Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Genix · Jan 1, 2026

garlin said:
I'll try a few tests tomorrow, I am concerned if someone actually does get a localized error message. Which I should fix anyway.

Thanks again for your interest.

By the way, it wouldn't be relevant if the BIOS has a "Reset to Setup Mode" option in the security settings.

Steve C · Jan 1, 2026

garlin said:
That is true, you can continue booting from CA 2011 certs unless MS gets a report of a new security hole in the boot manager. In that case, they would be forced to ship a replacement boot file, and the CA 2011 cert would no longer be valid to sign it (since it expired after 2026).

But the "OPTION 1:" message indicates HP has worked with MS to guarantee the CA 2023 updates can be applied to your model without any troubles.

I like the do nothing option!

Brian48 · Jan 1, 2026

Ran the "Check_UEFI-CA2023.ps1" script from @garlin and this is my result.
I have the missing "SkuSiPolicy.p7b" too, as per @Genix and @Steve C above.
I tried the 2 suggested commands, rebooted but same result.
I am using the EnglishUK version of Windows and I think @Genix said he was using the Spanish version and @Steve C appears to be in the UK so is it possible that non US versions are throwing up this error?

markw51 · Jan 1, 2026

Dirtyflash said:
No luck, but thank you nevertheless! I think it may be because I'm running an older version of 24H2.

try .\Check_UEFI-CA2023.ps1 and not ./

Rollback_Jockey · Jan 1, 2026

garlin said:
Thank you for confirming it worked! I wasn't sure before, since I don't have a PC with one of the older BIOS'es in my home.

For reference, the system I’m dealing with right now is an ancient ASUS X99

I'm in the UK using English GB on 25H2 26200.7462

Dirtyflash · Jan 1, 2026

starchase said:
I appended the text from the previous powershell check scripts so it looks like this:
PS C:\Users\theislands> powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023.ps1
as I have the scripts copied to the temp folder in Windows root.

I got it to work using your command, but can you explain why I couldn't simply right click on it and open it with PowerShell. Again, thank you!

Dirtyflash · Jan 1, 2026

markw51 said:
try .\Check_UEFI-CA2023.ps1 and not ./

Thank you! Got it working now.

suatcini54 · Jan 1, 2026

My PC was already updated to comply with MS new CA certificates. After running Check_UEFI-CA2023.ps1, I got a recommendation to install SkuSiPolicy.p7b in the REQUIRED ACTION section. Then I ran the commands to install SkuSiPolicy.p7b.

After re-checking, I saw to my surprise that I still had the recommendation to install SkuSiPolicy.p7b. Does that mean my old motherboard does not accept SkuSiPolicy ?

This screenshot is what I got after re-running the Check_UEFI-CA2023.ps1 command.

What am I missing ?

suatcini54 · Jan 1, 2026

Dirtyflash said:
I got it to work using your command, but can you explain why I couldn't simply right click on it and open it with PowerShell. Again, thank you!

Permission to run the powershell script, I guess.

Dirtyflash · Jan 1, 2026

suatcini54 said:
Permission to run the powershell script, I guess.

Would you say I need to change the permissions?

TheVisitor · Jan 1, 2026

Dirtyflash said:
Would you say I need to change the permissions?View attachment 158560

I have the same issue. I get restricted when I check Get-ExecutionPolicy -Scope CurrentUser I've used PS before and it worked so don't know what's changed. I've read thru this: about_Execution_Policies - PowerShell but I'm afraid its over my head and pay grade.

Dirtyflash · Jan 1, 2026

TheVisitor said:
I have the same issue. I get restricted when I check Get-ExecutionPolicy -Scope CurrentUser I've used PS before and it worked so don't know what's changed. I've read thru this: about_Execution_Policies - PowerShell but I'm afraid its over my head and pay grade.

Thanks, that's sort of good news, it's not just me.

suatcini54 · Jan 1, 2026

Dirtyflash said:
Would you say I need to change the permissions?View attachment 158560

When you run the script with "powershell -nop -ep bypass" prefix, you bypass the restriction to run the script for one time and the poweshell script runs. Otherwise, the script is blocked.

