Windows 11 UEFI Secure Boot: Updating Microsoft Secure Boot Keys - dcasota/Lenovo83BY GitHub Wiki
Updating the Microsoft Secure Boot keys as soon as possible is not an easy path. This page started as a question at https://learn.microsoft.com/en-us/answers/questions/2153845/windows-11-double-checking-updated-microsoft-secur, after reading quite a few internet entries about CVE-2023-24932, KB5036210 and more.
Windows 11 Double-checking updated Microsoft Secure Boot keys
In https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324 there is a recipe containing three steps for the Microsoft Secure Boot keys update process:
Step 1) Install the updated certificate definitions to the DB
Step 2) Update the Boot Manager on your device
Step 3) Enable revocation
Step 1: Add Microsoft Windows UEFI CA 2023 to system DB
The first DB update adds the Microsoft Windows UEFI CA 2023 to the system DB (the Secure Boot allowed-signature database). The new Windows UEFI CA 2023 is used to sign Windows boot components before the Windows Production PCA 2011 expires. Before the update, the check returns False.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
False
Apply the AvailableUpdates setting from an elevated prompt and reboot twice.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
# reboot twice
Check again.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
True
Step 2: Update the Boot Manager on device
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
# Reboot twice
Check the file's Properties > Digital Signatures tab for 'Windows UEFI CA 2023', or read the signer certificate of the boot manager on the ESP with PowerShell:
mountvol s: /S
$cert = Get-PfxCertificate -FilePath "S:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
$cert.GetExpirationDateString()
20.08.2025 21:30:17
mountvol s: /D
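As an added example (not part of the wiki and not Microsoft's tooling), the following PowerShell function performs the Step 1 and Step 2 checks from above in one pass when run from an elevated prompt: it confirms that Secure Boot is enforcing, looks for the 2023 CA and the 2011 PCA in the db variable, reads the AvailableUpdates value to see whether the 0x40 (DB) or 0x100 (boot manager) work is still queued, and reads the Authenticode signer of the boot manager files on the ESP with Get-AuthenticodeSignature, which also validates the signature rather than only extracting the certificate as Get-PfxCertificate does. Assumptions: the drive letter S: is free to mount the ESP on, and the BitLocker module is present (it is skipped otherwise). The registry path, the bit values and the file paths are the ones used above.

```powershell
# Added example, not part of the wiki: one verification pass over the results of Step 1 and
# Step 2, run from an elevated PowerShell. Assumption: S: is free to mount the ESP on.
function Test-SecureBootKeyUpdate {
    [CmdletBinding()]
    param([string]$EspLetter = 'S')

    $result = [ordered]@{}

    # Without Secure Boot enforcing, the db content says nothing about what the firmware loads
    $result.SecureBootEnabled = Confirm-SecureBootUEFI

    # Step 1: the 2023 Windows CA must be in the allowed-signature database (db).
    # A string match is crude (DER is binary) but the CA names are ASCII and distinctive enough.
    $dbText = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.DbHasWindowsUefiCa2023 = $dbText -match 'Windows UEFI CA 2023'
    $result.DbHasProductionPca2011 = $dbText -match 'Windows Production PCA 2011'

    # Work the servicing task still has queued: 0x40 = db update, 0x100 = boot manager update
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' `
                            -Name AvailableUpdates -ErrorAction SilentlyContinue
    $pending = if ($reg) { [int]$reg.AvailableUpdates } else { 0 }
    $result.AvailableUpdates         = '0x{0:X}' -f $pending
    $result.DbUpdatePending          = ($pending -band 0x40)  -ne 0
    $result.BootManagerUpdatePending = ($pending -band 0x100) -ne 0

    # Step 2: the firmware loads the boot manager from the ESP, so check the copies there,
    # not the ones under C:\. Get-AuthenticodeSignature validates the signature as well.
    $mountedHere = $false
    try {
        if (-not (Test-Path "${EspLetter}:\")) {
            mountvol "${EspLetter}:" /S | Out-Null
            $mountedHere = $true
        }
        foreach ($file in 'EFI\Microsoft\Boot\bootmgfw.efi',
                          'EFI\Microsoft\Boot\bootmgr.efi',
                          'EFI\Boot\bootx64.efi') {
            $path = Join-Path "${EspLetter}:\" $file
            if (-not (Test-Path $path)) { $result[$file] = 'missing'; continue }
            $sig    = Get-AuthenticodeSignature -FilePath $path
            $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '<unsigned>' }
            $result[$file] = '{0}; issuer={1}; 2023CA={2}' -f $sig.Status, $issuer,
                             ($issuer -match 'Windows UEFI CA 2023')
        }
    } finally {
        if ($mountedHere) { mountvol "${EspLetter}:" /D | Out-Null }
    }

    # BitLocker context: a TPM protector bound to PCR 7 measures the Secure Boot policy
    # (PK, KEK, db, dbx), so keep the recovery password at hand while db changes.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        $result.BitLockerProtection = $vol.ProtectionStatus
    }

    [pscustomobject]$result
}

Test-SecureBootKeyUpdate | Format-List
```

After Step 1 the DbHasWindowsUefiCa2023 field should be True and DbUpdatePending False; after Step 2 all three ESP entries should report Status Valid with 2023CA=True and BootManagerUpdatePending False. If the script mounted the ESP itself it unmounts it again, so the machine is left as it was found.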
Step 3: Enable Revocation (Prephase)
Before processing Step 3 'enable revocation', I want to be 100% sure that the system has been updated properly, because the documentation might not double-check all possible permutations.
Who can help me with this? The following contains information, checks of the certificates on the ESP, on the system partition and on the recovery partition, and questions.
Check of certificates on ESP
First, in Step 2, the check of the certificate of "EFI\Microsoft\Boot\bootmgfw.efi" on the ESP was successful, because it shows 'Windows UEFI CA 2023' as the issuer.
mountvol s: /S
$cert = Get-PfxCertificate -FilePath "S:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
$cert.GetExpirationDateString()
20.08.2025 21:30:17
mountvol s: /D
The other files on the ESP seem okay as well. One question concerns the BOOT.SDI file:
Question 1: Why does it ask for a password when running Get-PfxCertificate?
BOOT.SDI is a RAM disk image, not a signed PE file. Get-PfxCertificate is a cmdlet for PFX/PKCS#12 files; it only works on .efi files because the underlying X509Certificate2 loader extracts the Authenticode signer certificate from a PE file. For any other file type it treats the input as a PFX container and prompts for the import password. Get-AuthenticodeSignature is the cmdlet intended for checking signed binaries, and it reports the signature status as well as the signer certificate.
mountvol s: /S
# BOOT.SDI has a password?
$cert = Get-PfxCertificate -FilePath "S:\BOOT\BOOT.SDI"
Enter password:
# s:\EFI\Microsoft\Boot\bootmgfw.efi
$cert = Get-PfxCertificate -FilePath "s:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
$cert = Get-PfxCertificate -FilePath "s:\EFI\Microsoft\Boot\bootmgr.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
$cert = Get-PfxCertificate -FilePath "s:\EFI\Microsoft\Boot\SecureBootRecovery.efi"
$cert.Issuer
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
mountvol s: /D
The Windows 11 installation is on a laptop with two disks, 0 and 1.
diskpart > list disk
  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          953 GB   953 GB        *
  Disk 1    Online         3726 GB      0 B        *
Windows 11 is installed on disk 1.
diskpart > list volume
  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C   Windows-SSD  NTFS   Partition   3723 GB  Healthy    Boot
  Volume 1         SYSTEM_DRV   FAT32  Partition    260 MB  Healthy    System
  Volume 2         WINRE_DRV    NTFS   Partition   2047 MB  Healthy    Hidden
The EFI System Partition (SYSTEM_DRV) is on disk 1; the bootx64.efi check further below mounts it as disk 1, partition 1. The script below locates it by its GPT partition type GUID. Note that the original version of this script matched the Microsoft basic data partition GUID (EBD0A0A2-B9E5-4433-87C0-68B6B72699C7) instead of the EFI System Partition GUID (C12A7328-F81F-11D2-BA4B-00A0C93EC93B) and printed the zero-based index of the partition within the Get-Partition output rather than its PartitionNumber; both are corrected here.
# Find every EFI System Partition by its GPT partition type GUID.
# Get-Partition returns GptType as a string in braces, so match on the GUID text.
$UEFIPartitionsArray = @()
foreach ($partition in (Get-Partition -ErrorAction SilentlyContinue)) {
    if ($partition.GptType -imatch 'C12A7328-F81F-11D2-BA4B-00A0C93EC93B') {
        # Report the real disk and partition numbers, as used by Set-Partition below
        $UEFIPartitionsArray += "$($partition.DiskNumber),$($partition.PartitionNumber)"
    }
}
Write-Output $UEFIPartitionsArray
The BCD output shows the Windows Boot Manager entry with its device set to C:
bcdedit /enum
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=C:
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  en-us
inherit                 {globalsettings}
isolatedcontext         Yes
default                 {current}
resumeobject            {eaa42b36-d5fa-11ef-8d61-b73d7aac6eb7}
displayorder            {current}
                        {73cf08be-8d26-11ef-b186-00d49e89c870}
toolsdisplayorder       {memdiag}
timeout                 0
displaybootmenu         No

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 11
locale                  en-us
inherit                 {bootloadersettings}
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {eaa42b36-d5fa-11ef-8d61-b73d7aac6eb7}
nx                      OptIn
bootmenupolicy          Standard

Windows Boot Loader
-------------------
identifier              {73cf08be-8d26-11ef-b186-00d49e89c870}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 11
locale                  de-DE
inherit                 {bootloadersettings}
recoverysequence        {73cf08c0-8d26-11ef-b186-00d49e89c870}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {73cf08bd-8d26-11ef-b186-00d49e89c870}
nx                      OptIn
bootmenupolicy          Standard
hypervisorlaunchtype    Auto
Disk 1 contains the EFI System Partition. As a double check: yes, EFI\Boot\bootx64.efi there is signed with the 2023 certificate as well.
# Check certificate of bootx64.efi on uefi partition
Set-Partition -DiskNumber 1 -PartitionNumber 1 -NewDriveLetter Z
$cert = Get-PfxCertificate -FilePath "Z:\EFI\Boot\bootx64.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
$cert.GetExpirationDateString()
20.08.2025 21:30:17
Remove-PartitionAccessPath -DiskNumber 1 -PartitionNumber 1 -AccessPath "Z:"
Check of certificates on system partition
Question 2: On the system partition C:, why are the boot executables signed with 'Microsoft Windows Production PCA 2011' only and not with a 2023 certificate? How can that be changed manually?
# Check certificate of "c:\EFI\Microsoft\Boot\bootmgfw.efi" on system partition
$cert = Get-PfxCertificate -FilePath "c:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert.GetExpirationDateString()
11.09.2025 22:04:06
# Check certificate of recovery app "C:\windows\boot\efi\securebootrecovery.efi" on system partition
$cert = Get-PfxCertificate -FilePath "C:\windows\boot\efi\securebootrecovery.efi"
$cert.Issuer
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert.GetExpirationDateString()
11.09.2025 22:04:06
Check of certificates on recovery partition
Question 3: Disk 1 contains a recovery partition. Why are the relevant boot executables there signed with 'Microsoft Windows Production PCA 2011' only and not with a 2023 certificate? How can that be changed manually?
# Check certificate of winre.wim on recovery partition
Set-Partition -DiskNumber 1 -PartitionNumber 4 -NewDriveLetter Z
# cd z:
# Get-ChildItem -Force
$cert = Get-PfxCertificate -FilePath "Z:\Recovery\WindowsRE\winre.wim"
$cert.Issuer
CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert.GetExpirationDateString()
21.06.2027 19:43:35
Remove-PartitionAccessPath -DiskNumber 1 -PartitionNumber 4 -AccessPath "Z:"
Question 4: Currently, creating a recovery drive on USB media fails with "Cannot create a recovery drive on this PC". How can this be fixed?
reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

    Windows RE status:         Disabled
    Windows RE location:
    Boot Configuration Data (BCD) identifier: 73cf08c0-8d26-11ef-b186-00d49e89c870
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

REAGENTC.EXE: Operation Successful.
The following crude scan of the db variable finds 8 occurrences of 'Microsoft Corporation', not 8 Microsoft certificates: the string appears in both the issuer name and the subject name of each certificate, so three Microsoft certificates account for most of the hits (the laptop vendor's certificates are present in addition). The scan simply prints the 52 characters starting at each match; the output is garbled by the binary DER encoding, but it is sufficient to recognise the Windows Production PCA 2011, the Microsoft Corporation UEFI CA 2011 and the Windows UEFI CA 2023.
# Get the Secure Boot UEFI db variable as an ASCII string (the binary DER data becomes garbage characters)
$secureBootDB = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)
# Substring to search for
$substring = "Microsoft"
# Array for the results
$results = @()
# Find every occurrence of the substring and keep the 52 characters starting there
$position = 0
while ($position -ne -1) {
    $position = $secureBootDB.IndexOf($substring, $position)
    if ($position -ne -1) {
        $length = 52
        $result = $secureBootDB.Substring($position, [math]::Min($length, $secureBootDB.Length - $position))
        if ($result -ilike '*Microsoft Corporation*') {
            $results += $result
        }
        $position += $substring.Length
    }
}
# Display the results
$results
Microsoft Corporation1200U)Microsoft Root Certi
Microsoft Corporation1.0,U%Microsoft Windows Pr
Microsoft Corporation1;09U2Microsoft Corporatio
Microsoft Corporation Third Party Marketplace Root0
Microsoft Corporation1+0)U"Microsoft Corporatio
Microsof*?H??poration UEFI CA 20110?"0
Microsoft Corporation1200U)Microsoft Root Certi
Microsoft Corporation10Windows UEFI CA 2023
A better solution is to use Get-UEFIDatabaseSignatures.ps1 from https://github.com/cjee21/Check-UEFISecureBootVariables/, which parses the signature lists in the variable and returns the certificates as objects.
Import-Module .\Get-UEFIDatabaseSignatures.ps1
(Get-SecureBootUEFI -Name db | Get-UEFIDatabaseSignatures).SignatureList.SignatureData | Select-Object {$_.Issuer + " : " + $_.Subject}
CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US : CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation Third Party Marketplace Root, O=Microsoft Corporation, L=Redmond, S=Washington, C=US : CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=[vendor-specific] : CN=[vendor-specific]
CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US : CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
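The external script works because the PK, KEK, db and dbx variables are not free-form blobs but a sequence of EFI_SIGNATURE_LIST structures, each carrying a type GUID, three sizes and an array of EFI_SIGNATURE_DATA entries (owner GUID plus payload). As an added example that is neither the wiki's nor Check-UEFISecureBootVariables' code, here is a minimal parser for that format, together with a builder used only to construct an offline test input: a self-signed certificate as a db-style X.509 entry and two SHA-256 hashes as a dbx-style list. The certificate subject, the hashed strings and the empty owner GUID in the sample are made up for the test; the type GUIDs are the ones from the UEFI specification. On a machine with Secure Boot the last part lists the real db and reports whether the three Microsoft CAs discussed on this page are present.

```powershell
# Added example, neither the wiki's nor Check-UEFISecureBootVariables' code: a minimal parser for the
# EFI_SIGNATURE_LIST format that the PK, KEK, db and dbx variables use, with a builder that constructs
# an offline test input. Only the X.509 and SHA-256 entry types are decoded; other types are listed raw.
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function ConvertFrom-EfiSignatureDatabase {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end      = $offset + $listSize
        if ($listSize -lt 28 -or $end -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Corrupt EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID, then SignatureSize-16 bytes of payload
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{ Type = ''; Owner = $owner; Subject = $null; Issuer = $null; NotAfter = $null; Thumbprint = $null }
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type = 'X509'; $entry.Subject = $cert.Subject; $entry.Issuer = $cert.Issuer
                $entry.NotAfter = $cert.NotAfter; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $entry.Type = 'SHA256'; $entry.Thumbprint = -join ($data | ForEach-Object { $_.ToString('x2') })
            } else {
                $entry.Type = $type.ToString()
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

function New-EfiSignatureList {
    # Builds one EFI_SIGNATURE_LIST (no signature header) from same-sized signatures
    param([Parameter(Mandatory)][guid]$Type, [Parameter(Mandatory)][System.Collections.IList]$Signatures)
    $sigSize = 16 + $Signatures[0].Length
    $out = [System.Collections.Generic.List[byte]]::new()
    $out.AddRange($Type.ToByteArray())
    $out.AddRange([BitConverter]::GetBytes([uint32](28 + $sigSize * $Signatures.Count)))
    $out.AddRange([BitConverter]::GetBytes([uint32]0))          # SignatureHeaderSize
    $out.AddRange([BitConverter]::GetBytes([uint32]$sigSize))
    foreach ($sig in $Signatures) {
        $out.AddRange([guid]::Empty.ToByteArray())               # SignatureOwner, irrelevant here
        $out.AddRange([byte[]]$sig)
    }
    return ,$out.ToArray()
}

# Constructed test input (not real firmware data): a self-signed certificate as a db-style X.509
# entry, followed by a dbx-style list of two SHA-256 hashes of made-up strings.
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Example Windows UEFI CA', [System.Security.Cryptography.RSA]::Create(),
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$testCert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow, [DateTimeOffset]::UtcNow.AddYears(1))
$der      = $testCert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$hashes   = foreach ($s in 'bootmgfw-old', 'bootmgfw-older') { , $sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes($s)) }
$sample   = [byte[]]((New-EfiSignatureList -Type $EFI_CERT_X509_GUID   -Signatures (, $der)) +
                     (New-EfiSignatureList -Type $EFI_CERT_SHA256_GUID -Signatures $hashes))

$parsed = @(ConvertFrom-EfiSignatureDatabase -Bytes $sample)
if ($parsed.Count -ne 3 -or $parsed[0].Thumbprint -ne $testCert.Thumbprint -or $parsed[2].Type -ne 'SHA256') {
    throw 'Self-check on the constructed sample failed'
}

# On the real machine (elevated): what is in db, and are the three Microsoft CAs this page discusses there?
if (Get-Command Get-SecureBootUEFI -ErrorAction SilentlyContinue) {
    $db = @(ConvertFrom-EfiSignatureDatabase -Bytes (Get-SecureBootUEFI -Name db).Bytes)
    $db | Format-Table Type, Subject, NotAfter -AutoSize | Out-Host
    foreach ($ca in 'Microsoft Windows Production PCA 2011', 'Microsoft Corporation UEFI CA 2011', 'Windows UEFI CA 2023') {
        '{0,-40} in db: {1}' -f $ca, [bool]($db | Where-Object { $_.Subject -like "CN=$ca,*" })
    }
}
```

The same function works on dbx (pass (Get-SecureBootUEFI -Name dbx).Bytes), where the entries are SHA-256 hashes of revoked binaries and X.509 certificates of revoked CAs; after Step 3 'enable revocation' one would expect the Windows Production PCA 2011 to show up there as an X509 entry. Because every entry is matched on the full subject rather than a substring of the raw bytes, the count is the number of certificates, not the number of times 'Microsoft Corporation' occurs.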
Question 5: Will Step 3 'enable revocation' also remove the 'Microsoft Corporation UEFI CA 2011' entry (shown garbled as 'Microsof*?H??poration UEFI CA 2011' in the raw scan above), or must it be removed manually? How?
I've checked Microsoft ISO builds:
- https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewiso, Windows 11 Client Insider Preview - Build 27774 English 64bit: Windows11_InsiderPreview_Client_x64_en-us_27774.iso. For instance, \efi\boot\bootx64.efi is signed with CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US only.
- The Windows ISO created by the Media Creation Tool https://go.microsoft.com/fwlink/?linkid=2156295 does not contain UEFI CA 2023 signed boot loader bits either.
Reassign the Windows Recovery environment
Currently, the recovery bits are not signed with the UEFI CA 2023. Apart from that, the recovery partition seems okay, but it is no longer assigned.
This can be changed by specifying disk and partition. In my case it is disk 1 and partition 4: reagentc /setreimage /path \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE
PS C:\Windows\System32> reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

    Windows RE status:         Disabled
    Windows RE location:
    Boot Configuration Data (BCD) identifier: 73cf08c0-8d26-11ef-b186-00d49e89c870
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

REAGENTC.EXE: Operation Successful.
PS C:\Windows\System32> reagentc /enable
REAGENTC.EXE: The Windows RE image was not found.
PS C:\Windows\System32> reagentc /setreimage /path \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE
Directory set to: \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE
REAGENTC.EXE: Operation Successful.
PS C:\Windows\System32> reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

    Windows RE status:         Disabled
    Windows RE location:
    Boot Configuration Data (BCD) identifier: 73cf08c0-8d26-11ef-b186-00d49e89c870
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

REAGENTC.EXE: Operation Successful.
PS C:\Windows\System32> reagentc /enable
REAGENTC.EXE: Operation Successful.
PS C:\Windows\System32> reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:

    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 256ff03d-e333-11ef-b243-00d49e89c870
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

REAGENTC.EXE: Operation Successful.
After this manual step, RecoveryDrive.exe no longer fails, and a USB recovery medium can be created again.
Microsoft BitLocker Secure Boot vulnerability
On January 17th 2025, neodyme.io published a blog entry (the wiki also links a PDF version of it) about a Microsoft BitLocker vulnerability related to Secure Boot. The key protectors on this laptop show why it matters here: the TPM protector validates PCR 7 and 11, i.e. BitLocker relies on Secure Boot for its integrity check, so changes to the Secure Boot policy are exactly what it is sensitive to. A numerical password protector with its backups is in place as the fallback; make sure such a recovery password is backed up before applying the DB and boot manager updates.
manage-bde -protectors -get $env:systemdrive
BitLocker Drive Encryption: Configuration Tool version 10.0.26100
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: [Windows-SSD]
All Key Protectors

    TPM:
      ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
      PCR Validation Profile:
        7, 11
        (Uses Secure Boot for integrity validation)

    Numerical Password:
      ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
      Password:
        xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx-xxxxxx
      Backup type:
        Microsoft account backup
        Azure AD backup
        Saved to file

    External Key:
      ID: {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}
      External Key File Name:
        xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.BEK
Web links
Microsoft Support and Tech Community
[1] https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
[2] https://support.microsoft.com/en-gb/topic/kb5036210-deploying-windows-uefi-ca-2023-certificate-to-secure-boot-allowed-signature-database-db-a68a3eae-292b-4224-9490-299e303b450b
[3] https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324
[4] https://techcommunity.microsoft.com/blog/hardwaredevcenter/updated-uefi-signing-requirements/1062916
[5] https://support.microsoft.com/en-us/topic/kb5025175-updating-the-winre-partition-on-deployed-devices-to-address-security-vulnerabilities-in-cve-2022-41099-ba6621fa-5a9f-48f1-9ca3-e13eb56fb589
[6] https://support.microsoft.com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f
Microsoft Learn and GitHub
[1] https://github.com/microsoft/secureboot_objects
[2] https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11
[3] https://learn.microsoft.com/en-us/previous-versions/windows/drivers/bringup/boot-and-uefi
[4] https://learn.microsoft.com/en-us/windows-hardware/drivers/install/preproduction-driver-signing-and-install
Various blog entries
[1] https://borncity.com/win/2024/08/07/attention-microsofts-uefi-certificate-expires-on-oct-19-2026-secure-boot-affected/
[2] https://www.borncity.com/blog/2024/08/22/microsoft-uert-sich-zu-per-windows-august-2024-update-lahm-gelegtem-linux-boot/
[3] https://www.deskmodder.de/blog/2025/01/30/cve-2023-24932-windows-bootmedium-sollte-aktualisiert-werden-wegen-secure-boot-aenderungen/
[4] https://garytown.com/powershell-script-kb5025885-how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932
[5] https://superuser.com/questions/1867093/setting-up-secure-dual-boot-w-tpm2-and-whole-disk-hardware-encryption-for-ope
[6] https://www.anoopcnair.com/powershell-script-to-update-winre-fix-bitlocker/
[7] https://www.borncity.com/blog/2025/02/05/windows-10-11-kb5053484-neues-ps-script-fuer-zertifikate-in-boot-medien/