Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


You're missing KEK CA 2023, which is the important one.

Depending on your BIOS, there's normally a setting for Custom (non-factory) mode. Once enabled, there might be an option to Remove All Keys or something similar to wipe all the current certs. This leaves your Secure Boot UEFI in a blank state, where we can install the MS provided Windows OEM Devices PK as a replacement set of certs.

That part is a little tricky; the exact screens or wording can be different on your BIOS version. Otherwise you may have menu options to delete individual keys, and you can try deleting all of them until none are left.
Thanks for the reply. This is what my BIOS looks like:
1775663834396.webp
Is it the option "Erase all Secure Boot setting"?
 
I believe so.
 

UPDATE:

I have released a (long overdue) update to version 2026.04.01, on post #1 and on GitHub.

Mostly bug fixes for everything reported in the past two months:
1. Suspend-BitLocker script function unintentionally has the same name as the Suspend-BitLocker command
2. Change the recommendation to install SkuSiPolicy.p7b from mandatory to optional
3. Get-UEFICert function returns (NONE) for Gigabyte and other cert signers
4. Get-SecureBootUEFI isn't properly trapped for 0xC0000100 errors in multiple script functions
5. Update the EDK2 binaries zip file to version 1.6.4
6. Check if the PK key contains an incorrectly enrolled KEK certificate
7. Check_UEFI-CA2023.ps1 doesn't correctly handle a blank date for BIOS ReleaseDate
8. Add warning that HP BIOSes missing the "SBKPFV3" tag in the version string are unsupported
9. Update the function Confirm-MinimumUBR to report newer Insider releases as unsupported
10. Check_UEFI-CA2023.ps1 instructs the user to revoke PCA 2011 by "run the commands, run the commands"
11. Hide "implicit module loading" message for PowerShell 7 users
12. Report on the SkuSiPolicy.p7b file's policy version
13. Report on the Windows boot manager SVN number if PowerShell supports Get-SecureBootSVN
14. Get-SecureBootUEFI error handler doesn't work for non-English locales
15. Add W11 26H1, W10 Server 2016, W10 Server 2019 to list of supported Windows releases
 

Well done garlin, thank you for all of your great work.
 

I have released a (long overdue) update to version 2026.04.01, on post #1 and on GitHub.

"long overdue" - are you kidding me! Seems to me you have had your hands full lately just putting out fires here in this and other threads. We all thank you... I hope you still have a marriage when this is all over. :-)
 

Happy to report that after installing today's "Update for Windows Security platform" (KB5007651), my Secure Boot certificate update status displayed on the Device security page in the Windows Security app now states this:
Secure Boot is on and all required certificate updates have been applied.
No further certificate changes are needed.
🎉

(see Microsoft's admin guide Secure Boot certificate update status in the Windows Security app for details; today Phase 1 has started)

Thanks again @garlin!
 

April 8, 2026 (or later) is when users should get Phase 1 of the revised Security Center app, with slightly improved confirmation on your Secure Boot update progress. While Green is obviously good, it probably doesn't provide enough troubleshooting help if your PC isn't Green.

May 16, 2026 will be Phase 2 of the revised Security Center, with a bit more nagging if you're not in compliance.
 

Happy to report that after installing today's "Update for Windows Security platform" (KB5007651), my Secure Boot certificate update status displayed on the Device security page in the Windows Security app now states this:

🎉

(see Microsoft's admin guide Secure Boot certificate update status in the Windows Security app for details; today Phase 1 has started)

Thanks again @garlin!

Thanks for the KB, found it in the Microsoft Update Catalog and installed it.

 

Tested the new script on my machines, obviously I am updated and all is reported without issues.
As usual, thank you SO MUCH for all your support. You are being an angel for all of us, poor souls that are lost in this sea of contradictory info from the source lol.
 

Screenshot 2026-04-08 163243.webp

EDIT: I just did a "Check for Updates", and it was there and it downloaded. Took a few moments to show up changed.
 

Hmmm I feel like stealing that phrase for my check script. “NO UPDATES ARE REQUIRED” still gets too many questions on whether we’re finished or not.
 

Hmmm I feel like stealing that phrase for my check script. “NO UPDATES ARE REQUIRED” still gets too many questions on whether we’re finished or not.

Yes, I've noticed that a lot. Maybe we all need a little reassurance and a kudo if done well.
 

Hmmm I feel like stealing that phrase for my check script. “NO UPDATES ARE REQUIRED” still gets too many questions on whether we’re finished or not.
It sure seemed enough for me, just ran your latest scripts, they were all happy. (y):hug:

1775682507706.webp
 

If you have the Windows OEM Devices PK, the update script can install all of the required certs because MS provides a complete set of post-signed certs for vendors using this PK.

The easiest method is to clear all certs (with Secure Boot disabled) and run the update script. It should recognize you're in Setup Mode and install everything in one pass. I don't know if you cleared the non-PK certs. It's better in this case to have a clean slate so the replacement certs don't get a conflict with pre-existing ones.

That's just how MS packages these certs for use. Since your factory default is the AMI Test PK, MS would instruct you to do the same thing.
Helping a friend with another Nipogi Mini PC, I found that Secure Boot was not enabled. I loaded the BIOS, cleared all the Certificates and put Secure Boot in setup mode. Cannot now log in to Windows with his PIN as it has disappeared. It needs to send a code to the email registered to his Microsoft Account to either log in that way or create another PIN. Locked in a mortal embrace until I can get hold of the guy to tell me the code he has received!
I have read this can happen with some TPM implementations. I have posted this as a warning to others trying this procedure.
On a more positive note my Acemagic S1 has now received KB5007651 update and is reporting in Device Security:
"Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed" with a Green Tick.
Does that mean I should just leave it, or still go through the procedure you described above to clear the AMI Test Key?
 

Helping a friend with another Nipogi Mini PC, I found that Secure Boot was not enabled. I loaded the BIOS, cleared all the Certificates and put Secure Boot in setup mode. Cannot now log in to Windows with his PIN as it has disappeared. It needs to send a code to the email registered to his Microsoft Account to either log in that way or create another PIN. Locked in a mortal embrace until I can get hold of the guy to tell me the code he has received!
I have read this can happen with some TPM implementations. I have posted this as a warning to others trying this procedure.
That is a known problem with some TPMs, they watch for Secure Boot changes and presume something unauthorized happened. They will ask for the BitLocker recovery key, and invalidate Windows Hello PINs stored in TPM. While my check script does report the BitLocker status, and warns you to temporarily suspend it (and the update script does it for you), it doesn't warn about Windows Hello.

I will add that important messaging, since users don't anticipate this problem.

On a more positive note my Acemagic S1 has now received KB5007651 update and is reporting in Device Security:
"Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed" with a Green Tick.
Does that mean I should just leave it, or still go through the procedure you described above to clear the AMI Test Key?
That's the new "you are super good" message from Security Center. But I don't know if Security Center just ignores the AMI Test Key, because it doesn't know enough background to care about it.

It's not ideal. Secure Boot is enforced, but a number of security folks do believe the AMI Test Key is compromised because the confidential key details were leaked in a supply chain hack on a Chinese manufacturer that builds sub-contracted PCs.

My preference is nobody should be running a BIOS with "Test" or "Example" PKs. But you should decide for yourself. Read this:
PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem
 

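To see which certificate a machine's Platform Key actually holds, the PowerShell below parses the PK variable's EFI_SIGNATURE_LIST and flags subjects or issuers that look like vendor test keys. It is an added example, not part of garlin's scripts or of any post in this thread; the function names `ConvertFrom-EfiSignatureList` and `Test-PlatformKey` and the marker list are assumptions made for the example.

```powershell
# Added example, not part of garlin's scripts. Run in an elevated PowerShell
# session on a UEFI system; it only reads the PK variable and changes nothing.

function ConvertFrom-EfiSignatureList {
    # Walk the EFI_SIGNATURE_LIST structures inside a Secure Boot variable and
    # return every X.509 certificate found.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $x509Type = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: 16-byte type GUID, then list size, header size and
        # per-entry size. Read as Int32; a negative value fails the checks below.
        $typeBytes = [byte[]]$Bytes[$offset..($offset + 15)]
        $listSize  = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $hdrSize   = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize   = [BitConverter]::ToInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $offset + $listSize -gt $Bytes.Length) { break }   # malformed list

        if ([guid]::new($typeBytes) -eq $x509Type) {
            $entry = $offset + 28 + $hdrSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # Each entry: 16-byte owner GUID followed by the DER certificate.
                $der = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-PlatformKey {
    # Report the PK certificate(s) and flag names that look like test keys.
    # The marker list is a heuristic assumed for this example.
    $markers = 'DO NOT TRUST|DO NOT SHIP|\bTest\b|\bExample\b'
    try {
        $pk = Get-SecureBootUEFI -Name PK -ErrorAction Stop
    } catch {
        # Not elevated, legacy BIOS, or no PK enrolled (Setup Mode). The branch
        # depends on the failure itself, not on the localized message text.
        Write-Warning "PK could not be read: $($_.Exception.Message)"
        return
    }
    if (-not $pk.Bytes) {
        Write-Warning 'PK variable is empty.'
        return
    }
    foreach ($cert in ConvertFrom-EfiSignatureList -Bytes $pk.Bytes) {
        [pscustomobject]@{
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            Thumbprint       = $cert.Thumbprint
            LooksLikeTestKey = ($cert.Subject -match $markers) -or
                               ($cert.Issuer -match $markers)
        }
    }
}

Test-PlatformKey | Format-List
```

A `LooksLikeTestKey` value of True means the PK name matches the heuristic and deserves a closer look at the Subject and Issuer; it is not a verdict on the firmware by itself.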
OK! Success.
The Output LOG:


Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.
---------------------------------------------------------------------------------------------------------


2. The option in bios that forced secure boot into setup mode on my X99 Godlike board (2015 era) so the update script can install the certs:

Step 0 - MANUAL management of secure boot keys (NOT standard mode)

Step 1 - DISABLE factory default option
Step 2 - DELETE all factory default keys
Step 3 - A msg box appears stating all keys will be deleted and force secure boot into setup mode.

Run the check script then update script.


SecureBootCustom01.webp
 

Two quick updates:

1. I've forwarded a copy of the Get-SecureBootSVN bug report to my friend at MS. He doesn't work in the Windows or Secure Boot group, but hopefully the right people will take a look at the report.

2. Added Windows Hello PIN detection in the next version. The check script will remind you that Windows Hello is enabled, and warn you again in the Setup mode instructions. The update script won't do any detection, because if you've already wiped the certs, then it's too late to turn off the PIN.
 

@garlin I ran your new script in PowerShell and Malwarebytes picked it up as Malware.

Please see the screenshots.

This only happens once. If I run the script again Malwarebytes ignores it until a system restart.

fault.webp

fault2.webp

fault 3.webp

This happened on my laptop and desktop. There was no pop up. I saw the result when I went into Malwarebytes and was like what the heck but can say it happens exactly when the script runs. You need to open the program and go to detection history and it will be there.

James.
 
