Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


I was just checking in with you. I thought someone might have reached out. I assume you will keep us updated?
I'll keep everyone informed, but I don't understand the worry.

My script does the right thing (it has a different method for determining the DBX's SVN, written). But if someone or a guide instructs you to run Get-SecureBootSVN, then that result may be wrong. The whole point of the project is to get a correct presentation of facts so everyone doesn't have to be an expert on Secure Boot.
 

My Computer

System One

  • OS
    Windows 7
I got a pleasant surprise from ASRock today. I went to their website to see if they had finally released a new BIOS update. When I saw that they had released a Secure Boot BIOS update, you could have knocked me over with a feather. My PowerSpec B746 desktop is now running BIOS v L1.36 dated 02/26/2026. Because I had to reset the BIOS back to the factory defaults, I had to reset my PIN to get back into Windows 11. I haven't checked the Secure Boot settings yet.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec B746
    CPU
    Intel Core i7-10700K
    Motherboard
    ASRock Z490 Phantom Gaming 4/ax
    Memory
    16GB (8GB PC4-19200 DDR4 SDRAM x2)
    Graphics Card(s)
    NVIDIA GeForce GTX 1050 TI
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    #1. LG ULTRAWIDE 34" #2. AOC Q32G2WG3 32"
    Screen Resolution
    #1. 3440 X 1440 #2. 1920 x 1080
    Hard Drives
    NVMe WDC WDS100T2B0C-00PXH0 1TB
    Samsung SSD 860 EVO 1TB
    PSU
    750 Watts (62.5A)
    Case
    PowerSpec/Lian Li ATX 205
    Keyboard
    Logitech K270
    Mouse
    Logitech M185
    Browser
    Microsoft Edge and Firefox
    Antivirus
    Webroot SecureAnywhere CE 26.1
  • Operating System
    Windows 11 Canary Channel
    Computer type
    PC/Desktop
    Manufacturer/Model
    PowerSpec G156
    CPU
    Intel Core i5-8400 CPU @ 2.80GHz
    Motherboard
    AsusTeK Prime B360M-A
    Memory
    16 MB DDR 4-2666
    Monitor(s) Displays
    23" Speptre HDMI 75Hz
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 970 EVO 500GB NVMe
    Keyboard
    Logitek K270
    Mouse
    Logitek M185
    Browser
    Firefox, Edge and Edge Canary
    Antivirus
    Windows Defender
When you refresh the certs (because the new factory defaults added CA 2023), TPM detects this as a platform change.

Windows will ask for a BitLocker recovery key (if BitLocker wasn't disabled or suspended), and your Windows Hello PIN is no longer valid. It's a security measure to confirm someone didn't alter your UEFI's settings without your knowledge. It's annoying, but for your protection.
 

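The reply above explains why a firmware-defaults reset or cert refresh ends in a BitLocker recovery prompt and an invalid Hello PIN: the TPM sees a platform-configuration change. The following is an added example, not garlin's script or any code from this thread, that inventories the state a practitioner wants to know before touching the firmware and then suspends BitLocker for exactly one reboot so the change does not trip recovery. It assumes Windows 10/11 with the built-in BitLocker module (Get-BitLockerVolume, Suspend-BitLocker) and an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): record BitLocker and Secure Boot state before a
# firmware-defaults reset or cert refresh, then suspend BitLocker for one reboot so the
# TPM-sealed key survives the PCR change described in the reply above.

function Get-PreFirmwareChangeState {
    # Confirm-SecureBootUEFI throws on legacy-BIOS/CSM boots, so report that instead of failing.
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = 'not UEFI / unsupported' }
    $vols = foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeStatus     = $v.VolumeStatus
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($v.KeyProtector.KeyProtectorType -join ', ')
            # A TPM-bound protector (Tpm, TpmPin, TpmStartupKey, ...) is what a platform change trips.
            TpmBound         = [bool]($v.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*')
            HasRecoveryPwd   = [bool]($v.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
        }
    }
    [pscustomobject]@{ SecureBoot = $sb; Volumes = $vols }
}

function Suspend-TpmBoundBitLocker {
    # Suspend only volumes currently protected by a TPM-based protector. RebootCount 1 means
    # protection resumes automatically after the next boot, so there is no manual step to forget.
    foreach ($v in Get-BitLockerVolume | Where-Object ProtectionStatus -eq 'On') {
        $tpm = $v.KeyProtector | Where-Object KeyProtectorType -like 'Tpm*'
        if (-not $tpm) { continue }   # password- or USB-key-only volumes are unaffected by PCR changes
        Suspend-BitLocker -MountPoint $v.MountPoint -RebootCount 1 | Out-Null
        "Suspended BitLocker on $($v.MountPoint) for one reboot"
    }
}

$state = Get-PreFirmwareChangeState
"Secure Boot enabled: $($state.SecureBoot)"
$state.Volumes | Format-Table -AutoSize

# Refuse to proceed if a TPM-bound volume has no recovery password at all: after the firmware
# change, that password is the only way back in if the suspend did not cover something.
$risky = $state.Volumes | Where-Object { $_.TpmBound -and -not $_.HasRecoveryPwd }
if ($risky) {
    Write-Warning "Add and back up a recovery password first on: $($risky.MountPoint -join ', ')"
    Write-Warning "e.g. Add-BitLockerKeyProtector -MountPoint C: -RecoveryPasswordProtector, then manage-bde -protectors -get C:"
} else {
    Suspend-TpmBoundBitLocker
    # Now reboot into firmware setup, load defaults / refresh the certs, and boot back into Windows.
}
```

Windows Hello is outside this script's reach: the PIN is sealed to the TPM as well and will need to be re-established after the boot, which matches what the poster saw.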
I never saw a need to use BitLocker on my computers. On the rare occasions I need to encrypt a file or folder, I'll use VeraCrypt. I wasn't surprised that I had to have a code sent to my phone so I could log in to my MS account to reset my PIN, because I have had to do it in the past. One nice thing is that I didn't have to change my PIN. The ASRock Instant Flash makes it so easy to update the BIOS. I remember when I used to cross my fingers and hope for the best when I did a BIOS update. Something that did surprise me, though, was Edge. I had to reset the three pages that load when Edge starts. Firefox wasn't affected. I'm guessing that having to sign in to my MS account must have reset Edge. Not sure why, though. As far as I know, I don't have Edge set to sync to my MS account.
 

I think my PowerSpec B746 is now good to go. When I first checked I saw that Secure Boot was turned off. When I entered the BIOS to turn it on I found that I had to turn off CSM. Very easy to do once I found out where they hid the setting. This is what I got when I ran the script to do a check. Looks good to me. I hope I'm right.

 

For the CA 2023 certs, you're fine.

What concerns me is that the script cannot open "\Windows\System32\SecureBootUpdates\dbxupdate.bin". I will guess that when you browse that folder, dbxupdate.bin is present. You might be the 3rd user to report some weird glitch where the script isn't allowed to read that file, even though it exists and you're running as Admin.
 

The file does exist but it says that it was modified on 10/14/2025 and the size is 24KB. On my other desktop the file is the same size and the date modified is 3/12/2026.
 

The SecureBootUpdates folder should be refreshed by Windows Update; try copying the file over from the 2026 system.

dbxupdate.bin hasn't changed since last October, but something might have messed up the folder or file permissions.
 

Well, while you are banging on doors there, would you please ask your contact there to please bring back Microsoft Money? :zany:
I still use MS Money Plus Deluxe Sunset edition from 2016. My wife would kill me if I couldn't keep it running. :scream:
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.

Instead of changing the Execution Policy (not everyone wants to), you can use a longer command line to run the script:
Code:
powershell -ep bypass -f \folder\name\Update_UEFI-CA2023.ps1

If you got a "Failed to append" error, the normal (safe) method failed and you need to try the "Delete All Keys" from the BIOS menu. Then re-run the update script.

Hey friends!

The @man00 Dell BIOS type looks exactly like mine.
Yes, it was a little tricky to find the certs under the folder "\EFI\Certs", but when I found them an error message popped up saying the certs are not properly signed (both formats).
So... I think in the case of @man00 the best is:

Enter BIOS
Check if Secure Boot is enabled
Under Expert Key Management check the box Enable Custom Mode
Delete all Keys.
Disable Secure Boot
Save and exit and the PC should boot to Windows.

Run the check script to ensure that the BIOS is in Setup Mode.
If yes, run the update script.

Then run the check script again and see if the KEK CA 2K is present.

If so, re-enter the BIOS and enable Secure Boot again.
Leave Custom Mode enabled and exit the BIOS.

Done.
Best luck ;-)
Thanks, got it done other than revoking the 2011 key; will do that or let MS do it in June.
 

My Computer

System One

  • OS
    windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Antec/Case
    CPU
    Intel i5-10600kf
    Motherboard
    GIGABYTE Z590 UD AC
    Memory
    32gb corsair vengerance pro
    Graphics Card(s)
    AMD RX 6500XT
    Sound Card
    onboard
    Monitor(s) Displays
    40" Hisense
    Hard Drives
    Samsung 850
    Samsung 870
    Seagate 2TB
    PSU
    EVGA GQ 750
That's not a normal looking registry. It looks like the Secure Boot scheduled task barfed while trying to update things.
What model PC is this from?
That's the HP Elitebook 820 G4
 

My Computers

System One System Two

  • OS
    11
    Computer type
    Laptop
    Manufacturer/Model
    ASUS
    CPU
    Ryzen 5900HX
    Motherboard
    Built In
    Memory
    32GB
    Graphics Card(s)
    RTX 3080 16GB
    Sound Card
    Onboard
    Monitor(s) Displays
    Built in
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 1TB
    Sabrent 2TB
    PSU
    240W Poorly Designed Asus Charger
    Case
    Built In
    Cooling
    Liquid Metal
    Keyboard
    Built in RGB
  • Operating System
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Made
    CPU
    9900K
    Motherboard
    Asus Z390-P
    Memory
    32GB
    Graphics card(s)
    2080 TI
    Sound Card
    Onboard
    Monitor(s) Displays
    25 Inch
    Screen Resolution
    1920x1080
    Hard Drives
    256gb Crucial SSD
    1 TB WD SSD
    8 TB Samsung SSD
    PSU
    750W
    Case
    Corsair
    Cooling
    Corsair H100I
    Keyboard
    HyperX
    Mouse
    Razer Death Adder 2021 (Not full price lol)

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Tower Plus EBT2250, DOB: 06/15/2025
    CPU
    Intel® Core™ Ultra 7 265 1.8GHz to 5.3GHz (Arrow Lake)
    Motherboard
    Dell Inc. 02D3NT A00 (U3E1)
    Memory
    SK Hynix 32GB DDR5 5600 Desktop RAM UDIMM Non-ECC PC5-5600B
    Graphics Card(s)
    Dell NVIDIA® GeForce RTX™ 4060 8GB GDDR6 & (iGPU) Integrated Intel® UHD Graphics
    Sound Card
    Chipset Realtek High-Definition Audio with Dolby Atmos
    Monitor(s) Displays
    Dell Ultra Sharp U2515H 25-Inch Screen LED-Lit
    Screen Resolution
    2560 X 1440
    Hard Drives
    Samsung (NVMe PM9C1a 1024GB) M.2 PCIe NVMe Solid State Drive (OS), with Samsung Piccolo (S4LY022) 6-Core 4 Channel Controller.

    Samsung T7 500GB SSD, USB-C External Drive
    PSU
    Dell 460W
    Case
    Dell Tower Plus EBT 2250
    Cooling
    Fan
    Keyboard
    Dell Wired Keyboard - KB216
    Mouse
    Logitech M510
    Internet Speed
    Intel Killer E3100G 2.5 Gigabit Ethernet Controller
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    The Samsung NVMe PM9C1a 1024GB SSD does not use a Phison NAND controller. Instead, it uses Samsung's in-house developed Piccolo (S4LY022) 6-Core 4 Channel Controller. The PM9C1a utilizes a controller built using Samsung's 5-nanometer process and seventh-generation V-NAND technology. 🤔
  • Operating System
    Windows 11 Pro 25H2 26200.8457
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 15 7000 (7591) 2-in-1, DOB: 11/30/2019
    CPU
    10th Generation Intel Core i7-10510U Processor (8MB Cache, up to 4.9 GHz) Comet Lake
    Motherboard
    Dell 0NNW5N
    Memory
    16GB DDR4 RAM
    Graphics card(s)
    NVIDIA® GeForce® MX250 with 2GB GDDR5 graphics memory
    Sound Card
    Chipset Realtek ALC3254 🤔🤣
    Monitor(s) Displays
    Dell 15.6-inch UHD Truelife Touch Narrow Border WVA Display with Active Pen support
    Screen Resolution
    3840 x 2160
    Hard Drives
    Intel NVME 512GB SSD with 32GB Intel Optane Memory, M.2 80mm PCIe 3.0 RAID

    SanDisk 256GB Extreme microSDXC UHS-I Memory Card
    PSU
    Dell 4-Cell Battery, 68 Whr (Integrated), 90 Watt AC Adapter
    Case
    Dell Inspiron 15 7000 2-in-1 (7591)
    Cooling
    Standard Dell Case Fan & Havit HV-F2056 USB Powered (3 Fans) Laptop Cooling Pad.
    Keyboard
    Dell
    Mouse
    Logitech Wireless Mouse M650L
    Internet Speed
    Wireless/Wired connectivity (WiFi 6 - 802.11 ax)
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    From Dell: 512GB NVME Solid State Drive accelerated by 32GB Intel Optane Memory are the fastest as compared to NAND SSDs. Intel Optane H10 with SSD offers speedy storage and accelerates opening your programs.
My main computer results. To run those commands, do I need to run Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass for PowerShell?
The other command I run from CMD as Admin?
Should Secure Boot be disabled before doing either of these?
Thanks
 

CA 2023 certs are added, but PCA 2011 has not been revoked.

Users have to decide whether they prefer to keep PS's security policy in place, or make it easier to run PS scripts again in the future. I run scripts all the time, so my Execution Policy is less secure. If you rather not change it, then use the longer command line, which overrides the policy for just one command.

The results will be exactly the same.

Secure Boot does not have to be disabled in your case. It's only recommended to disable Secure Boot if you don't have a supported PC and need to replace all the certs in Setup Mode. That's just in case the UEFI reset doesn't work correctly.
 

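Two checks recur in this thread: the "Hey friends" procedure asks you to confirm Setup Mode and then that the KEK 2K CA 2023 is present, and garlin's verdicts come down to "CA 2023 certs are added" and "PCA 2011 has (not) been revoked". The block below is an added example, not garlin's Check_UEFI-CA2023.ps1, showing how those facts can be read directly from the firmware's Secure Boot variables with the built-in Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets. It is read-only. The certificate names are the real Microsoft subject names (the KEK names also appear in nelson's output below); reading the SetupMode variable through -Name SetupMode is an assumption on my part and is wrapped in try/catch so the rest still runs if that name is not accepted.

```powershell
#Requires -RunAsAdministrator
# Added example (not garlin's script): report which Microsoft Secure Boot certs the firmware
# trusts (db, KEK) and whether Windows Production PCA 2011 has been revoked (present in dbx).
# db/KEK/dbx are EFI_SIGNATURE_LISTs holding DER-encoded X.509 certs (dbx also holds SHA-256
# hashes). A cert's subject CN is a printable ASCII run inside the DER, so a substring match on
# the raw bytes is a reliable presence test. It is NOT chain validation and is not a substitute
# for the update scripts; it only tells you where you stand.

$ExpectedCerts = @{
    db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
            'Microsoft Corporation UEFI CA 2011',    'Microsoft UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK CA 2011',    'Microsoft Corporation KEK 2K CA 2023')
    dbx = @('Microsoft Windows Production PCA 2011')   # listed in dbx == revoked
}

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Get-SecureBootUEFI throws when not booted via UEFI or when the variable does not exist.
    try { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { $null }
}

function Get-SecureBootCertStatus {
    foreach ($db in 'db', 'KEK', 'dbx') {
        $text = Get-SecureBootVariableText -Name $db
        foreach ($cn in $ExpectedCerts[$db]) {
            $present = if ($null -eq $text) { 'n/a' } else { $text.Contains($cn) }
            [pscustomobject]@{ Database = $db; Certificate = $cn; Present = $present }
        }
    }
}

function Test-SetupMode {
    # Assumption: the SetupMode variable is readable via -Name SetupMode; byte 0 == 1 means Setup Mode
    # (no PK enrolled), which is the state the "Delete all Keys" step above is meant to produce.
    try { (Get-SecureBootUEFI -Name SetupMode).Bytes[0] -eq 1 } catch { 'n/a' }
}

try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = 'n/a (not UEFI)' }
"Secure Boot enabled : $sbOn"
"Setup Mode          : $(Test-SetupMode)"
$status = Get-SecureBootCertStatus
$status | Format-Table -AutoSize

# Summary in the thread's own terms.
$db2023  = ($status | Where-Object { $_.Database -eq 'db'  -and $_.Certificate -eq 'Windows UEFI CA 2023' }).Present
$kek2023 = ($status | Where-Object { $_.Database -eq 'KEK' -and $_.Certificate -like '*KEK 2K CA 2023' }).Present
$revoked = ($status | Where-Object { $_.Database -eq 'dbx' }).Present
if ($db2023 -eq $true -and $kek2023 -eq $true) { 'CA 2023 certs are added.' } else { 'CA 2023 certs are NOT fully added.' }
if ($revoked -eq $true) { 'PCA 2011 has been revoked.' } else { 'PCA 2011 has NOT been revoked.' }
```

Two caveats worth keeping in mind when reading the output: a dbx entry for a SHA-256 hash never matches a name, so a machine whose dbx only carries hashes correctly reports PCA 2011 as not revoked; and "present in db" says nothing about whether the boot manager on disk is signed by that CA, which is why revoking PCA 2011 is the last step of the sequence, not the first.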
Garlin,
What are the differences between your .bat files as opposed to your .ps1 files? On my desktop the .ps1 files error, but the .bat files work, calling out PowerShell. Just curious... My desktop has already been updated.
 

My Computer

System One

  • OS
    win 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell Precision M4800
    CPU
    Intell Core i7 4900 MQ
    Motherboard
    Dell QT3YTY A00
    Memory
    DDR3 16 GB
What you're seeing is the Execution Policy in effect. There are different levels of trust, and your current policy doesn't allow unsigned scripts.

I can't provide a signed script because of two reasons:
1. Not a professional dev, and signer certs from a trusted Certificate Authority are not cheap (it's designed that way to prevent casual hacking). Other folks who are devs do enough work to justify the cert's cost. Doing this for free.

2. While I could make my own self-signed cert and sign my scripts, you would have to import the cert into your Windows. That doesn't make the process any easier.

For the security conscious, the script is not obfuscated and all the Secure Boot files are accessed from Windows itself or the MS Secure Boot GitHub.

When you run the batch script, it does the same "powershell -ExecutionPolicy Bypass" (or -ep bypass) on the command line.
Code:
@echo off
where pwsh >nul 2>nul
if %errorlevel% equ 0 (
   pwsh -nop -ep bypass -noexit -f "%~dp0\Check_UEFI-CA2023.ps1" %*
) else (
   powershell -nop -ep bypass -noexit -f "%~dp0\Check_UEFI-CA2023.ps1" %*
)

You can pass the batch file the same arguments as the PS script.
Code:
Check-UEFI.bat -Verbose -BootMedia
 


If you left click your .ps1 file and put a check in the "Unblock" box, then click Apply - OK to close the dialog box, you can forever run "that one individual" script by just typing the file name into PowerShell like this.

.\Check_UEFI-CA2023.ps1


Example:

Code:
PowerShell 7.6.0
PS C:\Users\nelson\Desktop> .\Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

I do not know how to reverse this action to lock it back down, but all these came from Garlin and I trust him exclusively.

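Garlin's answer explains the Execution Policy and why the scripts are unsigned; nelson's shows the "Unblock" checkbox. The block below is an added example, not code from either of them, that makes the mechanism visible from a PowerShell prompt: which policy scope is in force, whether the file carries the mark of the web that RemoteSigned reacts to, what its signature status is, and the two one-off ways to run it without permanently changing the machine-wide policy. It assumes the check script has been saved as .\Check_UEFI-CA2023.ps1 in the current folder.

```powershell
# Added example (not garlin's or nelson's code): diagnose why a downloaded .ps1 is refused and
# run it once without loosening the machine-wide Execution Policy.
$Script = '.\Check_UEFI-CA2023.ps1'   # assumed location of the downloaded check script

# 1. Which policy is in force and which scope set it. The list is in precedence order;
#    the first entry that is not Undefined wins.
Get-ExecutionPolicy -List

# 2. Files saved by a browser carry a Zone.Identifier alternate data stream (mark of the web).
#    RemoteSigned treats such a file as remote and demands an Authenticode signature on it.
function Test-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)
    $null -ne (Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
}

# 3. Signature status. 'NotSigned' is expected for these scripts, as the answer above explains.
"Signature : $((Get-AuthenticodeSignature -FilePath $Script).Status)"

# 4. Trust comes from review, not from the policy: the scripts are plain text, so read them, and
#    keep the SHA-256 so you can tell later whether the copy you ran is the copy you reviewed.
"SHA-256   : $((Get-FileHash -Path $Script -Algorithm SHA256).Hash)"

if (Test-MarkOfTheWeb -Path $Script) {
    "$Script carries the mark of the web"
    # Option A, the 'Unblock' checkbox in script form: drop the mark for this one file only.
    # Under RemoteSigned the file is then local and runs unsigned; under AllSigned it still will not.
    Unblock-File -Path $Script
}

# Option B, the longer command line: override the policy for this one process only. Nothing changes
# on disk or in the registry, and this is exactly what the .bat wrapper in the answer above does.
#   powershell.exe -NoProfile -ExecutionPolicy Bypass -File $Script -Verbose

# Run it in this session only if the effective policy now allows a local unsigned script.
if ((Get-ExecutionPolicy) -in 'RemoteSigned', 'Unrestricted', 'Bypass') {
    & $Script -Verbose
} else {
    "Effective policy is $(Get-ExecutionPolicy); use Option B or Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"
}
```

Unblock-File is the scripted equivalent of the checkbox, so it answers the "how do I lock it back down" question too: the mark is per file, nothing else was changed, and deleting the file removes the exception.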
 

Thank you!
 

I ran the two commands. The "reg" one said it was added; the PowerShell one didn't do anything. I did the override PS command, then ran Check_UEFI-CA2023.ps1; same results as the first time, still need to revoke the 2011 key.
 
