Microsoft, in collaboration with our ecosystem partners, is preparing to roll out replacement certificates that’ll set new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) trust anchors in Secure Boot for the future. Look out for Secure Boot database updates rolling out in phases to add trust for the new database (DB) and Key Exchange Key (KEK) certificates. This new DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024…
Formal DB update steps
Apply the February 2024 (or later) security update.
Open a PowerShell console and ensure that PowerShell is running as an administrator before running the following commands:
Set the registry key to Set-ItemProperty -Path “HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot” -Name “AvailableUpdates” -Value 0x40Run the following scheduled task as Start-ScheduledTask -TaskName “\Microsoft\Windows\PI\Secure-Boot-Update”
Reboot the machine twice after running these commands to confirm that the machine is booting with the updated DB.
To verify that the Secure Boot DB update was successful, open a PowerShell console and ensure that PowerShell is running as an administrator before running the following command: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’..
* I wonder what can go wrong.
|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
-
Updating Microsoft Secure Boot keys
- This topic has 4 replies, 4 voices, and was last updated 7 months, 2 weeks ago by
.
AuthorViewing 1 reply threadAuthor-
* I wonder what can go wrong.
Holy Universe,
this is all they give while MODIFYING/TAMPERING the Secured Boot and UEFI ?
Is this a new Tryout and everyone is a GUINEAPIG
Indeed @.Alex5723 “what can/will go wrong” ??
Nice, Microsoft mentions their “EcoSystem-partners”, those terms sell best nowadays, though it’s nothing more than cleaning-up and repairing holes, they Hope.
* _ ... _ *1 user thanked author for this post.
-
@ Alex5723 I took the liberty to give Microsoft some opinion that they asked for, in a different environment, thus not Askwoody’s
Quote:
This is very bad, tampering with SecuredBoot and UEFI in this way, while most National States Security flaws/break-ins/data-thefts are orientated in this Bootenvironment related structures.
I think it’s a shame you do not give more and better info ABOUT YOUR vulnerabilities.
.
February 15, 2024.* _ ... _ *1 user thanked author for this post.
-
Be glad they aren’t rolling it out on Windows update.
I wouldn’t call it “tampering” though. They are trying to ensure that malcious actors don’t tamper with it.
Susan Bradley Patch Lady/Prudent patcher
1 user thanked author for this post.
-
-
Viewing 1 reply thread - This topic has 4 replies, 4 voices, and was last updated 7 months, 2 weeks ago by
Plus Membership
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Get Plus!
Recent Topics
-
Sometimes I wonder about these bots
by 5 hours, 35 minutes ago
-
Does windows update component store “self heal”?
by 11 hours, 39 minutes ago
-
Windows 11 Insider Preview build 27858 released to Canary
by 12 hours, 39 minutes ago
-
Pwn2Own Berlin 2025: Day One Results
by 12 hours, 4 minutes ago
-
Windows 10 might repeatedly display the BitLocker recovery screen at startup
by 8 hours, 34 minutes ago
-
Windows 11 Insider Preview Build 22631.5409 (23H2) released to Release Preview
by 15 hours, 21 minutes ago
-
Windows 10 Build 19045.5912 (22H2) to Release Preview Channel
by 15 hours, 22 minutes ago
-
Kevin Beaumont on Microsoft Recall
by 3 hours, 57 minutes ago
-
The Surface Laptop Studio 2 is no longer being manufactured
by 23 hours, 30 minutes ago
-
0Patch, where to begin
by 17 hours, 32 minutes ago
-
CFPB Quietly Kills Rule to Shield Americans From Data Brokers
by 1 day, 13 hours ago
-
89 million Steam account details just got leaked,
by 1 day ago
-
KB5058405: Linux – Windows dual boot SBAT bug, resolved with May 2025 update
by 1 day, 21 hours ago
-
A Validation (were one needed) of Prudent Patching
by 1 day, 12 hours ago
-
Master Patch Listing for May 13, 2025
by 23 hours, 47 minutes ago
-
Installer program can’t read my registry
by 6 hours, 27 minutes ago
-
How to keep Outlook (new) in off position for Windows 11
by 1 day, 10 hours ago
-
Intel : CVE-2024-45332, CVE-2024-43420, CVE-2025-20623
by 1 day, 17 hours ago
-
False error message from eMClient
by 2 days, 8 hours ago
-
Awoke to a rebooted Mac (crashed?)
by 2 days, 17 hours ago
-
Office 2021 Perpetual for Mac
by 2 days, 19 hours ago
-
AutoSave is for Microsoft, not for you
by 5 hours, 43 minutes ago
-
Difface : Reconstruction of 3D Human Facial Images from DNA Sequence
by 2 days, 22 hours ago
-
Seven things we learned from WhatsApp vs. NSO Group spyware lawsuit
by 6 hours, 3 minutes ago
-
Outdated Laptop
by 3 days, 4 hours ago
-
Updating Keepass2Android
by 3 days, 9 hours ago
-
Another big Microsoft layoff
by 3 days, 9 hours ago
-
PowerShell to detect NPU – Testers Needed
by 11 hours, 16 minutes ago
-
May 2025 updates are out
by 12 hours, 58 minutes ago
-
Windows 11 Insider Preview build 26200.5600 released to DEV
by 3 days, 15 hours ago
Remembering Woody