Aramil · Jan 1, 2026

Brian48 said:
Ran the "Check_UEFI-CA2023.ps1" script from @garlin and this is my result.
I have the missing "SkuSiPolicy.p7b" too, as per @Genix and @Steve C above.
I tried the 2 suggested commands, rebooted but same result.
I am using the EnglishUK version of Windows and I think @Genix said he was using the Spanish version and @Steve C appears to be in the UK so is it possible that non US versions are throwing up this error?
View attachment 158541

Run the following commands in an elevated Windows PowerShell prompt to install skuSipolicy manually if the script is having trouble (line by line)

Powershell:

$PolicyBinary = $env:windir+"\System32\SecureBootUpdates\SkuSiPolicy.p7b"
$MountPoint = 's:'
$EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot"
mountvol $MountPoint /S
if (-Not (Test-Path $EFIDestinationFolder)) { New-Item -Path $EFIDestinationFolder -Type Directory -Force }
Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -Force
mountvol $MountPoint /D

From MS Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates - Microsoft Support

Genix · Jan 1, 2026

I'm not entirely sure how I did it, but with the help of "copilot" I managed to update and now it's working correctly. Thanks

I forgot to mention, I did a "Reset Setup Keys" in the BIOS.

garlin · Jan 1, 2026

suatcini54 said:
My PC was already updated to comply with MS new CA certificates. After running Check_UEFI-CA2023.ps1, I got a recommendation to install SkuSiPolicy.p7b in the REQUIRED ACTION section. Then I ran the commands to install SkuSiPolicy.p7b.

After re-checking, I saw to my surprise that I still had the recommendation to install SkuSiPolicy.p7b. Does that mean my old motherboard does not accept SkuSiPolicy ?

Back in 2023, MS made the first recommendation to copy SkuSiPolicy.p7b, whenever Windows is running VBS.

cjee21's GitHub suggests AvailableUpdates = 0x20 will force the scheduled task to copy the file. But in reviewing the MS docs, there isn't confirmation of that. I found online comments from 2023 that suggest using a 0x10 (enable policy enforcement) or 0x30 value (0x10 + 0x20).

All we have right now are instructions to simply copy the file, without making other changes. Since MS hasn't indicated you should be using AvailableUpdates to push SkuSiPolicy.p7b, I will change the script's output to suggest you use the update script.

Dirtyflash · Jan 1, 2026

This was about as far as I was able to get. In the end, like Mosby, I couldn't get out of Setup Mode in order to turn Secure Boot back on without Resetting Factory Keys. I'm not disappointed, it was an interesting experience and I'm happy it's working for others. I have to say that I'm still impressed with what @garlin was able to achieve.

TheVisitor · Jan 1, 2026

I give up.. can't get the syntax or something right, I'm just not understanding
The argument 'C:\users\username\desktop\secureboot-ca-2023-updates\check_uefi-2023.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter

Dirtyflash · Jan 1, 2026

TheVisitor said:
I give up.. can't get the syntax or something right, I'm just not understanding
The argument 'C:\users\username\desktop\secureboot-ca-2023-updates\check_uefi-2023.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter

Let me try helping you out. I created a folder under C called Temp, essentially called C/Temp. I then put both the Check and Update commands into that folder. Next step, open PowerShell as an Administrator. To run the commands, they would look like this:

powershell -nop -ep bypass -f C:\Temp\Check_UEFI-CA2023.ps1

powershell -nop -ep bypass -f C:\Temp\Update_UEFI-CA2023.ps1

cybesis · Jan 1, 2026

This looks like a great resource for managing Secure Boot CA updates! The automation approach with PowerShell is definitely the way to go - it eliminates a lot of the manual guesswork that comes with following various guides.

Have you tested these scripts on both traditional BIOS and UEFI systems? I'm curious about the compatibility across different motherboard manufacturers, especially with some of the older hardware that might still be running Windows 11.

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Member

My Computer

Well-known member

My Computer

Active member

My Computer

AI Data Scientist

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Member

My Computer