Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

In general, it depends on your PC model and the current BIOS version.

Some BIOS'es support the CA 2023 certs and the update process works very well, and other times you have a legacy PC where some manual help is required. You can download and install the check script from post #1, and share the output.

Opened a bug with PS 7.
Get-SecureBootSVN can report the wrong FirmwareSVN value #27058

JamesSmith said:

I don't have the technical knowledge to clear the dbx keys on the Gigabyte Bios

Click to expand...

In your profile you say Gigabyte B760M H DDR4
These pics are from a Gigabyte B760M DS3H DDR4 (Rev. 1.0) and it's not too hard- should look pretty much the same on your board:

t2s50 said:

In your profile you say Gigabyte B760M H DDR4
These pics are from a Gigabyte B760M DS3H DDR4 (Rev. 1.0) and it's not too hard- should look pretty much the same on your board:

Spoiler: Gigabyte B760 Bios Pics for deleting a singel dbx entry

Go into your bios setup, choose boot, then secure boot
View attachment 166210

Klick Key Management:
View attachment 166211

Klick Forbidden Signatures (dbx)
View attachment 166212

Klick delete (don't worry, there's at least one more question):
View attachment 166213

Klick "No" since you don't want to delete the complete dbx but just a single entry:
View attachment 166214

Choose the entry with the additional SVNs- this pic has just the necessary entries, if Get-SecureBootSVN still shows Firmware SVN 2 you have in addition another entry with Count 3 in the list. First two (count 430 and 1) are the 431 standard hashes, the PCA 2011 revocation is clearly marked, and in my pic the last entry is the SVN update. It should be the first entry with count 3 before or directly after the PCA2011 entry.
Click the entry you want to remove / delete (it's not the one marked in the pic, these 4 entries are all OK)
View attachment 166215

Now you have to confirm one last time
View attachment 166216

If you by accident delete both SVN updates you simply re- apply the latest (single) SVN update.

(Despite veing applied in a single file both for my 10th gen Intel Asus board and the Gigabyte board had the old SVN update and the 2011 recovation as separate entries)

Click to expand...

If I remember I need to reset the entire dbx database as everything is out of order? Wouldn't that mean I need to remove more than 1 certificate?

I can possibly take a picture of that menu and show it to you before I delete anything. Technically I would like to reset the whole thing and start again using garlin's script.

I am still sitting on the fence as I trust what Garlin is saying.

Also I am waiting on this

garlin said:

Opened a bug with PS 7.
Get-SecureBootSVN can report the wrong FirmwareSVN value #27058

Click to expand...

If it is a bug then there's no need to do anything.

garlin said:

Opened a bug with PS 7.
Get-SecureBootSVN can report the wrong FirmwareSVN value #27058

Click to expand...

Confirmed over here on PS 7.5.5. Do you think MS will fix the "Get-SecureBootSVN" code in PowerShell and roll it out in a Windows Update or will we just be stuck with it - or is this another who knows.

It's a trivial bug to fix. In my scripts, I sort the different SVN's in ascending order before selecting the last (highest) one. I'm guessing it's buried in a shared library because PS 5.1 has the same bug.

I chalk it up to insufficient testing.

Yeah, that's true - it's not like it is going to hurt anything. I'll just ignore it.

neldog said:

Yeah, that's true - it's not like it is going to hurt anything. I'll just ignore it.

Click to expand...

Agreed we should ignore this unless there is new information saying otherwise.

I trust Garlin’s thinking.

Tried a bootmanager SVN3 on a machine with all revocations applied (meaning it should show Firmware SVN: 7.0) but showing Firmware SVN: 2.0 and got a secure boot violation- didn't boot. So it's one more indication that it's an error in PS and Secure Boot SVNs worked as expected...

This is mine

SaliesBuzz said:

Read all of those, not one lists "Reset All Keys" just Factory Default. The setup screen is also different as it is InsydeH20 Setup Utility. Will try again later today my time, it is early morning here! Thanks anyway

Click to expand...

Achieved the update leaving the Bios alone by the method described in the original Microsoft article:
The Check_UEFI script still returns the error:
ell Inc. Inspiron 5721
Version: A16
Date: 2018-05-24
La variable est actuellement non définie : 0xC0000100
(The variable is currently undefined)
However the status in the relevant Registry Keys shows 2023 Ca is present and updated.

SaliesBuzz said:

Achieved the update leaving the Bios alone by the method described in the original Microsoft article:

Registry key updates for Secure Boot: Windows devices with IT-managed updates - Microsoft Support

support.microsoft.com

The Check_UEFI script still returns the error:
ell Inc. Inspiron 5721
Version: A16
Date: 2018-05-24
La variable est actuellement non définie : 0xC0000100
(The variable is currently undefined)
However the status in the relevant Registry Keys shows 2023 Ca is present and updated.

