Solved updating Secure Boot certificates for Dell G5 15 5500

Autobahn · Mar 1, 2026

I have just come across this issue and from what I've read my laptop will not be updated by bios or Windows updates (I could be wrong).
Secure boot is enabled.
Bitlocker is off
I use incontrol.exe to keep my current version of windows but I still receive security updates.

I'm no computer expert and I've read about scripts that are available to update the secure boot certificates but I'm worried about bricking my laptop.
Can someone let me know what I should be doing?
Will incontrol.exe cause any problems?

Thank you.

antspants · Mar 1, 2026

Hi.

garlin's PowerShell scripts for updating Secure Boot CA 2023

INTRO For the last two months, I've been working on new PowerShell scripts to automate the Secure Boot CA 2023 update process. A number of contributed scripts or guides presented on various ElevenForum threads (including a few of my earlier scripts) are lacking in clarity. There's simply too...

www.elevenforum.com

Autobahn · Mar 1, 2026

I ran: Check_UEFI-CA2023.ps1

Option 1: Do nothing
Option 2: Install [UEFI CA 2023] certs without revoking the [PCA 2011] cert
Option 3: Install [UEFI CA 2023] certs and revoke the [PCA 2011] cert

What does it mean if I revoke or not the [PCA 2011] cert?

Install SkuSiPolicy.p7b - What does this mean?

Will incontrol.exe cause an issue if updating the certs?

spapakons · Mar 1, 2026

As long as you don't use Secure Boot, it doesn't matter if you have old version (2011) or new version (2023) certificates. This only matters when you have Secure Boot enabled. For all of us with old version certificates or no certificates at all, just keep Secure Boot disabled you we can load Windows 11 as normal.

Autobahn · Mar 1, 2026

spapakons said:
As long as you don't use Secure Boot, it doesn't matter if you have old version (2011) or new version (2023) certificates. This only matters when you have Secure Boot enabled. For all of us with old version certificates or no certificates at all, just keep Secure Boot disabled you we can load Windows 11 as normal.

I do have Secure Boot enabled.
I'll turn it off then?

antspants · Mar 1, 2026

Autobahn said:
I ran: Check_UEFI-CA2023.ps1

Option 1: Do nothing
Option 2: Install [UEFI CA 2023] certs without revoking the [PCA 2011] cert
Option 3: Install [UEFI CA 2023] certs and revoke the [PCA 2011] cert

What does it mean if I revoke or not the [PCA 2011] cert?

Install SkuSiPolicy.p7b - What does this mean?

Will incontrol.exe cause an issue if updating the certs?

Do you have the full results, looks similar to this:

Code:

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Autobahn · Mar 1, 2026

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 0
[Windows UEFI CA 2023] not in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.

REQUIRED ACTION
===============

OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2: To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5bc4 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

To install SkuSiPolicy.p7b, run the command:
Update_UEFI-CA2023.ps1 -SkuSiPolicy

PS C:\WINDOWS\system32>

antspants · Mar 1, 2026

So you haven’t tried running the other file, Update_UEFI-CA2023.ps1

Your laptop was produced in 2020, my last bios update was around 2015, I built the PC in 2013.
The results I posted above, are from running the scripts in that thread.

Sorry, I know noting of incontrol

Autobahn · Mar 1, 2026

I don't think my laptop will be one that will get a bios update that will include [UEFI CA 2023].

antspants said:
So you haven’t tried running the other file, Update_UEFI-CA2023.ps1

Your laptop was produced in 2020, my last bios update was around 2015, I built the PC in 2013.
The results I posted above, are from running the scripts in that thread.

Sorry, I know noting of incontrol

No, I've not tried Update_UEFI-CA2023.ps1
Worried something might go wrong.

Autobahn · Mar 1, 2026

So when using the script: Update_UEFI-CA2023.ps1
Will this do the same as if I had the update from Windows Update?

pseymour · Mar 1, 2026

antspants said:
Sorry, I know noting of incontrol

InControl is Steve Gibson’s utility to set the TargetReleaseSomethingSomething registry entries, so you’re frozen at a certain feature update. People tend to think it’s magical, but it’s just a one-trick regedit pony.

