Secure boot update via Windows update


xrms3

Hitherto I've made no changes to Secure Boot certificates, belonging firmly to the DO NOTHING group. But this morning received a 'Restart' notification because of a KEK update. The @garlin Check-UEFI script now shows:

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010

EFI Files
---------
Disk 1: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.

Disk 1: SkuSiPolicy.p7b (for VBS) is WRONG VERSION.

No log entries that I could see apart from Windows Update ->Update History ->Other updates.

This is on a Dell XPS8940 - which hasn't had a BIOS update with new certificates. Windows 11 26200.8037

bob
 

Considering the device is Windows 11 supported, not surprising. Dell signed off on the KEK, the rest will follow in due course.
 

Hitherto I've made no changes to Secure Boot certificates, belonging firmly to the DO NOTHING group. But this morning received a 'Restart' notification because of a KEK update.
The script may suggest "DO NOTHING", meaning your BIOS is fully supported for Secure Boot updates.

While the Secure Boot certs can be applied to a live system, it requires a reboot for changes to take effect. This is an expected event, much like Windows needing to restart after a monthly update.

The only pending action is to update the SkuSiPolicy.p7b file. Run these commands as Admin:
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x20 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 

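A read-only way to confirm the result after running the commands above and rebooting (added example, not part of the original thread or of the Check-UEFI script). It assumes that Windows clears each AvailableUpdates bit once that operation completes and that WindowsUEFICA2023Capable sits under the SecureBoot\Servicing key; the certificate names are the ones shown in the script output in the first post.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only check of Secure Boot update state; changes nothing.
$sb = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value does not exist.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-SecureBootCert([string]$Variable, [string]$Subject) {
    # Searches the raw firmware variable (KEK, db) for a certificate subject string.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    [Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject)
}

$enabled = Confirm-SecureBootUEFI
"Secure Boot enabled: $enabled"

# AvailableUpdates is a bitmask of pending work; 0x20 is the SkuSiPolicy.p7b
# bit set by the reg add command above. Assumption: the bit clears when done.
$pending = [int](Get-RegValue $sb 'AvailableUpdates')
'AvailableUpdates = 0x{0:X}' -f $pending
if ($pending -band 0x20) { 'SkuSiPolicy update (0x20) is still pending.' }
else                     { 'SkuSiPolicy bit (0x20) is clear.' }

# Assumed location of the value the script output reports.
$capable = Get-RegValue "$sb\Servicing" 'WindowsUEFICA2023Capable'
"WindowsUEFICA2023Capable = $capable"

# Certificate names as listed in the script output in the first post.
$expected = @(
    @{ Var = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023' }
    @{ Var = 'db';  Subject = 'Windows UEFI CA 2023' }
    @{ Var = 'db';  Subject = 'Microsoft UEFI CA 2023' }
    @{ Var = 'db';  Subject = 'Microsoft Option ROM UEFI CA 2023' }
)
foreach ($e in $expected) {
    $found = Test-SecureBootCert $e.Var $e.Subject
    $state = if ($found) { 'present' } else { 'MISSING' }
    '{0,-4} {1,-40} {2}' -f $e.Var, $e.Subject, $state
}

# Outcome of the last run of the task started in the post above (0 = success).
Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' |
    Select-Object LastRunTime, LastTaskResult
```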
As far as I can see it. Nothing has changed since Dec 2025. I see the same results. Looking in the Certificate Store, still no sign of an intermediate CA2023 certificate.
 
