Articles on: ggRock

🔐 Secure Boot Configuration Guide

This guide will walk you through installing the Microsoft and ggCircuit Secure Boot certificates into your system’s UEFI keystores. Let’s get your system ready for Secure Boot in just a few steps!



NEW:Try the “Easy Mode” flash drive method!https://ggcircuit.atlassian.net/wiki/x/Qwvy



🛠️ Step 1: Prepare Your Flash Drive


  1. Download and extract its contents to the root directory of any USB flash drive.
  2. For convenience, name the drive something memorable like ggDrive or KEYTOOL.


✅ Your flash drive should look like this when ready:


G:\>dir /S
Volume in drive G is ggDrive
Volume Serial Number is GGCI-RCUIT
Directory of G:\
08/20/2024 06:50 PM EFI
08/20/2024 06:42 PM 2,056 GG.auth
08/20/2024 06:42 PM 781 GG.cer
08/20/2024 06:42 PM 1,462 MicCorKEK2KCA2023.cer
08/20/2024 06:42 PM 1,462 MicCorUEFCA2011\_2011-06-27.cer
08/20/2024 06:42 PM 1,462 microsoft uefi ca 2023.cer
08/20/2024 06:42 PM 1,454 MicWinUEFICA2023.cer
08/20/2024 06:42 PM 1,499 MS\_CA\_2011.cer
08/20/2024 06:42 PM 1,516 MS\_KEK\_2011.cer
6 File(s) 8,768 bytes
Directory of G:\EFI
08/20/2024 06:50 PM .
08/20/2024 06:50 PM ..
08/20/2024 06:42 PM BOOT
0 File(s) 0 bytes
Directory of G:\EFI\BOOT
08/20/2024 06:50 PM .
08/20/2024 06:50 PM ..
08/20/2024 06:42 PM 136,192 BOOTX64.efi
1 File(s) 136,192 bytes
Total Files Listed:
7 File(s) 144,960 bytes
6 Dir(s) 1,435,224,072,192 bytes free
G:\>



🔑 Step 2: Install the Certificates


1. Enter BIOS Setup


  • Plug the flash drive into the target computer.
  • Boot into BIOS (commonly by pressing F2, Del, or ESC at startup).
  • Put the platform into Setup Mode:


  • This usually involves deleting the Platform Key (PK) or clearing all Secure Boot keys.



2. Boot from the Flash Drive


  • Use the Boot Menu (typically F8, F12, or ESC) to boot from the USB drive.
  • This will launch KeyTool.efi.



3. Use KeyTool to Add Keys


➕ Key Exchange Key Database (KEK)


  • Select “Edit Keys” > “The Key Exchange Key Database (KEK)” > “Add New Key”



  • Add the following certificates:


  • GG.cer
  • MicCorKEK2KCA2023.cer
  • MS_KEK_2011.cer



➕ Allowed Signatures Database (db)


  • Select “The Allowed Signatures Database (db)” > “Add New Key”



  • Add these certificates:


  • MicWinUEFICA2023.cer
  • MS_CA_2011.cer
  • MicCorUEFCA2011_2011-06-27.cer
  • microsoft uefi ca 2023.cer
  • GG.cer



🔁 Platform Key (PK)


  • Select “The Platform Key (PK)” > “Replace Key(s)”



  • Choose: GG.auth




🧩 Step 3: Final BIOS Setup


  1. Press CTRL + ALT + DEL to reboot.
  2. Remove the USB drive.
  3. Enter BIOS again.
  4. Go to Boot Options.
  5. Enable Secure Boot (some systems label it “Windows UEFI Mode”).


⚠️ On some systems, Secure Boot is auto-enabled after installing the Platform Key. If not, enable it manually here.


  1. Save changes and exit BIOS.



✅ Confirmation


Once you're booted into Windows:


  • Run msinfo32.exe


  • Ensure BIOS Mode = UEFI
  • Secure Boot State = On



  • Or, run this PowerShell command:


  Confirm-SecureBootUEFI


If it returns True, Secure Boot is successfully enabled 🎉


Updated on: 10/12/2025

Was this article helpful?

Share your feedback

Cancel

Thank you!