
Updating Secure Boot variables (KEK, DB, DBX) from within Windows PE

Gordon Fecyk 0 Reputation points
2026-02-25T21:22:57.0233333+00:00

I'm preparing for the June 2026 expiration of the Secure Boot certificates from 2011. Specifically, I want to add the 2023 certificates to a PC in case someone resets their BIOS or NVRAM and loses these certificates in the process.

If a Win11 PC is using the 2023-signed boot loaders but the PC's NVRAM loses the 2023 KEK and DB certs, then Secure Boot will fail citing a verification error. I want to be able to replace the certs without having to reinstall Windows.

To this end I prepared a Windows 11 Pro installation that runs off a USB 3 device and uses the 2011-signed boot loader. From there I can run scripts to check the Secure Boot variables and replace missing certificates as though the USB Windows was the local Windows installation. After replacing the missing certs, I can restart the original installed Windows that has the 2023-signed boot loader and nothing is lost.

This is fine, as long as the boot USB is fast enough and the PC supports super-speed USB3 devices. But if the PC has trouble booting an entire Windows OS from USB for some reason, or is only a USB 2 capable machine, that process will be very, very slow. I've also tried other solutions, such as updating Secure Boot variables from EFI shells, Linux live boot devices, or within the BIOS Setup itself, but none of those seem to work right. I can only seem to update Secure Boot variables from within a running Windows OS that has internet access.

I'd like to be able to update the Secure Boot variables from within the Windows Preinstall Environment instead, a much more compact OS that I already use for capturing and restoring Windows disk images.

I can already check Secure Boot variables from within WinPE if the WinPE device has the PowerShell, Secure-Startup and Secure-Storage modules installed along with dependencies. What PE doesn't have is a Task Scheduler and the associated task that launches every 12 hours after startup. That task launches some code within tpmtasks.dll and references something called "SBServicing." This must be the code that looks in the SecureBoot section of the Control Registry for whatever it needs to update, for instance 0x1844 would apply the 2023 KEK and all three 2023 DB certs.

So, how to invoke this in WinPE? There is a tpmtasks.dll in WinPE as of 25H2 that seems to match the one in Win11 25H2. The tpmtool.exe command line tool doesn't seem to have any Secure Boot parameters. Could I just launch this with rundll32.exe maybe? Something like, "rundll32 tpmtasks.dll sbservicing?"

Windows for business | Windows Client for IT Pros | Devices and deployment | System management components

4 answers

  1. Gordon Fecyk 0 Reputation points
    2026-02-27T14:25:20.6733333+00:00

    It looks like there's no answer to do this from anything aside from a full Windows 11 installation.

    Note that I only need to do this on machines that don't already have a BIOS update that includes the 2023 certificates. If the target PC has this, none of the steps are necessary. This is just for slightly older PCs that won't get a BIOS update anymore, and in case someone's erased the machine's NVRAM and is getting a Secure Boot violation complaint when they try to restart.

    I was able to do this using the same disk image I use for preparing PCs normally, just specifying the faster USB device as the restoration target.

    If you do this yourself, use steps similar to these:

    1. Restore your Sysprep'd Win11 installation to a fast USB device. That installation should have the 2011-signed boot manager.
    2. Use dism's /add-driver command to add any needed network drivers to the restored Win11 on the fast USB device. I found I only needed network drivers as I don't need to use a PC's local storage volumes just to restore Secure Boot certs.
    3. Make sure the machine is in Secure Boot Deployed mode and at least has the 2011 certificates. As of February 2026 it appears any PC that supports UEFI Secure Boot will at least have this.
    4. Boot from the fast USB device. If the Windows installation was in Sysprep Audit mode, it should automatically sign in as the built-in Administrator. If network drivers are loaded it should also have internet access.
    5. Use the Check scripts from the Check UEFI Secure Boot repository to check the Secure Boot status. Avoid using the "Apply 2023 KEK, DB and bootmgfw update" script as this will also mess with the boot loader of your USB device.
    6. Instead make a copy of the "Apply 2023" script and change the Registry value on the script from 0x5944 to 0x1844, which should just reinstall the 2023 KEK and 2023 DB certs. Run the modified version.
    7. Run the scheduled task Microsoft/Windows/PI/Secure-Boot-Update by hand, as for some reason Sysprep audit mode won't allow any scripted command to run this. It will be stuck in "Queued" mode until you run it by hand.
    8. Run the Check script to confirm that the 2023 certs are in the Current Secure Boot sections.
    9. Shut down the USB Windows and keep it handy for the next machine you need to do this to. Restart the machine using its original OS and it should start.

    I found if I was doing this to a machine that had BitLocker enabled, restarting the machine after this would prompt for the recovery key, so keep a copy of that in a secure location. After it's been keyed in once, it shouldn't ask for the recovery key again on subsequent restarts.
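Steps 5 through 8 of this answer, as an added PowerShell example that is neither the poster's code nor the scripts from the Check UEFI Secure Boot repository. It is meant to run from the USB-booted full Windows 11 install described above, since the thread concludes the servicing task is not available in WinPE. It assumes the SecureBoot module's Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets, that the servicing task reads its work list from a REG_DWORD named AvailableUpdates under the SecureBoot control key (the value the post's 0x1844 mask is written to), the \Microsoft\Windows\PI\Secure-Boot-Update task named in step 7, and the subject names of the 2023 Microsoft CAs as the strings to look for in KEK and DB.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from the Check UEFI Secure Boot repository.
# Run from the USB-booted full Windows 11 install, not from WinPE (no servicing task there).

$SbKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$UpdateName = 'AvailableUpdates'          # assumed: value the servicing task reads
$TaskPath   = '\Microsoft\Windows\PI\'
$TaskName   = 'Secure-Boot-Update'
$UpdateMask = 0x1844   # from the post: 2023 KEK + all three 2023 DB certs, no bootmgfw swap

# Subject names expected in the UEFI variables once the 2023 CAs are enrolled (assumed strings).
$Expected = @{
    kek = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023',
            'Microsoft UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023')
}

function Get-SecureBootCAStatus {
    # Returns a hashtable keyed by variable name (kek, db) with Found/Missing CA lists.
    # This part only reads UEFI variables, so it also works in WinPE once the
    # SecureBoot module is present, as the question notes.
    $status = @{}
    foreach ($var in $Expected.Keys) {
        # Subject names sit as printable ASCII inside the DER blobs, so a substring
        # search over the raw variable is enough to see which CAs are enrolled.
        $text    = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        $found   = @($Expected[$var] | Where-Object { $text.Contains($_) })
        $missing = @($Expected[$var] | Where-Object { -not $text.Contains($_) })
        $status[$var] = [pscustomobject]@{ Variable = $var; Found = $found; Missing = $missing }
    }
    return $status
}

function Invoke-SecureBootCAUpdate {
    # Stages the 0x1844 update and runs the servicing task by hand (step 7 of the answer).
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled; the servicing task needs Secure Boot in Deployed mode.'
    }
    $before = Get-SecureBootCAStatus
    $todo   = @($before.Values | Where-Object { $_.Missing.Count -gt 0 })
    if ($todo.Count -eq 0) {
        Write-Host 'All 2023 KEK/DB certificates already present; nothing to do.'
        return $before
    }
    foreach ($v in $todo) { Write-Host ("{0}: missing {1}" -f $v.Variable, ($v.Missing -join ', ')) }

    # Tell the servicing code what to apply, then kick the task instead of waiting 12 hours.
    New-ItemProperty -Path $SbKey -Name $UpdateName -PropertyType DWord -Value $UpdateMask -Force | Out-Null
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName

    # Poll until the task leaves Running (or we give up). In Sysprep audit mode it may sit
    # in Queued, which is the case the answer says needs a manual run from Task Scheduler.
    $deadline = (Get-Date).AddMinutes(5)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)
    if ($state -ne 'Ready') { Write-Warning "Task state is '$state'; if Queued, start it from Task Scheduler." }

    # Re-read the variables so the result reflects what firmware actually accepted.
    $after = Get-SecureBootCAStatus
    foreach ($v in $after.Values) {
        if ($v.Missing.Count -gt 0) { Write-Warning ("{0}: still missing {1}" -f $v.Variable, ($v.Missing -join ', ')) }
        else { Write-Host ("{0}: 2023 certificates present" -f $v.Variable) }
    }
    return $after
}

# Usage: check first; apply only on a PC whose KEK/DB lack the 2023 CAs.
(Get-SecureBootCAStatus).Values | Format-List
# Invoke-SecureBootCAUpdate
```

The check function is deliberately separate from the apply function: run it on its own to decide whether a PC needs servicing at all (as the answer notes, a machine whose BIOS update already carries the 2023 certificates needs none of this), and run it again after the task to confirm the variables changed rather than trusting the task's exit state. Because changing KEK and DB alters the Secure Boot measurements BitLocker seals to, expect the recovery-key prompt the answer describes on the next boot of the original OS.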


  2. VARADHARAJAN K 9,591 Reputation points Volunteer Moderator
    2026-02-27T03:26:43.6266667+00:00

@Gordon Fecyk, Windows PE is a light OS which does not have most of the services needed to update the required certificates, so it's impossible.


  3. Jason Nguyen Tran 12,640 Reputation points Independent Advisor
    2026-02-26T00:08:10.3933333+00:00

    Hi Gordon Fecyk,

    At present, Windows PE does allow you to read Secure Boot variables if the right PowerShell modules are included, but it does not provide the full servicing framework that standard Windows uses to update KEK, DB, or DBX. The “SBServicing” task you mentioned is indeed tied to scheduled servicing in a full Windows environment, and it isn’t designed to be invoked directly from WinPE with rundll32.

    The supported approach is to use either the full Windows OS with internet connectivity or vendor‑provided firmware tools to update Secure Boot certificates. While WinPE can be customized with modules to inspect variables, it lacks the servicing infrastructure to apply updates reliably. Attempting to call tpmtasks.dll directly from WinPE won’t replicate the scheduled task behavior and may not safely update the NVRAM. For environments where booting a full OS from USB is impractical, the recommended path is to prepare a lightweight Windows installation image with the servicing components intact, rather than relying on WinPE alone.

    I hope this helps. If the information provided so far has helped you better understand or resolve the issue, please click "Accept Answer" to mark it as resolved, as this may also help others in the community.

    Jason.


  4. Q&A Assist
    2026-02-25T21:23:12.6966667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Updating Secure Boot variables from within Windows PE (WinPE) can be a complex task, especially when dealing with the specific requirements of Secure Boot and the associated certificates. While the context provided does not offer a direct method to invoke the tpmtasks.dll or manage Secure Boot variables from WinPE, it does highlight the importance of having the necessary modules and tools available in your environment.

    Since you can check Secure Boot variables from WinPE with the appropriate modules installed, you may want to explore the following steps:

    1. Ensure Required Modules are Present: Verify that the PowerShell, Secure-Startup, and Secure-Storage modules are correctly installed in your WinPE environment. This will be crucial for managing Secure Boot variables.
    2. Using rundll32.exe: While invoking tpmtasks.dll using rundll32.exe is a potential approach, it is essential to ensure that the method you are attempting to call is designed to be invoked in this manner. Not all DLL functions can be called this way, and you may need to refer to the specific documentation or resources for tpmtasks.dll to confirm if this is feasible.
    3. Alternative Methods: If direct invocation does not work, consider looking for command-line tools or scripts that may facilitate the updating of Secure Boot variables from WinPE. This could include using PowerShell scripts that leverage the Secure-Startup module to interact with Secure Boot settings.
    4. Testing and Validation: After attempting to invoke the necessary functions, ensure to test the changes by rebooting the system and checking the Secure Boot status to confirm that the certificates have been updated successfully.

    Unfortunately, the context does not provide explicit instructions for executing these tasks in WinPE, and further research may be necessary to find detailed guidance on this specific use case.

