Solved Secure boot update HowTo


Secure Boot task will install any new boot managers (and SVN), if your PC has already reached UEFICA2023Status = Updated. This means a KEK CA 2023 was installed, and the other CA 2023 certs and the current boot manager were copied.

PC's already on SVN 7.0 would be self-updated to SVN 8.0.

But if your PC hasn't gotten there yet, because it's still blocked by "More Data Needed", manual intervention is still needed unless you wait for MS.
 

I have put this together as I had problems updating 2 desktops and 3 laptops,
which have now all had their Secure Boot certs updated to the new 2023 Secure Boot cert.
Also, the other posts about this were getting very long and confusing.
This is in two parts: Part A and Part B.
Edit by me: please note, your system must be online for Part A to update.

Part A
Open a PowerShell as Admin,
then copy and paste these two commands in this order.
Thanks to @Brink's tutorial.

1.


Then press Enter.

2.


Press Enter and now restart your computer TWICE.

##### to check that the 2023 cert is now available #####
To check that the 2023 cert is available after the 2 restarts,
open a PowerShell as Admin and copy and paste this command.

The result of the command should show as 'True'.

Then open the Windows Registry at this key:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

In the right window you will see ..
UEFICA2023Status which will show 'updating'
WindowsUEFICA2023Capable 0x00000001

Close the Registry and you can now begin Part B.

######

Part B.
Open a CMD Prompt as Admin,
then copy and paste this command.
Thanks to @Scott.

1. At the CMD Prompt as Admin


Press Enter and now close the CMD Prompt terminal.

Then open a PowerShell as Admin.


2. Within the PowerShell


Press Enter and restart your computer.

Final check once the system has restarted:
Open the Registry and find this key (again)
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

In the right window you will see ..
UEFICA2023Status which will now show 'Updated'
WindowsUEFICA2023Capable 0x00000002


Your system is now updated to the new 2023 certs.
If this post is in the wrong part of the forum, please move it to the correct one.

Edit by me: missed this out .. your system needs to be online for the update to work.
Best of luck, Steve ..
Is this still the preferred method and does it still work?
 

It is one of several ways to update the Secure Boot certs.
Follow this how-to, then check to see if it's updated.

You can decide afterwards if another method is required to update the Secure Boot certs.
Best of luck, Steve ..
 

Any idea how to get UEFI DBX fixed up on a Gigabyte ga-z170-hd3? I had to manually add the 2023 certs in the BIOS Secure Boot keys section, but it's still showing "under observation - more data needed" for confidence level and still showing "failed attestation" in CoD Warzone when I try to play.

---------------------------------------------------

UEFICA2023Status: Updated
WindowsEUFICA2023Capable: 0x00000002 (2)


---------------------------------------------------

Checking for Administrator permission...
Running as administrator - continuing execution...

05 June 2026
Manufacturer: Gigabyte Technology Co., Ltd.
Model: Z170-HD3
BIOS: American Megatrends Inc., F22f, F22f, ALASKA - 1072009
Windows version: 22H2 (Build 19045.7291)

Secure Boot status: Enabled

Current UEFI PK
√ DO NOT TRUST - AMI Test PK

Default UEFI PK
√ DO NOT TRUST - AMI Test PK
Current UEFI KEK
X Microsoft Corporation KEK CA 2011
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False)

Default UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023

Current UEFI DB
X Microsoft Windows Production PCA 2011
X Microsoft Corporation UEFI CA 2011
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
X Microsoft Option ROM UEFI CA 2023

Default UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: False)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023

Current UEFI DBX
2025-10-14 (v1.6.0) : FAIL: 404 failures, 27 successes detected
Windows Bootmgr SVN : None
Windows cdboot SVN : None
Windows wdsmgfw SVN : None
 

I would ignore "More Data Needed", because the Confidence Level status is derived from a static JSON file that's pushed out in the Monthly Updates. It doesn't reflect your UEFI's current state.

Current UEFI PK
√ DO NOT TRUST - AMI Test PK

Current UEFI KEK
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False)

Current UEFI DB
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
This is the minimum set of CA 2023 certs required to run Secure Boot mode. Attestation is a fancy security term for "we checked the Windows boot logs and confirmed Secure Boot was running". I'm not sure what COD:WZ considers as the minimum threshold for compliance.

Some observations:

1. You're still running the factory "DO NOT TRUST" PK. BIOSes running this PK have long been considered insecure, because it's suspected the private signing key for the OEM reference example ("Test PK") was leaked years ago. Most security experts recommend replacing this PK with another one.

2. While it's the minimal set of certs, typically some Windows processes like to see the Option ROM present (even if it's optional). It may get flagged by TPM-WMI in the event logs as noise.

My recommendation is to delete all current Secure Boot keys and drop in the cert bundle from Windows OEM Devices. This gets rid of the "DO NOT TRUST" PK and makes sure your UEFI passes every test, so nothing will complain in the future.

You can try my upgrade script from:
garlin's PowerShell scripts for updating Secure Boot CA 2023

1. Confirm BitLocker is not enabled on system drive, and you're not using Windows Hello PIN for logon. Disable both of them if enabled.

2. From the BIOS menus, Delete All Keys or the equivalent option for Setup Mode (no keys).

3. Run the update script.
Code:
Update-UEFI.bat

If you want to revoke now, instead of waiting for Windows to do this later:
Code:
Update-UEFI.bat -Revoke
 

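An added check script, my own and not the commands from Steve's how-to or garlin's Update-UEFI.bat, that does in one run what the two posts ask you to verify by hand: it walks the PK, KEK, db and dbx variables, lists the X.509 certs they contain, and reads UEFICA2023Status and WindowsUEFICA2023Capable from the Servicing key, so you can see whether the CA 2023 minimum set is present and whether the AMI "DO NOT TRUST" PK is still installed. It assumes an elevated PowerShell 5.1 or later on a UEFI machine with the SecureBoot module; Get-SecureBootCertificates and Test-Ca2023State are my names, while the EFI_SIGNATURE_LIST layout and the cmdlets are standard.

```powershell
# Added example, not the post's own commands: enumerate the Secure Boot variables
# and the Servicing registry values that the how-to and garlin's reply tell you to check.
# Assumption: elevated PowerShell 5.1+ on a UEFI machine with the SecureBoot module.
#Requires -RunAsAdministrator

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$ServicingKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-SecureBootCertificates {
    # Walk the EFI_SIGNATURE_LIST chain in one UEFI variable and emit every X.509 cert
    # it holds; lists of other types (e.g. the SHA-256 hashes in dbx) are only counted.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    try { $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes } catch { return }
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # Header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type     = [guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop instead of looping
        $listEnd  = [Math]::Min($offset + $listSize, $bytes.Length)
        $p        = $offset + 28 + $hdrSize
        $count    = 0
        while ($p + $sigSize -le $listEnd) {
            if ($type -eq $EfiCertX509Guid) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER-encoded certificate
                $der  = [byte[]]($bytes[($p + 16)..($p + $sigSize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
            }
            $count++
            $p += $sigSize
        }
        if ($type -ne $EfiCertX509Guid) {
            [pscustomobject]@{ Variable = $Name; Subject = "<$count non-X.509 entries, type $type>"; NotAfter = $null; Thumbprint = $null }
        }
        $offset = $listEnd
    }
}

function Test-Ca2023State {
    # One-screen summary of the checks in the how-to and in garlin's "minimum set" list.
    $certs = foreach ($v in 'PK','KEK','db','dbx') { Get-SecureBootCertificates -Name $v }
    $has   = { param($var, $pattern) [bool]($certs | Where-Object { $_.Variable -eq $var -and $_.Subject -match $pattern }) }
    $svc   = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled        = Confirm-SecureBootUEFI
        PK                       = (($certs | Where-Object Variable -eq 'PK').Subject -join '; ')
        UntrustedTestPK          = (& $has 'PK'  'DO NOT TRUST')
        KEK2KCA2023              = (& $has 'KEK' 'KEK 2K CA 2023')
        WindowsUEFICA2023InDb    = (& $has 'db'  'Windows UEFI CA 2023')
        MicrosoftUEFICA2023InDb  = (& $has 'db'  'Microsoft UEFI CA 2023')
        OptionROMCA2023InDb      = (& $has 'db'  'Option ROM UEFI CA 2023')
        PCA2011RevokedInDbx      = (& $has 'dbx' 'Windows Production PCA 2011')
        UEFICA2023Status         = $svc.UEFICA2023Status
        WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable
    }
}

Get-SecureBootCertificates -Name db | Format-Table -AutoSize
Test-Ca2023State
```

A fully migrated box shows UntrustedTestPK False, the three db flags and PCA2011RevokedInDbx True, UEFICA2023Status 'Updated' and WindowsUEFICA2023Capable 2, matching the final check in the how-to.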
Appreciate the quick reply! Followed your recommendation and this is where I'm at currently:


Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING.


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.



-----------------------------------------------------------------------------------------------

Checking for Administrator permission...
Running as administrator - continuing execution...

05 June 2026
Manufacturer: Gigabyte Technology Co., Ltd.
Model: Z170-HD3
BIOS: American Megatrends Inc., F22f, F22f, ALASKA - 1072009
Windows version: 22H2 (Build 19045.7291)

Secure Boot status: Enabled

Current UEFI PK
√ Windows OEM Devices PK

Default UEFI PK
√ DO NOT TRUST - AMI Test PK
Current UEFI KEK
X Microsoft Corporation KEK CA 2011
√ Microsoft Corporation KEK 2K CA 2023 (revoked: False)

Default UEFI KEK
√ Microsoft Corporation KEK CA 2011 (revoked: False)
X Microsoft Corporation KEK 2K CA 2023

Current UEFI DB
X Microsoft Windows Production PCA 2011
X Microsoft Corporation UEFI CA 2011
√ Windows UEFI CA 2023 (revoked: False)
√ Microsoft UEFI CA 2023 (revoked: False)
√ Microsoft Option ROM UEFI CA 2023 (revoked: False)

Default UEFI DB
√ Microsoft Windows Production PCA 2011 (revoked: True)
√ Microsoft Corporation UEFI CA 2011 (revoked: False)
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
X Microsoft Option ROM UEFI CA 2023

Current UEFI DBX
2025-10-14 (v1.6.0) : FAIL: 154 failures, 277 successes detected
Windows Bootmgr SVN : 8.0
Windows cdboot SVN : 3.0
Windows wdsmgfw SVN : 3.0

Press any key to continue . . .
 

You're done with CA 2023 updates. Hopefully, you can run COD now.
 

OMG. I didn't realize they were serious enough about anti-cheat to release a "COD Secure Attestation Wizard". :boom:
 

Yep, and I'm still failing it :(

Also, just now seeing that my i7-7700k isn't supported either so that's likely the reason unless MoKiChU can save the day with another Intel ME Consumer FW update!
 

OK. I'm failing TPM 2.0 (but that's because my test system is a VM). Are you passing the Secure Boot check?

For anybody still following along with pre-8th generation Intel CPUs and/or older motherboards not receiving updates: the comment from u/lokidvane in this reddit thread fixed my final attestation issue! I only needed to run the SetupME.exe in the Main_DCH folder and then reboot. Fresh issue now is not seeing the initial Failed Attestation in Warzone when I first log in, but then when I go to start a game, it says I still have that status 🤦🏻‍♂️ Another couple of steps forward and one back.
 


This has been super-helpful to me! Many, many thanks!

I am actually on a very old Windows 10 device (Processor: Intel Core i3-6100U). Update to the new certificates was problematic because the Secure Boot Update task in Task Scheduler was constantly hanging my computer. In fact, I didn't even know that the Secure Boot Update task was the source of this problem of hanging until a couple of weeks ago.

The issue began with an update in January, and therefore I restored to an old image, and decided not to renew my enrolment to Extended Services Update (ESU) for fear of accumulating further problems.

Having finally located the cause of my computer hanging, I of course disabled the Secure Boot Update task. (Before then, I was manually disconnecting my WiFi connection at 5m after, and 12h5m after booting as a temporary workaround, until I found the true source of the problem.) Since finding the cause, I have re-enrolled to ESU and, after receiving the latest updates, tried following your easy to follow instructions to update to the new 2023 secure boot certificates.

Before doing this:
1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing "WindowsUEFICA2023Capable" held a value of "1" : "“Windows UEFI CA 2023” certificate is in the DB" *
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing "UEFICA2023Status" held a value of "NotStarted": "The update has not yet run." *
3. Secure Boot in Settings>Update & Security>Windows Security>Device Security had a green checkmark but with the following description: "Secure Boot is on, but your device is using an older boot trust configuration and should be updated to remain serviceable."

Since running your instructions:
1. The Secure Boot Update task continues to hang about 5 seconds after each time I execute your command in Administrator PowerShell (so essentially same behaviour as before), but...
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing "WindowsUEFICA2023Capable" now holds a value of "2" : "“Windows UEFI CA 2023” certificate is in the DB and the system is starting from the 2023 signed boot manager" *
3. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing "UEFICA2023Status" now holds a data status of "InProgress" (the equivalent of your "Updating") : "The update is actively in progress." *
4. Secure Boot in Settings>Update & Security>Windows Security>Device Security still has a green checkmark but also still has the same description: "Secure Boot is on, but your device is using an older boot trust configuration and should be updated to remain serviceable."
* See https://support.microsoft.com/en-gb/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#bkmk_registry_keys_described

So real progress has been made, thanks to you! However, as you can see from points 3 and 4, Part B has unfortunately not fully completed.

I wonder if you can give me any suggestions as to what I might do next to resolve this problem? Hoping you can help.
 
@Muddy3
Once you have set the task to update the Secure Boot certs, the system will keep checking every 12 hours to see if an update is available.
This will rely on several factors: does MS have all the correct data to download and update the certs, has the manufacturer made a BIOS update available for your system with the updated certs, or have they decided that the system is too outdated and abandoned any attempt at an update.

All the above are out of your and anybody else's hands.
So I would just wait a few days, checking to see if the update has happened, checking Windows Update to see if they have any updates, and restarting the system every day to see if any update has installed.

You can update the system manually using the Mosby Secure Boot updater if all else fails.
Best of luck, Steve ..
 

@XxXxX Hi, I mentioned this to Garlin; just wanted to tell you as well: on the several computers I've worked on, in Part A UEFICA2023Status says 'in progress', not 'updating'. Is this a different condition, or did MS change things maybe?
 

@XxXxX

Thank you, Steve, for such a rapid response! And even at the weekend!! God bless you.

Well, that's a real pearl of knowledge you've given me about Mosby Secure Boot Updater — in all my research, albeit as a pretty ignorant computer user, I hadn't come across that brilliant last ditch solution — which I can use as a fallback measure if the manufacturer does not provide an update (I am in touch with the manufacturer's Support service but they don't seem to be very clear in their responses ☹ ... at least not so far. And for your information, the last BIOS update on my computer and on the manufacturer's download page was in 2018 *sigh*.). I believe Windows Support for the old safe boot certificates expires on 24 June which is next Wednesday, so I'll see what happens in the meantime. Of course, I will execute the Secure Update Task manually (through Task Scheduler or PowerShell) because otherwise, if automated, my computer will just crash unexpectedly for the reasons described in my previous post. At least, if I execute the task manually, I can plan when it will crash!!

Anyway, I've quickly perused Mosby's page GitHub - pbatard/Mosby: Mosby – More Secure Secure Boot, and if I understand correctly, although I will need to create a bootable USB to install the new certificates, once they have been successfully installed, my computer will boot securely with the new certificates without the need any more for the bootable external device, and they will, as and when necessary, receive Windows Updates. Is that correct??

Thanks once again.
 

It would be helpful to post the script's verbose output. That particular reg key doesn't really provide enough debugging details, which is easier to interpret based on the script's verbose mode.
 
