Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Would it work on my old dell e6430s laptop?
I did a little research and from screenshots of your bios it looks as though version A12 has secure boot and expert key management so it has potential like my M4800. Has this laptop been upgraded to win 11 2H52? (Via Rufus?)
 

Would it work on my old dell e6430s laptop?
Your last BIOS is Jan 2019, so it's unsupported. Using Setup Mode might work after you've Reset All Keys from the BIOS menu.

Would this work on an old X99 based Asus motherboard?
Depends on the last BIOS date. You should name the exact motherboard model.
 

I did a little research and from screenshots of your bios it looks as though version A12 has secure boot and expert key management so it has potential like my M4800. Has this laptop been upgraded to win 11 2H52? (Via Rufus?)
Looks like A21 is the latest BIOS.
A21 BIOS
 

All 3 of my desktops appear to have downloaded new keys automatically.

All that remains is an
Acer 2023 laptop, which I'm surprised, per your comments, doesn't already have support
HP Elitebook 820 G4, which is like 9 years old, so I am sure that won't be supported by HP.
 

The blocking factor in all cases is whether your OEM has provided a signed KEK CA 2023 cert, which underpins the entire migration.

Newer BIOSes will have it pre-installed, or a recent firmware update will get you the KEK CA 2023 cert.
For older BIOSes (like 9 years old), HP isn't going to do that. So you will have to test if replacing all the keys in Setup Mode is possible.

A not so old Acer will probably have a UEFI Setup menu which supports KEK key enrollment. In that case, the script copies the KEK CA 2023 in file format to the EFI and it can be installed by the UEFI menu from there.
 

Your last BIOS is Jan 2019, so it's unsupported. Using Setup Mode might work after you've Reset All Keys from the BIOS menu.


Depends on the last BIOS date. You should name the exact motherboard model.
Hi, it's the Asus X99 Deluxe, with BIOS version 4101


Probably too old
 

Can I just upload the cert from a file into BIOS after highlighting KEK?
If you have an unsupported BIOS, the update script will copy the KEK CA 2023 cert file to the EFI partition under folder "\EFI\Certs". You can search the system disk from the setup menu (instead of using a spare USB drive).

Some old Dells will complain that the file is in the wrong format (expecting an .auth file).

In that case, you will need to "Delete All Keys" and run the update script. The script should detect it's in Setup Mode and install a replacement set of Secure Boot keys. But the PK will switch from Dell to a MS-issued "Windows OEM Devices PK". From there, it can finish the update process.
 

If you have an unsupported BIOS, the update script will copy the KEK CA 2023 cert file to the EFI partition under folder "\EFI\Certs". You can search the system disk from the setup menu (instead of using a spare USB drive).

Some old Dells will complain that the file is in the wrong format (expecting an .auth file).

In that case, you will need to "Delete All Keys" and run the update script. The script should detect it's in Setup Mode and install a replacement set of Secure Boot keys. But the PK will switch from Dell to a MS-issued "Windows OEM Devices PK". From there, it can finish the update process.
I don't have \EFI\Certs folder
 

Did you run Update_UEFI-CA2023.ps1? It should instruct you to manually install the KEK key. After it does that, you need to select the boot device (trial and error, if you don't know it), until you see a "Certs" folder. The copied cert should be under the folder.
 

Can I just upload the cert from a file into BIOS after highlighting KEK?
Enter BIOS
Enable Secure Boot
Under Expert Key Management check the box Enable Custom Mode
Delete (not reset) all Keys.
Save and exit and the PC should boot to Windows.
.....................................
Run Update_UEFI-CA2023.ps1 -Revoke
Reboot to Windows
Run Check_UEFI-CA2023.ps1 and you should now see:
UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

In the BIOS leave Expert Key Management, Enable Custom Mode "checked". Just don't go back into the BIOS...
 

I recommend users try the manual KEK enrollment first, and if that doesn't work, then delete all keys as the next step.

Start with the normal method, and then work your way to the next workaround. It only takes a few minutes to see if your attempt at manual enrollment is rejected or not.
 

I don't have \EFI\Certs folder
Hey friends!

@man00's Dell BIOS type looks exactly like mine.
Yes, it was a little tricky to find the certs under folder "\EFI\Certs", but when I found them an error message popped up saying the certs are not properly signed (both formats).
So... I think in the case of @man00 the best is:

Enter BIOS
Check if Secure Boot is enabled
Under Expert Key Management check the box Enable Custom Mode
Delete all Keys.
Disable Secure Boot
Save and exit and the PC should boot to Windows.

Run the check script to ensure that the BIOS is in Setup Mode.
If yes, run the update script.

Then run the check script again and see if the KEK CA 2K is present.

If so, re-enter the BIOS and enable Secure Boot again.
Leave Custom Mode enabled and exit the BIOS.

Done.
Best of luck ;-)
 

Thanks, I tried everything so far that's been posted but still unable to run any of those ps1 scripts; maybe changing the BIOS from expert to custom mode may allow it.
Did your results look like this?
Thanks, I tried everything so far that's been posted but still unable to run any of those ps1 scripts; maybe changing the BIOS from expert to custom mode may allow it.
Did your results look like this?
Before the update, yes.

You must be able to run garlin's scripts.

Let's try this:

1- Right-click PowerShell and select "Run as administrator".

2- Type this command: "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass" without quotes and press Enter.

3- Then PowerShell will ask if you are sure you want to allow the script to run: type Y and press Enter.

4- Leave the PowerShell window open.

5- Right-click garlin's Check_UEFI-CA2023.ps1 and select "Copy as path".

6- Open Notepad and paste what you copied in point 5.

7- When you paste, you will see that the path has quotes at the beginning and end, which you must delete.

8- After deleting the quotes from the path, copy the result and paste it into PowerShell.

9- Press Enter.

With luck you will be able to run garlin's scripts.

PS- This procedure only allows running scripts one time in PowerShell, and if you want to run another one you have to repeat this process.
 

How does one know, from the text below, if the 2011 cert has been Revoked?

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
 

How does one know, from the text below, if the 2011 cert has been Revoked?

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
Hello!
I think because it's listed in UEFI DBX ;-)
 

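How the answer above can be read off mechanically, as an added example (not garlin's script and not code from any poster in this thread): a name listed under "UEFI DBX Certs" is revoked even when it still appears under "UEFI DB Certs", because the forbidden list takes precedence over the allowed list. The function names ConvertFrom-CertReport and Get-CertTrustState are made up for this illustration; the sample text is the DB and DBX part of the report quoted above.

```powershell
# Section listing copied from the Check_UEFI-CA2023.ps1 report quoted in this thread.
$report = @'
UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
'@

# Hypothetical helper: split the report text into KEK / DB / DBX name lists.
function ConvertFrom-CertReport {
    param([string]$Text)
    $sections = @{}
    $current  = $null
    foreach ($line in ($Text -split "`r?`n")) {
        $line = $line.Trim()
        if ($line -match '^UEFI (KEK|DB|DBX) Certs$') {
            $current = $Matches[1].ToUpper()
            $sections[$current] = @()
        }
        elseif ($line -eq '')        { $current = $null }   # blank line ends a section
        elseif ($line -match '^-+$') { continue }           # underline row below a heading
        elseif ($current)            { $sections[$current] += $line }
    }
    $sections
}

# Hypothetical helper: DBX (forbidden list) overrides DB (allowed list).
function Get-CertTrustState {
    param([hashtable]$Sections, [string]$Name)
    if ($Sections['DBX'] -contains $Name) { return 'REVOKED (listed in DBX)' }
    if ($Sections['DB']  -contains $Name) { return 'TRUSTED (DB only)' }
    'NOT PRESENT'
}

# Report the state of every certificate name found in the DB section.
$s = ConvertFrom-CertReport -Text $report
foreach ($name in $s['DB']) {
    '{0,-40} {1}' -f $name, (Get-CertTrustState -Sections $s -Name $name)
}
```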
Hello!
I think because it's listed in UEFI DBX ;-)
Alrighty then! That led me to explore the definition of:
UEFI DBX (Forbidden Signature Database) certificates are part of the UEFI Secure Boot standard used to revoke trust in compromised or vulnerable bootloaders and drivers. It is a "blacklist" stored in firmware that prevents specific, insecure code from running, thereby protecting the system from rootkits and unauthorized, malicious firmware.
 

Before the update, yes.

You must be able to run garlin's scripts.

Let's try this:

1- Right-click PowerShell and select "Run as administrator".

2- Type this command: "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass" without quotes and press Enter.

3- Then PowerShell will ask if you are sure you want to allow the script to run: type Y and press Enter.

4- Leave the PowerShell window open.

5- Right-click garlin's Check_UEFI-CA2023.ps1 and select "Copy as path".

6- Open Notepad and paste what you copied in point 5.

7- When you paste, you will see that the path has quotes at the beginning and end, which you must delete.

8- After deleting the quotes from the path, copy the result and paste it into PowerShell.

9- Press Enter.

With luck you will be able to run garlin's scripts.

PS- This procedure only allows running scripts one time in PowerShell, and if you want to run another one you have to repeat this process.
Got it to run the results
he execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All Suspend [?] Help (default is "N"): y
PS C:\WINDOWS\system32> C:\temp\Update_UEFI-CA2023.ps1
Downloading "KEKUpdate_Dell_PK4.bin" from GitHub.
ERROR: Failed to append "KEKUpdate_Dell_PK4.bin" to UEFI KEK.
Unexpected Result, status error: 0xC000000D
 
