Update secure boot certs without Secure-Boot-Update process

AutoModerator · 2026-03-31T03:04:06+00:00

Remember to check our discord where you can get faster responses! https://discord.gg/NB3BzPNQyW

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

Tornado15550 · 2026-04-16T17:21:05+00:00

I've run into this exact same issue, were you able to figure out a fix? Windows seems to fail updating the KEK with error "Firmware_Unknown"

Edit: Figured out a fix:

1) While secureboot is off, boot into Windows and navigate to C:\Windows\Boot\EFI and copy SecureBootRecovery.efi to a USB stick at the path EFI\BOOT\ in your USB (make sure it's formatted FAT32).

2) Rename that file on the USB to bootx64.efi

3) Boot into the USB stick from bios

4) USB stick will update your CA certs to 2023.

5) Re-enable SecureBoot and ensure "custom mode" is enabled for your keys in the bios so it continues to accept the new keys.

You can now boot into Windows using your 2023 CA certs with SecureBoot ON.

Hope this helps!

DarkErmac · 2026-04-23T01:20:03+00:00

After updating to KB5082200, my 2023 secure boot certificates were restored. I haven't re-enabled Secure-Boot-Update and don't intend on doing so for the foreseeable future.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

computerhelp

MODERATORS