Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

nikki605 · Apr 15, 2026

JamesSmith said:
I am confused because yesterday all was good and now I have no idea what is going on. Maybe its throwing up this error because when I run Get-SecurebootSVN I get firmwareSVN 2.0 instead of the latest. I am pretty sure I revoked the PCA 2011 cert previously.

or maybe the new windows update is not compatible with the script garlin wrote. I do have the green tick with no more certificate changes are needed .

Welcome to the confusion club.

Nebulon Ranger · Apr 15, 2026

Thank heavens I checked this thread again. Seemingly random SVN bump, what the Hell Microsoft? Poop indeed.

Anyway, all is right in my neck of the universe again:

garlin · Apr 15, 2026

A preliminary report of the April 2026 changes to the DBX update files:

1. These files have the same list of EFI signature hashes (as before April), but have a different signature block for the .bin file.

Code:

dbxupdate.bin
dbxupdateLegacy.bin
DBXUpdateSVN.bin
DBXUpdateSVNLegacy.bin

2. These files either have a new data structure (but why just this pair of files?), or corrupted data within them. Normally, the Get-UefiDatabaseSignatures function expects to see a header size of 0 bytes, and a signature size of 48 or 1515 bytes.

Code:

DBXUpdatesvn.bin
DBXUpdatesvnLegacy.bin

If you're assuming the old parsing method is correct, our new files apparently have a different GUID, and extracted header sizes far in excess of the update file's total filesize. From browsing the byte stream, the timestamps inside the cert payload for CA 2011 are modified. I'm really confused as to what their intentions were.

Assuming it's a simple change to bump SVN from 7.0 to 8.0, all MS needed to do was replace BootMgr SVN and leave everything else alone.

Right now, I don't understand if this was intentional or not. No fix is possible until I understand the problem. Everyone can update to SVN 8.0, so needing the DBX check script fixed isn't so important. The total count of EFI signature hashes won't go up, it's only the SVN number will randomly change.

DarkShadowMD · Apr 15, 2026

What do you recommend? Waiting for an update for your script?
For me is easier to wait for you, I'm not updating Windows soon... I prefer to rely on your own method.

garlin · Apr 15, 2026

There's nothing wrong (at the moment) with the main check or update scripts. The DBX check script doesn't recognize two of the DBX update files, but it's a separate script for troubleshooting.

If you haven't started updates, I would worry more about making sure the base CA 2023 certs can be installed. The DBX issue concerns an enforcement value that will be used later this summer, and is still optional for now.

gunrunnerjohn · Apr 15, 2026

garlin said:
There's nothing wrong (at the moment) with the main check or update scripts. The DBX check script doesn't recognize two of the DBX update files, but it's a separate script for troubleshooting.

If you haven't started updates, I would worry more about making sure the base CA 2023 certs can be installed. The DBX issue concerns an enforcement value that will be used later this summer, and is still optional for now.

Do you think that MSC could make this process any more convoluted? :lmao:

JamesSmith · Apr 15, 2026

@garlin Just to confirm. This was the previous output for Check_DBXUpdate.bin.ps1

Now this output is what is correct at least for now?

DarkShadowMD · Apr 15, 2026

garlin said:
There's nothing wrong (at the moment) with the main check or update scripts. The DBX check script doesn't recognize two of the DBX update files, but it's a separate script for troubleshooting.

If you haven't started updates, I would worry more about making sure the base CA 2023 certs can be installed. The DBX issue concerns an enforcement value that will be used later this summer, and is still optional for now.

I already have them installed, and BIOS updated. If this means only the DBX is affected, I'll wait to see how this evolves before I let Windows Update do anything. I think I confused this with the SkuSiPolicy stuff lol

JamesSmith · Apr 15, 2026

Hey Garlin I am at my dads house and he messed with his BIOS. So I had to reset his keys in custom mode and re do the update script. This is what I got

PS C:\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f .\Check_UEFI-CA2023.ps1 -Verbose -Audit
Windows 11 25H2 (26200.8246)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
Gigabyte Technology Co. B760M H DDR4
Version: F14
Date: 2025-06-19

Factory Default UEFI PK Cert
----------------------------
GIGABYTE

UEFI PK Cert
------------
GIGABYTE

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
GIGABYTE

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
GIGABYTE

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023
GIGABYTE
GIGABYTE

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
GIGABYTE
GIGABYTE

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 81

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.14

AUDIT REPORT
============
1. DBX Updates are missing from UEFI DBX

REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x2 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

