Hello! I need to add CA2023 secureboot keys to old BIOS F9 & EC F006 download gigabyte com/FileList/BIOS/nb-bios-aorus16x-vg-win11-64bit-f9-ec-f006.zip?v=9cdb8c9c7622c0f2da590161aac22c63 Global problem: gigabyte released new version of BIOS FF2 & EC F008 with CA2023 support( download gigabyte com/FileList/BIOS/nb-bios-aorus16x-vg-win11-64bit-ff2-ec-f008.zip?v=944b767e8ab7315b65e0542e557fc738 ) , but also disabled advanced tuning menu in bios (no undervolt or overclocking allowed). After downgrade bios to previos version F9, Secure Boot got invalid signing key errors and allow to boot only without enabled secure boot options. There are no options to enable/disable Secure Boot, but only 'delete current keys'/'restore factory defaults keys'. So, I think, if it possible to add CA2023 keys to factory default and enable secure boot?
Thank you for the information, it is very useful. When the current Gigabyte BIOS's Secure Boot is in "system" mode (e.g., disabled), there is no UEFI DB or UEFI KEK, so Windows updates and utilities cannot update certificates. I could only reinstall Windows 11 and update the certificates in the UEFI DB, but if I reinstall the BIOS after the CA2011 certificate has expired, I wouldn't be able to use Secure Boot(bye some Online games) or BIOS tweaks(hello, noisy heater) So, I need a BIOS with CA2023 keys in the default UEFI KEK and default UEFI DB. Current UEFI KEK √ Microsoft Corporation KEK CA 2011 (revoked: False) √ Microsoft Corporation KEK 2K CA 2023 (revoked: False) √ GIGABYTE Default UEFI KEK √ Microsoft Corporation KEK CA 2011 (revoked: False) X Microsoft Corporation KEK 2K CA 2023 √ GIGABYTE Current UEFI DB √ Microsoft Windows Production PCA 2011 (revoked: False) √ Microsoft Corporation UEFI CA 2011 (revoked: False) √ Windows UEFI CA 2023 (revoked: False) √ Microsoft UEFI CA 2023 (revoked: False) √ Microsoft Option ROM UEFI CA 2023 (revoked: False) √ GIGABYTE √ GIGABYTE Default UEFI DB √ Microsoft Windows Production PCA 2011 (revoked: False) √ Microsoft Corporation UEFI CA 2011 (revoked: False) X Windows UEFI CA 2023 X Microsoft UEFI CA 2023 X Microsoft Option ROM UEFI CA 2023 √ GIGABYTE √ GIGABYTE
I have only two options: "delete ALL keys"(e.g. turn Secure boot OFF) and "restore factory defaults keys (CE2011)"
@vint08 If windows 11 update trigger for MS CA2023 keus didn't work, you could contact Gigabyte eSupport, i personally select the region to taiwan and language to english since the taiwan eSupport team are pretty much responsive and elaborative. Ask and persuade them about your need for updated secure boot keys, make it sound important so they will look towards the issue and gave you an updated bios. I had done some requests to them for motherboard, basically i asked them for new SB2023 Keys for H77-DS3H, Z97X-UD5H-BK, and Z97-HD3 (for Z97 boards, i also asked the addition of Above 4G Decoding in the settings and TPM2.0 Module support, and they did, just last month they gave me the completely updated bios). Wish you luck!