Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

garlin · 2026-06-02T18:30:58-0400

gunrunnerjohn said:
I not only remember teletypes, I created a little program in the 1980's to use a Radio Shack TRS-80 Model 100 tablet to replace the old Teletype Model 28 wall mount units for query terminals on the floor of the NYSE.

Two of my friends worked for Quotron (back when Citibank bought it). I got to visit their headquarters in LA. Everyone including their programmers had to wear a tie. That was before Bloomberg crushed them with a normal user terminal.

garlin · 2026-06-02T18:35:59-0400

Phirevixen said:
I just realized that and turned it back on. Never mind, sorry!

Don't feel bad. How is the user supposed to know?
If you hide the Secure Boot settings when it's disabled, nobody will be prompted to turn it on!!

Bozdrick · 2026-06-02T22:41:50-0400

Finally, the dreaded BIOS update was successfully completed in the easiest way possible, thanks to the Garlin's SecureBoot-CA-2023-Updates.v2026.05.27 file. After putting the BIOS into setup mode by deleting all existing keys, I ran Update-UEFI.bat, restarted, and successfully re-enabled SecureBoot. Windows Security confirmed that all required certificates were successfully updated. Before running Update-UEFI.bat and restarting, I downloaded and installed three certificates from Microsoft's website (Keys Required for Secure Boot on all PCs):
- microsoft corporation kek 2k ca 2023.crt
- windows oem devices pk.cer
- windows uefi ca 2023.crt
(learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#15-keys-required-for-secure-boot-on-all-pcs)
The only thing I want to ask about is the Check-UEFI.bat report, which shows that UEFI DBX Certs = (NONE).
Also, SkuSiPolicy.p7b (for VBS) is MISSING.
Will Windows then automatically update the DBX? And adding SkuSiPolicy.p7b?

By the way, I left Custom Mode Enabled in Expert Key Management to prevent the BIOS from erasing the new keys and reactivating Dell's silly system.

Can the BIOS automatically erase the new certificates?

-----------
UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING.

garlin · 2026-06-02T23:22:03-0400

Bozdrick said:
Finally, the dreaded BIOS update was successfully completed in the easiest way possible, thanks to the Garlin's SecureBoot-CA-2023-Updates.v2026.05.27 file. After putting the BIOS into setup mode by deleting all existing keys, I ran Update-UEFI.bat, restarted, and successfully re-enabled SecureBoot. Windows Security confirmed that all required certificates were successfully updated. Before running Update-UEFI.bat and restarting, I downloaded and installed three certificates from Microsoft's website (Keys Required for Secure Boot on all PCs):
- microsoft corporation kek 2k ca 2023.crt
- windows oem devices pk.cer
- windows uefi ca 2023.crt

When you delete all existing keys, the script downloads the Windows OEM Devices certs from the MS GitHub.

The Windows OEM Devices certs are encoded in a post-signed format, for direct application to the blank UEFI variables. Each .bin file can combine multiple certs in a single file. For example, the KEK .bin file contains both KEK CA 2011 & KEK CA 2023. The DB .bin file contains all 5 certs.

Pre-signed certs are provided in .crt, .cer, or .der file formats. Those can't be scripted unless you own the UEFI's Platform Key to cross-sign them, and are intended for manual enrollment using the BIOS setup screens. Two different methods of adding a cert.

Bozdrick said:
The only thing I want to ask about is the Check-UEFI.bat report, which shows that UEFI DBX Certs = (NONE).
Also, SkuSiPolicy.p7b (for VBS) is MISSING.
Will Windows then automatically update the DBX? And adding SkuSiPolicy.p7b?

By default, the update script doesn't enforce CA 2011 revocation. Not everyone wants that done immediately. Some users prefer to wait.
There is no announced timeline for when Windows will force a mandatory revocation.

You can perform revocation using the -Revoke option:

Code:

Update-UEFI -Revoke

When Virtualization Based Security (VBS) is enabled, MS recommends using a SkuSiPolicy for additional security. But in some cases, SkuSipolicy can prevent a dual-boot Windows from working (where the other Windows is an Insider build), or block a WinRE-based bootable drive.

There is a version check on winload.efi used for booting, which is unrelated to the Secure Boot check on Windows boot manager. Because enough users have encountered issues with SkuSiPolicy enforcement, the update script doesn't automatically push the file. YMMV.

Code:

Update-UEFI -Revoke
Update-UEFI -Revoke -SkuSiPolicy

Bozdrick said:
Can the BIOS automatically erase the new certificates?

