[Solved] garlin's PowerShell scripts for updating Secure Boot CA 2023


Where do you show the PK, or do you just assume it's there? It's obviously there or the other stuff wouldn't work, is that the working assumption?
When you run the check script in non-verbose mode, it doesn't bother reporting the PK. That's because it would distract most non-technical users.

By the UEFI standards, you can only have one cert for the PK or none. Once a PK is installed, you can't append another cert to the variable. You're allowed multiple KEKs, DBs and DBXs, as many as you want (or actually until you run out of free NVRAM).
 

My Computer

System One

  • OS
    Windows 7
Where do you show the PK, or do you just assume it's there? It's obviously there or the other stuff wouldn't work, is that the working assumption?
I noticed the same thing
If you run the check script without any parameters, PK is not listed
But if you add "-verbose" as parameter, then it shows the PK section

@garlin, I think a few versions back, you did show the PK section without having to supply the "-verbose" parameter
UPDATE: I went back to your v2026.04.08 and it did not show the PK unless you provide the "-verbose" parameter
 

My Computer

System One

  • OS
    Windows 11
Here's my experience as a former IT admin: Sometimes providing more details up front doesn't really help the user. They get distracted or overwhelmed when those details don't get them closer to the finish line. Which is why they're moved to verbose mode.

In the best cases:
1. OEM provides an updated BIOS which solves everyone's problems. Knowing the PK's name wouldn't have mattered.
2. OEM provides a signed KEK file to MS. Knowing the PK doesn't matter.
3. You can perform manual KEK enrollment. Knowing the PK doesn't matter.

4. In the worst case, we have to enter Setup Mode (delete all keys) and replace all keys. Knowing the old PK doesn't matter. Since we're replacing the complete set of certs from the Windows OEM Devices bundle, we know what the final PK will be. Knowing the new PK doesn't matter.

If you put too many non-critical details onscreen, someone will get fixated and ask too many questions which don't move the ball forward. Which is why I chose not to report the PK outside of verbose mode.
 

I don't bring up Mosby on my own, but other people ask me about it. The fundamental difference is you strongly believe in self-signing, and it's a great tool for that but I'm offering an alternative that doesn't go that far to solve the same problem.

You're interpreting my comments as FUD. Have I ever written no one should use Mosby? No. I share my thoughts on its approach and why my script does it differently. It's not to disparage your project, it's more to explain why I chose my direction. Do I get tired of deflecting Mosby questions on a thread dedicated to my scripts, and maybe that tone shows up? Yes.

We can solve this problem if you provide me your preferred contact method for engaging with users when they ask me about Mosby in passing. I will redirect them to where you can directly address their questions and concerns.
Well put Garlin! You are a gentleman and a scholar!
 

My Computer

System One

  • OS
    win 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell Precision M4800
    CPU
    Intell Core i7 4900 MQ
    Motherboard
    Dell QT3YTY A00
    Memory
    DDR3 16 GB
@garlin ,

First of all, thank you for helping me. I do really appreciate it!

I tried with, and without, adding "verbose", but the output was the same (image attached), but I could have been doing something wrong ... 😢

It would appear that I don't have the 2023 KEK installed ... ?

The computer does not have active Bitlocker on any of its three drives, but I do use Windows PIN to log in, which I understand I must disable until the Certificate Update process completes successfully.

I do have the 2023 KEK file from GitHub, and three other related .der files that were listed as available for other 2023 certificates (image attached). All of the files have been "unblocked."

What is the next step?

Thank you again, and have a great day.

Regards,
Phil
 

Attachments: garioch7 - Check UEFI-bat Results.webp; garioch7 - downloaded 2023 certificate files.webp

My Computers

System One System Two

  • OS
    Windows 11 Pro Version 25H2 (Build 26200.8655
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell XPS8930 SE
    CPU
    Intel i7-9700K 4700 MHz
    Motherboard
    Dell XPS 8930
    Memory
    32 GB (4 x 8GB SK Hynix DDR4 @1333 MHz) (2666 MHz)
    Graphics Card(s)
    NVIDIA GeForce RTX 2060 (6 GB) GDDR6 300 MHz
    Sound Card
    None
    Monitor(s) Displays
    Dell UltraSharp U2518D 25"
    Screen Resolution
    2560 x 1440
    Hard Drives
    NVMe Intel 1024 TB
    Seagate 2 TB, SATA-III
    Western Digital Black 4TB
    PSU
    850 W Gold Standard
    Case
    Dell XPS 8930 Base (Special Edition)
    Cooling
    Air
    Keyboard
    Dell 0G4D2W
    Mouse
    Dell MOCZUL
    Internet Speed
    Download 553 Mbps, Upload 686 Mbps
    Browser
    Google Chrome
    Antivirus
    ESET Smart Security Premium, plus Malwarebytes Premium
    Other Info
    BIOS Version 1.1.31
  • Operating System
    Windows 11 Pro Version 25H2 (Build 26200.8655)
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 7590
    CPU
    i7-9750H 4.5 GHz
    Motherboard
    Dell XPS 15 7590
    Memory
    16 GB (2 x 8GB @ 1333 MHz) DDR4-2666 MHz
    Graphics card(s)
    NVIDIA GeForce 1650 4 GB GDDR5
    Sound Card
    None
    Monitor(s) Displays
    Dell XPS 15 7590, 15.6" InfinityEdge Anti-Glare, Non-Touch
    Screen Resolution
    1920 x 1080
    Hard Drives
    512 GB M.2 PCle NVMe SK Hynix
    PSU
    130W Power Adapter
    Case
    Dell XPS 15 7590
    Cooling
    Air
    Keyboard
    Laptop
    Mouse
    Logitech M510
    Internet Speed
    Download: 400 Mbps, Upload: 203 Mbps
    Browser
    Google Chrome
    Antivirus
    ESET Smart Security Premium, plus Malwarebytes Premium
    Other Info
    BIOS Version 1.35.0
@garlin ,

First of all, thank you for helping me. I do really appreciate it!

I tried with, and without, adding "verbose", but the output was the same (image attached), but I could have been doing something wrong ... 😢
Did you add "-verbose"?
The minus is important so that the parameter is correctly interpreted inside the PowerShell script.
 

I tried with, and without, adding "verbose", but the output was the same (image attached), but I could have been doing something wrong ... 😢

It would appear that I don't have the 2023 KEK installed ... ?
All the KEK certs are reported, regardless of using the -Verbose option.

What's established is your BIOS doesn't have KEK CA 2023. Barring the OEM stepping up with a BIOS update or a signed file submitted to MS, the only alternative is manual key enrollment or wiping the current key (Setup Mode). This requires unlocking the BIOS advanced features, which may be different for this model. That's the hard part where you're stuck at the moment.
 

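Added example (not garlin's script, whose code is not on this page) of what such a check does: it walks the EFI_SIGNATURE_LIST entries inside a Secure Boot variable (the structure that lets KEK/DB/DBX hold many entries while PK holds at most one cert), lists the enrolled KEK certs, flags whether a 2023 KEK CA is present, and reports the PK only under -Verbose. It assumes an elevated PowerShell session with the built-in SecureBoot module, and that the 2023 KEK CA's subject contains both "KEK" and "2023".

```powershell
# Added example (not garlin's script); needs an elevated PowerShell on a UEFI system.
$EFI_CERT_X509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'
function Get-UefiSignatureEntries {
    param([byte[]]$Bytes)   # raw content, e.g. (Get-SecureBootUEFI -Name KEK).Bytes
    $offset = 0
    # KEK/DB/DBX may hold many EFI_SIGNATURE_LISTs back to back; PK holds at most one cert.
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID(16) + ListSize(4) + HeaderSize(4) + SigSize(4)
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) + SignatureData
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Type = 'X509'; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
            } elseif ($type -eq $EFI_CERT_SHA256) {
                [pscustomobject]@{ Type = 'SHA256'; Subject = ([BitConverter]::ToString($data) -replace '-'); Thumbprint = $null }
            } else {
                [pscustomobject]@{ Type = $type.ToString(); Subject = '(unparsed)'; Thumbprint = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}
function Test-Kek2023 {
    [CmdletBinding()] param()
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is OFF' }
    # The PK goes only to the verbose stream: shown with -Verbose, silent otherwise.
    $pk = Get-UefiSignatureEntries (Get-SecureBootUEFI -Name PK).Bytes
    Write-Verbose ('UEFI PK: ' + (@($pk | Where-Object Type -eq 'X509').Subject -join '; '))
    $kek = @(Get-UefiSignatureEntries (Get-SecureBootUEFI -Name KEK).Bytes)
    $kek | Where-Object Type -eq 'X509' | ForEach-Object { Write-Host "KEK: $($_.Subject)" }
    # Assumption: the 2023 KEK CA's subject contains both "KEK" and "2023".
    $has2023 = [bool]($kek | Where-Object { $_.Type -eq 'X509' -and $_.Subject -match 'KEK.*2023' })
    if ($has2023) { Write-Host 'KEK CA 2023: present' } else { Write-Host 'KEK CA 2023: MISSING (OEM update or manual enrollment needed)' }
    return $has2023
}
Test-Kek2023 -Verbose
```

Run the last line without -Verbose to see the PK line disappear while the KEK report stays, which mirrors the behaviour discussed above.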
When you run the check script in non-verbose mode, it doesn't bother reporting the PK. That's because it would distract most non-technical users.

By the UEFI standards, you can only have one cert for the PK or none. Once a PK is installed, you can't append another cert to the variable. You're allowed multiple KEKs, DBs and DBXs, as many as you want (or actually until you run out of free NVRAM).
Makes sense, I know at one point I saw it, perhaps that was when I ran with -verbose. I ran it again with -verbose and sure enough, lots more detail, including the PK.

Thanks again for the great support here. (y)
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8655
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
@anchamp65 ,

Thank you for your reply. No, I did not include the dash. I re-ran it with "-Verbose". The output was too long to get a screen capture, so I have copied it.


Windows 11 25H2 (26200.8655)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
Dell Inc. XPS 8930
Version: 1.1.31
Date: 2023-11-20

Factory Default UEFI PK Cert
----------------------------
Pegatron PK

UEFI PK Cert
------------
Pegatron PK
Manual update of [KEK CA 2023] is REQUIRED.

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 495

UEFI Variables
--------------
Credential Guard: ON
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
Boot File [Windows UEFI CA 2023] is UNTRUSTED
\\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

Thank you. I thought I was doing something wrong! Mea culpa.

Have a great day.

Regards,
Phil
 

@garlin ,

Dell is not going to do anything from what I read on their Dell XPS Desktop Forum for the XPS 8930 and XPS 8940 models, where I am a "Tech Expert", primarily because of my malware expertise, not because I have any great knowledge of the intricacies of Dell computers. There are instructions there for doing it manually; I trust you more, and I don't "double doctor". You can find some of what is being recommended there at the link below:

XPS 8930, purchased 2018, 2023 Secure Boot Certificates | DELL Technologies

I will await your advice. Thank you again for helping me.

Regards,
Phil
 
