Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


I wonder a little bit why your script proposes to revoke the PCA2011 cert while it lists the PCA2011 already in the dbx? (Read the latest posts and didn't find that covered. Did I overlook something?)
AvailableUpdates is 0x200 or missing the SVN.

The script should make a better distinction. But it's almost like you to create a finite state machine to keep up with all the possible permutations. I'll add a "$UpdateFlags -band 0x200" check and throw out an SVN-only message.

Thanks.
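An added example (not garlin's Check/Update scripts) of the distinction discussed above: decode AvailableUpdates so an SVN-only pending update is reported separately from a pending PCA 2011 revocation, and confirm what db and dbx actually contain. The registry path and 0x200 = SVN come from the thread; treating 0x80 as the revocation bit is my reading of the thread's 0x280 revoke value (0x280 = 0x200 + 0x80) and is labelled as an assumption. The string search works because db/dbx store DER-encoded certificates whose subject names are plain ASCII.

```powershell
# Added example; not part of garlin's Check/Update_UEFI-CA2023.ps1. Run elevated.
# 0x200 = boot manager SVN update (stated in the thread).
# 0x80  = PCA 2011 revocation: an assumption read off the thread's "0x280" revoke
#         value (0x280 = 0x200 + 0x80), not a documented constant from this page.

function Get-SecureBootUpdateState {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $flags = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -eq $flags) { $flags = 0 }

    # db/dbx hold DER-encoded certificates, so a subject CN is findable as ASCII in the raw bytes.
    $find = {
        param([string]$Variable, [string]$Pattern)
        try {
            $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
            [System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern
        } catch { $false }   # Secure Boot off, or the variable does not exist
    }

    [pscustomobject]@{
        AvailableUpdates = ('0x{0:X}' -f [int]$flags)
        SvnPending       = (($flags -band 0x200) -ne 0)
        RevokePending    = (($flags -band 0x80)  -ne 0)
        CA2023InDb       = (& $find 'db'  'Windows UEFI CA 2023')
        PCA2011InDbx     = (& $find 'dbx' 'Microsoft Windows Production PCA 2011')
    }
}

$state = Get-SecureBootUpdateState
$state | Format-List

# The distinction discussed above: an SVN-only update is not a revocation request.
if ($state.SvnPending -and -not $state.RevokePending) {
    'Only the boot manager SVN update (0x200) is pending; no PCA 2011 revocation is requested.'
} elseif ($state.RevokePending -and $state.PCA2011InDbx) {
    'Revocation bit (0x80) is set, but PCA 2011 is already present in dbx.'
} elseif (-not $state.CA2023InDb) {
    'Windows UEFI CA 2023 is not in db: the CA 2023 certs have not been applied yet.'
} else {
    'CA 2023 certs present in db; PCA 2011 in dbx: ' + $state.PCA2011InDbx
}
```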
 

@garlin, in your post, -Revoke -Latest getting signatures up over 400: will that cause any issues with your script moving forward?

I wasn't going to use it, but could you please answer just in case I change my mind. I am really stressed out over this. I know you have had a busy morning. I just need to know if running that will cause issues moving forward, seeing as you put it in a red box warning. It's triggering, making me feel sick with worry.
 
@garlin, I've already done these; I don't have an option for custom mode.

The only option I have is enable or disable; Secure Boot is always in "UEFI mode", I can only enable or disable.
I'm not smart like @garlin, but why don't you wipe/reset the keys to factory, reboot and run the script? Every OEM BIOS is a bit different; it may be that in your case, when resetting the keys to factory, it is throwing your Secure Boot into Setup Mode without you knowing.
 
Everyone on W10 22H2 should get the new Security Center app (KB5007651), regardless of support status. But it's a gradual rollout.
 

Garlin, as per private message I ran the script with -Revoke -Latest.

Can you please tell me if this might cause a problem for my dad. The big red bold message makes me think it might. I would really appreciate it if you could answer my many questions. I am about to book a 300 dollar flight to go there in order to reset all his certs, as I don't know if your post was made in anger. I just want to know if doing that command has put dad's PC at risk.
 

Look, I've explained the check DBX warnings are because MS recently changed the file format. It doesn't affect the update process.

Don't put the burden of whether to book a trip to update a PC on me. Your dad's PC will continue to work even if it can't get updated. Windows will skip over unsupported PCs. It will be less secure, but your dad's less likely to be a random target of bad actors.

If the currently outlined process doesn't work on your visit, disable Secure Boot and reset back to Secure Boot factory defaults. That puts the PC exactly where it was before.
 

Look, I've explained the check DBX warnings are because MS recently changed the file format. It doesn't affect the update process.

Don't put the burden of whether to book a trip to update a PC on me. Your dad's PC will continue to work even if it can't get updated. Windows will skip over unsupported PCs. It will be less secure, but your dad's less likely to be a random target of bad actors.

If the currently outlined process doesn't work on your visit, disable Secure Boot and reset back to Secure Boot factory defaults. That puts the PC exactly where it was before.

I got him to run this over the phone, which put the 300 dbx signatures up to 485.

Code:
Update_UEFI-CA2023.ps1 -Revoke -Latest
We then ran

Code:
Check_UEFI-CA2023.ps1 -Verbose -Audit
and got

Registry: UEFICA2023Status = Updated
SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

I was only going to book a flight over there if going from 300 to 485 was going to be an issue, which from what you have written it will not be. I was trying to understand if having the latest list of 300 was better than having the older list of 485.

I guess we can finally put this to rest. Thank you for your patience and understanding.
 
Do the scripts have a way of updating the Recovery partition so that it contains the 2023 certificates?

I've looked at the following link from Microsoft, but there is no mention of updating the recovery partition.
1. Secure Boot certs are installed to your UEFI's NVRAM memory. They're used by the BIOS to check anything that tries to boot, whether it's Windows, Linux or a USB boot drive.

2. After installing the certs, a new boot manager is copied to the EFI partition. Both normal Windows and WinRE use the same EFI partition for booting, so there is nothing that WinRE needs to have changed. There will be a Windows boot manager entry in your BCD store which handles where UEFI looks for a boot file.

A reference copy of the boot file (both old and new versions) is kept in the C:\Windows\Boot folder. If you lose the boot file in the EFI partition, it can be replaced from the reference folders.
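An added example (not one of the thread's scripts) that checks point 2 above: it reports which CA issued the signature on the boot manager UEFI actually loads from the EFI partition, and on the reference copies under C:\Windows\Boot. It assumes drive letter S: is free and that the CA 2023-signed reference copy lives at C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi (an assumed path; the check simply reports it as missing if it is not there).

```powershell
# Added example; not one of the thread's scripts. Run elevated on a UEFI system.
# Reports which CA issued the signature on the boot manager UEFI actually loads
# (EFI system partition) and on the reference copies under C:\Windows\Boot.
# Assumptions: drive letter S: is free; the CA 2023-signed reference copy is at
# C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi (assumed path, reported as missing if absent).

function Get-BootManagerIssuer([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Issuer = '(file not found)'; Status = $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # The leaf cert's Issuer names the signing CA (PCA 2011 or Windows UEFI CA 2023).
    $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '(unsigned)' }
    [pscustomobject]@{ Path = $Path; Issuer = $issuer; Status = $sig.Status }
}

mountvol S: /S      # mount the EFI system partition as S:
try {
    $paths = @(
        'S:\EFI\Microsoft\Boot\bootmgfw.efi',        # what UEFI loads; shared by Windows and WinRE
        'C:\Windows\Boot\EFI\bootmgfw.efi',          # reference copy (original signer)
        'C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi'     # reference copy, CA 2023 signer (assumed path)
    )
    $results = foreach ($p in $paths) { Get-BootManagerIssuer $p }
    $results | Format-Table -AutoSize

    $live = $results[0]
    if ($live.Issuer -match 'Windows UEFI CA 2023') {
        'The EFI partition boot manager is signed under Windows UEFI CA 2023.'
    } elseif ($live.Issuer -match 'Windows Production PCA 2011') {
        'The EFI partition boot manager is still the PCA 2011-signed one; revoking PCA 2011 now would leave it unbootable.'
    } else {
        'Unrecognised issuer on the EFI partition boot manager: ' + $live.Issuer
    }
} finally {
    mountvol S: /D  # unmount again
}
```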
 

I updated all the certificates manually with your help. Is it correct now? Thank you.
 

Attachment: Captura de tela 2026-04-16 184819.webp (screenshot)

I'm not smart like @garlin, but why don't you wipe/reset the keys to factory, reboot and run the script? Every OEM BIOS is a bit different; it may be that in your case, when resetting the keys to factory, it is throwing your Secure Boot into Setup Mode without you knowing.

I've already done these with no results.

I've successfully created an ISO file from the link given by @anchamp65 with "Make2023BootableMedia.ps1".
Now I'm going to do a clean install of Windows to see the results.
 

I updated all the certificates manually with your help. Is it correct now? Thank you.
You updated all the CA 2023 certs, but have not revoked PCA 2011. This is optional for now, and you can wait for MS to perform this task (later this summer).
 

I've already done these with no results.

I've successfully created an ISO file from the link given by @anchamp65 with "Make2023BootableMedia.ps1".
Now I'm going to do a clean install of Windows to see the results.
The bootable media script doesn't apply any Secure Boot certs. It helps copy the newer boot file to an install ISO. A clean install of Windows will not change your certs if your PC doesn't have a valid KEK CA 2023 cert, which can only be applied in Setup mode for unsupported PCs.
 
The bootable media script doesn't apply any Secure Boot certs. It helps copy the newer boot file to an install ISO. A clean install of Windows will not change your certs if your PC doesn't have a valid KEK CA 2023 cert, which can only be applied in Setup mode for unsupported PCs.
Yes, you're right, nothing has changed, thank you for your help. ;)


I’ll give up; when the expiration date arrives, I’ll disable Secure Boot :(
 
Acer Nitro 5 AN515-55 notebook, and it doesn't support key enrollment.
Contact your region's Acer support and ask them why your model is not in this list and if it's not going to be there (it should), then let you know how to change the Secure Boot mode to Setup/Custom mode as it stays stuck at Standard even for my model.
 

This is strange.
On March 26, Check_UEFI-CA2023.ps1 indicated success. I have the text file to prove it. Also Windows Device Security/Secure Boot indicates no further certificate changes needed. However I ran Check_UEFI-CA2023.ps1 today and it indicated (similar to below, since it won't show up again at this point):
REQUIRED ACTION
To revoke the [PCA 2011] cert, run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

I added this and the PC is back to being happy... Could Windows Update somehow have caused this?
I guess I'll check after the next update to see if this happens again...
 

This is strange.
On March 26, Check_UEFI-CA2023.ps1 indicated success. I have the text file to prove it. Also Windows Device Security/Secure Boot indicates no further certificate changes needed. However I ran Check_UEFI-CA2023.ps1 today and it indicated (similar to below, since it won't show up again at this point):
There are two planned phases in the normal CA 2023 migration:

1. CA 2023 certs should be added to Windows. The April 2026 update to Security Center will report Green if you have the CA 2023 certs, but ignores whether you have revoked PCA 2011.

2. PCA 2011 cert should be revoked. This step is still optional for now. A future version of Security Center will not report Green if you have not complied by revoking PCA 2011.

REQUIRED ACTION
To revoke the [PCA 2011] cert, run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
The update script also breaks the required actions in two parts.

If you don't request to revoke PCA 2011, the script will only add the CA 2023 certs. I do not automatically force a revocation because a number of users are very concerned if the revocation is done at the same time of the CA 2023 updates.

To complete the second part, you can run the "REQUIRED ACTIONS" now, or wait for Windows to finish the job later this summer. The difference is that if you have a bootable Windows ISO or recovery media on USB drives, the outdated boot files on them must also be replaced.
 
