Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Please re-download the update script. I just realized I submitted the old May version instead of the June 8 version.
GitHub and the ZIP file have been refreshed.

Run the update script in -Revoke mode.

The update script by itself will never perform a revoke action, because not everyone wants that. I'll probably have to add a check that if you're already revoked, to auto-apply new revocation updates.

Just ran mine on a couple of test machines (one Lenovo, one ASUS). Both remain completely clean and up-to-date. Used yesterday's (06/08/2026) script versions.
--Ed--

AUDIT REPORT
============
1. [Microsoft Option ROM UEFI CA 2023] is missing from UEFI DB
2. [Production PCA 2011] is missing from UEFI DBX
3. DBX Updates are missing from UEFI DBX
4. SecureBootUpdates SVN is higher than UEFI DBX

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is missing from EFI

REQUIRED ACTION
===============

Mine was on version 8.0 before todays Microsoft Security Update KB5094126 now it's on 9 but not in UEFI DBX.

Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.15


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

Ok we are back to "normal"

Asus272 said:

AUDIT REPORT
============
1. [Microsoft Option ROM UEFI CA 2023] is missing from UEFI DB
2. [Production PCA 2011] is missing from UEFI DBX
3. DBX Updates are missing from UEFI DBX
4. SecureBootUpdates SVN is higher than UEFI DBX

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is missing from EFI

REQUIRED ACTION
===============

Mine was on version 8.0 before todays Microsoft Security Update KB5094126 now it's on 9 but not in UEFI DBX.

Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Click to expand...

You dont have this:

todays updates updated svn. had to update usb.

thanks for great feature garlin!

From the MS GitHub, SVN has been bumped to 9.0 and 11 new EFI signatures were added to DBX.

After today's update I'm getting this error. I've just redownloaded the update from github , re-ran this script still get this:


SkuSiPolicy.p7b Version: 3.0.0.14 is WRONG VERSION.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.14

SkuSiPolicy.p7b is WRONG VERSION.


REQUIRED ACTION
===============

[OPTIONAL] To update SkuSiPolicy.p7b, run the command:
Update_UEFI-CA2023.ps1 -SkuSiPolicy

PS C:\WINDOWS\system32> Update_UEFI-CA2023.ps1 -SkuSiPolicy
Update_UEFI-CA2023.ps1 : The term 'Update_UEFI-CA2023.ps1' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again.
At line:1 char:2
+ Update_UEFI-CA2023.ps1 -SkuSiPolicy
+ ~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (Update_UEFI-CA2023.ps1:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

You probably need the full path for Update_UEFI-CA2023.ps1:

@garlin thanks, that fixed it.