Solved Secure boot update HowTo

neldog · Dec 27, 2025

fg2001gf11F said:
Thanks, looks like that worked on my 4 machines too.
Where was that posted? Post #180 in the thread below?

How to check if your Secure Boot certs are updated. (three methods)

Okay... one more little thing cleared up. I'm not sure why this wasn't showing up before that my system was using the Do Not Trust AMI test platform key. I was able to append the microsoft platform key without issues directly in the BIOS using the Windows OEM PK certificate.

www.elevenforum.com

Yes, it is in post 180 in that thread. That is where I first seen it. The SVN update instructions are in a few other threads here as well. Thank you for your post that it worked for you.

Steve C · Dec 27, 2025

neldog said:
Thanks... That is what I am going to do. From all that I have read about the SVN update it looks as though MS thru Windows Update "should" take care of this later in 2026 sometime. I "think" I have got everything in place right now on both my machines and ready for Windows Update to take it from here. Thank you for all your help.

This is some of what I found on this issue:

Applying the SVN update to the firmware" refers to updating the Secure Version Number (SVN) in the UEFI firmware.

**Important Considerations
Irreversible: Once the SVN is updated in the firmware, downgrading to older, non-updated firmware or boot managers is no longer possible.

Compatibility: All bootable media (PXE, ISOs, USB drives) must be updated with the new boot manager that is signed with the 2023 CA, or they will fail to boot.

** Automatic updates:
For "most" users, Windows Update should handle this process automatically if Secure Boot is enabled. The manual steps are primarily for "system administrators managing enterprise environments" or troubleshooting issues.

Verification: The SVN update prevents an older boot manager (with a lower SVN) from running by comparing the boot manager's SVN with the one stored in the firmware. You can verify the status through PowerShell commands.

Exactly. I plan to do nothing and keep my fingers crossed MS doesn't screw up.

TheOnlyVnz · Dec 27, 2025

Any idea on what to do here? I've done the first step 3 times and nothing. It's just stuck in "InProgress"

XxXxX · Dec 28, 2025

TheOnlyVnz said:
View attachment 158185Any idea on what to do here? I've done the first step 3 times and nothing. It's just stuck in "InProgress"

please now do Part B.
1. first command is an Admin CMD prompt

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

close the Admin CMD prompt then the second command
2. second command is in an Admin PowerShell

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

once completed close all programs and restart your computer and recheck that registry key again.
best of luck Steve ..

Grouwdi · Dec 28, 2025

I have followed the OP to a T but I always get this after the two restarts:

Code:

PS C:\WINDOWS\system32>  [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
False
PS C:\WINDOWS\system32>

When checking my registry, it says "In Progress"

Ghot · Dec 28, 2025

Hello @Grouwdi and welcome to ElevenForum.

It takes a little bit of time for it to update.
I just ran the whole thing (part A and part B), twice, and mine updated.

When it does update, you can check it, here...

How to check if your Secure Boot certs are updated. (three methods)

Method One Download cjee21's files, attached to the bottom of this post. 1. Save the file to your desktop. 2. Extract the contents to your desktop. 3. Open: Check-UEFISecureBootVariables-main 4. Right click: Check UEFI PK, KEK, DB and DBX.cmd ...and choose: Run as administrator. Your...

www.elevenforum.com

Here's some other things that you may find useful...

Quickie Eleven Forum Setup Guide for new Members

Quickie Interface tour... Quickie set up... At the top right, click on your name, then choose "Preferences". Then go through everything on the left side. Quickie navigation... Click Forums and choose a subforum, OR... Click Forums, then New Posts or What's New Ranks, Trophies...

www.elevenforum.com

Macrium Reflect, AOMEI Backupper and Hasleo Backup Suite - GUIDES

How to use backup software... 1. When everything is working perfectly... make a full Windows backup. 2. Then, if something breaks... restore from the latest backup. 3. Then... try "whatever you were doing" a different way. If it still breaks Windows, then... go to step #2. 4. Repeat...

www.elevenforum.com

Windows 11 Tweaks - Leader Board.

These are tweaks I've seen asked for... many times. They are collected here for easy access. All of these and more can be found in the Eleven Forum Tutorials Make sure to read the "notes" in the various tutorials. At the bottom of the first post in all the "tutorials", there are links to...

www.elevenforum.com

Grouwdi · Dec 28, 2025

Hi - it finally says Updated in the registry <3 (( Wanted to add a Thank you to all those who put in the work to help others out ))

now off to fix the kernel error and random restarts I've encountered recently

TrebleTA · Dec 31, 2025

Hi and thanks for this update, all worked fine for me.
One question, if I reinstall windows on this pc will I have to do the above again after the reinstall?

Buddywh · Dec 31, 2025

TrebleTA said:
Hi and thanks for this update, all worked fine for me.
One question, if I reinstall windows on this pc will I have to do the above again after the reinstall?

The Secure Boot keys are stored in firmware so reinstalling Windows will have no effect on them. And either Setup checks to see if your system has the 2023 keys in firmware when it installs or it checks during the Updates I always do after an installation so it will use the 2023 signed boot manager files too. I discovered this on two different systems I ran a clean install on.

The only way to remove the 2023 keys is to do a Restore Default Keys (or whatever your BIOS calls it) in your BIOS settings. Many systems have BIOS updates from the OEM that add 2023 keys as defaults, if you get yours updated it would make even that have no effect.

Anibor_11 · Dec 31, 2025

A somewhat related question is:

What happens if I restore a backup image created before the certificates were updated?

In this case, Secure Boot will block the Windows boot, because the restored image has a CA 2011-signed Windows bootloader.

