Microsoft sounds the alarm about Secure Boot certificates expiring later this year

anechoe

Wise, Aged Ars Veteran
156
Subscriptor
I guess this is one of the vanishingly few reasons I should boot into my Windows partition once every few months, given the current state of Windows … rough stuff.
edit: Looks like it was already updated, thankfully. .... back to it.
but thanks to the author of this article for embedding the PowerShell command to check status :)
 
Upvote
3 (3 / 0)

Secondfloor

Ars Praefectus
3,256
Subscriptor
So... my Asus mobo (ROG Strix Z390-E Gaming) is from 2018, and while the code Andrew provided for PowerShell shows I'm OK for the new cert, I get "False" for Default DB.

That got me to finally update my mobo yesterday to the latest available from Asus (from 2024), and I followed their really (IMO) crappy broken English instructions that were linked, but I'm still seeing "false" when I check the default db via PowerShell.

Asus vaguely suggests that Windows 11 will update the keys at some point, but that's about it. Is that the case?

Like Arkeo said above, we need a follow-up. I wouldn't have even known about this if I hadn't seen this article.
You’re fine. The NVRam on your system has been updated.
 
Upvote
-1 (0 / -1)

SnakeJG

Wise, Aged Ars Veteran
130
I'm running a "not very" old Lenovo Legion laptop that just missed the requirements to officially run Windows 11 (which I'm running) and Lenovo has it listed as out of support so no firmware update with new keys for me.

I found the instructions here to update the certificate actually worked: https://www.elevenforum.com/t/did-you-manually-update-your-secure-boot-keys.36443/

You basically have to run these two commands in an admin powershell and then reboot twice:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 
Upvote
6 (6 / 0)

Yaoshi

Ars Scholae Palatinae
772
I have a ROG Zephyrus G14 from 2022, running Windows 11 25H2 (26200.7705) and with the latest official BIOS (3.19 from August 2023)

When I checked using the commands in the article I got:
  • DB: False
  • DefaultDB: False
The model in question has a line of beta BIOSes to enable USB4 (long story short, Asus actually advertised USB4 support for the device but it was released without it and never officially enabled), so I quickly looked them up and found out that the latest one is from October 2024.

After flashing it, the same commands returned:
  • DB: False
  • DefaultDB: True
Rebooting into BIOS, going into Secure Boot settings and resetting the keys to default, then booting into Windows once more finally got me to:
  • DB: True
  • DefaultDB: True
So for devices where a BIOS update adds the new cert it is necessary to reset the Secure Boot keys to update the certs in NVRAM, it seems.

What I wonder is: what happens to computers that do not have the new certs baked in the firmware and which also do not get the NVRAM updated?
  • Does Windows 11 past a certain version just stop booting?
  • If one resets the BIOS and also wants to clean install, do they have to use an older installation media because newer ones won't boot?
Also, to avoid having to manually enter BitLocker recovery keys, you can just suspend BitLocker before updating the BIOS or messing with Secure Boot settings. Once Windows loads again it will bind the BitLocker encryption key to the new BIOS binaries and configuration.
 
Upvote
3 (3 / 0)

daveok

Ars Centurion
319
Subscriptor
To some extent, I mean, security is an onion and you want as many layers as possible. But if you have some malware attacking your bootloader things have gone pretty deeply wrong.

Yes, preventing the PC from even booting into the OS install media definitely ensures total security.

I'm in IT, and Secure Boot is something that we absolutely require as part of our CIS standard for Windows 11. Apple has an equivalent called Secure Boot. Its purpose is to ensure only software verified by Apple can load during the startup process.

I'm shocked at the down votes on my original comment. I thought all of this was basic security knowledge?
 
Upvote
3 (6 / -3)

Kiru

Ars Tribunus Militum
1,854
I have a ROG Zephyrus G14 from 2022, running Windows 11 25H2 (26200.7705) and with the latest official BIOS (3.19 from August 2023)

So for devices where a BIOS update adds the new cert it is necessary to reset the Secure Boot keys to update the certs in NVRAM, it seems.
Yeah, I reset the keys following Asus instructions for "Method II", and when I went to check that the keys had indeed been updated ("Confirm that KEK Management contains "Microsoft Corporation KEK 2K CA 2023"" & "Confirm that DB Management contains both "Microsoft UEFI CA 2023" and "Windows UEFI CA 2023""), I found that they did not match what Asus said they should be.

What cracked me up is that Asus doesn't tell you what to do if the keys aren't updated, the instructions just end.

Secondfloor, thanks for your reassurance. (y)
 
Upvote
0 (0 / 0)

Jeff S

Ars Legatus Legionis
10,922
Subscriptor++
When 'secure boot' was originally announced, Microsoft 'helpfully' offered to hold the keys for everyone, and sign the acceptable EFI for everyone; so redhat, ubuntu, etc all need to get their install binary (or at least the boot part of it) signed by Microsoft before they can be used on a secure boot system.

Since this article is referencing the set of keys that those binaries can be signed by, then it is reasonable to assume that this will matter; not today, as all the existing binaries are signed with existing older keys; but tomorrow, when new binaries start being signed with new keys that existing and older UEFI FW may not have loaded.

What is missing in my head is, if I boot Linux with secure boot off today, is there any way I can load a new key into secure boot's nvram and have it recognised, so I can turn secure boot on and run a liveCD from ubuntu/redhat/SuSe that depends on that new key?

(I know there is a mechanism to enroll new binaries, because installing the nVidia driver on a secure-booted Linux distro requires that I dream up a passphrase, reboot to bios time, enter the passphrase on the UEFI prompt and agree to allow that binary to load; but I can't see if that applies to keys themselves and all the fun that implies)
Well, there is MoK - "Machine owner Key" - basically, self signing the boot binary so that this one machine will boot it.

I would think booting without secure boot and loading certs might work.
 
Upvote
2 (2 / 0)

Lord Evermore

Ars Tribunus Militum
2,567
Subscriptor++
Dell doesn't seem better, my Dell 7490 hasn't gotten a BIOS update since ... 2018, the year of release. The problem is of course that it's a "modern" hexacore, meaning it can still do normal things (web, movies) without the fans even turning on and it'll even handle light games quite alright but apparently it's too old to function anyway.
Latitude 7490? There have been steady releases of new versions.

https://www.dell.com/support/home/e...ode=w2021&productcode=latitude-14-7490-laptop
 
Upvote
0 (0 / 0)
So... my Asus mobo (ROG Strix Z390-E Gaming) is from 2018, and while the code Andrew provided for PowerShell shows I'm OK for the new cert, I get "False" for Default DB.

That got me to finally update my mobo yesterday to the latest available from Asus (from 2024), and I followed their really (IMO) crappy broken English instructions that were linked, but I'm still seeing "false" when I check the default db via PowerShell.

Asus vaguely suggests that Windows 11 will update the keys at some point, but that's about it. Is that the case?

Like Arkeo said above, we need a follow-up. I wouldn't have even known about this if I hadn't seen this article.
Interesting. I have the same mobo as you and I get False for both checks. I also see the message in Event Viewer mentioned above indicating the certs are available but have not yet been applied to the firmware. Any idea what I need to do to get Windows to use the new certs to boot? I'm already on Win 11 25H2.

According to https://zentalk.asus.com/t5/motherb...-update-for-rog-strix-z390-e-bios/td-p/498418 the latest BIOS for that board does not include the certs and there are no plans for a version that will.
 
Upvote
1 (1 / 0)

Lord Evermore

Ars Tribunus Militum
2,567
Subscriptor++
According to https://zentalk.asus.com/t5/motherb...-update-for-rog-strix-z390-e-bios/td-p/498418 the latest BIOS for that board does not include the certs and there are no plans for a version that will.
They went to the effort to release an update in 2024 to fix the LogoFAIL vulnerability (and improve system stability) after no updates since 2021, so why would they not bother to toss in the new certs, which were available long before that. It can't be so much more work to add in the function to update the certs in NVRAM that they didn't want to waste the additional resources when they were already updating such a legacy platform, can it? And they probably already would have had the code basically done since they were updating more recent boards, needing minor changes to work for this board, unless they hadn't even started updating any of them.
 
Upvote
3 (3 / 0)

neminew

Ars Centurion
214
Subscriptor
I'm so sick of expiring certificates breaking old devices. We need something better than this, though no clue what that would look like
don't set an expiry date in the certificate?

alternatively set one so many years out that it will be reasonable to assume that with advances in computing that generating a fake certificate will be possible with reasonable / low cost computer resources.

Maybe when selecting a certificate you get to choose one with a short lifetime (e.g. 10 years) for something you expect to keep updating the security of, OR a "LTS certificate" for a mission critical device that you accept responsibility for securing but shouldn't have these points of failure (e.g. 999 years).
 
Upvote
-3 (1 / -4)

KobayashiSaru

Ars Praefectus
4,178
Subscriptor++
I'm in IT, and Secure Boot is something that we absolutely require as part of our CIS standard for Windows 11. Apple has an equivalent called Secure Boot. Its purpose is to ensure only software verified by Apple can load during the startup process.

I'm shocked at the down votes on my original comment. I thought all of this was basic security knowledge?

I was unable to install an OS at all with secure boot currently enabled

Like, I would not have been able to use my computer at all. I swear a lot of security IT people just cannot see the forest for the trees. Security is important but when a security feature completely precludes being able to use the device at all it's.. not exactly a solution.

Turning it on going forward? Would be nice, sure, but currently not an option, unfortunately.

My use case (gaming and livestreaming mostly) requires that I reload the kernel with different modules frequently when I make a change to my video capture/EDID settings - often several times in a single session depending on what devices I am using. Now perhaps one day, I will eventually learn how to automatically regenerate keys and apply them in situ multiple times in a session, but that's not something I am currently able to do and I need to be able to use my computer in the meantime, and I'm not going back to using Windows.

Also we are talking about my home, personal computers, not enterprise level workstations or servers.
 
Upvote
2 (2 / 0)

MrTom

Ars Tribunus Militum
2,033
Interesting. I have the same mobo as you and I get False for both checks. I also see the message in Event Viewer mentioned above indicating the certs are available but have not yet been applied to the firmware. Any idea what I need to do to get Windows to use the new certs to boot? I'm already on Win 11 25H2.

According to https://zentalk.asus.com/t5/motherb...-update-for-rog-strix-z390-e-bios/td-p/498418 the latest BIOS for that board does not include the certs and there are no plans for a version that will.

Have you checked the hidden "optional" updates yet? That's where I found my Firmware for my Dell. Apparently Microsoft didn't force the update on me, they just left it as optional.

If you don't see the Firmware update as optional, maybe try the registry change mentioned earlier, then reboot and check for updates again.
 
Upvote
3 (3 / 0)

janhec

Ars Scholae Palatinae
839
Subscriptor
These things are each time a trial. Thanks for alerting me. I have a long standing rebuild pc, including new motherboard some time ago. Already out of guarantee, though. Secure boot was not enabled because Asus had Other OS (in the uefi) bios. No idea whether I chose that. Switching to windows UEFI cured that. Then the dbdefault variant did not check out and I updated bios - long time ago since I did that before. After some of the usual dark messages it worked out, so thanks again for the heads-up. Then I was also quite relieved to see Grub also working as usual.
Needed to do the bios upgrade by downloading, loading a usb-stick, executing biosrenamer, restarting and doing the update in bios from the renamed .cap file. The windows-update stuff did not show up, and I have an aggressive yes updates, please policy, so I do not think the bios update is well integrated in windows update.
(updated for a bit more explanation).
 
Upvote
3 (3 / 0)

real mikeb_60

Ars Tribunus Angusticlavius
13,002
Subscriptor
I'm running a "not very" old Lenovo Legion laptop that just missed the requirements to officially run Windows 11 (which I'm running) and Lenovo has it listed as out of support so no firmware update with new keys for me.

I found the instructions here to update the certificate actually worked: https://www.elevenforum.com/t/did-you-manually-update-your-secure-boot-keys.36443/

You basically have to run these two commands in an admin powershell and then reboot twice:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Thanks! I have a relatively recent (~3 yr old) Lenovo laptop (IdeaPad Flex) that came with Win11. They're simply silent about updates for it. Last bios update was in 2024. So I'm expecting a brick in June. The article's ps scripts say I have the new cert in the DB, but not in the default db which requires firmware update. Will try your alternative, which might also be needed for herself's slightly older Asus.
 
Upvote
0 (0 / 0)

real mikeb_60

Ars Tribunus Angusticlavius
13,002
Subscriptor
They went to the effort to release an update in 2024 to fix the LogoFAIL vulnerability (and improve system stability) after no updates since 2021, so why would they not bother to toss in the new certs, which were available long before that. It can't be so much more work to add in the function to update the certs in NVRAM that they didn't want to waste the additional resources when they were already updating such a legacy platform, can it? And they probably already would have had the code basically done since they were updating more recent boards, needing minor changes to work for this board, unless they hadn't even started updating any of them.
And ... while I have a problem with the more recent Lenovo laptop that came with Win11, the older (MSI Z490 PRO with 10th gen i5) passes all the tests. So 'legacy' stuff can be patched.
 
Upvote
0 (0 / 0)
Dell doesn't seem better, my Dell 7490 hasn't gotten a BIOS update since ... 2018, the year of release. The problem is of course that it's a "modern" hexacore, meaning it can still do normal things (web, movies) without the fans even turning on and it'll even handle light games quite alright but apparently it's too old to function anyway.

This is false BTW, I was looking in the wrong place. Intel's Coffee Lake (late 2017) seems to be the cut off for HP, Dell and Lenovo. It's honestly cool they're still releasing BIOSes and stuff for machines that are now eight years old, but not all models are there, seemingly. A relative has a maxed out HP Zbook 17 G5, with the Dreamcolor display, and that is not on the list, as of yet anyway. Which sucks, because that is still a pretty good powerhouse.
 
Upvote
1 (1 / 0)

SnakeJG

Wise, Aged Ars Veteran
130
Thanks! I have a relatively recent (~3 yr old) Lenovo laptop (IdeaPad Flex) that came with Win11. They're simply silent about updates for it. Last bios update was in 2024. So I'm expecting a brick in June. The article's ps scripts say I have the new cert in the DB, but not in the default db which requires firmware update. Will try your alternative, which might also be needed for herself's slightly older Asus.

My alternative just put the new cert in the DB, not in the default db, which is the best you can hope for (I think) if your OEM doesn't provide an update. Hopefully Lenovo will get an update out to you.
 
Upvote
0 (0 / 0)
As someone currently in the process of moving to Linux from Windows, all I can say is "BS." I won't bother listing the numerous issues I've encountered on my quest to install Mint (massaged Ubuntu) on my laptop, but I will mention the most serious.

My laptop won't currently boot into Mint, probably because of a change I made (using the GUI) to the resolution of my two monitors. It was perfectly happy talking to both of them and then I foolishly rebooted. Now the Linux installation is effectively bricked.

Yeah... I've been dabbling in Linux for about 20 years (I still have the stickers that came with the Ubuntu 6.06LTS CDs!) and I have not once had an installation where everything just worked the way Windows did. It's been alright, but there is always something that just doesn't work, like background lighting on laptop keyboards, power saving options, network shenanigans. It's always been something. I still recommend more people getting into it, but I absolutely agree it's in no way as universally working as well as Windows.
 
Upvote
6 (8 / -2)

Zloster

Smack-Fu Master, in training
92
Dell doesn't seem better, my Dell 7490 hasn't gotten a BIOS update since ... 2018, the year of release. The problem is of course that it's a "modern" hexacore, meaning it can still do normal things (web, movies) without the fans even turning on and it'll even handle light games quite alright but apparently it's too old to function anyway.
My 2016 HP Precision 7810 from 2016 last had a BIOS update in 2016. And still works fine too*. And I use it for computationally intensive work.
* Actually, it causes me fewer headaches than my Surface Laptop Studio purchased in 2023

I even joined the Win10 ESU to try to keep it going longer. But this part slightly concerns me:
“However, the device will enter a degraded security state that limits its ability to receive future boot-level protections. As new boot‐level vulnerabilities are discovered, affected systems become increasingly exposed because they can no longer install new mitigations. Over time, this may also lead to compatibility issues, as newer operating systems, firmware, hardware, or Secure Boot–dependent software may fail to load.”

Although, in fairness, the ESU was only fixing things until next fall, so it was only a matter of time anyways.
 
Upvote
0 (0 / 0)

arkeo

Seniorius Lurkius
42
So... my Asus mobo (ROG Strix Z390-E Gaming) is from 2018, and while the code Andrew provided for PowerShell shows I'm OK for the new cert, I get "False" for Default DB.

That got me to finally update my mobo yesterday to the latest available from Asus (from 2024), and I followed their really (IMO) crappy broken English instructions that were linked, but I'm still seeing "false" when I check the default db via PowerShell.

Asus vaguely suggests that Windows 11 will update the keys at some point, but that's about it. Is that the case?

Like Arkeo said above, we need a follow-up. I wouldn't have even known about this if I hadn't seen this article.
I agree 100%, I've only seen this issue reported here on Ars but this is serious. It's not W11 or Linux (if you're still stuck there please don't bother), it's both: it's the damn BIOS or UEFI or Secure Boot. I tried to follow on from OP to Microsoft's, per the link provided, but it immediately became incomprehensible (I can recompile the Kernel, but this is totally new and totally beyond me). I downloaded the .crt file and installed it, both PowerShell prompts still report False.

I'm not complaining, just asking for help and deeper understanding (and possibly solutions).

Thank you all.
 
Upvote
0 (0 / 0)

arkeo

Seniorius Lurkius
42
I'm in IT, and Secure Boot is something that we absolutely require as part of our CIS standard for Windows 11. Apple has an equivalent called Secure Boot. Its purpose is to ensure only software verified by Apple can load during the startup process.

I'm shocked at the down votes on my original comment. I thought all of this was basic security knowledge?
It's just the way M$ handles these things, then people get angry - you know the drill.

But if the original article is correct this is indeed a MAJOR fsck up - I built my desktop and paid the W11 license ($10), I bought my wonderful HP ProBook, and by June I won't be able to boot?

Read again the lines above, something like this should not happen.

---

Does RISC V have Secure Bull? 1st time in 23 years I'm actually considering switching (again) to a whole different arch...
 
Upvote
-3 (0 / -3)

tigerhawkvok

Ars Scholae Palatinae
1,121
Subscriptor
Me: "I should probably re-enable secure boot now that I'm happy with my Ubuntu setup existing alongside Windows"

<opens https://wiki.ubuntu.com/UEFI/SecureBoot/Testing >
scroll... scroll.... scrollscroll.... scrollscrollscrollscrollscrollscrollscrollscrollscrollscrollscrollscrollscrollscroll....

Me: "Looks like next holiday break I should investigate re-enabling secure boot, I'm sure nothing else pressing will come up in the next 10.5 months"
 
Upvote
2 (3 / -1)

Kiru

Ars Tribunus Militum
1,854
I just followed the instructions Snake JG posted above, which include a line of code to check if the process was successful.

What's interesting is that that line of code is almost identical to the line that was included in the article to check the default db: "The second thing to check is the “default db,” which shows whether the new Secure Boot certificates are baked into your PC’s firmware".

I've bolded the difference between the two lines below.

The code from the article is:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

The code from the instructions in the link above is:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

After I'd completed the process and restarted twice, I ran the code from the instructions in the link in terminal as admin, and got a "True" return. 🥳

Then, for shitzengiggles, I ran the code from the article in terminal as admin, and got a "False" return. :unsure:

I assume I'm good to go?
 
Upvote
6 (6 / 0)

alansh42

Ars Praefectus
3,597
Subscriptor++
It's just the way M$ handles these things, then people get angry - you know the drill.

But if the original article is correct this is indeed a MAJOR fsck up - I built my desktop and paid the W11 license ($10), I bought my wonderful HP ProBook, and by June I won't be able to boot?

Read again the lines above, something like this should not happen.
It's not happening. Your system will continue to boot. It will only fail to boot if bootx86.efi is updated to a new version signed with the new cert without updating the cert.

Microsoft is doing a staged release, with the new key being installed being a requirement before an updated bootx86.efi is installed. Not that they couldn't screw it up, but they're not going to intentionally brick your system.

The steps will be to stage the new cert, install it, verify it's installed, then install a newly signed bootx86.efi with each step having to succeed.

If you're on a Win10 system that's getting updates, same thing. If you're not getting updates, no problem because bootx86.efi won't get updated and will still match the old cert.
 
Upvote
4 (4 / 0)

arkeo

Seniorius Lurkius
42
I just followed the instructions Snake JG posted above, which include a line of code to check if the process was successful.

What's interesting is that that line of code is almost identical to the line that was included in the article to check the default db: "The second thing to check is the “default db,” which shows whether the new Secure Boot certificates are baked into your PC’s firmware".

I've bolded the difference between the two lines below.

The code from the article is:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

The code from the instructions in the link above is:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

After I'd completed the process and restarted twice, I ran the code from the instructions in the link in terminal as admin, and got a "True" return. 🥳

Then, for shitzengiggles, I ran the code from the article in terminal as admin, and got a "False" return. :unsure:

I assume I'm good to go?
Still False for me. I'm beginning to get uncomfortable- the HP laptop is my test system because it works wonderfully with W10, W11 and any GNU/Linux distro you can think of. The desktop is for gaming and/or writing (2 4K screens). False as well.
Another HP OmniBook is DOA, still waiting for that to come back to daddy...
 
Upvote
0 (1 / -1)

barich

Ars Legatus Legionis
10,742
Subscriptor++
It's not happening. Your system will continue to boot. It will only fail to boot if bootx86.efi is updated to a new version signed with the new cert without updating the cert.

Microsoft is doing a staged release, with the new key being installed being a requirement before an updated bootx86.efi is installed. Not that they couldn't screw it up, but they're not going to intentionally brick your system.

The steps will be to stage the new cert, install it, verify it's installed, then install a newly signed bootx86.efi with each step having to succeed.

If you're on a Win10 system that's getting updates, same thing. If you're not getting updates, no problem because bootx86.efi won't get updated and will still match the old cert.

Yep. The only way someone would end up with an unbootable system, in theory, is if their BIOS hasn't been updated to a version with the new certs and they restore their Secure Boot settings to defaults after the bootloader has been updated.

At that point to fix it you'd just have to turn Secure Boot off temporarily and reinstall the new certificates.
 
Upvote
6 (6 / 0)

arkeo

Seniorius Lurkius
42
It's not happening. Your system will continue to boot. It will only fail to boot if bootx86.efi is updated to a new version signed with the new cert without updating the cert.

Microsoft is doing a staged release, with the new key being installed being a requirement before an updated bootx86.efi is installed. Not that they couldn't screw it up, but they're not going to intentionally brick your system.

The steps will be to stage the new cert, install it, verify it's installed, then install a newly signed bootx86.efi with each step having to succeed.

If you're on a Win10 system that's getting updates, same thing. If you're not getting updates, no problem because bootx86.efi won't get updated and will still match the old cert.
Thanks for clarifying!
But I still believe there should be a comprehensive guide somewhere though...
So far, AFAIK, it's just us on Ars.
 
Upvote
2 (2 / 0)

cwaynerl

Wise, Aged Ars Veteran
129
Something to note on updating your secureboot certificate is if you have uefi passwords installed (supervisor password specifically) to boot your machine that you will need to use the supervisor password to allow updates to access uefi. After I figured that out I used the regedit method to force update successfully after a lot of frustration trying for a few hours.

After a calming pot of coffee and some critical thinking it was that lightbulb moment I realized what I had been doing wrong!
 
Upvote
2 (2 / 0)
Yeah... I've been dabbling in Linux for about 20 years (I still have the stickers that came with the Ubuntu 6.06LTS CDs!) and I have not once had an installation where everything just worked the way Windows did. It's been alright, but there is always something that just doesn't work, like background lighting on laptop keyboards, power saving options, network shenanigans. It's always been something. I still recommend more people getting into it, but I absolutely agree it's in no way as universally working as well as Windows.
It's interesting that both of us who have real experience with Linux problems are being downvoted for suggesting that switching to Linux isn't as easy as the fanbois would have us believe. Confirmation bias is rampant in this forum.
 
Upvote
6 (8 / -2)
My 2016 HP Precision 7810 from 2016 last had a BIOS update in 2016. And still works fine too*. And I use it for computationally intensive work.
* Actually, it causes me fewer headaches than my Surface Laptop Studio purchased in 2023

I even joined the Win10 ESU to try to keep it going longer. But this part slightly concerns me:


Although, in fairness, the ESU was only fixing things until next fall, so it was only a matter of time anyways.
It's a dual socket workstation, a bit different beast than a modern laptop. Anyway here's a BIOS from 2020, but double check. Personally I'm just going to keep to Windows 10 on the desktop.
 
Upvote
0 (0 / 0)

arkeo

Seniorius Lurkius
42
It's interesting that both of us who have real experience with Linux problems are being downvoted for suggesting that switching to Linux isn't as easy as the fanbois would have us believe. Confirmation bias is rampant in this forum.
While I truly appreciate the sentiment this doesn't feel like an OS-related issue: SB (and the mess M$ is making) affects UEFI, not W11 or Ubuntu or Debian specifically.
My first distro was Slackware in 2004. So I'm very far from biased.
That anyone concerned should be called a fanboi reveals more about the author than the supposed target.
Please remember that this is a public forum.
 
Upvote
0 (3 / -3)

Vooglaid

Smack-Fu Master, in training
38
I get the same result as Kiru (see quotation below). If I run the code line from the article in Ars, I get FALSE. If I run the slightly different line of code, I get TRUE. Does this mean that everything is OK?

I just followed the instructions Snake JG posted above, which include a line of code to check if the process was successful.

What's interesting is that that line of code is almost identical to the line that was included in the article to check the default db: "The second thing to check is the “default db,” which shows whether the new Secure Boot certificates are baked into your PC’s firmware".

I've bolded the difference between the two lines below.

The code from the article is:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

The code from the instructions in the link above is:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

After I'd completed the process and restarted twice, I ran the code from the instructions in the link in terminal as admin, and got a "True" return. 🥳

Then, for shitzengiggles, I ran the code from the article in terminal as admin, and got a "False" return. :unsure:

I assume I'm good to go?
 
Upvote
0 (0 / 0)
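
Added example, not part of the article or of any post in this thread: the two one-liners quoted above search the raw bytes of `db` and `dbdefault` for a certificate name. The PowerShell below instead parses those variables as EFI_SIGNATURE_LIST structures, lists every certificate with its expiry date, and then reports the db/dbDefault combination that SnakeJG and barich describe. Function and variable names are illustrative; it assumes an elevated PowerShell session on a UEFI-booted Windows system.

```powershell
# Added example (not from the article or any post). Run elevated on a UEFI system.

# EFI_CERT_X509_GUID (UEFI spec): signature lists of this type carry DER certificates.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureListCert {
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then three
        # little-endian UINT32s: list size, header size, per-entry size.
        $typeBytes = New-Object byte[] 16
        [Array]::Copy($Bytes, $offset, $typeBytes, 0, 16)
        $type     = [guid]::new([byte[]]$typeBytes)
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            Write-Warning "Malformed signature list at offset $offset; stopping."
            break
        }
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes), then the certificate.
                $der = New-Object byte[] ($sigSize - 16)
                [Array]::Copy($Bytes, $pos + 16, $der, 0, $der.Length)
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

# 2023 certificate names as quoted in the thread from the Asus instructions.
$New2023 = 'Microsoft Corporation KEK 2K CA 2023',
           'Windows UEFI CA 2023',
           'Microsoft UEFI CA 2023'

$rows = foreach ($name in 'KEK', 'db', 'dbDefault') {
    try {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
    } catch {
        # Not elevated, legacy BIOS boot, or the firmware does not expose this variable.
        Write-Warning "Could not read '$name': $($_.Exception.Message)"
        continue
    }
    foreach ($cert in Get-EfiSignatureListCert -Bytes $var.Bytes) {
        $cn = $cert.GetNameInfo('SimpleName', $false)
        [pscustomobject]@{
            Variable = $name
            Subject  = $cn
            NotAfter = $cert.NotAfter.ToString('yyyy-MM-dd')
            Is2023   = $New2023 -contains $cn
        }
    }
}
$rows | Format-Table -AutoSize

# Summarise the two checks the thread compares (active db vs. firmware defaults).
$ca        = 'Windows UEFI CA 2023'
$inDb      = [bool]($rows | Where-Object { $_.Variable -eq 'db'        -and $_.Subject -eq $ca })
$inDefault = [bool]($rows | Where-Object { $_.Variable -eq 'dbDefault' -and $_.Subject -eq $ca })

if ($inDb -and $inDefault) {
    "db and dbDefault both contain '$ca'."
} elseif ($inDb) {
    "Active db contains '$ca' but the firmware defaults do not. " +
    "Restoring Secure Boot keys to factory defaults would drop it from db."
} elseif ($inDefault) {
    "Firmware defaults contain '$ca' but the active db does not " +
    "(the state reported above after a BIOS flash, before resetting keys)."
} else {
    "'$ca' is in neither db nor dbDefault."
}
```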