SecureBoot, Win11 25H2, Valorant, Riot Client


Question


  • bobby022
  • Registered: December 2008
My question
How do I activate all Secure Boot updates in Windows 11 the "normal" way for Valorant?

Relevant software and hardware I use
Windows 11 (25H2)
Valorant
Riot Anti Cheat Client

What I have already found or tried

We already have all the Windows-related updates installed,
but we are still "missing" 6 UEFI certificates.
  1. Current UEFI KEK
  2. Microsoft Corporation KEK 2K CA 2023
  3. Default UEFI KEK
  4. Microsoft Corporation KEK 2K CA 2023
  5. Current UEFI DB
  6. UEFI CA 2023
  7. Default UEFI DB
  8. Windows UEFI CA 2023
  9. Microsoft UEFI CA 2023
  10. Microsoft Option ROM UEFI CA 2023
Is there anyone here who knows how I can add these last few certificates?
Because strangely enough, the game does work properly on another Windows 10 PC.
The steps below, together with others, have so far made more checkmarks turn green. But Valorant keeps complaining about UEFI Secure Boot.

>
Disclaimer Understanding the risks

How to manage the Windows Boot Manager revocations for Secure Boot changes as...

my fresh patched virtual windows 10 with secure boot enabled

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

was reading false before mitigations

so step by step on this client

- Update certificate definitions

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40

you may wish to manually check this value in the registry during this process for understanding

then run

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

can check the registry again, you will see that the value just set is no longer present and the schtask reset it

Reboot the machine

- Verify that the Secure Boot DB update was successful

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

should now see True

- Update the Boot Manager

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x100

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

can check the registry again, you will see that the value just set is no longer present and the schtask reset it

Reboot the machine

- Verify the update

mountvol s: /s

copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\bootmgfw_2023.efi

# mountvol s: /d

Right-click the file C:\bootmgfw_2023.efi, click Properties, and then select the Digital Signatures tab.

In the Signature list, confirm that the certificate chain should match Windows UEFI CA 2023

- Enable the revocation

"The UEFI Forbidden List (DBX) is used to block untrusted UEFI modules from loading. In this step, updating the DBX will add the “Windows Production CA 2011” certificate to the DBX. This will cause all boot managers signed by this certificate to no longer be trusted"

WARNING: Before applying the third mitigation, create a recovery flash drive that can be used to boot the system

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x80

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

can check the registry again etc

Reboot the machine

- Verify the revocation

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'

- Apply the update to the firmware

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x200

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Reboot the machine

[ 35% edited by bobby022 on 25-12-2025 01:30 ]

I ALWAYS give a rating after receiving a V&A item.
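
Added example, not part of the original post or the quoted guide: the verification steps above match an ASCII string against the raw variable bytes, whereas this PowerShell code parses the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI and lists every X.509 certificate in the current and default KEK and db, plus dbx. The function name Get-SignatureListCerts is hypothetical; the code assumes an elevated Windows PowerShell 5.1 session on a UEFI machine.

```powershell
# Added example: enumerate the certificates stored in the Secure Boot variables.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Get-SignatureListCerts {                          # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    # Each EFI_SIGNATURE_LIST starts with a 28-byte header:
    # SignatureType GUID, SignatureListSize, SignatureHeaderSize, SignatureSize
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of looping forever or reading past the end
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Each entry: 16-byte SignatureOwner GUID, then the DER-encoded certificate
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize   # hash-only lists (common in dbx) are skipped
    }
}

$report = foreach ($name in 'KEK', 'KEKDefault', 'db', 'dbDefault', 'dbx') {
    try {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
        Get-SignatureListCerts -Bytes $var.Bytes | ForEach-Object {
            [pscustomobject]@{
                Variable   = $name
                Subject    = $_.GetNameInfo('SimpleName', $false)
                NotAfter   = $_.NotAfter
                Thumbprint = $_.Thumbprint
            }
        }
    } catch {
        # Some firmware does not expose the *Default variables
        Write-Warning "$name could not be read: $($_.Exception.Message)"
    }
}
$report | Format-Table -AutoSize
```

Comparing the KEK/db rows with the KEKDefault/dbDefault rows shows whether a 2023 certificate is missing only from the firmware defaults or also from the active variables.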