Generally no. But technically yes.

In the best possible world, your BIOS would have the CA 2023 certs included as factory defaults. If something were to reset the NVRAM variables, then you would have to repeat the same update steps. Assuming you have an unsupported PC, there aren't any BIOS updates in the future.

But you might need to reset the UEFI or BIOS to clear some weird HW glitch, or your CMOS battery dies. Just save a copy of your update notes so you can repeat the process. It's easier the next time, since you know the BIOS menu layout.

grafcable · 2026-06-03T00:55:02-0400

Hi I have Dell XPS 8930 and I can't update KEK. Spent 4 hours and nothing works. Any help would be greatly appreciated

garlin · 2026-06-03T01:29:45-0400

grafcable said:
Hi I have Dell XPS 8930 and I can't update KEK. Spent 4 hours and nothing works. Any help would be greatly appreciated

Same suggestion as post #2063, read this thread from someone who updated their 8930.
How to check if your Secure Boot certs are updated. (three methods)

acer54 · 2026-06-03T06:01:34-0400

garlin said:
1. Confirm BitLocker is not enabled on system drive, and you're not using Windows Hello PIN for logon. Disable both of them if enabled.

2. Enter the BIOS. Create an Admin or Supervisor password to unlock the additional Secure Boot menus. Your screens might look like this example:
In acer nitro 5 AN515-57 how to change Secure boot mode enable (on windows) - Acer Community

3. Disable Secure Boot mode.

4. Change from Standard Mode to Custom Mode.

5. Erase All Secure Boot Settings.

6. Restart Windows. Run the update script, and copy/paste the check script's output.

Code:

Update-UEFI.bat Check-UEFI-bat -Verbose

Entered the Bios and created supervisor password, this unlocked some secure boot settings (delete keys etc.) but I am still not able to change secure boot from standard to custom mode.

mx101 · 2026-06-03T06:22:36-0400

acer54 said:
Entered the Bios and created supervisor password, this unlocked some secure boot settings (delete keys etc.) but I am still not able to change secure boot from standard to custom mode.

You can only update the certificates by updating the BIOS.

So forget the scripts updating. You need a BIOS update.

I also have an Acer Nitro, and I’m not on the acer update list, I have to wait, but it looks like there won’t be any BIOS updates for my Acer Nitro 5.

And if there aren't any BIOS updates, that's not a big deal either; the PC works just fine. I had Secure Boot disabled for a few years and never had any problems. :)

JagoWu · 2026-06-03T06:52:08-0400

Is it possible to use the scripts tomorrow to update machines or is it too late?

NormanF · 2026-06-03T07:22:58-0400

Its possible. If you want to verify the 2023 secure boot certificates are installed and present, the secure boot tab of O&O Shutup 10 Free will display them

garlin · 2026-06-03T10:09:20-0400

JagoWu said:
Is it possible to use the scripts tomorrow to update machines or is it too late?

There is no immediate deadline, except that the PCA 2011 cert expires in October. Once that happens, MS cannot release a new boot manager (after fixing a security hole) with the CA 2011 cert. It must be signed by a valid CA 2023 cert.

You have from now to the end of September to update machines. In the upcoming months, MS will probably add more Windows features to constantly remind you to update certs. But you have enough time.

garlin · 2026-06-03T10:15:40-0400

mx101 said:
You can only update the certificates by updating the BIOS.

So forget the scripts updating. You need a BIOS update.

This depends on your exact BIOS. When you have a supported PC, the Secure Boot task or a script can handle updates.

Some BIOS'es support manual enrollment of keys. Only the KEK CA 2023 needs to be enrolled from BIOS. The rest can be scripted.
Some BIOS'es support deleting all keys, and allowing replacements. You perform this once, and the rest can be scripted.

A few PC's claim to support the above, but have firmware bugs which prevent the installed keys from working. Those tend to be rare. We've had a number of older Acers updated in this thread. It depends on the model (how old the BIOS is).

garlin · 2026-06-03T10:16:14-0400

acer54 said:
Entered the Bios and created supervisor password, this unlocked some secure boot settings (delete keys etc.) but I am still not able to change secure boot from standard to custom mode.

Does deleting all keys change the mode for you?

acer54 · 2026-06-03T11:09:02-0400

garlin said:
Does deleting all keys change the mode for you?