To solve this: disable Secure Boot to be able to boot, then update the Windows bootloader, and enable Secure Boot again.

john1955 · Jan 2, 2026

I'm not getting past this part . . .
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
When I copy it, it will not paste into Powershell, I have to paste it into Notepad and then recopy and paste into Powershell. But I get this back . . .

PS C:\WINDOWS\system32> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At line:1 char:42
+ ... System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) ...
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

Not sure I care about this right now but thought I would check it out.
Secure boot is turned on in my Bios but there's no details.

Note: The other two lines in 1. and 2 copy/pasted just fine so I dont know why this one won't.

XxXxX · Jan 2, 2026

john1955 said:
I'm not getting past this part . . .
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
When I copy it, it will not paste into Powershell, I have to paste it into Notepad and then recopy and paste into Powershell. But I get this back . . .

PS C:\WINDOWS\system32> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At line:1 char:42
+ ... System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) ...
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

Not sure I care about this right now but thought I would check it out.
Secure boot is turned on in my Bios but there's no details.

please do Part A of the HowTo
both of the commands in Part A are PowerShell commands in a Admin PowerShell

then restart the system twice
giving about 5 minutes between re-starts.

then try that command again in in a Admin PowerShell.
best of luck Steve ..

Dirtyflash · Jan 2, 2026

john1955 said:
I'm not getting past this part . . .
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
When I copy it, it will not paste into Powershell, I have to paste it into Notepad and then recopy and paste into Powershell. But I get this back . . .

PS C:\WINDOWS\system32> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At line:1 char:42
+ ... System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) ...
+ ~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

Not sure I care about this right now but thought I would check it out.
Secure boot is turned on in my Bios but there's no details.

Note: The other two lines in 1. and 2 copy/pasted just fine so I dont know why this one won't.

Try this, notice the difference " vs ' "Windows UEFI CA 2023" vs 'Windows UEFI CA 2023'

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’

fg2001gf11F · Jan 2, 2026

Dirtyflash said:
Try this, notice the difference " vs ' "Windows UEFI CA 2023" vs 'Windows UEFI CA 2023'

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’

No difference here with ' or "

I noticed that with the older Power Shell if I paste this below the ' is removed, and in that case it fails. I just make sure that the quotes are there when I paste. ' '

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’

john1955 · Jan 2, 2026

Dirtyflash said:
Try this, notice the difference " vs ' "Windows UEFI CA 2023" vs 'Windows UEFI CA 2023'

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’

Dang, Same results

I'll start over from the beginning AGAIN after checking the bios settings again.
Event viewer says I don't have secure boot enabled but my Bios says I do. (enabled but not active)

garlin · Jan 2, 2026

john1955 said:
I'm not getting past this part . . .
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
When I copy it, it will not paste into Powershell, I have to paste it into Notepad and then recopy and paste into Powershell. But I get this back . . .

PS C:\WINDOWS\system32> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100

"Variable is currently undefined: 0xC0000100" is literally what it means.

Your UEFI currently doesn't have the DB variable populated with any certs. Most likely your UEFI is in Setup Mode (which deletes all the current certs in preparation for manual updates), or your UEFI is in a confused state. Shutdown Windows, go into the BIOS menu and under UEFI (or Secure Boot), see if it indeed says "Setup Mode".

john1955 · Jan 2, 2026

garlin said:
"Variable is currently undefined: 0xC0000100" is literally what it means.

Your UEFI currently doesn't have the DB variable populated with any certs. Most likely your UEFI is in Setup Mode (which deletes all the current certs in preparation for manual updates), or your UEFI is in a confused state. Shutdown Windows, go into the BIOS menu and under UEFI (or Secure Boot), see if it indeed says "Setup Mode".

If it's this hard to do it probably does not need to be done

Dirtyflash · Jan 2, 2026

john1955 said:
View attachment 158681

If it's this hard to do it probably does not need to be done

Looks like it's in Setup mode, second row from the top.

john1955 · Jan 2, 2026

Dirtyflash said:
Looks like it's in Setup mode, second row from the top.

I'll have to read the manual because it's not obvious what to change. The other options are not available unless I change the "Standard" to "Custom" and then what? It shows System Mode as "setup" but it shows Secure Boot Mode as "Standard" which is confusing. I'm glad I'm not in any rush to do this but I would like to know I can ~~when~~ if I need to.

Dirtyflash · Jan 2, 2026

john1955 said:
I'll have to read the manual because it's not obvious what to change. The other options are not available unless I change the "Standard" to "Custom" and then what? It shows System Mode as "setup" but it shows Secure Boot Mode as "Standard" which is confusing. I'm glad I'm not in any rush to do this but I would like to know I can ~~when~~ if I need to.

I have the impression you were trying to determine the status of the Windows UEFI CA 2023, whether it was, or wasn't installed. Don't know if you had done any other PowerShell commands, or changes prior, so it's hard to say how you got to into Setup mode. Somehow things went off the rails for you. The quick fix, which I'm not suggesting you do, is to Restore Factory Keys, that usually causes my system to exit Setup and switch to User mode. If you choose to do that, once you're done, save the change, reboot your device and it should be good to go. If it for whatever reason it doesn't boot, go back into BIOS and turn off Secure Boot. It will mean you'll have to do a quick fix of the bootloader and then you'll be able to turn Secure Boot back on.

Solved Secure boot update HowTo

Well-known member

My Computers

Well-known member

My Computer

Member

My Computer

Just a Computer User

My Computers

Member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Jack of all trades

My Computers

Just a Computer User

My Computers

Well-known member

My Computer

Well-known member

My Computer

Jack of all trades

My Computers

Well-known member

My Computer

Jack of all trades

My Computers

Well-known member

My Computer

Jack of all trades

My Computers

Well-known member

My Computer

Similar threads