10-23-2025 08:37 AM - edited 10-23-2025 08:41 AM
Hi everyone,
https://support.microsoft.com/topic/1db237d8-9f3b-4218-9515-3e0a32729685
- Secure Boot Windows UEFI CA 2023 Updater :
Check/Update Process :
Check Windows UEFI CA 2023 Update Status/Capable : Right click on "Check.cmd" > Run as administrator
Windows UEFI CA 2023 Update Status :
NotStarted – The update has not yet run.
InProgress – The update is actively in progress.
Updated – The update has completed successfully.
Windows UEFI CA 2023 Update Capable :
0x0 – Windows UEFI CA 2023 certificate is not in the DB (or key does not exist).
0x1 – Windows UEFI CA 2023 certificate is in the DB.
0x2 – Windows UEFI CA 2023 certificate is in the DB and the system is starting from the 2023 signed boot manager.
Update Windows UEFI CA 2023 :
- Right click on "1-Setup.cmd" > Run as administrator > Close the command prompt window
- Right click on "2-Update.cmd" > Run as administrator > Close the command prompt window
- Right click on "Check.cmd" > Run as administrator > Check that Windows UEFI CA 2023 Update Status is InProgress > Close the command prompt window > Wait 5 minutes then restart your PC
- Right click on "Check.cmd" > Run as administrator > Check that Windows UEFI CA 2023 Update Status is InProgress > Close the command prompt window > Wait 5 minutes then restart your PC
- Right click on "Check.cmd" > Run as administrator :- If the Windows UEFI CA 2023 Update Status is still InProgress : Right click on "2-Update.cmd" > Run as administrator > Close the command prompt window > Wait 5 minutes then restart your PC (redo as much as necessary)
- If the Windows UEFI CA 2023 Update Status is Updated and the Windows UEFI CA 2023 Update Capable is 0x2 : Right click on "3-Cleanup.cmd" > Run as administrator > Close the command prompt window > Done.
OS requirements : Windows 10 build 19044.6456/19045.6456 or more recent | Windows 11 build 26100.6899/26200.6899 or more recent.
10-24-2025 05:34 AM
Hi there,
thank you very much for the great tutorial. It worked well on three of my four computers. But I just cannot make it work on the fourth one. I updated to the newest BIOS version which was published because of those new certificates a while back and there is no newer update available. So everything is up to date there. I also have the newest Windows 11 25H2 up and running.
I have the following entries in the relevant registry keys: "not started" and "1".
But when I change the registry key to 0x5944 and run the task, it doesn't switch to in progress; it stays on not started, and after a few seconds the task ends with the error 0xC0000005.
Even if I restart with the registry key set to 0x5944 nothing happens.
When I go back to the original setting of the registry key and run the task it completes successfully. So it seems it just cannot handle the other registry key because of whatever reason.
Is there a way to still make it work?
Thanks in advance for your answer.
10-24-2025 03:56 PM
The status indicates that the 2023 certificate has been inserted into DB, but that the bootloader in the EFI partition has not been updated. This can be fixed manually if you are comfortable with using the Command Prompt. (See note below before starting this procedure.)
NOTE: If the 2023 certificate is not, in fact, in the DB, the computer won't boot. You will need to disable Secure Boot in the UEFI. Boot to Windows. Mount the EFI partition, restore the backed-up bootloader, unmount, then reboot. Secure Boot can then be re-enabled.
10-24-2025 10:56 PM
There is no rush. But if the bootloader is still not updated by June 2026, the system will not boot with Secure Boot enabled. Hopefully, Microsoft's update will install before then. Just in case, you might want to bookmark this thread!
10-24-2025 11:17 PM
I already did bookmark the thread - just in case. And I would have tried now if there wasn't the chance that the certificate is not in the DB yet. Do you think it will definitely be there at the time of the expiration? What do I do if it is still not actually there then? Or is that a scenario that just cannot happen?
10-24-2025 11:28 PM
It currently looks like the 2023 certificate is installed in DB, but for some reason the bootloader has not been updated. I have no idea why Windows failed to update it or whether this will be resolved. I would suggest rerunning the script periodically and checking if the final status has changed to a 2. If not, you have two choices when June 2026 arrives: permanently turn off Secure Boot or attempt the manual fix I outlined. (Technically, there is a third option. There is a program called Mosby that will update Secure Boot, but it wipes out the OEM PK, which means you would be unable to update the BIOS/UEFI ever again. Also, Mosby is more complicated to set up and run than the manual fix I gave.) Good luck!
10-24-2025 11:39 PM
That was exactly my plan. Check if the status has changed to a 2 after Patchday Updates and try your manual fix after Patchday in June - hoping that I won't have to.
What seems odd to me is that the Task Secure-Boot-Update ends with an error 0xC0000005 when I try to run it after changing the registry key to 0x5944. It won't even change not started to in progress. My research indicates that it means something like "a program tried to access memory it doesn't have permission for".
Maybe something is just not right, yet. Fact is that the computer I fail to get updated will still be in warranty at the time the changes need to happen. That is a good thing, right?
10-25-2025 09:47 PM
I have an addition and a further question.
Addition: I also tried setting the Available Updates Key to 0x40 as described here https://learn.microsoft.com/en-us/answers/questions/5582589/how-to-update-to-windows-uefi-ca-2023
This at least changes the not started into in progress but doesn't complete the update.
If I use this PowerShell command, [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023', the status returned is TRUE.
Question:
If this is the procedure to try and complete the update how do I revert back if it doesn't work?
Will I be still able to enter the BIOS to disable Secure Boot? What are the exact commands to restore the backed-up bootloader? And the re-enabling of Secure Boot also happens in the BIOS, right?
10-25-2025 10:17 PM
You have asked Windows to update the DB, which had already been updated. That is OK. The best way to proceed, if you are determined, is to set up a free account on www.elevenforum.com. Then you can download a free script that will analyze the state of your Secure Boot setup. I would not suggest proceeding till you know where things stand. Here is a link to download BoScript.zip: https://www.elevenforum.com/t/did-you-manually-update-your-secure-boot-keys.36443/page-17#post-64342...
Just unzip the file. Double click the .bat file. Then in a minute or two, a text file will appear on the desktop. (Normally, I would advise against running a batch file from an unknown source, but I have gone over it, and it is safe.) Post the results of the text file here. It will tell us exactly what has been updated and what has not.
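The facts the first post's Check.cmd reports, the PowerShell DB test from the 10-25-2025 post, and the "mount the EFI partition, back up / restore the bootloader" steps sketched in the 10-24-2025 reply, collected into one elevated PowerShell script that answers "where do things stand" before anyone touches the ESP. This is an added example, not one of the scripts linked in the thread and not BoScript. It assumes that S: is a free drive letter for the EFI System Partition, that backups go to %SystemDrive%\SecureBootBackup, and that the registry value names are the ones Microsoft documents for this update (UEFICA2023Status and WindowsUEFICA2023Capable under ...\Control\SecureBoot\Servicing, AvailableUpdates under ...\Control\SecureBoot); the scheduled task is looked up by name only.

```powershell
#Requires -RunAsAdministrator
# Added example; not one of the Check.cmd / Update.cmd scripts the thread links to.
# Assumptions: S: is a free drive letter for the EFI System Partition (ESP),
# backups go to %SystemDrive%\SecureBootBackup, and the registry value names are
# the ones Microsoft documents for this update.

$ServicingKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$EspLetter     = 'S'                                               # assumption
$BootMgrPath   = "${EspLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"
$BackupDir     = Join-Path $env:SystemDrive 'SecureBootBackup'    # assumption

function Mount-Esp {
    if (Test-Path "${EspLetter}:\") { throw "${EspLetter}: is already in use; choose another letter." }
    mountvol "${EspLetter}:" /S | Out-Null          # /S mounts the ESP on the given letter
    if ($LASTEXITCODE) { throw "mountvol failed with exit code $LASTEXITCODE" }
}
function Dismount-Esp { mountvol "${EspLetter}:" /D | Out-Null }

# Everything Check.cmd reports, plus what is actually in the firmware DB, who
# signed the boot manager on the ESP, and the last result of the scheduled task
# (this is where an exit code such as 0xC0000005 shows up).
function Get-Ca2023State {
    $svc  = Get-ItemProperty -Path $ServicingKey  -ErrorAction SilentlyContinue
    $sb   = Get-ItemProperty -Path $SecureBootKey -ErrorAction SilentlyContinue
    $db   = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $task = Get-ScheduledTask -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue |
            Get-ScheduledTaskInfo
    Mount-Esp
    try     { $sig = Get-AuthenticodeSignature -FilePath $BootMgrPath }
    finally { Dismount-Esp }
    $signer = "$($sig.SignerCertificate.Subject) $($sig.SignerCertificate.Issuer)"

    [pscustomobject]@{
        SecureBootEnabled   = Confirm-SecureBootUEFI
        UpdateStatus        = $svc.UEFICA2023Status                 # NotStarted / InProgress / Updated
        UpdateCapable       = if ($null -ne $svc.WindowsUEFICA2023Capable) { '0x{0:X}' -f $svc.WindowsUEFICA2023Capable }
        AvailableUpdates    = if ($null -ne $sb.AvailableUpdates) { '0x{0:X}' -f $sb.AvailableUpdates }
        Ca2023InDb          = [bool]($db -match 'Windows UEFI CA 2023')
        Pca2011InDb         = [bool]($db -match 'Microsoft Windows Production PCA 2011')
        BootMgrSignedBy2023 = [bool]($signer -match 'Windows UEFI CA 2023')
        BootMgrSigStatus    = $sig.Status
        LastTaskResult      = if ($task) { '0x{0:X8}' -f [uint32]$task.LastTaskResult }
    }
}

# Copy the current boot manager off the ESP before changing anything, so the
# "restore the backed-up bootloader" step in the reply above has something to restore.
function Backup-BootManager {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $dest = Join-Path $BackupDir ('bootmgfw.efi.{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    Mount-Esp
    try     { Copy-Item -Path $BootMgrPath -Destination $dest }
    finally { Dismount-Esp }
    (Get-FileHash -Path $dest -Algorithm SHA256).Hash | Set-Content -Path "$dest.sha256"
    $dest
}

# Put a backup back. As the reply says: boot with Secure Boot disabled in the
# UEFI setup first, run this, reboot, then re-enable Secure Boot.
function Restore-BootManager {
    param([Parameter(Mandatory)][string]$BackupFile)
    if (-not (Test-Path $BackupFile)) { throw "Backup $BackupFile not found." }
    $expected = Get-Content -Path "$BackupFile.sha256" -ErrorAction SilentlyContinue
    $actual   = (Get-FileHash -Path $BackupFile -Algorithm SHA256).Hash
    if ($expected -and $expected -ne $actual) { throw "Backup hash mismatch; not restoring a damaged file." }
    if ($null -eq (Get-AuthenticodeSignature -FilePath $BackupFile).SignerCertificate) {
        throw "$BackupFile carries no Authenticode signature; refusing to install it as bootmgfw.efi."
    }
    Mount-Esp
    try     { Copy-Item -Path $BackupFile -Destination $BootMgrPath -Force }
    finally { Dismount-Esp }
    "Restored $BackupFile to $BootMgrPath. Reboot, then re-enable Secure Boot."
}

Get-Ca2023State | Format-List
```

Run it from an elevated PowerShell. The combination the thread is chasing is UpdateStatus = Updated, UpdateCapable = 0x2, Ca2023InDb = True and BootMgrSignedBy2023 = True; the poster's machine would show Ca2023InDb = True with BootMgrSignedBy2023 = False. BootMgrSigStatus depends on whether the signer's chain is in the Windows root store, so judge the boot manager by the signer name rather than by that field. Backup-BootManager and Restore-BootManager are separate steps and are not called by default; Restore-BootManager only puts back a file you saved earlier, it does not fetch or install a 2023-signed boot manager, which the thread does not describe.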