Click to expand...

Does this version return the 0xC0000100 error?

garlin said:

Does this version return the 0xC0000100 error?

Click to expand...

Yes it did.
I will not have this computer after another hour, as its owner is coming to collect it.
Attached are 2 files, showing the results of 2 other checks that also show errors but succeed in parts. I hope they may help. One of them has a partly French output as I piped the output to a file.
Kind Regards
SaliesBuzz

Hey @garlin

On second thought: It sounds like you think the behavior constitutes a security vulnerability, and as such it may receive more attention.

Click to expand...

It's not a vulnerability. Get-SecureBootSVN doesn't determine any actual behavior, it's merely a reporting feature.

The actual implementation of SVN is handled by the Windows boot manager code. I know because I've read the MS PowerPoint describing how it's supposed to work.

I'm not going to cry wolf, and have someone reject my bug report because I said it's security vulnerability when it wasn't.

SaliesBuzz said:

Attached are 2 files, showing the results of 2 other checks that also show errors but succeed in parts. I hope they may help. One of them has a partly French output as I piped the output to a file.

Click to expand...

I finally tracked down the last place in the script that doesn't trap the 0xC0000100 error (SetupMode variable).

This PC's DB list has 5 certs, or the correct number.

Just installed 28000.1719 (x64) on a VM.

DBXUpdateSVN.bin is not the latest version, but 26H1 has the latest boot manager.
I'm not sure why some builds don't include SVN 7.0!

Hi Garlin,
First of all, thanks for all the time and effort you have put into these scripts. I have been through all 40 some pages and haven’t seen anything that addresses my problem.

Below is the output of ./Check_UEFI-CA2023.ps1 -verbose
.............................
Windows 11 25H2 (26200.8037)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
Dell Inc. Precision M4800
Version: A26
Date: 2019-06-12

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Dell Inc. UEFI Platform Key
Manual update of [KEK CA 2023] is REQUIRED.

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
Get-SecureBootUEFI: D:\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1115
Line |
1115 | … gnatures: {1}' -f $Tab4, (Get-SecureBootUEFI -Name dbxDefault | Get-U …
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
| Variable is currently undefined: 0xC0000100

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 432

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is BANNED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

PS D:\SecureBoot-CA-2023-Updates>
.................................
So I run the above command W/O -revoke then attempt to add the KEK CA2023 certificates via the instructions "Manual installation of [KEK 2K CA 2023]". Whether I attempt to replace the key or add the key I get a the error "Error replacing key, Make sure the new key is properly formatted". I get this error with both the .der and .crt certs. Can you help?

LeeElectrode said:

UEFI PK Cert
------------
Dell Inc. UEFI Platform Key
Manual update of [KEK CA 2023] is REQUIRED.

Click to expand...

Your PC's last BIOS was Dec 2019, which is too old to support Secure Boot CA 2023 and Dell never signed a KEK update for this BIOS.

LeeElectrode said:

So I run the above command W/O -revoke then attempt to add the KEK CA2023 certificates via the instructions "Manual installation of [KEK 2K CA 2023]". Whether I attempt to replace the key or add the key I get a the error "Error replacing key, Make sure the new key is properly formatted". I get this error with both the .der and .crt certs. Can you help?

Click to expand...

This version of the BIOS also doesn't take the .der or .crt-formatted certs, so manual enrollment of the KEK CA 2023 won't work. A number of other folks have the same issue with their older-generation Dells.

1. BitLocker is OFF for you, so we don't need to disable or suspend it.

2. We need to put the BIOS into Setup Mode (clear all certs), so the update script can install a new set of replacement MS certs. Please read this Dell article, and determine which BIOS version you have (looking at the screen layout).

How To Update Secure Boot Active Database from BIOS

3. Follow the Dell instructions. Make sure Secure Boot mode is disabled, before booting into Windows.

4. Run the check script; if it recognizes you're in Setup Mode then we can proceed.

5. Run the update script, it should replace the Dell PK with a Windows OEM Devices PK (from MS). Once that gets added, the rest of the CA 2023 certs should be installed in turn.

6. Run the check script. You should see the KEK CA 2023 now.

hvoqasimo said:

outcome runing Check_UEFI-CA2023.ps1 script:
powershell -nop -ep bypass -f "C:\temp\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1”
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\Users\asimo>

Click to expand...

I would like to share the outcome of the following script running with you:everything looks good.

powershell -nop -ep bypass -f "C:\temp\SecureBoot-CA-2023-Updates\Check_DBXUpdate.bin.ps1”
SUCCESS: Matched 431/431 EFI signatures from "dbxupdate.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdate2024.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdateSVN.bin"