Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

TheVisitor · Jan 8, 2026

Here is what I got:

PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp\secureboot_test.ps1
HP HP Pavilion Desktop TP01-1xxx
F.54

The system is running in UEFI mode without CSM.
Secure Boot: ON and STANDARD (User) mode with factory/default keys.

PK = 1228 bytes
O=HP Inc., C=US, OU=CODE-SIGN, CN=HP UEFI Secure Boot PK 2017
Count: 1

KEK = 2790 bytes
O=HP Inc., C=US, OU=CODE-SIGN, CN=HP UEFI Secure Boot KEK 2017
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Count: 2

DB = 8868 bytes
O=HP Inc., C=US, OU=CODE-SIGN, CN=HP UEFI Secure Boot DB 2017
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
Count: 6

Genix · Jan 8, 2026

This is my screenshot.

I updated with "Mosby" as you can see.

Thierry 83200 · Jan 8, 2026

Hello, here is mine

kelper · Jan 8, 2026

Here is my output. I have an AMI BIOS. It only allows me to read or add keys if I delete all the keys first. I think I am up to date.

PS C:\Users\Martin\Downloads> powershell -nop -ep bypass -f SecureBoot_Test.ps1
AB8139 LX15PRO
CT_BI_AMI_LX15PRO_AB8139_A-004

The system is running in UEFI mode without CSM.
Secure Boot: ON and STANDARD (User) mode with factory/default keys.

PK = 859 bytes
CN=Oem Secure Boot PK
Count: 1

KEK = 3066 bytes
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Count: 2

DB = 5500 bytes
CN=Oem Secure Boot PK
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Count: 4

DBX = 3724 bytes
New-Object : Exception calling ".ctor" with "1" argument(s): "Cannot find the requested object.
"
At C:\Users\Martin\Downloads\SecureBoot_Test.ps1:140 char:38
+ ... atureData = New-Object Security.Cryptography.X509Certificates.X509Cer ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

Exception calling ".ctor" with "1" argument(s): "Cannot find the requested object.
"
At C:\Users\Martin\Downloads\SecureBoot_Test.ps1:174 char:13
+ throw $_.Exception.Message
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (Exception calli...sted object.
":String) [], RuntimeException
+ FullyQualifiedErrorId : Exception calling ".ctor" with "1" argument(s): "Cannot find the requested object.
"

neldog · Jan 8, 2026

garlin said:
Can I ask a favor of everyone who's gotten a failure running the update script?

Please run this short script, SecureBoot_Test.ps1

There is no "right" answer, as I'm trying to understand what's going on with different BIOS'es. If you have Secure Boot enabled, it should correctly determine if you're in Custom/Setup or Standard/User mode. Or let me know if your BIOS calls it a different name.

I have read other comments that sometimes Secure Boot as enabled/disabled is reported one way by Windows, but doesn't match the UEFI setting.
Thanks!

Mine, as requested - My System One
Edit: Oops, I did not get a failure, sorry.

nikki605 · Jan 8, 2026

garlin said:
Can I ask a favor of everyone who's gotten a failure running the update script?

Please run this short script, SecureBoot_Test.ps1

There is no "right" answer, as I'm trying to understand what's going on with different BIOS'es. If you have Secure Boot enabled, it should correctly determine if you're in Custom/Setup or Standard/User mode. Or let me know if your BIOS calls it a different name.

I have read other comments that sometimes Secure Boot as enabled/disabled is reported one way by Windows, but doesn't match the UEFI setting.
Thanks!

Here are the results from my 2 systems.

