertable
    CPU
    Intel Core i5 5200U @ 2.20GH
    Motherboard
    Hewlett-Packard 802D
    Memory
    4 GB
    Graphics Card(s)
    Intel HD Graphics 5500 on board
    Sound Card
    Intel Smart Sound Technology (Intel SST)
    Hard Drives
    Micron 256GB M.2 2280 NGFF SSD MTFDDAV256TBN, (SATA 6.0 Gb/s)
    Keyboard
    Model # G01KB
    Antivirus
    Microsoft Defender
    Other Info
    born on date: 25 Feb 2016
  • Operating System
    Win 11 Home 25H2 build 26200.7922
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus Desktop model M32AD-US019S (DOM: 6/9/2014 )
    CPU
    Intel Core i7 4th Gen 4790 (3.60GHz), Haswell 22nm Technology, SOCKET 1150
    Motherboard
    H81M-E/M51AD/DP_MB
    Memory
    Samsung 16 GB DDR3 (8GB in 2 modules)
    Graphics card(s)
    NVIDIA GeForce GTX 760, 3GB, and on-board Intel HD Graphics 4600 Rev 6
    Monitor(s) Displays
    HP EliteDisplay E241i LED; HP EliteDisplay E243
    Hard Drives
    Samsung 500GB SSD, 870 EVO (SATA 6.0 )
    Micron 250GB SSD, CT250MX500
    Toshiba HDD, 3GB (original drive w/PC)
    Case
    ASUS
    Keyboard
    ASUS-------------------------
    Antivirus
    MS Defender
    Other Info
    Additional Laptops:

    HEWLETT PACKARD
    HP OmniBook X Flip NGAI (Next Gen AI),
    Model: 16-as0023dx
    PT# B5UH1UA#ABA Product #: B5UH1UA
    delivered and setup 7/25/25
    16" 2K Touch-Screen Laptop
    Intel Core Ultra 7 256V '24 Series 2 - CPU
    Boost Clock Frequency 4.8 gigahertz; Neural Processing Unit (NPU) Yes;
    16GB Memory, LPDDR5X
    1TB SSD PCIe 4.0
    Graphics: Intel Arc 140V
    1 x HDMI 2.1
    1 x Thunderbolt 4
    2K Touch-Screen display, LED, IPS; 1920 x 1200 (Full HD+)
    USB Ports: 1 x USB-C 3.1, 2 x USB-A 3.1
    Wi-Fi 6E
    weight 4.15 pounds

    DELL
    Model:I7591-7483BLK-PUS 2-in-1 (7000 Series)
    purchased 12/3/2019,
    15.6 inch 2-IN-1;
    4K Ultra HD Touch-Screen, 3840 x 2160,
    Intel Core i7 10510U CPU 1.80GHz,
    16GB RAM DDR4 SDRAM 2400 megahert (2 slots),
    dedicated graphics Nvidia GeForce MX250 2 GB Graphics,
    PCIe 512GB Intel SSD + 32GB Optane Memory (Intel Optane Memory H10 with solid-state storage),
    wireless-AX & Bluetooth
    Battery: 68wh, Type 4VGMP 4 cell
Doing everything in the first post, Parts A & B worked for me. I'll be trying an older machine in a couple days using the same steps. 🤞
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
XxXxX said:
i have put this together as i had problems updating 2 desktops and 3 laptops.
which have now all had their Secure Boot Certs updated to the new 2023 secure boot cert
also the other post about this were getting very long and confusing.
this is in two parts. part A and part B.
edit by me. please note, your system must be online for part A to update

Part A.
open a PowerShell as Admin
then copy and paste these two commands in this order.
thanks to @Brink tutorial.

1.


then press enter

2.


press enter and now restart your computer TWICE

##### to check that the 2023 cert is now available #####
to check that the 2023 cert is available after the 2 restarts
open a PowerShell as Admin copy and paste this command

the result of the command should show as 'True'

and then open the Windows registry to this key
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

in the right window you will see ..
UEFICA2023Status which will show 'updating'
WindowsUEFICA2023Capable 0x00000001

close the registry and you can now begin part B.

######

Part B.
open a CMD Prompt as Admin
then copy and paste this command
thanks to @Scott

1. at the CMD Prompt as Admin


press enter and now close the CMD Prompt terminal

then open a PowerShell as Admin

2. within the PowerShell


press enter and restart you computer.

Final Check once the system has restarted
open the registry and find this key (again)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

in the right Window you will see ..
UEFICA2023Status which will now show 'Updated'
WindowsUEFICA2023Capable 0x00000002


your system is now updated to the new 2023 certs
if this post is in the wrong part of the Forum please move it to the correct one.

edit by me. missed this out .. your system needs to be online for the update to work
best of luck Steve ..
Click to expand...
Hello! I'd like something to ask about this Secure boot issue..
Since upgrading from win 11 24h2 to win11 25h2, the known error secure boot ca/keys needs to be updated, was replaced at every restart/shutdown by

Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:ASUSTeK COMPUTER INC.;FirmwareManufacturer:American Megatrends Inc.;FirmwareVersion:5031;OEMModelNumber:System Product Name;OEMModelBaseBoard:ROG STRIX X570-F GAMING;OEMModelSystemFamily:To be filled by O.E.M.;OEMManufacturerName:System manufacturer;OEMModelSKU:SKU;OSArchitecture:amd64;
BucketId: 36af41ac3e6ad12f297d98409236fdbdde1fcc8ce511063e81fbbb17bb41370f
BucketConfidenceLevel:
UpdateType:
For more information, please see Windows Secure Boot certificate expiration and CA updates - Microsoft Support

Ok! So am I updated and have just to wait the next upcoming windows updates in 2026 so as to fix this issue?
I have not applied this fix, as I am already updated! But why is this error message appearing in my event viewer? I'd prefer Microsoft to fix it via its upcoming updates...Am I wrong?
 