I didn't delete the keys at this stage, I didn't want to get into non boot situation, what's the worst that can happen if I delete them and whats the way forward after deletion?

garlin · 2026-06-03T11:17:00-0400

If you delete them and it doesn't work, you can always reset back to factory defaults. Secure Boot mode should be disabled when doing the update, so it doesn't matter which version of the boot manager is currently installed (no enforcement).

After you delete all keys, restart Windows and run the update script again.

mx101 · 2026-06-03T11:44:50-0400

garlin said:
This depends on your exact BIOS. When you have a supported PC, the Secure Boot task or a script can handle updates.

Some BIOS'es support manual enrollment of keys. Only the KEK CA 2023 needs to be enrolled from BIOS. The rest can be scripted.
Some BIOS'es support deleting all keys, and allowing replacements. You perform this once, and the rest can be scripted.

A few PC's claim to support the above, but have firmware bugs which prevent the installed keys from working. Those tend to be rare. We've had a number of older Acers updated in this thread. It depends on the model (how old the BIOS is).

I was talking about my BIOS, which is exactly like the one on the @acer54 ; this type of BIOS can only update the certificates through BIOS update.

The BIOS is locked you only can update the certificates through a BIOS update.

None of the scripts work on this type of BIOS.

The BIOS update can be downloaded through Windows Update or from Acer site if available.

DarkShadowMD · 2026-06-03T14:30:43-0400

In my experience, BIOSes manufactured from 2018 onwards use a different mechanism for erasing Secure Boot keys, than to reset or set default BIOS settings, than to set default TPM settings.

Nowadays, all these three are reset separately via their respective reset option/button, so even if your BIOS is reset due to lack of power, you won't lose your secure boot keys, not TPM settings. This is very true with HP BIOS, my laptop for example can only reset keys if you explicitly do so, if you take off your battery and the BIOS is reset, the keys are still there and all Secure Boot Settings, nothing gets reset, same with TPM, except for the usual, fan, keyboard or battery settings you usually change.

DarkShadowMD · 2026-06-03T14:33:15-0400

mx101 said:
I was talking about my BIOS, which is exactly like the one on the @acer54 ; this type of BIOS can only update the certificates through BIOS update.

The BIOS is locked you only can update the certificates through a BIOS update.

None of the scripts work on this type of BIOS.

The BIOS update can be downloaded through Windows Update or from Acer site if available.

I had an Acer a while ago... if your BIOS is locked with a supervisor password, you can unlock it, there are sites that have the default unlock keys to access BIOS settings... there's also the Fn + Tab + Power combo that unlocks the advanced settings of Acer BIOSes, if you are able to enter your advanced settings, you can definitely use the script. Still you need an updated BIOS to have the default certs installed.

I haven't tried with my E5-553... but I wouldn't do it, because that laptop is unsupported, and Windows runs so poorly I'm better off letting Kubuntu do its job on it lol.

gunrunnerjohn · 2026-06-03T16:42:02-0400

DarkShadowMD said:
In my experience, BIOSes manufactured from 2018 onwards use a different mechanism for erasing Secure Boot keys, than to reset or set default BIOS settings, than to set default TPM settings.

Nowadays, all these three are reset separately via their respective reset option/button, so even if your BIOS is reset due to lack of power, you won't lose your secure boot keys, not TPM settings. This is very true with HP BIOS, my laptop for example can only reset keys if you explicitly do so, if you take off your battery and the BIOS is reset, the keys are still there and all Secure Boot Settings, nothing gets reset, same with TPM, except for the usual, fan, keyboard or battery settings you usually change.

Au Contraire! I have an HP ENVY desktop that I just loaded Windows 11 on and configured for Secure Boot with the @garlin scripts with a 2014 AMI BIOS, and there was a convenient setting to nuke everything and start from scratch. This model doesn't have TPM2, but I just used Rufus to bypass that requirement. I did several updates to the current Win11 Pro version with no issues at all. It reused the license from the Win10 Pro it was running before, so I didn't have to do anything about licensing.

Bozdrick · 2026-06-03T18:55:28-0400

Yesterday, using the Hasleo EasyUEFI program, I noticed that a folder called Certs was added to the UEFI system partition (ESP). Inside this folder is the WindowsOEMDevicesPK.der certificate. This folder was added when the BIOS certificates were updated to 2023.

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer

Well-known member

My Computer

Member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Peaceful Citizen

My Computers

Peaceful Citizen

My Computers

Well-known member

My Computers

Member

Attachments

My Computer