Lenovo T490 laptop:

Lenovo M83 desktop (Mosby):

Dirtyflash · Jan 8, 2026

Unsupported Lenovo device

Rollback_Jockey · Jan 8, 2026

TOSHIBA SATELLITE L50-C
5.30

The system is running in UEFI mode without CSM.
Secure Boot: OFF

PK = 1139 bytes
CN=Toshiba Corporation Platform Root 2012, O=Toshiba Corporation, L=Ome, S=Tokyo, C=JP
Count: 1

KEK = 2678 bytes
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Toshiba Corporation KEK CA 2012, O=Toshiba Corporation, L=Ome, S=Tokyo, C=JP
Count: 2

DB = 10454 bytes
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Toshiba Corporation Utility CA 2012, O=Toshiba Corporation, L=Ome, S=Tokyo, C=JP
CN=QCI_Shell
CN=Toshiba_QCI
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
Count: 8

DBX = 25043 bytes
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Count: 1

starchase · Jan 8, 2026

Just saw your post. Here's mine (though I should state I haven't had any failures):

Code:

PS C:\Users\thele> powershell -nop -ep bypass -f C:\temp\SecureBoot_Test.ps1
Hewlett-Packard HP Spectre x360 Convertible 13
F.54

The system is running in UEFI mode without CSM.
Secure Boot: ON and STANDARD (User) mode with factory/default keys.

PK = 838 bytes
CN=Mosby Generated PK [2025.12.17]
Count: 1

KEK = 3066 bytes
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
Count: 2

DB = 8454 bytes
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=MosbyKey [2025.12.17]
Count: 6

DBX = 20888 bytes
Count: 0

PS C:\Users\thele>

Fracer · Jan 8, 2026

garlin said:
Can I ask a favor of everyone who's gotten a failure running the update script?

Please run this short script, SecureBoot_Test.ps1

There is no "right" answer, as I'm trying to understand what's going on with different BIOS'es. If you have Secure Boot enabled, it should correctly determine if you're in Custom/Setup or Standard/User mode. Or let me know if your BIOS calls it a different name.

I have read other comments that sometimes Secure Boot as enabled/disabled is reported one way by Windows, but doesn't match the UEFI setting.
Thanks!

Previously posted 'SecureBoot_Test.ps1' results post (#174) was for a Lenovo M93p deskside.

Below are 2 new runs for an M83 & a M82.
---------------------------------------------------------------------------------
Lenovo M83 deskside.

LENOVO 10ALCTO1WW
FBKTE0AUS

The system is running in UEFI mode without CSM.
Secure Boot: ON and STANDARD (User) mode with factory/default keys.

PK = 862 bytes
CN=DO NOT TRUST - AMI Test PK
Count: 1

KEK = 3066 bytes
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
Count: 2

DB = 10307 bytes
CN=Trust - Lenovo Certificate
CN=Trust - Lenovo Certificate
CN=Lenovo UEFI CA 2014, O=Lenovo, S=North Carolina, C=US
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
Count: 8

DBX = 10816 bytes
Count: 0

---------------------------------------------------------------------------------
Lenovo M82 deskside.

LENOVO 2929AZ6
9SKT9CAUS

The system is running in UEFI mode without CSM.
Secure Boot: ON and STANDARD (User) mode with factory/default keys.

PK = 862 bytes
CN=Trust - Lenovo Certificate
Count: 1

KEK = 1560 bytes
CN=Microsoft Corporation KEK CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Count: 1

DB = 8498 bytes
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Trust - Lenovo Certificate
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
Count: 6

DBX = 20868 bytes
Count: 0

garlin · Jan 8, 2026

Thanks everyone. I think I have enough samples to review.

nikki605 · Jan 8, 2026

garlin said:
Thanks everyone. I think I have enough samples to review.

To be clear, I didn't have any failures on either of my 2 systems, like some others have posted. Just thought I'd give you some additional samples, but I don't want to confuse the issue further for you.

krzemien · Jan 14, 2026

Was supposed to chime in quite earlier - few weeks' back - but always had to postpone due to some other pending tasks.

First of all: Many thanks for your good job, @garlin.

Cut the long story short: was using others' (notably: GitHub - cjee21/Check-UEFISecureBootVariables: PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items.) scripts etc. for this affair and stumbled upon the situation, where - having cleared all TPM-WMI errors and seeing only successful completion of these within Event Viewer (notably: 1034 & 1088 only eventually at some stage), I then suddenly started seeing 1796 (1796 Error The Secure Boot update failed to update SBAT with error Unknown HResult Error code: 0x800700c1...) since the deployment of 2025 Dec CU (KB5072033).

Basically, since that CU has been installed, I started seeing a tandem of these two notifications upon each start-up:

Code:

(...)

