Solved updating Secure Boot certificates for Dell G5 15 5500


revoke the [PCA 2011] cert: This will be done by a Windows Update in the coming weeks?
I can run another Garlin script which will do this but I can also just wait for the Windows Update?
WU will revoke PCA 2011 later this year, but MS has not announced the timeframe.

You can wait, or run the update script to force a revocation:
Code:
Update_UEFI-CA2023.ps1 -Revoke
 

My Computer

System One

  • OS
    Windows 7
You will remain on the 2011 secure boot certificate. Your PC will continue to boot normally after June 2026. All that will happen is you won't receive Secure Boot protection updates in the future.
 

My Computers

System One System Two

  • OS
    Windows 11 Education For 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP ZBook G2
    CPU
    Intel® Core i7 5500u
    Motherboard
    HP
    Memory
    8 GB
    Graphics Card(s)
    Intel HD Family Graphics 5500 AMD Firepro 4150M
    Sound Card
    Realtek High Audio
    Hard Drives
    1 TB SSD
    Mouse
    HP USB Mouse
    Antivirus
    Windows Defender
  • Operating System
    Windows 11 Pro For Workstations 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Zbook G4
    CPU
    Xeon 1535m v6
    Motherboard
    HP
    Memory
    32 GB
    Graphics card(s)
    AMD Quadro Pro 4100
    Sound Card
    Bang and Olufson Audio
    Hard Drives
    1TB SSD
    Mouse
    HP USB Mouse
    Antivirus
    Windows Defender
You will remain on the 2011 secure boot certificate. Your PC will continue to boot normally after June 2026. All that will happen is you won't receive Secure Boot protection updates in the future.
That's false. If you only own CA 2011 certs (and have not added CA 2023 certs), then you can only run with CA 2011-signed boot files. When CA 2011 expires in October, MS cannot sign a newer boot file using this cert. At that point, anyone who only has CA 2011 is forever stuck on the last boot file version released before the signing window expired.

If you have added CA 2023 certs, you can also boot CA 2023-signed boot files, regardless of whether PCA 2011 was revoked or not. PCA 2011 is being revoked for separate security reasons, to block Black Lotus-based UEFI rootkits.

The UEFI only has one Platform Key (owned by the OEM). The PK can enroll multiple KEKs in parallel (from MS and other vendors). Each KEK can undersign multiple DBs. Assuming you didn't revoke PCA 2011, then you have two parallel cert chains: one for CA 2011, and one for CA 2023.

By adding CA 2023 and switching the boot manager (same file, different cert), you no longer care about CA 2011. Until CA 2011 is banned, @Autobahn's PC can use either signed version of the boot file.

The Windows migration process is done in three stages:

1. Everyone only has CA 2011 certs, and can only boot using CA 2011 boot manager.

2. Everyone adds the CA 2023 certs, allowing either version of the boot manager to run (if you need to boot from unpatched legacy media). But Windows switches to CA 2023 boot manager.

3. Everyone has both CA 2011 and CA 2023 certs, but CA 2011 is now banned. Unpatched legacy media is not allowed to boot in Secure Boot mode.

@Autobahn's PC, like the majority of Windows users, is in stage 2.
 

My Computer

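As an added example (not code from this thread, and not part of the Garlin update script it mentions), here is a PowerShell check that reports which of the three stages above a PC is in: it reads the KEK, db and dbx variables for the CA 2011 and CA 2023 certificates, reads which CA signed the boot manager on the EFI System Partition, and maps the result onto stage 1, 2 or 3 as defined in the post. It assumes an elevated prompt on a UEFI system, that `S:` is a free drive letter for mounting the ESP, and that the two registry values it reads are the Secure Boot servicing values Microsoft documents for the CA 2023 rollout (they are absent on builds that predate it, so they are treated as optional).

```powershell
#Requires -RunAsAdministrator
# Added example, not from this thread or from the Garlin script. Reports which CA
# chains the firmware trusts (KEK/db), whether PCA 2011 has been revoked (dbx),
# and which CA signed the installed boot manager, then maps that onto the three
# migration stages described in the thread.

$Esp = 'S:'   # assumption: an unused drive letter to mount the EFI System Partition on

function Get-SecureBootVarText {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. X.509 subject
    # names are stored as plain ASCII inside the DER, so a substring match is
    # enough to tell which CAs are enrolled. A missing variable yields ''.
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        return ''
    }
}

function Get-BootManagerSigner {
    # Mount the ESP, read the Authenticode signer of bootmgfw.efi, unmount again.
    # The leaf certificate is issued by whichever Windows CA the boot manager was
    # signed under, so the Issuer field names the chain in use.
    $path = Join-Path $Esp 'EFI\Microsoft\Boot\bootmgfw.efi'
    mountvol $Esp /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if (-not $sig.SignerCertificate) { return 'not signed / unreadable' }
        return "$($sig.SignerCertificate.Subject) (issued by $($sig.SignerCertificate.Issuer))"
    } finally {
        mountvol $Esp /D | Out-Null
    }
}

function Get-SecureBootStage {
    # Confirm-SecureBootUEFI throws on non-UEFI firmware; treat that as "off".
    $secureBootOn = try { Confirm-SecureBootUEFI } catch { $false }

    $kek = Get-SecureBootVarText -Name KEK
    $db  = Get-SecureBootVarText -Name db
    $dbx = Get-SecureBootVarText -Name dbx

    $report = [ordered]@{
        SecureBootEnabled    = $secureBootOn
        KEK_CA2011           = $kek -match 'Microsoft Corporation KEK CA 2011'
        KEK_CA2023           = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        DB_WindowsPCA2011    = $db  -match 'Microsoft Windows Production PCA 2011'
        DB_WindowsUEFICA2023 = $db  -match 'Windows UEFI CA 2023'
        DB_ThirdPartyCA2011  = $db  -match 'Microsoft Corporation UEFI CA 2011'
        DB_ThirdPartyCA2023  = $db  -match 'Microsoft UEFI CA 2023'
        DBX_PCA2011Revoked   = $dbx -match 'Microsoft Windows Production PCA 2011'
        BootManagerSigner    = Get-BootManagerSigner
    }

    # Optional: Microsoft's own rollout status values. Absent on older builds,
    # so missing keys are reported as 'n/a' rather than treated as an error.
    $sb  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $report.WindowsUEFICA2023Capable = if ($sb -and $null -ne $sb.WindowsUEFICA2023Capable) { $sb.WindowsUEFICA2023Capable } else { 'n/a' }
    $report.UEFICA2023Status         = if ($svc -and $svc.UEFICA2023Status) { $svc.UEFICA2023Status } else { 'n/a' }

    # Stage mapping from the thread: 1 = only CA 2011 in db; 2 = CA 2023 added,
    # PCA 2011 not yet in dbx; 3 = CA 2023 present and PCA 2011 revoked.
    $report.Stage = if (-not $report.DB_WindowsUEFICA2023) { 1 }
                    elseif (-not $report.DBX_PCA2011Revoked) { 2 }
                    else { 3 }

    return [pscustomobject]$report
}

Get-SecureBootStage | Format-List
```

Read the report before forcing a revocation: a stage-2 result with a boot manager whose issuer is still "Microsoft Windows Production PCA 2011" means the CA 2023-signed boot manager has not been switched in yet, and adding PCA 2011 to dbx at that point leaves the firmware with nothing it is willing to boot. A stage-3 result with a "Windows UEFI CA 2023" issuer is the end state the thread describes, where unpatched legacy media no longer boots with Secure Boot on.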
HP only updated my workstations to around 2021. They're out of support. And secure cert keys are stored in the BIOS not on Windows. I tested this and while I can load updated certificates, the BIOS won't apply them. Microsoft and OEMs would rather sell you a new PC than deal with the fact the majority of Windows users have no intention of giving up on perfectly capable hardware.
 

My Computers

Some higher-end HPs have Smart Start, which is an anti-rootkit protection mechanism that needs to be disabled in BIOS. Other HPs (and Dells) have a crappy older version of the BIOS which makes updating a hassle.

For some HP's, it may be possible to manually enroll the KEK CA 2023 using a local certificate file from the UEFI menu. The KEK file is not signed by HP, but by importing it from the BIOS, you're now trusting it. Once you have the KEK CA 2023, Windows or an update script can finish the rest of the job.

For other versions, you can delete all Secure Boot keys and enter "Setup Mode". When all the keys are cleared (especially the HP PK), then you can install a complete set of replacement certs. MS provides a Windows OEM Devices set of keys that can be used.

Just because it's a 2021 doesn't mean it can't be updated. But it will require manual intervention, and no way will HP support waste hours walking customers through how to perform this. But other users have successfully followed the update methods listed here.
 

My Computer

No, they're from the 2014-2015 era. The BIOSes were updated to around 2019 for the Ultrabook, 2023 for the workstation. They run the secure boot certificates by design and Microsoft and the OEMs know that disabling them would lead to mass breakage. I don't have the CA 2023 chain in my DB. Lots of legacy hardware simply won't receive a new BIOS.
 

My Computers

No sweat, just disable Secure Boot in UEFI firmware (aka BIOS) and you won't have to worry about certificates again. This implies that you keep Windows Defender updated and watch what you are doing online. No fooling around. Exactly what all users of unsupported computers do or those still running Windows 7 or even XP. Keep antivirus updated and use common sense.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 (5699), 25H2 (8457)
    Computer type
    Laptop
    Manufacturer/Model
    Acer Extensa 5630EZ
    CPU
    Mobile DualCore Intel Core 2 Duo T7250, 2000 MHz
    Motherboard
    Acer Extensa 5630
    Memory
    4GB
    Graphics Card(s)
    Mobile Intel(R) GMA 4500M (Mobile 4 series)
    Sound Card
    Realtek ALC268 @ Intel 82801IB ICH9 - High Definition Audio Controller
    Monitor(s) Displays
    1
    Screen Resolution
    1280x800
    Hard Drives
    Samsung SSD 850 EVO 250GB SATA Device (250 GB, SATA-III)
    Internet Speed
    VDSL 50 Mbps
    Browser
    MICROSOFT EDGE
    Antivirus
    WINDOWS DEFENDER
    Other Info
    Legacy MBR installation, no TPM, no Secure Boot, no WDDM 2.0 graphics drivers, no SSE4.2, cannot get more unsupported ;) This is only my test laptop. I had installed Windows 11 here before upgrading my main PC. For my main PC I use everyday see my 2nd system specs.
  • Operating System
    Windows 11 Pro v25H2 (build 26200.8457)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom-built PC
    CPU
    Intel Core-i7 3770 3.40GHz s1155 (3rd generation)
    Motherboard
    Asus P8H61 s1155 ATX
    Memory
    2x Kingston Hyper-X Blu 8GB DDR3-1600
    Graphics card(s)
    GIGABYTE GeForce RTX 3050 WINDFORCE OC V2 6GB (GV-N3050WF2OCV2-6GD)
    Sound Card
    Realtek HD audio (ALC887)
    Monitor(s) Displays
    Sony Bravia KDL-19L4000 19" LCD TV via VGA
    Screen Resolution
    1440x900 32-bit 60Hz
    Hard Drives
    WD Blue SA510 2.5 1000GB SSD as system disk, Western Digital Caviar Purple 4TB SATA III (WD40PURZ) as second
    PSU
    Thermaltake Litepower RGB 550W Full Wired
    Case
    SUPERCASE MIDI-TOWER
    Cooling
    Deepcool Gamma Archer CPU cooler, 1x 8cm fan at the back
    Keyboard
    Mitsumi 101-key PS/2
    Mouse
    Sunnyline OptiEye PS/2
    Internet Speed
    100Mbps
    Browser
    Microsoft Edge, Mozilla Firefox
    Antivirus
    Microsoft Windows Defender
    Other Info
    Legacy BIOS (MBR) installation, no TPM, no Secure Boot, WDDM 3.0 graphics drivers, WEI score 7.4