Autobahn · Mar 1, 2026

pseymour said:
pseymour said:

InControl is Steve Gibson’s utility to set the TargetReleaseSomethingSomething registry entries, so you’re frozen at a certain feature update. People tend to think it’s magical, but it’s just a one-trick regedit pony.

Click to expand...

It's magical for me.

garlin · Mar 1, 2026

Autobahn said:
I ran: Check_UEFI-CA2023.ps1

Option 1: Do nothing

When the script reports you have the choice to "Do nothing", Windows can perofmr the Secure Boot updates by itself (at later date).
The last BIOS update for this PC was Nov. 2024, so it's probably got the required Secure Boot keys in the BIOS image.

Autobahn said:
What does it mean if I revoke or not the [PCA 2011] cert?

Revoking the CA 2011 cert increases the security of Secure Boot, by banning older boot files. But you shouldn't take this step until you're prepared.

Prepared means if you have a Windows install ISO or Macrium (or other backup tool) bootable recovery drives, you have performed steps to update those USB drives. Windows will eventually revoke the PCA 2011 later this year, whether you want to or not.

If you don't know to update them, you can always temporarily disable Secure Boot (from BIOS) before re-installing Windows or restoring from an old backup. Afterwards, you can re-enable Secure Boot.

Autobahn said:
Will incontrol.exe cause an issue if updating the certs?

InControl is not involved in the Secure Boot update deployment, as it only prevents Windows Update from installing a feature upgrade. For example, 24H2 -> 25H2.

antspants · Mar 1, 2026

Autobahn said:
It's magical for me.

Specify Target Feature Update Version in Windows 11

This tutorial will show you how to specify a TargetReleaseVersion version of Windows 11 you want to move to or stay on in Windows Update until it reaches end of service in Windows 11 Pro, Enterprise, or Education. Windows Update keeps Windows 11 updated by automatically downloading and...

www.elevenforum.com

spapakons · Mar 1, 2026

I agree to manually install the new version of the certificates if possible, but DON'T revoke the old version unless you are 100% sure you won't have any old USB flash drives to boot from.

garlin · Mar 1, 2026

spapakons said:
I agree to manually install the new version of the certificates if possible, but DON'T revoke the old version unless you are 100% sure you won't have any old USB flash drives to boot from.

The workaround has always been to temporarily disable Secure Boot. Do your thing, and re-enable Secure Boot.

Autobahn · Mar 1, 2026

garlin said:
When the script reports you have the choice to "Do nothing", Windows can perofmr the Secure Boot updates by itself (at later date).
The last BIOS update for this PC was Nov. 2024, so it's probably got the required Secure Boot keys in the BIOS image.

Is it a guarantee that I will get a Secure Boot update via Windows Update in the coming months?

If I update using your script (thank you by the way for putting the work in) is the certificate exactly the same that I would receive in Windows Update?

garlin · Mar 1, 2026

The script follows the same steps as the Windows process, the main difference is everything happens immediately and you'll know it worked (or failed). Windows takes a few seconds for part of it, and then mysteriously takes a longer time to finish the other steps.

By default, the script will only do the first half (adding CA 2023 certs), but it won't revoke the CA 2011 unless you ask it to. You can always re-run the script, it will finish whatever steps were not completed before. There's extensive sanity checking in the script so it doesn't do the "wrong thing" if there's an error.

Autobahn · May 13, 2026

I've put off updating the secure boot certificate but have just done it.
It looks like it went well. Can someone let me know if everything looks ok:

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING.

REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Autobahn · May 13, 2026

revoke the [PCA 2011] cert: This will be done by a Windows Update in the coming weeks?
I can run another Garlin script which will do this but I can also just wait for the Windows Update?

Solved updating Secure Boot certificates for Dell G5 15 5500

Member

My Computer

Like a rolling drone.

My Computers

Member

My Computer

Well-known member

My Computers

Member

My Computer

Like a rolling drone.

My Computers

Member

My Computer

Like a rolling drone.

My Computers

Member

My Computer

Member

My Computer

putting the mental back in experimental

My Computer

Member

My Computer

Well-known member

My Computer

Like a rolling drone.

My Computers

Well-known member

My Computers

Well-known member

My Computer

Member

My Computer

Well-known member

My Computer

Member

My Computer

Member

My Computer

Similar threads