11/12/2025 07:36:35            1796 Error            The Secure Boot update failed to update SBAT with error Unknown HResult Error code: 0x800700c1. For more information, please see....

11/12/2025 07:36:35            1808 Information      This device has updated Secure Boot CA/keys. This device signature information is included here....

(...)

which I found rather boring.

I then started nosing around and eventually stumbled upon this thread - and having read it, decided to give it a go - with the following result (NB screenshot is an example from another post above in the thread), the rest of the stuff above was deemed fine:

And on the 02/01 have run the script mentioned by @Aramil in this post.

That has put error 1796 back to sleep, and the outcome was:

Code:

    Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

But only up until today, when I decided to install Jan 2026 CU (KB5074109). That has resulted with this outcome:

Code:

(...)
14/01/2026 10:34:13            1796 Error            The Secure Boot update failed to update SBAT with error Unknown HResult Error code: 0x800700c1. For more information, please see https://go.micros...

14/01/2026 10:34:13            1034 Information      Secure Boot Dbx update applied successfully
(...)

And having run your script (Check_UEFI-CA2023.ps1 - VERSION 2025.12.31) once again, I'm now m getting 'all clear' and 'no action needed' this time regarding the latter...

I shall re-run the script from Aramil again and report back shortly, however was wondering - if this doesn't yield any positive results - if there's anything else I shall do?

EDITED TO ADD: can actually now see that SKUSiPolicy.P7b under C:\Windows\System32\SecureBootUpdates has actually been updated, so there's that:

EDITED TO ADD #2: Once script has been run, and PC restarted, there's no change unfortunately, 1796/1808 tandem remains in place.

Aramil · Jan 14, 2026

@krzemien, Just checked, I see

Event ID 1808, confirming Bios has updated ca/keys
Event ID 1034 Dbx update applied successfully.

But as Info and not errors, a check and Update was run on reboot after CU install,
EventIDs 1041 & 1038 are the checks and a log file created about states (path to log in 1038 description) and seems to be run every boot to check state.

but all as info for me, can confirm P7b seems to be new, might not have changed from one installed (not checked).

garlin · Jan 14, 2026

MS released a new version of SKUSiPolicy.P7b today in (KB5074109):

Code:

5068861.csv:SKUSiPolicy.P7b,Not versioned,8-Nov-25,10:33,"6,544"
5068861.csv:SKUSiPolicy.P7b,Not versioned,8-Nov-25,10:41,"6,544"
5072033.csv:"SKUSiPolicy.P7b","Not versioned","06-Dec-2025","16:57","6,544"
5072033.csv:"SKUSiPolicy.P7b","Not versioned","06-Dec-2025","15:53","6,544"
5074109.csv:"SKUSiPolicy.P7b","Not versioned","09-Jan-2026","09:57","6,776"
5074109.csv:"SKUSiPolicy.P7b","Not versioned","09-Jan-2026","09:16","6,776"

For every Monthly Update, the W11 Update History page provides a CSV file of every month's file contents. You can do a string search to confirm if the file sizes have changed.

The current script should be reporting when the EFI copy doesn't match the Windows Update version.

man00 · Jan 14, 2026

Here's mine, can't make head or tails out it

garlin · Jan 14, 2026

That one's not my script. I wrote a different because the cjee21 script's output is harder to read.

Scott · Jan 15, 2026

garlin said:
The current script should be reporting when the EFI copy doesn't match the Windows Update version.

That it did.

I had one dated yesterday.

I used the copy code in post #69

garlin · Jan 15, 2026

Scott said:
I used the copy code in post #69

You can do that, but the current Update script also has a handy option to copy the same file.

Code:

Update_UEFI-CA2023.ps1 -SkuSiPolicy

krzemien · Jan 15, 2026

garlin said:
[cut]
The current script should be reporting when the EFI copy doesn't match the Windows Update version.

I did use the previous version of your script unfortunately, and only downloaded latter (latest) version once I moved these files manually myself.

Will keep an eye on this 1796 event as I'm just not keen in seeing it...

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer

Member

Attachments

My Computer

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

New member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Active member

My Computer