This article provides step-by-step instructions for manually updating the Microsoft CA 2023 certificates through Windows on Elo All-in-One systems with Intel-based hardware.
⚠️ Important Notice: This process should work for all Intel models; however, it has been validated on EloPOS, EloPOS Pack, and PayPoint for Windows devices. These steps were performed on an EloPOS with Intel System. BIOS layout and terminology may differ on non‑EloPOS systems.
❗ Important: If Secure Boot is enabled, please refer to this MS link for Windows to update the 4 security keys remotely.
EloPOS Microsoft CA 2023 Certificate Update Guide
Following these steps ensures your device remains compliant and secure.
Step 1: Enter BIOS and Set Secure Boot to Setup Mode
⚠️ Warning: Changing BIOS settings incorrectly can prevent your system from booting. Proceed carefully and follow the steps exactly as documented.
- Restart your system and press Del during startup to enter the BIOS setup utility.
- Navigate to the Security tab → Secure Boot Menu.
- Set these values:
  - Secure Boot: Disabled
  - Secure Boot Mode: Custom
- Select Reset To Setup Mode.
- When prompted, confirm:
  "Deleting all variables will reset the system to Setup Mode. Do you want to proceed?"
- Ensure BIOS settings match the below:
- Save changes and exit BIOS (F10).
Step 2: Import the Certificate Using PowerShell
💡 Note: You must run PowerShell as Administrator to execute the required Secure Boot commands.
- After Windows loads, open PowerShell as Administrator:
  - Search "PowerShell" in the Start Menu
  - Right-click and select Run as Administrator
- Download and extract ELO_Key_Update.zip into a folder (e.g., D:\ELO_Key_Update).
- Navigate to that folder:
  cd D:\ELO_Key_Update
- Verify that the system is in Setup Mode:
  Get-SecureBootUEFI -Name SetupMode
  The output should show 1.
- If Setup Mode is active, enter the following commands in order:
  $CurrentTime = (Get-Date).ToString("yyyy-MM-ddTHH:mm:ssZ")
  Set-SecureBootUEFI -Name KEK -Content (Get-Content "KEK_SigList.bin" -Raw -Encoding Byte) -Time $CurrentTime
  Set-SecureBootUEFI -Name DB -Content (Get-Content "DB_SigList.bin" -Raw -Encoding Byte) -Time $CurrentTime
  Set-SecureBootUEFI -Name DBX -Content (Get-Content "DBX_Content.bin" -Raw -Encoding Byte) -Time $CurrentTime
  Set-SecureBootUEFI -Name PK -ContentFilePath PK.sig -SignedFilePath PK.ser.p7 -Time $CurrentTime
- Ensure all commands execute successfully without errors.
- The above screen shows the sequential execution of all commands, including Get-SecureBootUEFI -Name SetupMode output of 1 (SetupMode 1), and successful output after each Set-SecureBootUEFI command.
⚠️ Important: Do not restart or power off the system during script execution. Wait until all commands complete successfully.
Step 3: Verification
Use these commands to verify that all Microsoft certificates have been correctly applied. Each command should return True:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Option ROM UEFI CA 2023'
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
✅ Success: If all results show True, your certificate update is complete.
Additional Notes
- Only use official files from the ELO_Key_Update package.
- If any command fails, double-check file paths and spelling.
- If your system fails to boot after the update, contact Elo Support for assistance.
Next Steps: After confirming certificate updates, re-enable Secure Boot in BIOS to ensure continued protection.
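For a closer look than the Step 3 string matches give, the following added example (not part of Elo's instructions or the ELO_Key_Update package) parses the EFI_SIGNATURE_LIST structures stored in db and KEK and lists each X.509 certificate's subject, expiry date and thumbprint. The function name Get-SecureBootCertificate is a hypothetical helper; the structure layout and the EFI_CERT_X509_GUID value are taken from the UEFI specification, and the script assumes an elevated Windows PowerShell session.

```powershell
# Added example (not Elo's code): list the X.509 certificates in a Secure Boot
# variable by walking its EFI_SIGNATURE_LIST entries (layout per the UEFI spec).
# Get-SecureBootCertificate is a hypothetical helper name.
function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $x509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes) + three little-endian UINT32s
        $type       = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed signature list at offset $offset"
        }
        if ($type -eq $x509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $headerSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate
                $der  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize   # non-X.509 lists (e.g. hash lists) are skipped
    }
}

# Enumerate the certificates actually enrolled in db and KEK.
foreach ($name in 'db', 'KEK') {
    Get-SecureBootCertificate -Bytes (Get-SecureBootUEFI -Name $name).Bytes |
        Select-Object @{n = 'Variable'; e = { $name }}, Subject, NotAfter, Thumbprint
}
```

The four 2023 certificate names checked in Step 3 should appear in the Subject column, three under db and one under KEK.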