So I ran the command and then got this

PS C:\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f .\Check_UEFI-CA2023.ps1 -Verbose -Audit
Windows 11 25H2 (26200.8246)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
Gigabyte Technology Co. B760M H DDR4
Version: F14
Date: 2025-06-19

Factory Default UEFI PK Cert
----------------------------
GIGABYTE

UEFI PK Cert
------------
GIGABYTE

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
GIGABYTE

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
GIGABYTE

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023
GIGABYTE
GIGABYTE

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
GIGABYTE
GIGABYTE

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 332

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.14

AUDIT REPORT
============

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\SecureBoot-CA-2023-Updates>

The only thing I am concerned about is the UEFI DBX Certs
EFI_CERT_SHA256_GUID Signatures: 332

I thought this was supposed to be in the 400's? I know the 332 is not a normal result but could this be because of the Windows April Update?

garlin · Apr 15, 2026

As I mentioned privately, DBX EFI signatures is an older way of banning boot files where you list every single banned file's signature, one by one.

Before the PCA 2011 revocation, MS had to ban every single version of the boot file going back several Windows releases. Now the PCA 2011 revocation bans en masse all of MS's older boot files which were all signed by the same PCA 2011 cert. One banned cert does the same work as listing every banned Windows boot file. It's a duplication of effort.

What's not important is your total DBX count. What is important is the update script determines there are no missing DBX EFI signatures to add. If you run the script and it detects there's some missing, it'll re-apply the DBX update files.

MS has done some clean-up on the DBX list (in order to save NVRAM space). The now redundant EFI signatures (if they're already in place) do not need to be "cleaned up". The only way to clear them is to manually delete them from your UEFI menu by hand, or wipe your certs clean and start over.

The only time the full list of 431 DBX signatures is required is if you never intend to revoke PCA 2011.

This will invalidate most of the wrong wisdom on the webs right now. There has never been a "correct" number.

JamesSmith · Apr 15, 2026

Thank you Garlin. I know this must be frustrating for you. I appreciate the answer. All is good …until next month!

DarkShadowMD · Apr 15, 2026

garlin said:
MS has done some clean-up on the DBX list (in order to save NVRAM space). The now redundant EFI signatures (if they're already in place) do not need to be "cleaned up". The only way to clear them is to manually delete them from your UEFI menu by hand, or wipe your certs clean and start over.

The only time the full list of 431 DBX signatures is required is if you never intend to revoke PCA 2011.

This will invalidate most of the wrong wisdom on the webs right now. There has never been a "correct" number.

So this is the reason why the SVN thing went from 7.0 to 8.0? Or I'm just being ignorant?

garlin · Apr 16, 2026

Those two issues are unrelated.

Originally, the UEFI standard only supported the banning of a known insecure boot file by entering its hash (or representation) of the file's unique digital certificate. Over time, OEM's collected various lists of banned hashes. Some of them were hard-coded in the factory BIOS. The problem is nobody was serious about continuously updating the list.

Eventually MS took over responsibility from the vendors. MS would ideally write the latest list of banned hashes to your UEFI on some regular basis.

When the Black Lotus UEFI rootkit was discovered, MS ended up having to ship a fixed boot manager to close the security hole, and immediately invalidate all older (and unfixed) boot files from all of the previous Windows releases. This list ended up with 151 unique entries.

By revocating the PCA 2011 certificate as part of the planned migration, MS can avoid using the list of 151 hashes and use the banned 2011 cert as a wildcard to ban every Windows boot file that isn't signed by CA 2023. But not everyone has migrated yet. So the older method of listing the 151 is still supported in parallel.

What they've done in the April 2026 updates, is remove the 151 Windows boot files (shrinking the total DBX count).

Separately, a different change has been made to the boot files provided across all supported versions of Windows (from W10 22H2 to W11 26H1, and various W10 Server builds). Whenever a new boot file is released, the SVN number is bumped up as to ban whatever the older versions of the boot file. The introduction of a new boot manager and its matching SVN number will be always be synchronized by Windows Update.

But it's entirely detached from the DBX count issue. Now the DBX list also includes non-Windows boot files from Linux. But it's not expected to get new additions as Linux now uses the SBAT model. SBAT has a similar idea to SVN, in banning older boot files, but operates differently.

Scott · Apr 16, 2026

Nebulon Ranger said:
Thank heavens I checked this thread again. Seemingly random SVN bump, what the Hell Microsoft? Poop indeed.

Anyway, all is right in my neck of the universe again:

Now check your boot media. I've got my Macrium boot media working, now working on my Win 11 media.

garlin · Apr 16, 2026

You'll have to replace your boot file again. Run the update script (with your USB drive plugged in):

Code:

.\Update_UEFI-CA2023.ps1 -BootMedia

While the Secure Boot scheduled task will take care of Windows every month. It has no obligation, nor cares about your removable boot media or the dual-boot Windows system that hasn't been updated yet.

