If you’ve cleared your secureboot keys in your UEFI setup and your motherboard firmware hasn’t been updated with the latest secureboot keys from Microsoft you may find your system is unable to boot to windows if you install the default secure boot keys in UEFI setup. The easiest solution to this problem is clear the secure boot keys so SecureBoot goes into setup mode and reinstall the same version of windows into a blank partition as windows setup should automatically install the correct keys.
However reinstalling windows is overkill and unnecessary as you can install the latest keys manually in only a few minutes. Microsoft has made available on github the latest updated secureboot keys and a script to install them. This guide will instruct on how to get and use them.
Before manually installing updated scureboot keys go into your UEFI setup, Make sure secureboot is enabled, and then clear the secureboot keys if you already have keys installed, putting Secure Boot into setup mode. Windows will boot when Secureboot is in setup mode, which is what we need to install updated keys. If Windows wont boot for you when Secure Boot is in Setup mode, this guide is not for you, something else is wrong.
Once in Windows, you need to download the latest edk2-x64-secureboot-binaries.zip file from https://github.com/microsoft/secureboot_objects/releases At the time of writing this guide (January 2026) the latest was v1.6.2 and was the version i used. Note the signed releases do not have the needed file you can only find it in the non signed releases. Extract the zip file into a new directory Once you have that file you need to download a powershell script from the secureboot_objects source tree https://github.com/microsoft/secureboot_objects/blob/v1.6.2/scripts/windows/InstallSecureBootKeys.ps1 Note you can’t download this file directly in a browser you need to view the link and then press the download raw file button or choose the download option in the overflow menu in the top right of the page. Download the file to the directory you extracted the zip file into
Once the powershell script is downloaded you’re now ready to install the keys. Start Powershell as an administrator and change to the directory you extracted the file and downloaded the script to. Run the following poweshell command to enable script execution for this session
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope ProcessNow you can run the script and install the keys with the following command
.\InstallSecureBootKeys.ps1 MicrosoftAndThirdParty\Firmware\
If everything was done correctly you should see powershell output like the following:
The secure boot keys have been installed and you can now restart your computer. Installing the keys automatically switches SecureBoot into User mode and nothing else needs to be done. Windows should boot normally now with SecureBoot now fully enabled with the latest keys. You should not need to do this again unless you clear the keys as Windows is supposed to keep the Keys updated