Legacy Dell pc Successful Windows UEFI CA 2023 update

Get-AuthenticodeSignature returns only the first line of certificate which is 2011.

Follow the Dell instruction to check secure boot signature

I got this result:

Thumbprint                                Subject

----------                                -------
CN=Microsoft Windows Production PCA 2011

CN=Microsoft Corporation UEFI CA 2011

CN=Windows UEFI CA 2023

I got this check result using Dell method 2

I tested the update commands on Dell latitude laptop i5-6300 and HP desktop i7-8700.  Both returned False when matching 2023 certificate.  I am confused what is going on now.

@redxps630​ ,

I am confused what is going on now.

I suggest you start by reviewing some of my previous messages here in the forum. I think your confusion might stem from "how you check or verify" their current status.

There are now four 2023-CA's, in two separate databases (named Current and Default). Plus you have KEK's and PK's in both databases. Then you have your UEFI-DBX Revocations.

So, when you take a report or try to analyze a Windows computer, I think it needs to show all 13 items to have a fairly accurate summary of its CA-2023 status.

Yeah I agree it is a complex topic and I am testing water.

good news is now after enabling secure boot in Dell latitude laptop bios and repeat the steps I was able to match TRUE for 2023 secure boot and confirm by powershell Dell method 2.  I installed Win 11 25h2 via Rufus usb.

HP desktop still match false due to high security built in bios.  It would not pass Rufus usb due to a secure boot certificate, whereas Dell would let it pass.

@redxps630​ ,

Dell latitude ... I installed Win 11 25h2 via Rufus usb.

Nice. Good work.

I found out it is the bios settings that determines whether 2023 secure boot certificate is loaded. I imaged a working ssd that has 2023 cert on a hp desktop. But it simply would not load the cert.  And if I disable secure boot in a Dell pc bios, even though I have updated windows secure boot, it wouldn’t load. The second case makes sense, while the first case makes me believe HP firmware (business class) is much more stringent than Dell Optiplex to allow loading of new certificate.  Since this is a Dell desktop forum I won’t dwell further on hp but just use the case as a learning example.

Tested this method on Inspiron 3668 i5-7400.

It works beautifully.

I should clarify this is for Windows UEFI CA 2023 alone.  So far I am not able to manually download the Microsoft KEK 2k 2023.  Research ongoing

@redxps630​ ,

I should clarify this is for Windows UEFI CA 2023 alone.  

At the bottom of the "chain of trust" along with this one, there are 3-others. All 4 are equally important.

At the top of the chain, the KEK and PK provide the required foundation of the chain (or your chain is broken and non-functional as a whole).

Registry key updates for Secure Boot: Windows devices with IT-managed updates - Microsoft Support

When testing individual devices to ensure that the devices will process the updates correctly, the registry keys can be a straightforward way to test. 

To test, run each of the following commands separately from an administrator PowerShell prompt: 

I was able to add two more 2023 certificate but the KEK 2k 2023 is still not added.

I could not replicate the success in Optiplex 7010 yet.  My hp laptop is newer with i7 8th gen cpu.  7010 is Dell i7 3rd gen.  firmware is different.  I suspect the 7010 firmware is preventing update of its KEK.

I downloaded KEK 2023.crt which I used openSSL to convert to .der in an attempt to have it signed by PK.  I used powershell command which is another adventure in command line land.  It gave error which leads to requirement of time-stamp in the command, not to mention openSSL did not run in Windows after install at first which google lead to correct fix to edit system environment variables, something I had never done before but worked.

in the end I successfully? signed the .der but still 7010 bios secure boot custom mode append KEK says error.

this is unnecessarily painful as the original way of adding kek key in theory should work but in practice is difficult sometimes.

PS 

1. Open Settings: Search for "environment variables" in the Start menu and select Edit the system environment variables.
2. Access Variables: Click the Environment Variables button at the bottom of the System Properties window.
3. Edit PATH: Under "System variables," select Path and click Edit. Add the path to your OpenSSL bin folder (e.g., C:\OpenSSL-Win64\bin).

**do not read further if you are not a tech expert (like Tesla)."  this is beta experiment land.  do not mess with it on your pc if you do not know what you are doing.

https://pureinfotech.com/install-secure-boot-certificates-windows-11/

to get GUID, powershell (admin)

(Get-CimInstance -ClassName Win32_ComputerSystemProduct).UUID

Manual UEFI KEK/db Provisioning: Bypassing the LVFS CHID Block on Lenovo Systems · fwupd/fwupd · Discussion #9724 · GitHub

2023 KEK deployment is blocked to prevent firmware errors. This guide provides a verified manual path to inject the Microsoft 2023 certificates using a unified file approach.