resolve PKfail and deploy the 2023 Microsoft UEFI CAs (KB5025885)
check whether the machine is affected by PKfail (firmware shipped with the leaked AMI test Platform Key, whose subject contains "DO NOT TRUST" / "DO NOT SHIP"). in an elevated powershell this should return False:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI PK).bytes) -match "DO NOT TRUST|DO NOT SHIP"
if it returns True, follow these steps.
step 0: install the July 2024 or later Windows cumulative update. if BitLocker is on, back up the recovery key, or suspend BitLocker for the reboots below (RebootCount 0 keeps it suspended until you run Resume-BitLocker; otherwise set the count to the number of reboots you expect):
Suspend-BitLocker -MountPoint "C:" -RebootCount 0
step 1: download edk2-x64-secureboot-binaries.zip from https://github.com/microsoft/secureboot_objects and extract the *.bin files to the EFI system partition (FAT32, so firmware setup can read them).
step 2:
reboot into firmware setup
(WARNING: this erases all existing PK/KEK/db/dbx entries; if the import fails the machine may not boot with secure boot on)
under secure boot, clear the keys / enter setup mode
import PK, KEK and db from the extracted files. dbx is optional here, but importing it restores the published revocation list. save and reboot.
after the import, re-enable secure boot (enrolling a PK takes the firmware out of setup mode).
step 3: mount the EFI partition again if it is no longer mounted, then install the new 2023-signed boot manager with bcdboot /bootex (/offline). securebootrecovery.efi should then appear under \EFI\Microsoft\Boot.
step 4: add Windows Production PCA 2011 to dbx. do this only after steps 2 and 3: db must trust Windows UEFI CA 2023 and the installed boot manager must be signed under it, otherwise the machine will not boot. then reboot 2 times (the Secure-Boot-Update scheduled task applies the pending update after the first reboot).
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
(the SVN update is optional: set AvailableUpdates to 0x200 and reboot 2 times again)
final check (should be True):
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'
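as an added example (not part of the note above, and not Microsoft's own tooling), a powershell pre-flight script that bundles the checks worth running before and after step 4: PKfail state, whether db already trusts the 2023 CAs, whether the installed boot manager is signed under Windows UEFI CA 2023, whether securebootrecovery.efi is present, and whether PCA 2011 is already in dbx. it writes AvailableUpdates only when run with -Apply and only when the preconditions hold. assumptions: elevated powershell on a UEFI machine, drive letter S: is free to use as a temporary mount point for the EFI system partition, and the scheduled task name \Microsoft\Windows\PI\Secure-Boot-Update is the one KB5025885 documents.

```powershell
# Added example: pre-flight checks for the 0x80 (revoke PCA 2011) step. Not from the note above.
# Assumptions: elevated PowerShell, Secure Boot firmware, S: free for a temporary ESP mount.
# Without -Apply the script only reports; with -Apply it sets AvailableUpdates=0x80 when safe.
param([switch]$Apply)

$ErrorActionPreference = 'Stop'

function Get-UefiVarText([string]$Name) {
    # Secure Boot variables are binary EFI_SIGNATURE_LISTs; certificate subjects survive as
    # ASCII substrings, which is what the KB5025885 one-liners rely on. "" if the variable is absent.
    try { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { "" }
}

if (-not (Confirm-SecureBootUEFI)) { throw "Secure Boot is not enabled; fix firmware settings first." }

# 1. PKfail: the leaked AMI test Platform Key carries "DO NOT TRUST" / "DO NOT SHIP" in its subject.
$pkFail = (Get-UefiVarText 'PK') -match 'DO NOT TRUST|DO NOT SHIP'

# 2. db must already trust the 2023 CAs, otherwise a 2023-signed boot manager is rejected.
$dbText        = Get-UefiVarText 'db'
$dbHas2023Win  = $dbText -match 'Windows UEFI CA 2023'
$dbHas2023Uefi = $dbText -match 'Microsoft UEFI CA 2023'

# 3. dbx: has PCA 2011 already been revoked? (same check as the final check in the note)
$pca2011Revoked = (Get-UefiVarText 'dbx') -match 'Microsoft Windows Production PCA 2011'

# 4. The installed boot manager must be signed under Windows UEFI CA 2023 before PCA 2011
#    goes into dbx, or the firmware refuses to load it on the next boot. bootmgfw.efi is a PE
#    file, so Get-AuthenticodeSignature can read its signer; the issuer names the CA.
$esp = 'S:'
mountvol $esp /S | Out-Null          # mount the EFI system partition (assumed free letter)
try {
    $bootmgr = Join-Path $esp 'EFI\Microsoft\Boot\bootmgfw.efi'
    $issuer  = (Get-AuthenticodeSignature -FilePath $bootmgr).SignerCertificate.Issuer
    $bootmgr2023     = $issuer -match 'Windows UEFI CA 2023'
    $recoveryPresent = Test-Path (Join-Path $esp 'EFI\Microsoft\Boot\securebootrecovery.efi')
} finally {
    mountvol $esp /D | Out-Null      # always unmount, even if the signature read failed
}

[pscustomobject]@{
    PKfail                 = $pkFail
    DbHasWindowsUefiCa2023 = $dbHas2023Win
    DbHasMsUefiCa2023      = $dbHas2023Uefi
    BootmgrIssuer          = $issuer
    BootmgrSigned2023      = $bootmgr2023
    SecureBootRecoveryEfi  = $recoveryPresent
    PCA2011InDbx           = $pca2011Revoked
} | Format-List

$safeToRevoke = (-not $pkFail) -and $dbHas2023Win -and $bootmgr2023
if ($pca2011Revoked) {
    Write-Host "PCA 2011 is already in dbx; nothing to do."
} elseif (-not $safeToRevoke) {
    Write-Warning "Not safe to set AvailableUpdates=0x80 yet: fix the items reported False above first."
} elseif ($Apply) {
    # Same write as 'reg add ... /v AvailableUpdates /t REG_DWORD /d 0x80 /f' in the note above.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    Set-ItemProperty -Path $key -Name AvailableUpdates -Value 0x80 -Type DWord
    Write-Host "AvailableUpdates=0x80 set. Reboot; the \Microsoft\Windows\PI\Secure-Boot-Update task applies it"
    Write-Host "(or run Start-ScheduledTask on it). Re-run this script afterwards: PCA2011InDbx should be True."
} else {
    Write-Host "Preconditions met. Re-run with -Apply to set AvailableUpdates=0x80."
}
```

run it once after step 3 (everything should be True except PCA2011InDbx), again with -Apply, and once more after the two reboots of step 4 to confirm PCA2011InDbx is True. the mount/unmount pair is wrapped in try/finally so a failed signature read never leaves the ESP mapped to S:.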