Add option to install the Microsoft Windows Production PCA 2011 inv…

…alidation DBX update * Note: you should only use the -x if you know what you are doing. Especially, please be aware that the installation of the new 'Windows UEFI CA 2023' signed UEFI bootloaders from KB5025885 can only be applied with Secure Boot turned on, which means that, if you reinstall Windows from scratch, using current official boot media, and hope to get the new bootloaders installed while Secure Boot is turned off, you will *NOT* be able to do so and will have to go through a full `Microsoft Windows Production PCA 2011` DB cert reinstallation (and removal of the matching DBX entry), so that you can install the new signed bootloaders, so that you can remove PCA 2011 yet again...
pbatard · Sep 30, 2024 · bde307b · bde307b
1 parent 140f5d8
commit bde307b
Show file tree

Hide file tree

Showing 5 changed files with 488 additions and 28 deletions.
diff --git a/README.md b/README.md
@@ -116,6 +116,9 @@ variable to the data you want to install for it.
 * `-u`: Update only: Only update the revocation databases, SBAT, and SSPV/SSPU as needed.
 * `-t`: Test mode. Disables some checks and wnables the internal **low security** Random
         Number Generator, if no other Random Number Generator can be found.
+* `-x`: Install the Microsoft update that invalidates `Microsoft Windows Production PCA 2011`.
+        You should only use this if you know what you are doing, as you you may not be able
+        to boot or reinstall Windows otherwise. **You have been warned!**
 
 You can also point to files using the `-pk`, `-kek`, `-db`, `-dbx`, `-mok`, `-dbt`, `-sbat`,
 `-sspv` and `-sspu` parameters.