JamesSmith · Apr 16, 2026

garlin said:
As I mentioned privately, DBX EFI signatures is an older way of banning boot files where you list every single banned file's signature, one by one.

Before the PCA 2011 revocation, MS had to ban every single version of the boot file going back several Windows releases. Now the PCA 2011 revocation bans en masse all of MS's older boot files which were all signed by the same PCA 2011 cert. One banned cert does the same work as listing every banned Windows boot file. It's a duplication of effort.

What's not important is your total DBX count. What is important is the update script determines there are no missing DBX EFI signatures to add. If you run the script and it detects there's some missing, it'll re-apply the DBX update files.

MS has done some clean-up on the DBX list (in order to save NVRAM space). The now redundant EFI signatures (if they're already in place) do not need to be "cleaned up". The only way to clear them is to manually delete them from your UEFI menu by hand, or wipe your certs clean and start over.

The only time the full list of 431 DBX signatures is required is if you never intend to revoke PCA 2011.

This will invalidate most of the wrong wisdom on the webs right now. There has never been a "correct" number.

I guess what was making my OCD worse was and I know you said the number doesn't matter.

Last month when I did the updates he was at 485. He messed up something in the BIOS. So I went back reset to factory keys put it in custom mode ran the script fresh and got 332. Not sure if I did the procedure right. Hopefully I did. Everything else looks good. Ill be back there next month if something goes wrong next month.

garlin · Apr 16, 2026

JamesSmith said:
I guess what was making my OCD worse was and I know you said the number doesn't matter.

If your OCD is a problem, then run:

Code:

Update_UEFI-CA2023.ps1 -Revoke -Latest

This backfills the "missing" DBX signatures because the MS GitHub has the old version of DBXupdate.bin posted. It used be the "latest", but now it's not. Your father's PC will have 431 (or more) if that makes you happy.

EVERYONE ELSE: You really don't need to follow this step.

JamesSmith · Apr 16, 2026

garlin said:
If your OCD is a problem, then run:

Code:

Update_UEFI-CA2023.ps1 -Revoke -Latest

This backfills the "missing" DBX signatures because the MS GitHub has the old version of DBXupdate.bin posted. It used be the "latest", but now it's not. Your father's PC will have 431 (or more) if that makes you happy.

EVERYONE ELSE: You really don't need to follow this step.

That won't make me happy. I am going to leave it. Thanks for the command.
I have re read a lot of what you wrote and I can understand it a bit more.

I apologise if my comments came across as if I wanted you to fix the 300 problem.
I was only seeking reassurance I had done everything right.

Have a good night.
James.

Warre1 · Apr 16, 2026

for me there's :
UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 492

and install media up to date as well

USB Drive J: "ESD-USB"
Boot File [Windows UEFI CA 2023] is ALLOWED.
J:\EFI\Boot\bootx64.efi
File Version: 28000.322, SVN 8.0

boot.wim:2 Boot Manager [Windows UEFI CA 2023] is PRESENT.
install.swm:1 Boot Manager [Windows UEFI CA 2023] is PRESENT.
Skipping checks on next 6 install.swm images.

GunnzAkimbo · Apr 16, 2026

I had to do secure boot clear again (this old 2015 mobo is odd, when powered off at the plug, turning on gives black screen. Have to clear secure boot into setup mode to boot into windows and redo process).
I have done the update with -revoke, and checked with -audit - verbose -bootmedia this time and results with:

1. [Production PCA 2011] is missing from UEFI DBX
2. Windows BootMgr SVN is missing from UEFI DBX
3. SkuSiPolicy.p7b (for VBS) is missing [OPTIONAL]

To revoke the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Windows 11 25H2 (26200.8246)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
MSI X99A GODLIKE GAMING (MS-7883)
Version: 1.A1_0.4.3
Date: 2025-07-26

Factory Default UEFI PK Cert
----------------------------
DO NOT TRUST - AMI Test PK

UEFI PK Cert
------------
Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 13

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 432

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume2\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b (for VBS) is MISSING. [OPTIONAL]

AUDIT REPORT
============
1. [Production PCA 2011] is missing from UEFI DBX
2. Windows BootMgr SVN is missing from UEFI DBX
3. SkuSiPolicy.p7b (for VBS) is missing [OPTIONAL]

REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computers

Member

My Computer

Well-known member

My Computer

Peaceful Citizen

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Peaceful Citizen

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Peaceful Citizen

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer