Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


I have Windows 11 recovery and Macrium Reflect 8.0 Free boot sticks for both of my PCs. Is there a way to check the Secure Boot certificates on them now that I have updated both of my PCs? I have not yet revoked the 2011 certs on either PC. What will happen to boot sticks when Microsoft finally does revoke them?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled.
Hello @garlin!
When you have a moment, could you help me interpret these outputs? I still don't understand why it says Windows UEFI CA 2023 is banned and if I should be worried about it?
Anyway, I tried running UEFI-Ca 2023 ps1 -revoque as suggested, and the output I got is what you can see in the screenshot.
error.webp
I'm unsure what to do next.
(I'm one of the supposedly lucky users who has a cert KEK CA 2023 in the secure boot updates folder), and according to a script you provided, it reassured me because it said Microsoft would take care of updating it), I don't know if that's relevant to this issue...
2.webp

Thanks for patience ;-)
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 13 9360
    CPU
    Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz
    Memory
    8 GB
Ran the Reg Add command to fix SkuSiPolicy.p7b, after Check again, and looks like now I'm all set
How did you manage to get it to work? When I tried I got a not recognized error.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec B746
    CPU
    Intel Core i7-10700K
    Motherboard
    ASRock Z490 Phantom Gaming 4/ax
    Memory
    16GB (8GB PC4-19200 DDR4 SDRAM x2)
    Graphics Card(s)
    NVIDIA GeForce GTX 1050 TI
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    #1. LG ULTRAWIDE 34" #2. AOC Q32G2WG3 32"
    Screen Resolution
    #1. 3440 X 1440 #2. 1920 x 1080
    Hard Drives
    NVMe WDC WDS100T2B0C-00PXH0 1TB
    Samsung SSD 860 EVO 1TB
    PSU
    750 Watts (62.5A)
    Case
    PowerSpec/Lian Li ATX 205
    Keyboard
    Logitech K270
    Mouse
    Logitech M185
    Browser
    Microsoft Edge and Firefox
    Antivirus
    Webroot SecureAnywhere CE 26.1
  • Operating System
    Windows 11 Canary Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec G156
    CPU
    Intel Core i5-8400 CPU @ 2.80GHz
    Motherboard
    AsusTeK Prime B360M-A
    Memory
    16 MB DDR 4-2666
    Monitor(s) Displays
    23" Speptre HDMI 75Hz
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 970 EVO 500GB NVMe
    Keyboard
    Logitek K270
    Mouse
    Logitek M185
    Browser
    Firefox, Edge and Edge Canary
    Antivirus
    Windows Defender
Is this something else to fix?
1-20-26.webp
 

My Computer

System One

  • OS
    windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Antec/Case
    CPU
    Intel i5-10600kf
    Motherboard
    GIGABYTE Z590 UD AC
    Memory
    32gb corsair vengerance pro
    Graphics Card(s)
    AMD RX 6500XT
    Sound Card
    onboard
    Monitor(s) Displays
    40" Hisense
    Hard Drives
    Samsung 850
    Samsung 870
    Seagate 2TB
    PSU
    EVGA GQ 750
How did you manage to get it to work? When I tried I got a not recognized error.
Well at the time it worked fine, but they might've changed to where it no longer works maybe is my guess, originally when I did it, I got no error at all, and all was smooth.

I don't have another Windows 11 PC or Gaming Laptop to test it on currently in the household
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
No, the default UEFI values represent the Factory Defaults hard-coded in the BIOS firmware. Only your vendor can rewrite the firmware so a Factory reset will copy the starting values back in.

The reason I wrote Check_UEFI-CA2023.ps1, is my disagreement about cjee21's script output.

While both scripts are technically accurate, the presentation of the Factory Defaults and the check marks leads to unnecessary confusion. If your vendor didn't provide a KEK CA 2023 in the factory default, that's their decision. I can't tell you if the vendor might fix it one day (we know they probably abandoned this model, but we can't be absolutely sure). Rather than guess the vendor's intention, I don't flag it.

Some vendors are still checking in KEK updates to MS!

The BootMgr SVN is the only SVN number you should care about. The other two are for actual CD/DVD's (are people still burning physical ISO's today?) and WDS (network boot from a MS deployment system). A single file DBXUpdateSVN.bin will update the SVN numbers as needed. There isn't a practical point to reporting CD or WDS SVN's.

If you want an output closer to cjee21's script, run Check_UEFI-CA2023.ps1 -Verbose

Verbose mode isn't the default, because most non-technical users don't need to review things like the factory defaults. The factory defaults are a "nice to know" detail, but don't help you do updates. It won't tell you if you can manually enroll the KEK CA 2023, or if you need to perform a Setup Mode upgrade.


Next question would be: How many EFI_CERT_SHA256 signatures should I have in verbose mode?
Answer: At least 437.

The current DBXUpdate.bin has 431 signatures, DBXUpdate2024.bin (which bans CA 2011) adds 3 SVN's, and DBXUpdateSVN.bin adds 3 more SVN's.
431 + 3 + 3 = 437

Your factory default DBX may have a random number of banned EFI signatures as a baseline. They may or may not overlap with DBXUpdate.bin.

There isn't a "correct number" for the factory DBX entries since it represents a snapshot of what was going on when that version of the BIOS firmware was being written. Some number of non-overlapping factory DBX entries could bump your EFI_CERT_SHA256 count above 437.

A SVN is really a special form of EFI_CERT_SHA256 signature. It pretends to have a normal hash value, but it hides the SVN revision number inside the "hash" digits so they didn't have to invent a new data type for the UEFI spec.
I also have a Red "x" under Default UEFI KEK (KEK 2K CA 2023) with cjee21's script. I thought it was unreliable, but it's actually a matter of interpretation of this script.

I hope that the fact that KEK 2K CA 2023 isn't the default certificate in the firmware won't hinder the transition to 2023 certificates.
 

My Computer

System One

  • OS
    windows 11
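How the EFI_CERT_SHA256 count discussed in the post above can be derived from the raw DBX bytes, as an added example that is not part of garlin's or cjee21's scripts. The names `Get-EfiSignatureCount` and `New-SampleSignatureList` and the sample bytes are constructed for illustration; the type GUIDs and the EFI_SIGNATURE_LIST layout come from the UEFI specification.

```powershell
# Added example: count the signatures in a UEFI signature database (DBX, DB, KEK).
# The variable is a run of EFI_SIGNATURE_LIST structures laid end to end.

$EFI_CERT_SHA256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # UEFI spec
$EFI_CERT_X509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # UEFI spec
$MinimumExpected = 437   # figure quoted in the post above; it changes with DBX updates

function Get-EfiSignatureCount {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $counts = [ordered]@{ SHA256 = 0; X509 = 0; Other = 0 }
    $offset = 0
    while ($offset -lt $Bytes.Length) {
        # List header: 16-byte SignatureType GUID, then three little-endian UINT32 fields.
        if ($Bytes.Length - $offset -lt 28) { throw "Truncated list header at offset $offset" }
        $typeBytes = New-Object byte[] 16
        [Array]::Copy($Bytes, $offset, $typeBytes, 0, 16)
        $type       = [guid]::new([byte[]]$typeBytes)
        $listSize   = [long][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [long][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [long][BitConverter]::ToUInt32($Bytes, $offset + 24)

        # Each entry is a 16-byte SignatureOwner GUID followed by the signature data.
        $payload = $listSize - 28 - $headerSize
        if ($sigSize -lt 16 -or $payload -lt 0 -or
            $offset + $listSize -gt $Bytes.Length -or $payload % $sigSize -ne 0) {
            throw "Malformed signature list at offset $offset"
        }
        $entries = [int]($payload / $sigSize)

        if ($type -eq $EFI_CERT_SHA256) {
            # A SHA-256 entry is always owner GUID (16) + digest (32). Per the post,
            # SVN entries are stored as this type too, so they are counted here.
            if ($sigSize -ne 48) { throw "Unexpected EFI_CERT_SHA256 entry size $sigSize" }
            $counts['SHA256'] += $entries
        }
        elseif ($type -eq $EFI_CERT_X509) { $counts['X509'] += $entries }
        else { $counts['Other'] += $entries }

        $offset = [int]($offset + $listSize)
    }
    [pscustomobject]$counts
}

# Constructed sample input: builds one signature list with zero-filled entries.
function New-SampleSignatureList {
    param([guid]$Type, [int]$SignatureSize, [int]$Count)
    $body = New-Object byte[] ($SignatureSize * $Count)
    [byte[]]($Type.ToByteArray() +
             [BitConverter]::GetBytes([uint32](28 + $body.Length)) +
             [BitConverter]::GetBytes([uint32]0) +
             [BitConverter]::GetBytes([uint32]$SignatureSize) +
             $body)
}

# Constructed sample: three SHA-256 entries, then one placeholder X.509 entry.
$sample = [byte[]]((New-SampleSignatureList -Type $EFI_CERT_SHA256 -SignatureSize 48 -Count 3) +
                   (New-SampleSignatureList -Type $EFI_CERT_X509 -SignatureSize 816 -Count 1))
$result = Get-EfiSignatureCount -Bytes $sample

# On a live system (elevated prompt, UEFI firmware), read the real variable instead:
#   $result = Get-EfiSignatureCount -Bytes (Get-SecureBootUEFI -Name dbx).Bytes
'{0} EFI_CERT_SHA256 entries; at or above {1}: {2}' -f `
    $result.SHA256, $MinimumExpected, ($result.SHA256 -ge $MinimumExpected)
```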
I dunno what's different about your Windows. But run this test script for me, it tries to walk down the folder path.
Thanks for the patience. Results:

$Paths = (C:\WINDOWS\System32\SecureBootUpdates)

Testing path to "C:\WINDOWS\System32\SecureBootUpdates"

Test-Path "C:" is valid.
Read 5195 directory items

Hidden folders:

Mode Name
---- ----
d--h-- GroupPolicy

Test-Path "C:\WINDOWS" is valid.
Read 124 directory items

Hidden folders:
d--h-- ELAMBKUP
d--hs- Installer
d--h-- LanguageOverlayCache

Test-Path "C:\WINDOWS\System32" is valid.
Read 5195 directory items

Hidden folders:
d--h-- GroupPolicy

Test-Path "C:\WINDOWS\System32\SecureBootUpdates" is valid.
Read 11 directory items

Hidden folders:

Relative path is .\C:\WINDOWS\System32\SecureBootUpdates


PS D:\UTILS95\UEFISecureBootVariables-garlin>
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo
I have Windows 11 recovery and Macrium Reflect 8.0 Free boot sticks for both of my PCs. Is there a way to check the Secure Boot certificates on them now that I have updated both of my PCs? I have not yet revoked the 2011 certs on either PC. What will happen to boot sticks when Microsoft finally does revoke them?
Run Check_UEFI-CA2023.ps1 -BootMedia to check the eligibility of your USB boot drives.

If you want to update your USB drives, then run Update_UEFI-CA2023.ps1 -BootMedia
 

My Computer

System One

  • OS
    Windows 7
Hi @garlin -

Okay this is my System One, where am I please? Thank you.


Screenshot 2026-01-20 121724.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Tower Plus EBT2250, DOB: 06/15/2025
    CPU
    Intel® Core™ Ultra 7 265 1.8GHz to 5.3GHz (Arrow Lake)
    Motherboard
    Dell Inc. 02D3NT A00 (U3E1)
    Memory
    SK Hynix 32GB DDR5 5600 Desktop RAM UDIMM Non-ECC PC5-5600B
    Graphics Card(s)
    Dell NVIDIA® GeForce RTX™ 4060 8GB GDDR6 & (iGPU) Integrated Intel® UHD Graphics
    Sound Card
    Chipset Realtek High-Definition Audio with Dolby Atmos
    Monitor(s) Displays
    Dell Ultra Sharp U2515H 25-Inch Screen LED-Lit
    Screen Resolution
    2560 X 1440
    Hard Drives
    Samsung (NVMe PM9C1a 1024GB) M.2 PCIe NVMe Solid State Drive (OS), with Samsung Piccolo (S4LY022) 6-Core 4 Channel Controller.

    Samsung T7 500GB SSD, USB-C External Drive
    PSU
    Dell 460W
    Case
    Dell Tower Plus EBT 2250
    Cooling
    Fan
    Keyboard
    Dell Wired Keyboard - KB216
    Mouse
    Logitech M510
    Internet Speed
    Intel Killer E3100G 2.5 Gigabit Ethernet Controller
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    The Samsung NVMe PM9C1a 1024GB SSD does not use a Phison NAND controller. Instead, it uses Samsung's in-house developed Piccolo (S4LY022) 6-Core 4 Channel Controller. The PM9C1a utilizes a controller built using Samsung's 5-nanometer process and seventh-generation V-NAND technology. 🤔
  • Operating System
    Windows 11 Pro 25H2 26200.8457
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 15 7000 (7591) 2-in-1, DOB: 11/30/2019
    CPU
    10th Generation Intel Core i7-10510U Processor (8MB Cache, up to 4.9 GHz) Comet Lake
    Motherboard
    Dell 0NNW5N
    Memory
    16GB DDR4 RAM
    Graphics card(s)
    NVIDIA® GeForce® MX250 with 2GB GDDR5 graphics memory
    Sound Card
    Chipset Realtek ALC3254 🤔🤣
    Monitor(s) Displays
    Dell 15.6-inch UHD Truelife Touch Narrow Border WVA Display with Active Pen support
    Screen Resolution
    3840 x 2160
    Hard Drives
    Intel NVME 512GB SSD with 32GB Intel Optane Memory, M.2 80mm PCIe 3.0 RAID

    SanDisk 256GB Extreme microSDXC UHS-I Memory Card
    PSU
    Dell 4-Cell Battery, 68 Whr (Integrated), 90 Watt AC Adapter
    Case
    Dell Inspiron 15 7000 2-in-1 (7591)
    Cooling
    Standard Dell Case Fan & Havit HV-F2056 USB Powered (3 Fans) Laptop Cooling Pad.
    Keyboard
    Dell
    Mouse
    Logitech Wireless Mouse M650L
    Internet Speed
    Wireless/Wired connectivity (WiFi 6 - 802.11 ax)
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    From Dell: 512GB NVME Solid State Drive accelerated by 32GB Intel Optane Memory are the fastest as compared to NAND SSDs. Intel Optane H10 with SSD offers speedy storage and accelerates opening your programs.
Hello @garlin!
When you have a moment, could you help me interpret these outputs? I still don't understand why it says Windows UEFI CA 2023 is banned and if I should be worried about it?
Anyway, I tried running UEFI-Ca 2023 ps1 -revoque as suggested, and the output I got is what you can see in the screenshot.
This means your PC doesn't have a vendor-provided KEK CA 2023 update (which means MS cannot automatically do the update for you). It can only be updated by either:
- Manual update from the UEFI menu
- Clearing out the current UEFI certs using "Setup Mode"

The script has copied the KEK CA 2023 as a certificate file to the EFI partition, in case your PC supports a manual update. Since the script can't tell what your BIOS supports, you have to check your BIOS if a manual update is provided (usually called "key management").

If you don't see that option in BIOS (because it doesn't exist), then you'll have to try the "Setup Mode" in UEFI.

(I'm one of the supposedly lucky users who has a cert KEK CA 2023 in the secure boot updates folder), and according to a script you provided, it reassured me because it said Microsoft would take care of updating it), I don't know if that's relevant to this issue...
Unfortunately if the vendor didn't provide MS an update, Windows cannot take care of it. The UEFI security model is a partnership between your PC vendor and MS. The PC vendor's Platform Key verifies the MS KEK as valid. The MS KEK verifies the other certs as valid. If the vendor doesn't bless the MS KEK, then UEFI doesn't trust the KEK. This is the gaping hole in the Secure Boot update problem.

It requires the vendor to do their half of the work. Some vendors have decided to abandon older PC's. But if you have the option to invoke a "Setup Mode", then the UEFI can clear out the certs and allow itself to be reprogrammed. In this case, the update script can provide an entirely MS-based cert collection (including a custom Platform Key that MS provides just for this scenario), and install it.

Please check if you see any options for either key management (where it says you can install KEK keys), or Setup/Custom mode.
 

How did you manage to get it to work? When I tried I got a not recognized error.
It's believed the "reg add" for SkuSiPolicy (0x20), doesn't work for the scheduled task.

You'll need to copy it manually, or use the latest version of the update script:
Code:
Update_UEFI-CA2023.ps1 -SkuSiPolicy
 

Is this something else to fix?
In your case, the CA 2011 certs have not been revoked. So the last two update files are not applied yet.

Code:
Update_UEFI-CA2023.ps1 -Revoke
 

I checked 2 boot sticks that I have for my Lenovo T490 laptop - RECOVERY and MACRIUM. Here are the results. What can or should I do about the Macrium Reflect 8.0 Free boot stick? Should I just use Macrium to create a new boot stick or should this one still boot? It was created back in December and I can't honestly remember if I had completed the cert update or not. I guess I'll try to boot from it after I post this reply to see what happens.

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Bootable Media
--------------
USB Drive D: "RECOVERY"

Boot File [Windows UEFI CA 2023] is ALLOWED.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18>

**************************************************

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Bootable Media
--------------
USB Drive D: "MACRIUMT490"

Boot File [Production PCA 2011] is BANNED.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18>
 

I also have a Red "x" under Default UEFI KEK (KEK 2K CA 2023) with cjee21's script. I thought it was unreliable, but it's actually a matter of interpretation of this script.

I hope that the fact that KEK 2K CA 2023 isn't the default certificate in the firmware won't hinder the transition to 2023 certificates.
That is correct. You can ignore this case if the following conditions are true:

1. Vendor has already signed the KEK CA 2023 for MS, but not bothered to release a new firmware. MS will have a copy of the signed KEK to push out.
2. Your BIOS supports manual enrollment of KEK keys. So if you provide the KEK CA 2023 in .der file format, it can be enrolled by the UEFI using the menu options. The update script will attempt to copy the file to EFI, just in case this option is available.
3. Your BIOS supports Setup Mode, where you decide it's better to replace the vendor PK with the generic "Windows OEM Devices PK" which allows KEK CA 2023 to be installed, since MS signed its own KEK. This is the nuclear option if you have an abandoned BIOS. Mosby does the same actions, but it creates a custom PK for you.
The update script will do the same work, but without requiring a separate USB drive and do it entirely from Windows.
 

Relative path is .\C:\WINDOWS\System32\SecureBootUpdates
This is "wrong".
I checked 2 boot sticks that I have for my Lenovo T490 laptop - RECOVERY and MACRIUM. Here are the results. What can or should I do about the Macrium Reflect 8.0 Free boot stick? Should I just use Macrium to create a new boot stick or should this one still boot? It was created back in December and I can't honestly remember if I had completed the cert update or not. I guess I'll try to boot from it after I post this reply to see what happens.

Bootable Media
--------------
USB Drive D: "RECOVERY"

Boot File [Windows UEFI CA 2023] is ALLOWED.
This one is good.

Bootable Media
--------------
USB Drive D: "MACRIUMT490"

Boot File [Production PCA 2011] is BANNED.
This one needs to be updated. Leave it plugged, and run Update_UEFI-CA2023.ps1 -BootMedia
 

This one needs to be updated. Leave it plugged, and run Update_UEFI-CA2023.ps1 -BootMedia
Got it. Will do. (y) We sure are keeping you busy. ;-)
 

Run Check_UEFI-CA2023.ps1 -BootMedia to check the eligibility of your USB boot drives.

If you want to update your USB drives, then run Update_UEFI-CA2023.ps1 -BootMedia

Thanks for the support.
Results per your instructions...
==========================================================
1st RUN:

D:\UTILS95\BR>D:\UTILS95\UEFISecureBootVariables-garlin\Check-UEFI.cmd -BootMedia
Checking for Elevation...
OK

Running powershell-{C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe}
Major Minor Build Revision
----- ----- ----- --------
5 1 26100 7462

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is BANNED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

Bootable Media
--------------
USB Drive F: "SD128gb31"
Boot File [Windows UEFI CA 2023] is BANNED.
USB Drive H: "RESCUEM93P2"
Boot File [Windows UEFI CA 2023] is BANNED.
DVD Drive Z:


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

=========================================================================
2nd Run:

D:\UTILS95\BR>D:\UTILS95\UEFISecureBootVariables-garlin\Update-UEFI.cmd -BootMedia
Checking for Elevation...
OK

Running powershell-{C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe}

Major Minor Build Revision
----- ----- ----- --------
5 1 26100 7462

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the [KEK CA 2023] cert from BIOS.

Restart Windows, for UEFI updates to take effect.

Done.

 
