Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


FYI

I found why MS task Secure-Boot-Update was exiting with 0x800706D9 error code.
I have been disabling for years the service "Connected User Experience and Telemetry" (DiagTrack) on top of having OOShutUp10 disabling all diagnostics and telemetry. I started disabling it back in XP or 7 following BlackViper suggestions, so a while ago...

Well it seems that MS Secure-Boot-Update task requires DiagTrack to be enabled.
The moment I enabled it on both Dell 3910 and SP9 Pro, task started exiting with 0x0.
So DiagTrack is staying on from now on...
I still have OOShutUp10 disabling diagnostics and telemetry.
 

My Computer

System One

  • OS
    Windows 11
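To turn the observation above into a repeatable check, here is an added PowerShell helper (my own code, not garlin's Update_UEFI-CA2023.ps1) that reads the DiagTrack service state, the Secure-Boot-Update task's last result and the AvailableUpdates registry value in one place. It assumes an elevated session on Windows 10/11 with the built-in ScheduledTasks and SecureBoot modules; the decoding of 0x800706D9 is HRESULT_FROM_WIN32(1753), EPT_S_NOT_REGISTERED, which is consistent with the task needing an RPC endpoint that a disabled DiagTrack never registers.

```powershell
# Added example, not garlin's Update_UEFI-CA2023.ps1: one-shot status check for the
# Secure-Boot-Update task and the DiagTrack service it turned out to depend on.
# Assumes an elevated PowerShell on Windows 10/11 (ScheduledTasks + SecureBoot modules).

function Get-SecureBootTaskStatus {
    [CmdletBinding()]
    param(
        # Opt-in: re-enable DiagTrack if it is stopped, as the poster above did.
        [switch] $FixDiagTrack
    )

    $svc = Get-Service -Name DiagTrack -ErrorAction Stop
    if ($FixDiagTrack -and $svc.Status -ne 'Running') {
        Set-Service -Name DiagTrack -StartupType Automatic
        Start-Service -Name DiagTrack
        $svc = Get-Service -Name DiagTrack
    }

    $info = Get-ScheduledTaskInfo -TaskPath '\Microsoft\Windows\PI\' `
                                  -TaskName 'Secure-Boot-Update' -ErrorAction Stop
    $code = [uint32] $info.LastTaskResult

    # 0x800706D9 is HRESULT_FROM_WIN32(1753) = EPT_S_NOT_REGISTERED ("There are no more
    # endpoints available from the endpoint mapper"): the RPC endpoint the task needs
    # was not registered, which matches a disabled DiagTrack service.
    $verdict = switch ($code) {
        0          { 'OK: last run completed with 0x0' }
        0x800706D9 { 'FAIL: RPC endpoint not registered; check that DiagTrack is running' }
        0x41301    { 'RUNNING: task is still executing (SCHED_S_TASK_RUNNING)' }
        default    { 'Unknown result code; look it up before changing anything' }
    }

    # Same value the thread sets with "reg add ... /v AvailableUpdates"; read-only here.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' `
                            -Name AvailableUpdates -ErrorAction SilentlyContinue

    try { $sb = Confirm-SecureBootUEFI } catch { $sb = 'n/a (legacy BIOS or unsupported)' }

    [pscustomobject]@{
        SecureBootEnabled = $sb
        DiagTrackStatus   = $svc.Status
        DiagTrackStartup  = $svc.StartType
        TaskLastRun       = $info.LastRunTime
        TaskLastResult    = '0x{0:X8}' -f $code
        AvailableUpdates  = if ($reg) { '0x{0:X}' -f $reg.AvailableUpdates } else { '(not set)' }
        Verdict           = $verdict
    }
}

# Usage: plain call is read-only; add -FixDiagTrack to start the service before reporting.
Get-SecureBootTaskStatus | Format-List
```

Run it once before and once after changing the service: a result that moves from 0x800706D9 to 0x00000000 confirms the dependency on this machine rather than taking it on faith.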
Still trying to get the P16 Gen 3 up to SVN 9.0. Here is output from .\update_UEFI-CA2023.ps1 -stage
WARNING: Cannot confirm if W11 26H1 (28020.2236) has the latest files.

SUCCESS: NO UPDATES ARE REQUIRED.

Copilot says the SVN 9.0 stuff needs to come from Lenovo and is not yet forthcoming. What do you say?
Thanks for all your constant effort and assistance. Much, much appreciated.
--Ed--
 

My Computers

Well it seems that MS Secure-Boot-Update task requires DiagTrack to be enabled.
That makes sense, Secure Boot task wants to forward telemetry data back to MS.

The whole point of the Confidence Bucket exercise was that guinea pigs (early adopters) would take the risk and see if updates worked or not. The collected telemetry would give MS a better idea of whether it was safe to unlock automatic updates to everyone else.
 

My Computer

System One

  • OS
    Windows 7
The whole point of the Confidence Bucket exercise was that guinea pigs (early adopters) would take the risk and see if updates worked or not. The collected telemetry would give MS a better idea of whether it was safe to unlock automatic updates to everyone else.
@garlin
Am I wrong to assume that the telemetry was only required for assigning the Confidence Bucket for 2023 certs and has no role in future boot loader or SVN upgrades? Whether I send telemetry or not, those upgrades are going to get done normally by MS?

But since I want Secure Boot task to complete successfully (0x0), I'll leave the DiagTrack running.
 

My Computer

System One

  • OS
    Windows 11
Still trying to get the P16 Gen 3 up to SVN 9.0. Here is output from .\update_UEFI-CA2023.ps1 -stage
WARNING: Cannot confirm if W11 26H1 (28020.2236) has the latest files.

SUCCESS: NO UPDATES ARE REQUIRED.

Copilot says the SVN 9.0 stuff needs to come from Lenovo and is not yet forthcoming. What do you say?
Your CEO or CTO believes you can fire everyone, and replace them with AI. That's until your business falls behind, because AI is faulty. Or maybe every CEO runs the same AI, and everyone is suffering equally and you don't lose any competitive edge.

/sarcasm

The only thing controlled by the OEM is the PK and the signed KEK CA 2023. Beyond that, everything is owned by MS. SVN is a Windows-specific versioning system to prevent rollback of boot manager to older (insecure) builds. Lenovo has no role.

With Insider builds, I have no idea if the SecureBootUpdates folder is in sync. I hope so, but since I don't have time to run all of the Insider builds, I can't confirm it's true. Besides, I would have to know the last time an Insider build was updated. Unlike the production Windows releases, they don't have a single portal which lists the current KBs and, most importantly, provides a CSV file listing each file's contents.

With production builds, I can easily see when the file sizes change in the CSV for each month's update. Therefore the script can't check if you're using an outdated Insider build, since some people don't update them regularly.

The DBX update files are not specific to any Windows. I don't know if you've first tried "Update_UEFI-CA2023.ps1 -Revoke".



One thing you can do if your Insider build is lagging is to stage your own private copy of the SecureBootUpdates folder.

1. Create a ZIP of \Windows\System32\SecureBootUpdates folder from an updated Production Windows.

2. Extract the folder to any random location on the Insider PC. Don't overwrite the official \Windows\System32 folder!

3. Delete the SkuSiPolicy.p7b in this folder, because it's dangerous to mix & match SkuSiPolicy files from different builds. They are magically different even though they may report the same version number (i.e. 3.0.0.15).

4. Run the update script, using the staged folder:
Code:
Update_UEFI-CA2023.ps1 -Revoke -UpdatesFolder \path\to\private\folder

This will run the script using the DBX update files provided by another Windows build. Just make sure the Windows boot manager is reported to be SVN 9.0 before trying this. Otherwise you'll be locked out because of a mismatch.
 

My Computer

System One

  • OS
    Windows 7
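The four staging steps above, as an added PowerShell script (mine, not garlin's own code), with the two safety points from the post made explicit: it refuses to extract anywhere under System32, deletes any SkuSiPolicy.p7b from the staged copy, prints SHA-256 hashes of what is left so the staged set is auditable, and only runs the revoke when you pass both -Apply and -BootManagerIsSvn9. It assumes the ZIP was made from \Windows\System32\SecureBootUpdates on an updated production Windows, that Update_UEFI-CA2023.ps1 is in the current directory, and that you have already confirmed the boot manager is reported at SVN 9.0 by the script's own status output; the parameter names and staging folder are my choices.

```powershell
# Added example, not garlin's script: stage a private SecureBootUpdates copy (steps 1-4 above).
# Assumes an elevated PowerShell, a ZIP made from a production PC's SecureBootUpdates folder,
# and Update_UEFI-CA2023.ps1 in the current directory. Default is a dry run.
param(
    [Parameter(Mandatory)] [string] $ZipPath,                                   # step 1 output
    [string] $StagingRoot = (Join-Path $env:ProgramData 'SecureBootUpdates-private'),
    [switch] $BootManagerIsSvn9,   # set only after the script reports the boot manager at SVN 9.0
    [switch] $Apply                # actually run -Revoke against the staged folder
)

$ErrorActionPreference = 'Stop'

# Step 2: extract somewhere private; never over the official System32 folder.
$root     = [System.IO.Path]::GetFullPath($StagingRoot)
$system32 = [System.IO.Path]::GetFullPath((Join-Path $env:SystemRoot 'System32'))
if ($root.StartsWith($system32, [System.StringComparison]::OrdinalIgnoreCase)) {
    throw "Refusing to stage under $system32; choose a private folder."
}
Expand-Archive -Path $ZipPath -DestinationPath $root -Force

# The ZIP may contain the folder itself or just its files; handle both layouts.
$folder = Join-Path $root 'SecureBootUpdates'
if (-not (Test-Path -Path $folder)) { $folder = $root }

# Step 3: SkuSiPolicy.p7b must not be mixed across builds, so drop it from the staged copy.
Get-ChildItem -Path $folder -Filter 'SkuSiPolicy.p7b' -Recurse -File | Remove-Item -Force

# Record exactly which files will be fed to the script.
Get-ChildItem -Path $folder -File | Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path -Path $_.Path -Leaf } }, Hash |
    Format-Table -AutoSize

# Step 4: run the update script with the staged folder, behind two explicit gates.
if (-not $Apply) {
    Write-Host "Dry run only. Staged folder: $folder"
    return
}
if (-not $BootManagerIsSvn9) {
    throw 'Confirm the Windows boot manager is reported at SVN 9.0 first; a mismatch can lock you out.'
}
& .\Update_UEFI-CA2023.ps1 -Revoke -UpdatesFolder $folder
```

Run it once without -Apply to inspect the hashed file list, then again with -Apply -BootManagerIsSvn9 only after the SVN check garlin describes has passed.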
@garlin
Am I wrong to assume that the telemetry was only required for assigning the Confidence Bucket for 2023 certs and has no role in future boot loader or SVN upgrades? Whether I send telemetry or not, those upgrades are going to get done normally by MS?

But since I want Secure Boot task to complete successfully (0x0), I'll leave the DiagTrack running.
That's up to you. We know the update script can handle new changes, but someone has to run it when needed.

MS isn't trying to invade your privacy with a dependency on DiagTrack. They probably didn't want to write a whole new API to send data back to the Secure Boot teams. And DiagTrack was already there on every Windows box.
 

My Computer

System One

  • OS
    Windows 7
MS isn't trying to invade your privacy with a dependency on DiagTrack. They probably didn't want to write a whole new API to send data back to the Secure Boot teams. And DiagTrack was already there on every Windows box.
I could have been clearer...
DiagTrack is running and will remain running from now on.

But I'm guessing that future boot loader or SVN updates don't really need any telemetry to be sent back to MS.
They are more in the sense of "here is an update, apply it to your computer and I don't need to know if you were successful doing it or not".
And that's the main difference with 2023 certs, where MS needed to know for the gradual rollout based on Confidence Bucket value.

@garlin Does that make sense?
 

My Computer

System One

  • OS
    Windows 11
The Secure Boot task is the intended mechanism for applying all future changes. I can imagine MS is hesitant (for now) to allow the task to update revocation settings because of the non-zero risk of "bricking" your Windows.

It's relatively safe to add new CA 2023 certs, since that doesn't prevent you from using CA 2011 boot managers.

Anything that is a revocation action is by design restrictive. If you don't apply the changes in lockstep, Windows might stop booting until you temporarily disable Secure Boot. So MS may be slow rolling updates, like it appears the SVN isn't automatically applied to the DBX.

In short, for now there is no risk presented by the Secure Boot task. But then it's not always going to apply every security change right away. Again, I don't work for MS. The best I can do is provide tools to allow users to check their status, and do their own updates.
I will continue to look at this thread until Microsoft finally takes control of this whole process.

Is it better to do

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

[OPTIONAL] To update SkuSiPolicy.p7b, run the command:
Update_UEFI-CA2023.ps1 -SkuSiPolicy

OR
Update_UEFI-CA2023.ps1 -Revoke -SkuSiPolicy

Thanks.
James.
 

My Computers


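The reg add / Start-ScheduledTask route asked about above, as an added PowerShell example (mine, not garlin's script and not Microsoft's documentation), wrapped so that the outcome is read back instead of assumed: it sets AvailableUpdates, starts the task, waits for it to leave the Running state, then reports the task result, the remaining AvailableUpdates value and whether the Windows UEFI CA 2023 certificate is now present in the UEFI db. It assumes an elevated session on UEFI Windows 11 with the ScheduledTasks and SecureBoot modules; 0x200 is used as the default only because it is the value in the post, and the function names are my own.

```powershell
# Added example, not garlin's script: set AvailableUpdates, run the Secure-Boot-Update
# task, and verify the outcome. Assumes elevated PowerShell on UEFI Windows 11.

function Test-WindowsUefiCa2023InDb {
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the db variable.
    # The DER-encoded certificate carries its subject CN as plain ASCII, so a substring
    # search is enough to tell whether the 2023 CA has been added.
    $db = Get-SecureBootUEFI -Name db
    [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
}

function Invoke-SecureBootUpdateTask {
    [CmdletBinding()]
    param(
        [uint32] $AvailableUpdates = 0x200,   # value from the post above
        [int]    $TimeoutSeconds   = 300
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $path = '\Microsoft\Windows\PI\'
    $name = 'Secure-Boot-Update'

    # Equivalent of: reg add ...\SecureBoot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
    Set-ItemProperty -Path $key -Name AvailableUpdates -Value $AvailableUpdates -Type DWord

    # Equivalent of: Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
    Start-ScheduledTask -TaskPath $path -TaskName $name

    # The task runs asynchronously; poll its state instead of reading a stale result.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $state = (Get-ScheduledTask -TaskPath $path -TaskName $name).State
    } while ($state -eq 'Running' -and (Get-Date) -lt $deadline)

    $result = [uint32] (Get-ScheduledTaskInfo -TaskPath $path -TaskName $name).LastTaskResult
    $after  = (Get-ItemProperty -Path $key -Name AvailableUpdates).AvailableUpdates

    [pscustomobject]@{
        TaskState             = $state
        TaskLastResult        = '0x{0:X8}' -f $result      # 0x00000000 is the success the thread looks for
        AvailableUpdatesAfter = '0x{0:X}' -f $after        # re-read after the run for comparison
        CA2023PresentInDb     = Test-WindowsUefiCa2023InDb
    }
}

# Usage: check the db first, run the task, then compare.
"CA 2023 in db before: $(Test-WindowsUefiCa2023InDb)"
Invoke-SecureBootUpdateTask | Format-List
```

A TaskState still reporting Running at the timeout means the task did not finish within the window, so the result fields should be treated as stale; re-run the status read later rather than setting the registry value again. Whether this route or the script's -SkuSiPolicy switch is preferable is garlin's call, which this block does not try to answer.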