Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Did you install the May 2026 Preview Update? There is no longer \SecureBoot\SBAT in my registry :unsure:
On an HP laptop I recently bought, it doesn't show \SecureBoot\SBAT in the registry either. The system has the May 26 preview update. After I got this laptop, it got the latest BIOS update from HP. Apparently the system has the required CA 2023 certs. My other 2 systems have the latest preview update and both have \SecureBoot\SBAT in the registry. Strange?
 

I downloaded #2157, and it doesn't have the "foreach |...|"

The "working" version you keep bringing up has a bug. Get-ItemPropertyValue doesn't correctly support "-ErrorAction SilentlyContinue". You can Google that topic; it will silently fail in the wrong way.
 

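Added example (my code, not garlin's script or anything posted in this thread) of reading the Secure Boot servicing values the way the post above argues for: Get-ItemProperty plus a property lookup instead of Get-ItemPropertyValue -ErrorAction SilentlyContinue, so a missing key or a missing value name yields a default instead of an unhandled error. The value names are the ones quoted in the script output later in this thread; the key path is the Secure Boot servicing key as I know it from Microsoft's documentation, so treat it as an assumption to confirm on your own build.

```powershell
# Added example, not part of the scripts discussed in this thread.
# Assumption: this is the Secure Boot servicing key; verify the path on your build.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

# Fragile form the thread warns about: a missing value name can still surface an error
# despite -ErrorAction SilentlyContinue, so the caller cannot tell "absent" from "failed".
#   $v = Get-ItemPropertyValue -Path $ServicingKey -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue

function Get-RegValueOrDefault {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        $Default = $null
    )
    # Get-ItemProperty exposes each registry value as a NoteProperty, so an absent
    # value is simply an absent property and never becomes an exception.
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }                 # key does not exist
    $prop = $item.PSObject.Properties[$Name]
    if ($null -eq $prop) { return $Default }                 # value name does not exist
    return $prop.Value
}

function Get-UefiCa2023Summary {
    # Value names as they appear in the check script output quoted in this thread.
    $status  = Get-RegValueOrDefault $ServicingKey 'UEFICA2023Status'         -Default 'NotSet'
    $capable = Get-RegValueOrDefault $ServicingKey 'WindowsUEFICA2023Capable' -Default -1
    $err     = Get-RegValueOrDefault $ServicingKey 'UEFICA2023Error'          -Default $null
    [pscustomobject]@{
        Status   = $status
        Capable  = $capable
        Error    = $err
        # "Updated" plus Capable = 2 is the finished state shown in the thread's output.
        Finished = ($status -eq 'Updated' -and $capable -eq 2)
    }
}

Get-UefiCa2023Summary | Format-List
```

On a machine that has not been serviced at all the function reports Status = NotSet and Capable = -1 rather than throwing, which is the behaviour a check script needs when it is run across mixed fleets.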
So is there something wrong with my system then?
 

On an HP laptop I recently bought, it doesn't show \SecureBoot\SBAT in the registry either. The system has the May 26 preview update. After I got this laptop, it got the latest BIOS update from HP. Apparently the system has the required CA 2023 certs. My other 2 systems have the latest preview update and both have \SecureBoot\SBAT in the registry. Strange?
It's been there for months. If you don't have it configured, the SBatLevel reg variable is filled with fake data ("!SBATnotfound").
 

Ok this is the RENAMED output now:
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) ON

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\WINDOWS\system32>
 

And I have no SBAT in the Registry either.
 

Script Detect-SecureBootCertUpdateStatus.ps1 from MS:
[screenshot of the script output]

The last one you sent me:
[screenshot of the script output]
 

PS C:\> ./Detect-SecureBootCertUpdateStatus.ps1
Hostname: PHIREVIXEN-PC
Collection Time: 06/06/2026 19:10:52
Secure Boot Enabled: True
High Confidence Opt Out: 0
Microsoft Update Managed Opt In: Not Set
Available Updates: 0x0
Available Updates Policy: 0x0
Windows UEFI CA 2023 Status: Updated
UEFI CA 2023 Error: None
UEFI CA 2023 Error Event: Not Available
OEM Manufacturer Name: HP
OEM Model System Family: 103C_5335KV HP Pavilion
OEM Model Number: HP Pavilion Laptop 15-eg0xxx
Firmware Version: F.52
Firmware Release Date: 04/29/2026
OS Architecture: AMD64
Can Attempt Update After: 06/10/2026 22:16:09
Latest Event ID: 1808
Bucket ID: c784d440667d3d075e8ca81cdf7706ade0e570666830984100973316c80adcdc
Confidence: No Data Observed - Action Required
Event 1801 Count: 0
Event 1808 Count: 1
Update complete (Event 1808 or Status=Updated) - skipping error analysis
OS Version: 10.0.26200
Last Boot Time: 06/04/2026 22:33:55
Baseboard Manufacturer: HP
Baseboard Product: 87CB
SecureBoot Update Task: Ready (Enabled: True)
WinCS Key F33E0C8E002: Applied
{"UEFICA2023Status":"Updated","UEFICA2023Error":null,"UEFICA2023ErrorEvent":null,"AvailableUpdates":"0x0","AvailableUpdatesPolicy":"0x0","Hostname":"PHIREVIXEN-PC","CollectionTime":"2026-06-06T19:10:52.1498982-05:00","SecureBootEnabled":true,"HighConfidenceOptOut":0,"MicrosoftUpdateManagedOptIn":null,"OEMManufacturerName":"HP","OEMModelSystemFamily":"103C_5335KV HP Pavilion","OEMModelNumber":"HP Pavilion Laptop 15-eg0xxx","FirmwareVersion":"F.52","FirmwareReleaseDate":"04/29/2026","OSArchitecture":"AMD64","CanAttemptUpdateAfter":"2026-06-10T22:16:09.0090000Z","LatestEventId":1808,"BucketId":"c784d440667d3d075e8ca81cdf7706ade0e570666830984100973316c80adcdc","Confidence":"No Data Observed - Action Required","SkipReasonKnownIssue":null,"Event1801Count":0,"Event1808Count":1,"Event1795Count":0,"Event1795ErrorCode":null,"Event1796Count":0,"Event1796ErrorCode":null,"Event1800Count":0,"RebootPending":false,"Event1802Count":0,"KnownIssueId":null,"Event1803Count":0,"MissingKEK":false,"OSVersion":"10.0.26200","LastBootTime":"2026-06-04T22:33:55.5007970-05:00","BaseBoardManufacturer":"HP","BaseBoardProduct":"87CB","SecureBootTaskEnabled":true,"SecureBootTaskStatus":"Ready","WinCSKeyApplied":true,"WinCSKeyStatus":"Applied"}
 

The real issue is finding what is passing a non-string value to the function. This code has been in place for months and has never failed before. Which points to something different about your UEFI data.

Try this version.
I just ran the script you posted in the above post. No errors at all and I'm running build 26200.8524.

[screenshot of the script output]
 

I just ran the script you posted in the above post. No errors at all and I'm running build 26200.8524.
Yes, but in your case you revoked the certificates from 2011 and earlier versions, which I didn't do because I don't want to have problems with my backup media. Perhaps by revoking the old certificates, the UEFI will have the signatures that the script expects to read.
 

So the script is looking for SVN numbers to report. If you have NOT revoked CA 2011, in theory you don't have any SVNs.

It is possible to install the SVN update file in the wrong order (by manually calling the Secure Boot task with specific AvailableUpdate values).

I went back and reset my test VM to CA 2011 (no SVNs) and can't duplicate the error. But I have cleaned up the check script a bit.
 

Code:
PS C:\Users\jwdav> powershell -nop -ep bypass -f E:\Z_c2023\Check_UEFI-CA2023.ps1 -Verbose
Windows 11 25H2 (26200.8457)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
    ASUS System Product Name
    Version: 3854
    Date: 2026-04-03

Factory Default UEFI PK Cert
----------------------------
    ASUSTeK MotherBoard PK Certificate

UEFI PK Cert
------------
    ASUSTeK MotherBoard PK Certificate

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    ASUSTeK MotherBoard KEK Certificate

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    ASUSTeK MotherBoard KEK Certificate

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    ASUSTeK MotherBoard SW Key Certificate
    ASUSTeK Notebook SW Key Certificate

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    ASUSTeK MotherBoard SW Key Certificate
    ASUSTeK Notebook SW Key Certificate

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 430

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
foreach |01612B139DD5598843AB1C185C3CB2EB92000005000000000000000000000000|
foreach |01612B139DD5598843AB1C185C3CB2EB92000008000000000000000000000000|
    Windows BootMgr SVN 8.0
    EFI_CERT_SHA256_GUID Signatures: 436

UEFI Variables
--------------
    Credential Guard: ON
    SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        \\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
        File Version: 28000.326, SVN 8.0

    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    SkuSiPolicy.p7b is CURRENT.
        \\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
        Version: 3.0.0.14


STATUS REPORT
-------------
    Registry: "UEFICA2023Status" = Updated

    SUCCESS: UPDATES ARE FINISHED.
    UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\Users\jwdav>

Something new?
I am on 26200.8457
 
Extra debugging output when the script is looking up the UEFI's SVN number.

You still have a SBAT. Have you installed the May 2026 Preview?
 

Looks like this now:

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) ON

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
foreach |01612B139DD5598843AB1C185C3CB2EB92000007000000000000000000000000|
foreach |01612B139DD5598843AB1C185C3CB2EB92000002000000000000000000000000|
foreach |01612B139DD5598843AB1C185C3CB2EB92000008000000000000000000000000|
Windows BootMgr SVN 8.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\WINDOWS\system32>
 

All you folks are normal: SVNs of 2.0, 7.0, and 8.0.

Your story is you first installed the DBXUpdate2024.bin to ban PCA 2011. This added the base SVN of 2.0.
DBXUpdateSVN.bin (pre-April 2026) bumped you to 7.0, and then April 2026's DBXUpdateSVN.bin bumped you to 8.0.

What I don't understand is why @CristianSsam's PC gets "false" as a returned signature data value. Unless that PC has some weird issues.
 

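Added example (my code, not garlin's check script) of what the SVN lookup described in this post and in the earlier "the script is looking for SVN numbers" post has to do: walk the raw dbx variable as EFI_SIGNATURE_LIST structures, keep the EFI_CERT_SHA256_GUID entries, pick out the ones that carry a Windows BootMgr SVN, and report the highest one, while an empty dbx or an entry whose data is not a byte array simply yields no SVN instead of an error. Assumptions: the 16-byte prefix and the byte offsets used for major/minor (19 and 20) are inferred from the three entries quoted in the debugging output above, not taken from a Microsoft specification; the sample dbx is constructed inside the code from those same entries; Get-SecureBootUEFI is the real SecureBoot-module cmdlet and is only called when present.

```powershell
# Added example, not the script under discussion. The EFI_SIGNATURE_LIST layout is the
# standard UEFI one: type GUID (16) + ListSize (4) + HeaderSize (4) + SignatureSize (4),
# then entries of SignatureSize bytes, each an owner GUID (16) followed by the data.
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
# Assumption: prefix shared by the SVN entries quoted in this thread.
$SvnPrefixHex = '01612B139DD5598843AB1C185C3CB2EB'

function ConvertFrom-EfiSignatureList {
    param([byte[]]$Bytes)
    $entries = @()
    if (-not $Bytes -or $Bytes.Length -eq 0) { return ,$entries }    # empty dbx: no entries, no error
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $Bytes.Length) { break }   # truncated list
        $dataStart = $pos + 28 + $headerSize
        $dataEnd   = $pos + $listSize
        if ($sigSize -gt 16) {                                          # guard against a zero-size loop
            for ($p = $dataStart; $p + $sigSize -le $dataEnd; $p += $sigSize) {
                $entries += [pscustomobject]@{
                    Type  = $type
                    Owner = [guid]::new([byte[]]$Bytes[$p..($p + 15)])
                    Data  = [byte[]]$Bytes[($p + 16)..($p + $sigSize - 1)]
                }
            }
        }
        $pos += $listSize
    }
    return ,$entries
}

function Get-BootMgrSvn {
    param($Entries)
    $svns = foreach ($e in $Entries) {
        # The failure mode from this thread: something other than a byte array reaching the
        # formatter. Skip such entries instead of passing them on.
        if ($null -eq $e.Data -or $e.Data -isnot [byte[]] -or $e.Data.Length -ne 32) { continue }
        if ($e.Type -ne $EFI_CERT_SHA256_GUID) { continue }
        $hex = ([BitConverter]::ToString($e.Data)) -replace '-', ''
        if (-not $hex.StartsWith($SvnPrefixHex)) { continue }
        [version]::new($e.Data[19], $e.Data[20])                        # assumed major/minor offsets
    }
    if (-not $svns) { return $null }
    return ($svns | Sort-Object | Select-Object -Last 1)                # highest SVN wins
}

function ConvertFrom-Hex([string]$Hex) {
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) { $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16) }
    return ,$bytes
}

function New-TestDbx {
    # Builds one EFI_CERT_SHA256_GUID signature list from hex strings (constructed test input).
    param([string[]]$SignatureDataHex)
    $sigSize  = 48
    $listSize = 28 + $sigSize * $SignatureDataHex.Count
    $list = [System.Collections.Generic.List[byte]]::new()
    $list.AddRange($EFI_CERT_SHA256_GUID.ToByteArray())
    $list.AddRange([BitConverter]::GetBytes([uint32]$listSize))
    $list.AddRange([BitConverter]::GetBytes([uint32]0))
    $list.AddRange([BitConverter]::GetBytes([uint32]$sigSize))
    foreach ($h in $SignatureDataHex) {
        $list.AddRange([byte[]](New-Object byte[] 16))                  # owner GUID: zeros (constructed)
        $list.AddRange((ConvertFrom-Hex $h))
    }
    return ,$list.ToArray()
}

# Constructed sample: the three SVN entries quoted in this thread plus one unrelated hash.
$sample = New-TestDbx @(
    '01612B139DD5598843AB1C185C3CB2EB92000007000000000000000000000000',
    '01612B139DD5598843AB1C185C3CB2EB92000002000000000000000000000000',
    '01612B139DD5598843AB1C185C3CB2EB92000008000000000000000000000000',
    ('AB' * 32)                                                         # placeholder SHA-256 hash
)
$entries = ConvertFrom-EfiSignatureList -Bytes $sample
"Entries parsed: $($entries.Count)"
"Highest Windows BootMgr SVN: $(Get-BootMgrSvn $entries)"
"Empty dbx gives: '$(Get-BootMgrSvn (ConvertFrom-EfiSignatureList -Bytes @()))'"

# Live dbx, only when the SecureBoot module is available on this machine.
if (Get-Command Get-SecureBootUEFI -ErrorAction SilentlyContinue) {
    $live = ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
    "Live dbx: $($live.Count) entries, highest BootMgr SVN: $(Get-BootMgrSvn $live)"
}
```

With the constructed sample the highest SVN comes out as 8.0, matching the "Windows BootMgr SVN 8.0" line in the outputs above, and the empty-dbx call prints nothing instead of failing, which is the case a firmware fresh out of setup mode presents.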
All you folks are normal: SVNs of 2.0, 7.0, and 8.0.

Your story is you first installed the DBXUpdate2024.bin to ban PCA 2011. This added the base SVN of 2.0.
DBXUpdateSVN.bin (pre-April 2026) bumped you to 7.0, and then April 2026's DBXUpdateSVN.bin bumped you to 8.0.

What I don't understand is why @CristianSsam's PC gets "false" as a returned signature data value. Unless that PC has some weird issues.
I went back into the BIOS, deleted all the keys, disabled secure boot, and entered Windows to reapply the updates with your script. Check-UEFI now reported no errors updating, showing that the BIOS was in configuration mode.
I applied the Update-UEFI - revoke script and these were the outputs:
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.
Successfully appended "dbxupdate.bin" to UEFI DBX.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.

Successfully appended "DBXUpdateSVN.bin" (SVN 8.0) to UEFI DBX.

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions for installing the PK certificate from BIOS.

Restart Windows for UEFI updates to take effect.

I restarted, entered the BIOS, checked and all keys are applied, re-enabled secure boot and restarted, and look how the status of your check script changed:

[screenshot of the check script output]

So, an empty DBX certificate list will generate errors in your checker script if it's trying to read a signature that doesn't exist.
 

My standard test procedure is to shut down my VM and erase the NVRAM. This resets the "UEFI" to the factory defaults, with 77 EFI signatures and none of those are SVNs. I test the check script, run the updates and then check again.

In the 6 months I've been working on this project, I've never had something return "False" for the signature data. It's some valid string, or a null value.

Now that you've reset and re-applied the certs, it looks like whatever condition has cleared up. I dunno, my gut feeling is it was some weird NVRAM corruption. The good news is this exercise forced me to clean up some older parts of the code.
 
