Updated the graphic, as it had various mistakes: On outdated PCs with Windows 11 25H2 (bypass method) only the UEFI partition receives certificate updates? On reformatting the SSD on outdated PCs, all certificates will be gone, as the UEFI partition will be gone as well and the BIOS (dbdefault) database will be used again to boot devices.

1.) Will a modern UEFI certificate (2023) USB device still boot on an old PC on a fresh installation (dbdefault being in the BIOS)? If not, would I have to install an older OS first and then... try to cheat the 2023 certificates onto it once again?

2.) On many outdated DELL/Lenovo AIO PCs with Windows 11 25H2, I did not have to use mbr2gpt, but could just enable Secure Boot to be able to install the 2023 certificates. mbr2gpt failed with a "Disk layout validation failed for disk 0".

3.) On some outdated DELL/Lenovo AIO PCs with Windows 25H2, I could not just enable Secure Boot, as 25H2 would not boot anymore. mbr2gpt would fail as well, again claiming "Disk layout validation failed for disk 0". There are only 2 partitions, so my first guess would be that the 150 MB EFI is considered too small?

Other than that I wonder if I overlooked anything else in my graphic.
A) The PK, KEK, DB and DBX databases are stored in the EFI (NVRAM) on the computer board. Only the signed bootmgfw.efi (2011 or 2023) is stored in the EFI partition of the disk.
B) Even on old devices, 2023 certificates can be added to the EFI (NVRAM) databases. Certificates can also be added to the EFI (NVRAM) manually.
C) When reformatting the disk, bootmgfw.efi is deleted. The databases in EFI (NVRAM) are not reset.
D) 150 MB EFI partition is large
E) Ask AI for information about secure boot

I am happy with my PC

Code:
B550M DS3H (F20 2025-10-29) 26200.8524
Secure Boot status : Enabled
UEFISecureBootEnabled : 1
AvailableUpdates : 0x0000
UEFICA2023Status : Updated
WindowsUEFICA2023Capable : 2
PK
  ✔ GIGABYTE
PKDefault
  ✔ GIGABYTE
KEK
  ✔ Microsoft Corporation KEK CA 2011
  ✔ Microsoft Corporation KEK 2K CA 2023
  ✔ GIGABYTE
KEKDefault
  ✔ Microsoft Corporation KEK CA 2011
  ✔ Microsoft Corporation KEK 2K CA 2023
  ✔ GIGABYTE
db
  ✔ Microsoft Windows Production PCA 2011 revoked
  ✔ Microsoft Corporation UEFI CA 2011
  ✔ Windows UEFI CA 2023
  ✔ Microsoft UEFI CA 2023
  ✔ Microsoft Option ROM UEFI CA 2023
  ✔ GIGABYTE
  ✔ GIGABYTE
dbDefault
  ✔ Microsoft Windows Production PCA 2011 unrevoked
  ✔ Microsoft Corporation UEFI CA 2011
  ✔ Windows UEFI CA 2023
  ❌ Microsoft UEFI CA 2023
  ❌ Microsoft Option ROM UEFI CA 2023
  ✔ GIGABYTE
  ✔ GIGABYTE
dbx
  Required hash : 259 detected
bootmgfw.efi SVN : 8.0
cdboot.efi SVN : 3.0
wdsmgfw.efi SVN : 3.0
FirmwareSVN : 8.0
BootManagerSVN : 8.0
StagedSVN : 8.0
ComplianceStatus : Compliant (Boot Manager SVN meets staged SVN)
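The tool output above distinguishes the active databases (PK, KEK, db, dbx, held in NVRAM) from the OEM defaults (PKDefault, KEKDefault, dbDefault) and shows the Windows servicing state for the 2023 CAs. The following PowerShell script is an added example, not code from the thread or from the tool whose output is quoted: it reads the live KEK, db and dbx with the built-in Get-SecureBootUEFI cmdlet, searches them for the CA names listed in the output, and reads the servicing registry values Microsoft documents for the 2023 CA rollout (KB5025885). Get-SecureBootUEFI exposes only PK, KEK, db and dbx, so the dbDefault view shown above is not reproduced here; run it elevated on a UEFI system.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): report which Microsoft Secure Boot CAs
# are present in the active KEK/db/dbx and what Windows reports about the
# 2023 CA servicing state. Registry paths follow Microsoft's KB5025885 guidance.

$Cas = @(
    'Microsoft Windows Production PCA 2011',
    'Microsoft Corporation UEFI CA 2011',
    'Windows UEFI CA 2023',
    'Microsoft UEFI CA 2023',
    'Microsoft Option ROM UEFI CA 2023',
    'Microsoft Corporation KEK CA 2011',
    'Microsoft Corporation KEK 2K CA 2023'
)

function Get-SecureBootCaPresence {
    param([ValidateSet('KEK', 'db', 'dbx')][string]$Name)
    # Certificate subject names are stored as ASCII text inside the DER-encoded
    # EFI_SIGNATURE_LIST entries, so a plain substring search on the raw bytes
    # is sufficient to tell whether a given CA is listed.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    foreach ($ca in $Cas) {
        [pscustomobject]@{
            Database = $Name
            CA       = $ca
            Present  = $text.Contains($ca)
        }
    }
}

# Confirm-SecureBootUEFI returns $true/$false; it throws on legacy BIOS boot.
Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)"

# Servicing state written by Windows during the 2023 CA rollout. Values that
# are not yet present on a machine simply print empty.
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$rootKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$servicing = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
$avail     = Get-ItemProperty -Path $rootKey -Name AvailableUpdates -ErrorAction SilentlyContinue
Write-Host ("UEFICA2023Status         : {0}" -f $servicing.UEFICA2023Status)
Write-Host ("WindowsUEFICA2023Capable : {0}" -f $servicing.WindowsUEFICA2023Capable)
Write-Host ("AvailableUpdates         : 0x{0:X4}" -f [int]$avail.AvailableUpdates)

# KEK should carry the 2023 KEK CA and db the three 2023 signing CAs once the
# update has been applied; dbx shows whether the 2011 PCA has been revoked.
'KEK', 'db', 'dbx' |
    ForEach-Object { Get-SecureBootCaPresence -Name $_ } |
    Where-Object Present |
    Format-Table -AutoSize
```

On a machine in the state quoted above, the table lists both KEK CAs under KEK and all 2023 CAs under db; on an older PC that has only received the bootmgfw.efi swap but no database update, the 2023 entries are absent from db even though Windows boots.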
I do ask AI as well, but sometimes I prefer additional, anonymous human interaction on a tech forum as well. So thanks for the provided hints, appreciated. I now understand that my graphic is not correct.

I stumbled across some PowerShell scripts and tools as well (which also installed the certificates without problems), but using mosby (update via EFI shell) also looks interesting. Will test it for sure.

I read about current-database and default-database. So, a "restore factory keys" (or factory reset) on an older UEFI BIOS will only offer the 2011 certificates afterwards (dbdefault by the OEM), as the NVRAM gets overwritten and the OEM factory firmware never received the up-to-date certificates (current database / db) by the OEM. So a tool like mosby would be the easiest way to prepare certificates on an older machine, even before re-installing Windows? Considering that a modern USB device with 2023 certificates will boot on older hardware anyway, as long as Secure Boot is enabled. While an up-to-date UEFI BIOS would already offer the 2023 certificates, even after a factory reset.

I mostly wonder why enabled Secure Boot on some GPT drives won't boot 25H2 anymore then, if 150 MB is more than enough space and there aren't any other partitions left. The AI answers and MS forums regarding this matter (for example bad Recovery partition) weren't of much use to me and I will probably end up with reinstalling Windows. I also read that insufficient space on the (NVRAM) chip might be the culprit.