My Computer

System One

  • OS
    win 11 pro 25 h2
    Computer type
    PC/Desktop
larysid said:
Ok! So am I updated and have just to wait the next upcoming windows updates in 2026 so as to fix this issue?
I have not applied this fix, as I am already updated! But why is this error message appearing in my event viewer? I'd prefer Microsoft to fix it via its upcoming updates...Am I wrong?
Click to expand...
MS is in the middle of a planned migration from now until mid-2026.

Earlier this year, they provided the tools for IT admins to voluntarily update their Secure Boot certs. Normal home users were not expected to do anything at this time. Recently, Windows pushed a Monthly Update where Event Viewer may report a TPI WMI "error" in the logs.

While it's categorized as an "error", it actually functions as a warning. In this migration phase, MS wants to increase awareness of the upcoming migration for IT admins and expert users. If you don't do anything, Windows will begin adding the CA 2023 certs for you next year. Later in the 2026, the migration will conclude by Windows revoking the CA 2011 certs.

If you own a relatively newer PC purchased in the last 3-4 years, you're probably supported and don't need to do anything. Check your PC's support site, and install any BIOS updates you're missing.

If you have an older PC, or it's not manufactured by a brand name company, then it may be helpful to try the update steps to see if they work or not.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
MS is in the middle of a planned migration from now until mid-2026.

Earlier this year, they provided the tools for IT admins to voluntarily update their Secure Boot certs. Normal home users were not expected to do anything at this time. Recently, Windows pushed a Monthly Update where Event Viewer may report a TPI WMI "error" in the logs.

While it's categorized as an "error", it actually functions as a warning. In this migration phase, MS wants to increase awareness of the upcoming migration for IT admins and expert users. If you don't do anything, Windows will begin adding the CA 2023 certs for you next year. Later in the 2026, the migration will conclude by Windows revoking the CA 2011 certs.

If you own a relatively newer PC purchased in the last 3-4 years, you're probably supported and don't need to do anything. Check your PC's support site, and install any BIOS updates you're missing.

If you have an older PC, or it's not manufactured by a brand name company, then it may be helpful to try the update steps to see if they work or not.
Click to expand...
Hello again! Thank you very much for the explanation provided above!! Yes of course I agree. My desktop PC is 4 years old and my laptop is brand new bought 3 months ago! We all have the same message that they keys have been updated so MS is responsible to fix it via its upcoming updates... And as I wrote above, I have already a task in my task scheduler regarding secure boot update, but in the service folder in registry, the update status is shown as NOT STARTED (as other users above who ran this forum script).. All in all I believe that MS will fix it because it is insane my PCs not to reboot because they expect us to do these steps manually...
 

My Computer

System One

  • OS
    win 11 pro 25 h2
    Computer type
    PC/Desktop
Not Started may indicate it's waiting for the next Windows restart to make some changes.
 

My Computer

System One

  • OS
    Windows 7
In part A, the command always returns "true". After restarting twice, the registry showed "NotStarted". However, after repeating step A and restarting twice, it briefly showed "inProgress", but without doing anything, not even restarting, it reverted to the "NotStarted" state.

In my case, it's a desktop PC with an Asus Z790-A WiFi motherboard. How can I get part A to work?

Thanks.
 

My Computer

System One

  • OS
    Windows 11
francisco94 said:
In part A, the command always returns "true". After restarting twice, the registry showed "NotStarted". However, after repeating step A and restarting twice, it briefly showed "inProgress", but without doing anything, not even restarting, it reverted to the "NotStarted" state.

In my case, it's a desktop PC with an Asus Z790-A WiFi motherboard. How can I get part A to work?

Thanks.
Click to expand...
I had to manually add the CA 2023 to my BIOS to finally get this Updated state. See Posts #138 and #140 in the link below.

How to check if your Secure Boot certs are updated. (three methods)

Yes! Everything looks fine. All current values do have Green checkmarks. UEFI PK, KEK, DB and DBX. You're done. Congratulations. (y) (Script writer forgot to issue a new-line statement in the Current UEFI KEK section. If you make the CMD-box bigger than the spacing is not correct. (Less...
www.elevenforum.com www.elevenforum.com

1766262558146.webp



1766263252131.webp
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS 8930
    CPU
    Intel I9-9900K
    Memory
    64GB
    Graphics Card(s)
    NVIDIA RTX 2060
    Sound Card
    NVIDIA High Definition Audio
    Monitor(s) Displays
    4k Samsung
    Screen Resolution
    3840 x 2160
    Hard Drives
    512GB NVMe, ADATA SU 800, 2TB HDD
You must log in or register to reply here.

Similar threads

Secure boot update via Windows update
Replies
3
Views
2K
hader
hader
Secure Boot Update Issue for 2014 Dell Laptop
Replies
7
Views
2K
SIW2
SIW2
Solved garlin's PowerShell scripts for updating Secure Boot CA 2023
105 106 107
Replies
2K
Views
172K
garlin
G
Solved Finding the UEFI's DBX SVN number using PowerShell
2 3 4
Replies
73
Views
10K
Ghot
Ghot
Solved Secure Boot update failed to update a Secure boot variable - possible after 24H2 update
Replies
8
Views
11K
FreeBooter
FreeBooter

Latest Support Threads

Latest Tutorials

Back
Top Bottom