Help needed for update of older mainboard!

[AseKarlsson]

Hi All,
I have an ASUS X99-Deluxe mainboard that will not update the SecureBoot Certificates to 2023 using Windows Update.

I was able to download the following files with PowerShell and put them on an USB stick using:

Create a temporary folder

New-Item -ItemType Directory -Force -Path "C:\SecureBootUpdate"

Download the 2023 DB Certificate

Invoke-WebRequest -Uri "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/Optional/DB/amd64/DBUpdate3P2023.bin" -OutFile "C:\SecureBootUpdate\DBUpdate3P2023.bin"

Download the 2023 KEK Certificate

Invoke-WebRequest -Uri "https://github.com/microsoft/secureboot_objects/raw/main/PostSignedObjects/KEK/Microsoft/KEKUpdate_Microsoft_PK1.bin" -OutFile "C:\SecureBootUpdate\KEKUpdate_Microsoft_PK1.bin"

PowerShell fails to update these keys with error (0xC0000022).

My tried workaround:
The DBUpdate3P2023.bin updates fine from within BIOS from the stick, Good!
The KEKUpdate_Microsoft_PK1.bin file fails to load within BIOS, I found some info to convert this file to a format that support ASUS (cannot find back to that article anymore) but the conversion had to be made using Linux (not my operating system in use).

Anyone seen this same behavior and can suggest the path forward?

Any advice is welcome,
Thanks a lot,

//Ase

[garlin-cant-code]

Please check if ASUS has submitted a post-signed KEK for your specific BIOS.

1. (Get-SecurebootUEFI -Name PK -Decoded).SerialNumber.ToLower()

2. Search for the returned value in the file kek_update_map.json

If you don't see a match, then ASUS has not provided a .bin object which you can use. You should try to see if your BIOS Secure Boot menu supports manual key enrollment using the file microsoft corporation kek 2k ca 2023.der copied to your FAT32 USB.

[AseKarlsson]

Thanks @garlin-cant-code !
I found a serial match with KEKUpdate_ASUS_PK8.bin file and downloaded that.
Went into BIOS and tried to Append that KEK file, but that failed.
Any more tips how to proceed and is the whole procedure explained somewhere?

//Ase

[AseKarlsson]

Some more info:
After loading the KEKUpdate_ASUS_PK8.bin file first as a PK I could also load it as KEK Key after that.
So now:
KEK 2023=True
Windows UEFI CA 2023=False
Microsoft UEFI CA 2023=True

Still working on it but will keep you posted on the progress.
//Ase

[garlin-cant-code]

Try running the Secure Boot task:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x1944 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

[AseKarlsson]

After this I had to extract the "DefaultDb.bin" from within "edk2-x64-secureboot-binaries.zip" and now:
KEK 2023=True
Windows UEFI CA 2023=True
Microsoft UEFI CA 2023=True

Thanks for the Support!

//Ase

[Flickdm]

Thanks everyone! I'm actually out of office and just saw this but I'm glad to see the community being supportive!

@AseKarlsson can I close this?

[AseKarlsson]

Absolutely, Thanks for all help!