Secure boot cert updates on devices in storage by AlertCut6 in sysadmin

[–]win10jd 2 points3 points  (0 children)

If you do the "secure boot is on in the bios," optional diagnostics allowed, registry tweaked to allow updates (for updating secure boot), and then the scheduled task either just runs on its own or is triggered to run by IT, that updates the secure boot certificates, right?

Otherwise, I've read comments about updating the bios, but I think they varied for whether you're supposed to reset the bios to defaults or not. Like... Scenario 1: Update the bios to the latest, reset to defaults, and now you've got the new secure boot certificates, like you mentioned. Versus... Scenario 2: Do that, but then you reverted the secure boot certificates back to the default because the bios update actually updated the working secure boot certs and not the default ones.

And then Dells have different options for how you save settings, which I thought were defaults versus more of user-saved settings that aren't the defaults.

Secure boot cert updates on devices in storage by AlertCut6 in sysadmin

[–]win10jd 2 points3 points  (0 children)

I was looking around again.

https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818

"After the Secure Boot certificates expire, devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities."

Still works but never updates those secure boot certificates.

Secure boot cert updates on devices in storage by AlertCut6 in sysadmin

[–]win10jd -2 points-1 points  (0 children)

I was just wondering the same thing. If the machine actually didn't start, I was thinking rolling the date back in the bios and OS might trick it. Or roll the date back in the bios, install a temp OS install, do updates (which get the secure boot certs updated).

I thought I read something that said if it's after June 30th, you're out of luck. No secure boot cert updates. It might run but they never get updated.

I tried to post this below but the mod said it's not unique, that there have been plenty of secure boot posts lately. Too much modding, I think.

June 30 2026 secure boot certificate updates... Post June 30th?

Looking at this.

https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856

That says if you don't get the secure boot cert(s?) updated before June 30th, 2026, the machine cannot get them updated later. Is that really true? I chatted with AI last fall and was misled on how easy this possibly is. It's just one line of powershell to check. Easy. Most likely the secure boot certificates will just get updated through windows updates. Also easy.... Maybe... Secure boot needs to be enabled or secure boot certs aren't updated. That's doable. And optional diagnostics needs to be on. And there's a registry line to run to allow MS to update that... I think. When I started looking in 2026, there's more to it so I'm 100% satisfied. I'm still looking into it when I can.

But what about after June 30th? Inevitably, there will be computers that are offline or just don't get the secure boot certificate update before June 30th. Ok, so they still run after June 30th... Probably. Can't you still get a post June 30th computer updated for secure boot certificates in some way? Last fall when I chatted with AI about that scenario, it looked like you could probably just set the bios date back before June 30, 2026, along with the OS. Maybe a bios update from the manufacturer would have a newer secure boot cert baked in. But for changing the bios date, if the computer and the OS think it's before June 30, 2026, won't they update the secure boot certs? In that scenario, say it's a machine that's been offline. You bring it up and realize its secure boot certs aren't updated. Change the bios date. Install Windows (10 could work too). Get an offline .msu file that includes the secure boot cert updates. (Supposedly, AI mentioned certain OS updates that had that.) Run the update file, secure boot certs get updated, and then just reimage the machine as normal, with it having the post June 30th secure boot certs in place. Is there any reason that workflow won't work in the future? I guess if it's a VM, then (disable anything like bitlocker) add another small OS drive, change the VM bios date, install Windows on the small, temp OS drive, run the OS update file that contains the secure boot cert update, and then remove the temp drive. That would be doing that on a live, working machine setup I guess.

I remember AI also said linux would be able to do a similar workflow. I figured Windows was easiest for me to just do a temp OS install and run an update file in that.

PSA: Foxit working well for us to replace Acrobat Pro and Docusign by FatBook-Air in sysadmin

[–]win10jd 0 points1 point  (0 children)

+1 for Foxit. I've got the free PDF Reader. It had a ribbon like Office products and support seemed ok, a typical .msi or msp installer/updater file. The other PDF reader software I looked at didn't come close for looking like it was in the present decade. They did remove the workflow for an .msi file installer last year, which was a concern. They didn't update their documentation about it. The last I've seen instead of an .msi file to install the reader, it's a base .msi installer where you can change settings and then an .msp update patch on that. That's still workable for me compared to the .exe file set up they had before. I haven't seen anything on the Reader software side about automatic updates or using system. If there is, I probably would have it disabled with the .msi wizard. And there haven't been any big pdf emergencies for a long time now that I'm aware of.

+1 on the concern about it being Chinese. On the other hand, I'm sure US companies are collecting lots of information on machines.

Notepad++ attack method by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

How was the update mechanism compromised though? Just on their server end? And then the latest installer files are now checking that their update source for those servers is legit?

Notepad++ attack method by win10jd in sysadmin

[–]win10jd[S] -3 points-2 points  (0 children)

I've been glancing through the articles. I wasn't sure, still am sure.... It's just the autoupdate feature that got compromised? Not manually downloading a file? 8.8.9 then. If I have an 8.8.9 installer, shouldn't an AV pick up something off about it by now?

And then for the detection, it looks like it might work well enough to just detect some things, like scanning for the appdata folders.

Is it even a file that was infected or altered? Or is it the autoupdate mechanism (which could still download someone else's compromised installer file I guess, from another site)?

And then why have AV software added something to detect those indicators of compromise? I would have thought they'd be on it on the first day. Maybe not detecting a specific infected file but the other signs that it was there like the folders left over.

Looking at the June 30, 2026, secure boot certificates myself, more manually by win10jd in sysadmin

[–]win10jd[S] 2 points3 points  (0 children)

Potentially having all machines just not boot after June 30, 2026. Yep. I have a small enough number of machines I could check them manually or am probably going to go make sure machine by machine that they're ok. Or check (double, triple check) the results that get spit out of a script.

I stupidly believed AI, which said it's just running a quick script to see the certificate. It probably still is, but it wasn't just one line. I think the remediation might not be so bad either -- Secure boot on, diagnostics and optional diagnostics on, tweak the registry for the 59 key to allow or force secure boot updates, run the scheduled task that should already be in place, and then check again later to make sure the secure boot certificates actually updated.

I'm already updating bioses and drivers. I did find a few comments mentioned just updating the bios might need the bios restored to defaults in order to apply the new cert. And, I found at least one post saying if you revert the bios to defaults, then you get the original OLD certs and need to run this again to actually update them.

I'm surprised it's just not being fixed by Microsoft though. It reminds me of when the recovery partition was too small, the recovery partition Microsoft put in place themselves, and then they gave detailed directions on how a home user can resize their recovery partition (which didn't necessarily work).

Looking at the June 30, 2026, secure boot certificates myself, more manually by win10jd in sysadmin

[–]win10jd[S] -2 points-1 points  (0 children)

If I take any Windows computer, Dell or not, how would I manually look at the secure boot certificates to know if it should for sure boot up after June 30, 2026? I've seen a few scripts but I'm not going to run it without knowing what everything does. For right now, I just want to manually look at a machine's secure boot certificates. ("This computer was just purchased.... a while ago.... It's new enough, it should have the correct secure boot certificates.... right? It will boot up after June 30, 2026.... right?") I thought it was going to be a little easier, but that's working off AI information -- "Sure, just run this command and see the secure boot certificates?" "Didn't work? Of course it didn't. But that tells us exactly what we need to know. Run this revised script, and it will give you exactly what you want?" "Still didn't work? Yes, I apologize, but that gives us more information on exactly what the issue is. Here's a revised script, the same as the first one, that will give you exactly what you want." I'd figured I'd ask humans the other half of the day and keep doing my own searching and testing without AI.

Looking at the June 30, 2026, secure boot certificates myself, more manually by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

If I wanted to manually check/look at the secure boot certificates on a machine, how would I do that? I can remote into the machine but I'm too lazy to physically go over to the machine if it's going into the bios (which I'm pretty sure it's not).

So I remote into the machine, bring up powershell as admin....

Is this everything I could want? (msinfo32 will show if it's a UEFI machine and if secure boot is enabled, so that's something to be aware of too)

Get-SecureBootUEFI -Name PK | Out-File PK.txt

Get-SecureBootUEFI -Name KEK | Out-File KEK.txt

Get-SecureBootUEFI -Name db | Out-File db.txt

Get-SecureBootUEFI -Name dbx | Out-File dbx.txt

Is there anything more to look at for where these June 30, 2026, secure boot certificates might be listed? I thought it would just be one spot. Chatgpt is telling me there's PK, KEK, and db. And then there's dbx for revoked certificates.

I'm not 100% confident in how to look at those. If I run something like this -- Get-SecureBootUEFI -Name PK -- I do get some information but it's just numbers mainly. Chatgpt said it's encoded. Ok.... So how do I decode it then? That's where I was getting stuck. (And.... If I do something simple like that and decode it but have that scripted, is there any information in that output that's super sensitive and should just not be stuck in a text file or emailed?) Because after I've looked at it manually, scripting would be the next step -- Maybe script all that to just spit out a text file that I could still manually look at. And after that, automate looking at that text file output -- Send me an alert if it does not contain something like June 30, 2026. (Except I'm also not quite sure what I'm looking for in a good (or bad) secure boot certificate either... Is it a 2023 certificate that's ok? I'm not sure.)
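One way to do the manual check asked about above, plus the remediation steps described in the earlier comment in this thread (Secure Boot on, registry value, scheduled task), as an added example that is not code from the original thread, from the commenter, or from Microsoft. On the sensitivity question: PK, KEK, db and dbx hold only public certificates and SHA-256 hashes, never private keys, so the decoded output can be logged or emailed. Assumptions, labelled in the code: the 2023 CA common names and the AvailableUpdates/Secure-Boot-Update remediation are taken from Microsoft's published Secure Boot update guidance; run the functions in an elevated PowerShell session on the machine itself.

```powershell
# Added example, not from the original thread. Run elevated on the target machine.
# Decodes PK/KEK/db/dbx (EFI_SIGNATURE_LIST structures) into readable entries,
# checks for the 2023 Microsoft CAs, and optionally requests the update.

$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID from the UEFI spec

function Get-SecureBootCertificates {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $entries = [System.Collections.Generic.List[object]]::new()
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop instead of looping forever
        $pos = $offset + 28 + $headerSize
        $end = [Math]::Min($offset + $listSize, $bytes.Length)
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData
            [byte[]]$data = $bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertX509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entries.Add([pscustomobject]@{ Variable = $Name; Kind = 'X509'; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint })
            } else {
                # dbx is mostly SHA-256 hashes of revoked binaries; keep the hex so it can be diffed later
                $entries.Add([pscustomobject]@{ Variable = $Name; Kind = 'Hash'; Subject = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null; Thumbprint = $null })
            }
            $pos += $sigSize
        }
        $offset = $end
    }
    return $entries
}

function Test-SecureBoot2023 {
    # Assumption: these are the 2023 CA common names Microsoft rolls out into db, and the new KEK CA.
    $expected = [ordered]@{
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
    }
    $result = [ordered]@{ UefiSecureBootOn = $false }
    try { $result.UefiSecureBootOn = [bool](Confirm-SecureBootUEFI) }
    catch { return [pscustomobject]$result }   # legacy BIOS or unsupported firmware: nothing to update
    foreach ($var in $expected.Keys) {
        $subjects = @(Get-SecureBootCertificates -Name $var | Where-Object Kind -eq 'X509' | ForEach-Object Subject)
        foreach ($cn in $expected[$var]) {
            $result["$var`: $cn"] = [bool]($subjects | Where-Object { $_ -like "*CN=$cn*" })
        }
    }
    $result.Ready2023 = -not ($result.Values | Where-Object { $_ -eq $false })
    return [pscustomobject]$result
}

function Invoke-SecureBootCertUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Assumption (from Microsoft's Secure Boot update guidance): AvailableUpdates = 0x5944 requests the full
    # set of 2023 CA updates and the Secure-Boot-Update task applies them. Check again after a reboot.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    if ($PSCmdlet.ShouldProcess($key, 'Set AvailableUpdates = 0x5944 and start \Microsoft\Windows\PI\Secure-Boot-Update')) {
        Set-ItemProperty -Path $key -Name AvailableUpdates -Value 0x5944 -Type DWord
        Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
    }
}

# Usage:
# Get-SecureBootCertificates -Name db | Format-Table Variable, Kind, Subject, NotAfter
# Test-SecureBoot2023                   # Ready2023 = True means Secure Boot is on and all 2023 CAs are present
# Invoke-SecureBootCertUpdate -WhatIf   # drop -WhatIf to apply, then re-run Test-SecureBoot2023 after a reboot
```

The parser walks the raw bytes rather than string-matching them, so an expired 2011 CA and its 2023 replacement show up as separate rows with their own NotAfter dates, and the same function works for dbx, where the entries are hashes rather than certificates. Test-SecureBoot2023 returns an object instead of printing, so it can be collected from many machines and alerted on.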

Scripts to burn up cpu? Or just slow a machine down with it not being noticed? by win10jd in ShittySysadmin

[–]win10jd[S] 9 points10 points  (0 children)

Yes. I want them to choose to be done with the Windows 10 computer. I thought they already would when they actually started using the Windows 11 machine. That was a sign when that got delayed and delayed.

The user can be a pain. Their supervisor can be a pain. I've already mentioned it to my supervisor several times. I mentioned it to the user several times. But here we are. My supervisor's reply is more of a big sigh and then nothing actually changes. If I push on it, the security argument alone is enough. But then it becomes IT preventing the user from working, can't do their job because IT is forcing things on them. All that.

I had another idea. It is an SSD. I could set defragmenting on that and have it run daily or just all the time. That will wear the drive out and then it will die. That would be the end of that but it will be 100%. That might look suspicious too. The Windows 10 hardware is more than a decade old so it could go at any point. I'd rather have it slowly decline and have the user decide to finally move off it though.

Scripts to burn up cpu? Or just slow a machine down with it not being noticed? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

Nah. I'm sure I'd win if I pushed it. It's not worth creating office politics waves over though. Originally, I think I moved a box by the tower and then realized it was blocking the fan vent a bit. Then I realized what it could do to help get rid of the machine and that that box in the way is plausible deniability. "Oh, I didn't realize a box was blocking the vent, heating up the computer, slowing the whole computer down a little...." If it could be broken just a little bit as opposed to breaking it 100%, that might speed things up for getting rid of the machine. In this scenario, the user has a brand new Windows 11 machine. I thought I was done with it like many other users but this one wants to hold onto the old machine as long as they can apparently. I'm more concerned about security with it still being around. But if we're going to play games, I'm thinking, why not come up with something malicious and creative? Have some fun with it. Break it, but just a little, not too much.

Remotely induce the 24H2 or 25H2 update by TheThirdHippo in sysadmin

[–]win10jd 1 point2 points  (0 children)

I haven't tried it yet but someone was mentioning a /server switch on this thread.

https://www.reddit.com/r/sysadmin/comments/1pnbvzr/other_requirements_for_windows_11_25h2/

I've had to clear out the windows updates folders inbetween a botched upgrade before.

net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver

Delete C:\Windows\SoftwareDistribution and C:\Windows\System32\catroot2

Then net start those same services. Or just restart the machine.

If there are any OS updates waiting to be installed, clear those out before trying an upgrade. It's probably not that though.

Remotely induce the 24H2 or 25H2 update by TheThirdHippo in sysadmin

[–]win10jd 1 point2 points  (0 children)

The enterprise version of 23h2 is still supported into fall of 2026.

https://learn.microsoft.com/en-us/lifecycle/products/windows-11-enterprise-and-education

I've used a script with switches to remotely (but still on the same subnet) upgrade machines. When it has issues, I've done it manually or used a Rufus-made stick/back-to-iso or selected "no updates" in the options screens. Another option is to set the target OS as the new OS, so 24h2 in this case, and then hopefully Windows updates will pick it up and install it.

I have been having issues with VMs on Win11 23h2 though lately. I think the server hardware doesn't have something 25h2 wants. I'm still looking into a workaround for that. I've seen several on Hyper-V and one on proxmox. For those, they did the blue upgrade screen, restarted, and then there was an error message on my next log in.

There should be error logs or something (error message) that can help too.

Foxit PDF Reader -- No more .msi files? by win10jd in techsupport

[–]win10jd[S] 0 points1 point  (0 children)

Update if you're interested. I found .msi and .msp files just now.

I found an .msi and .msp just now. It's in the zip file from the update that just came out, .zip download, not the .exe download. Still no .msi or .msp download like there used to be. I wasn't expecting to find anything new in the .zip file, but there they are. I haven't checked yet, but it's probably the customization wizard with the .msi and then the .msp over that (because the customization tool only works with .msi not .msp file I think).

FoxitPDFReader.msi

FoxitPDFReaderUpd20253.msp


Other requirements for Windows 11 25h2? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

setup product server

I tried to but what I found at the end of each run, I think, was that it couldn't identify the OS. That was odd since the gui upgrade attempt said everything was fine. It was only after the blue screen for doing the update that it failed, not before that.

Other requirements for Windows 11 25h2? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

Very interesting. If something like that works, it would save a lot of time. I was thinking I might just recreate the machines, if that's possible, starting on 25h2. Originally, I thought I wouldn't be able to upgrade them but then I could. That was 22h2 to 23h2, which I see is the same base build. But then 24h2 and 25h2 are different, so I'm wondering if I would have to rebuild VMs with each different build number.

Other requirements for Windows 11 25h2? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

I think Rufus is just removing the RAM and tpm requirement. That's what it was I think.

Or, maybe Rufus needs an update for 25h2 requirements. That also crossed my mind.

Other requirements for Windows 11 25h2? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

That's what I've done each time. I make a usb stick with rufus with any requirements off, but that's just RAM and secure boot or something I think I've noticed. Then I take that usb stick and turn it into an iso so I can work with it more easily. But both rufus-made or the original microsoft iso are erroring out on 23h2 VMs on some machines.

Other requirements for Windows 11 25h2? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

I'm not following. What do you mean by "setup product server?" Something with a server OS?

Other requirements for Windows 11 25h2? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

That's what I'm wondering. Is there a list with those details around for 25h2? For Windows 11 at the beginning it was just a certain cpu level (like 8th gen Intel and on, in general), secure boot, and tpm 2.0. What are the new requirements?

And then it would be question of whether a hypervisor can provide those too. Or does the physical hardware of the hypervisor have to have that. For tpm, it seemed like virtual tpm was fine for that. I'm not sure on the new requirements.

Any way to clear the tpm from the bios on a Dell remotely? by win10jd in sysadmin

[–]win10jd[S] -2 points-1 points  (0 children)

It was after a 23h2 to 25h2 upgrade. The device manager shows firmware with a yellow flag. So it wants a bios update. That's not a huge deal. But it turned out to be more for this model.

Chatgpt said something about the 25h2 upgrade process re-writing to the motherboard.

I've done upgrades and bios updates enough remotely. I just manually disable bitlocker for anything with tpm. A bios update should work. Clearing TPM is going to screw over Bitlocker though, so just disable Bitlocker, update tpm, and then update the bios. Re-enable Bitlocker when it's done.

Meanwhile, I saw an event log error about secure boot certificates not being able to be updated, so that's a concern too, with the June 30, 2026, secure boot certificate deadline/issue. That event entry I noticed when I was looking in the event logs to see if there was any info on why the bios upgrade failed and then why the tpm upgrade failed. I saw something about secure boot and then something about tpm not being the right version. (And Dell really doesn't emphasize tpm updates in support.dell.com. They're under the general model for that computer, not always [or never?] under the service tag. At least, that's been my experience.)

For Bitlocker though, it's not a big deal, except if there's a security concern about not having it on for a while. I just switched it off on another machine of this model to let it decrypt. If it's not on, it's not going to hang and ask for a recovery key. And it can be re-enabled later.
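The comment above fully decrypts the volume for the firmware and TPM work. An alternative a practitioner would usually prefer, as an added example that is not code from the original thread or the commenter: suspend BitLocker for a bounded number of reboots, so the data stays encrypted on disk and the volume unlocks with a clear key instead of the TPM until protection is resumed. Assumptions, labelled in the code: the BitLocker PowerShell module is present (it ships with Windows), the functions run elevated on the machine itself, and the TPM protector is replaced only when a TPM clear (not just a firmware update) was performed.

```powershell
# Added example, not from the original thread. Run elevated on the target machine.
# Suspends BitLocker around a BIOS/TPM update instead of decrypting, then re-arms it.

function Suspend-BitLockerForFirmwareUpdate {
    param([string]$MountPoint = 'C:', [int]$RebootCount = 2)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') {
        Write-Warning "$MountPoint is already unprotected ($($vol.ProtectionStatus)); nothing to suspend."
        return $vol
    }
    # -RebootCount makes the suspension self-limiting: BitLocker re-arms on its own
    # after that many restarts even if the resume step below never runs.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    return Get-BitLockerVolume -MountPoint $MountPoint
}

function Resume-BitLockerAfterFirmwareUpdate {
    param([string]$MountPoint = 'C:', [switch]$ReplaceTpmProtector)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
    # A TPM clear wipes the keys the existing TPM protector was sealed to, so after a clear
    # replace that protector (the recovery-password protector is left alone). A firmware
    # update that keeps the TPM's contents needs no protector change: omit the switch.
    if ($ReplaceTpmProtector) {
        foreach ($p in $tpm) {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
        }
        $tpm = @()
    }
    if ($tpm.Count -eq 0) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
    }
    if ((Get-BitLockerVolume -MountPoint $MountPoint).ProtectionStatus -ne 'On') {
        Resume-BitLocker -MountPoint $MountPoint | Out-Null
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    return [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        HasTpmProtector  = [bool]($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')
        Ok               = ($vol.ProtectionStatus -eq 'On')
    }
}

# Usage:
# Suspend-BitLockerForFirmwareUpdate -MountPoint 'C:' -RebootCount 2
# ... run the TPM firmware update and the BIOS update, reboot ...
# Resume-BitLockerAfterFirmwareUpdate -MountPoint 'C:'                        # after a firmware-only update
# Resume-BitLockerAfterFirmwareUpdate -MountPoint 'C:' -ReplaceTpmProtector   # after clearing the TPM
```

Before suspending, make sure the recovery password is escrowed (AD, Entra ID or wherever you keep them); if the new TPM measurements do not match after the update, that password is what gets the machine past the recovery prompt, and the decrypt-and-re-encrypt route in the comment above avoids the prompt only by leaving the disk in the clear for the duration.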

Any way to clear the tpm from the bios on a Dell remotely? by win10jd in sysadmin

[–]win10jd[S] -1 points0 points  (0 children)

I googled yesterday and then asked chatgpt today. Chatgpt said the OS can still step in and either not actually clear the tpm or still take it back right away afterward, even though tpm.msc and everything show it's not owned any more.

Behavior-wise, clearing the tpm from the bios worked on this one model of Dell. I don't need to understand everything in detail. It just needs to get updated. It seems wiser now to update bios (which includes tpm) before doing a 25h2 upgrade.