Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


ThanX for the New Update on Github
UPDATE 2026-04-24:

The new GitHub version (v2026.04.24) is virtually the same as this week's emergency fix ZIP file, except to clean up some internal code.
Thanks to @t2s50 for reminding me I don't need to parse the encoded SkuSiPolicy.p7b file, just to read the version number.

List of fixes:

1. Get-SignatureDataSVN incorrectly assumes the signature data is ordered as a big-endian UInt16

2. PowerShell 7 script execution blocked by Get-WmiObject calls

3. Refactor the code to have one shared function for Boot Manager validation

4. April 2026 LCU introduced SVN 8.0, requiring a new minimum UBR for supported releases

5. Emergency fix for April 2026 LCU changes to DBXUpdate2024.bin

6. Get-Disk cannot find the System Disk when it's a Dynamic Disk

7. Report SBAT level from Check_UEFI-CA2023.ps1, while in verbose mode
I admire your dedication to this exercise garlin. Well done.
I was working on an Acer Nitro 5 that my sister purchased during the early-2020s, IIRC. It has a 9th gen Core i5.

Everything is fine, except for no KEK. I can't get the KEK, looks like I'm cooked.
0x4000 is the troublemaker that makes the Secure Boot task get "stuck" on pending updates, and it never clears the 0x4000 when it's done...

Windows only needs KEK CA 2023 and Windows UEFI CA 2023 to properly boot.

Microsoft UEFI CA 2023 is for Linux, and Option ROM supports some HW devices. They're optional certs which aren't required to run Windows (except for the Option ROM if you have a GPU that has signed ROMs).
Ok, got it
Thanks
I was working on an Acer Nitro 5 that my sister purchased during the early-2020s, IIRC. It has a 9th gen Core i5.

Everything is fine, except for no KEK. I can't get the KEK, looks like I'm cooked.
Not really. You can probably update it, but you need to budget some extra time (20-30 min.)

The first thing to check is if this Acer supports manual KEK key enrollment. The script will try copying the cert file to the EFI partition, and you can try loading the cert from there. If that doesn't work, then you can delete all the keys and go for Setup Mode.

Total time to perform these tasks is very short. But I expect a lot of time will be spent getting familiar with the specific BIOS menus, and learning how to use the scripts. If you pace yourself, it's too bad.

The processes here can't permanently "brick" a PC. The worst thing that can happen is you get to disable Secure Boot and reset back to the factory defaults. It leaves you no worse than you were before. Though one person said their PC didn't respond after adding certs, but it's probably a BIOS-specific issue that most users won't ever see.
@garlin

I restored my VM from snapshot and tried multiple ways of getting it to do the full update without using your update script.
Clearing the 0x4000 (0x0), running the task, restarting, setting it to 0x5800, running task, clearing... etc...

It never was able to complete the certificate update.

I restored VM once more, ran your update script with revoke.
Restart, and voilà, all updates applied !!!

So DEFINITELY, your script does a better job than MS... :thumbsup:
@garlin

In the "README_UEFI.TXT" you have "NOTES FOR DELL PC's"
Does that apply only if doing manual updates?
Using regkey 0x5944 and running task, or running your update script, those are not affected, right?

Thanks in advance
If the update script says to read the README_UEFI.TXT, then you have an unsupported PC.

For Dells, it is most likely that the KEK manual key enrollment will fail because Dell expects a secure format for the key that we can't provide (because only Dell has that security info). You should delete all keys to enter Setup Mode.

After you have deleted the keys, restart Windows. Run the update script instead, as the 0x5944 value cannot help in this instance.
Yep, Windows 11 in the event log gives the error message that a KEK doesn't exist, so I installed Linux.

It has Ubuntu Studio 26.04 now.
If the update script says to read the README_UEFI.TXT, then you have an unsupported PC.

For Dells, it is most likely that the KEK manual key enrollment will fail because Dell expects a secure format for the key that we can't provide (because only Dell has that security info). You should delete all keys to enter Setup Mode.

After you have deleted the keys, restart Windows. Run the update script instead, as the 0x5944 value cannot help in this instance.
I'm good to go
Ran check on my Dell

OPTION 1: DO NOTHING. Windows will apply the UEFI updates (PC has supported BIOS).

REQUIRED ACTION
===============

OPTION 1: DO NOTHING. Windows will apply the UEFI updates (PC has supported BIOS).

OPTION 2: To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5bc4 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Hello Again,
I have run the "new" check scripts on my mini fleet of 5 PCs and Surface Tablets.
They all report they are updated in the new Windows Security Device Security Secure Boot Flags.
A consistent thing on all of them is:
Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 217

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 431

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING.

CheckDBXUpdate Reveals:
FAILED: Missing 1/278 EFI signatures from "dbxupdate.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdate2024.bin"
Missing [01612B139DD5598843AB1C185C3CB2EB92000005000000000000000000000000] bootmgfw.efi SVN 5.0
Missing [019D2EF8E827E15841A4884C18ABE2F284000003000000000000000000000000] cdboot.efi SVN 3.0
Missing [01C2CA99C9FE7F6F4981279E2A8A535976000003000000000000000000000000] wdsmgfw.efi SVN 3.0

FAILED: Missing 3/3 SVN signatures from "DBXUpdateSVN.bin"
Missing [01612B139DD5598843AB1C185C3CB2EB92000008000000000000000000000000] bootmgfw.efi SVN 8.0
Missing [019D2EF8E827E15841A4884C18ABE2F284000003000000000000000000000000] cdboot.efi SVN 3.0
Missing [01C2CA99C9FE7F6F4981279E2A8A535976000003000000000000000000000000] wdsmgfw.efi SVN 3.0

I have to admit I am well confused by the DBX Certs Entries!

Any advice most welcome!
Hello Again,
I have run the "new" check scripts on my mini fleet of 5 PCs and Surface Tablets.
They all report they are updated in the new Windows Security Device Security Secure Boot Flags.
A consistent thing on all of them is:

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 431
"(NONE)" represents no X509 certificates are on the DBX (banned) list. This means your PC has not revoked PCA 2011.

The second half of the Secure Boot process will revoke the older CA 2011 cert, when the newer CA 2023 certs are in place. Revocation is optional for now. Windows will do this later this summer, or you can force revocation now.

CheckDBXUpdate Reveals:
FAILED: Missing 1/278 EFI signatures from "dbxupdate.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdate2024.bin"
Missing [01612B139DD5598843AB1C185C3CB2EB92000005000000000000000000000000] bootmgfw.efi SVN 5.0
Missing [019D2EF8E827E15841A4884C18ABE2F284000003000000000000000000000000] cdboot.efi SVN 3.0
Missing [01C2CA99C9FE7F6F4981279E2A8A535976000003000000000000000000000000] wdsmgfw.efi SVN 3.0

FAILED: Missing 3/3 SVN signatures from "DBXUpdateSVN.bin"
Missing [01612B139DD5598843AB1C185C3CB2EB92000008000000000000000000000000] bootmgfw.efi SVN 8.0
Missing [019D2EF8E827E15841A4884C18ABE2F284000003000000000000000000000000] cdboot.efi SVN 3.0
Missing [01C2CA99C9FE7F6F4981279E2A8A535976000003000000000000000000000000] wdsmgfw.efi SVN 3.0

I have to admit I am well confused by the DBX Certs Entries!
DBXUpdate.bin is missing one EFI signature, most likely it was the last one added by MS last year for an obscure non-Windows boot file.

SVN is a number which is also added during the revocation, as a version number to prevent attackers from switching out the boot file with an older version. If you want, run the update script to revoke PCA 2011 and add the SVN.
Code:
Update_UEFI-CA2023.ps1 -Revoke

Be aware if you perform the revocation, you'll have to make a new Macrium or other backup recovery USB drive. That drive will probably have a boot manager file that's now banned since the security rules have changed.
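As an added example, not code from garlin's scripts, the Python below decodes the SVN entries quoted from the CheckDBXUpdate output above and shows the big-endian misread that fix #1 in the changelog removed. The byte layout (a 0x01 marker, a 16-byte boot-application identifier, then the SVN as a little-endian 32-bit value with the major number in the upper half) is inferred from those entries and is an assumption, as is the rule that a boot file is refused when its SVN is lower than the DBX entry's.

```python
# Added example, not code from garlin's scripts. Decodes the EFI_CERT_SHA256_GUID
# "SVN" entries quoted from the CheckDBXUpdate output above.
# ASSUMED layout (inferred from those entries, not from any specification text on
# this page): byte 0 is a 0x01 marker, bytes 1..16 identify the boot application,
# bytes 17..20 hold the SVN as a little-endian UInt32 (major in the upper 16 bits,
# minor in the lower 16 bits), and the remaining bytes are zero padding.
import struct

# Constructed sample: the "Missing [...]" entries from the post, keyed by the
# signature data and mapped to the file name the check script printed next to it.
SAMPLE_ENTRIES = {
    "01612B139DD5598843AB1C185C3CB2EB92000005000000000000000000000000": "bootmgfw.efi",
    "019D2EF8E827E15841A4884C18ABE2F284000003000000000000000000000000": "cdboot.efi",
    "01C2CA99C9FE7F6F4981279E2A8A535976000003000000000000000000000000": "wdsmgfw.efi",
    "01612B139DD5598843AB1C185C3CB2EB92000008000000000000000000000000": "bootmgfw.efi",
}


def parse_svn_entry(hex_sig: str):
    """Return (app_id_hex, major, minor) for one 32-byte DBX SVN entry."""
    data = bytes.fromhex(hex_sig)
    if len(data) != 32:
        raise ValueError("EFI_CERT_SHA256 signature data must be 32 bytes")
    if data[0] != 0x01:
        raise ValueError("not an SVN entry: leading byte is not 0x01")
    if any(data[21:]):
        raise ValueError("unexpected non-zero bytes after the SVN field")
    app_id = data[1:17].hex().upper()
    (svn,) = struct.unpack_from("<I", data, 17)  # little-endian, as the entries show
    return app_id, svn >> 16, svn & 0xFFFF


def svn_misread_big_endian(hex_sig: str) -> int:
    """The wrong reading that fix #1 removed: the SVN bytes taken as a big-endian UInt16."""
    data = bytes.fromhex(hex_sig)
    return struct.unpack_from(">H", data, 19)[0]  # 05 00 -> 0x0500 = 1280, not 5


def highest_svn_per_app(entries):
    """Anti-rollback view of a DBX: the highest SVN present for each boot application."""
    best = {}
    for sig, name in entries.items():
        app_id, major, minor = parse_svn_entry(sig)
        prev = best.get(app_id)
        if prev is None or (major, minor) > prev[1:]:
            best[app_id] = (name, major, minor)
    return best


def boot_app_is_revoked(file_svn, dbx_svn) -> bool:
    """ASSUMED rule: a boot file whose SVN is lower than the DBX entry's SVN is refused,
    so bootmgfw.efi SVN 8.0 (as reported above) passes against a DBX SVN 8.0 entry."""
    return tuple(file_svn) < tuple(dbx_svn)


if __name__ == "__main__":
    for sig, name in SAMPLE_ENTRIES.items():
        app_id, major, minor = parse_svn_entry(sig)
        print(f"{name:13s} app={app_id} SVN {major}.{minor}")
    print("highest per app:", highest_svn_per_app(SAMPLE_ENTRIES))
```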
I thought that may be the case. I take monthly volume images of each computer (usually after the Windows Update cycle) using TeraByte's Image for Windows, which is unusual in that it lets you back up every volume, including System, EFI, Recovery etc. At that time I create a new bootable USB flash drive for each computer using their IFW for Windows Recovery Boot Disk utility. I have used their products for years. In the days of physical drives having moving parts, I have been able to recover from physical drive failures by simply replacing the drive and restoring the volumes.
These days it is more about being able to quickly recover a hacked computer! It may also come in handy with this Secure Boot change this year, if something goes drastically wrong, which, when dealing with Microsoft, is always a possibility!
Whatever happened to the idea of actually testing things before letting them out in the wild?
Although not related directly to Microsoft, the leaking of the compromised AMI Test Key into so many manufacturers' BIOSes illustrates perfectly the fact that things just don't get any testing at all!
Interestingly, and as a legal case in point, I recently returned a computer bought from Amazon France, after 6 months, because the manufacturer had no intention of releasing an updated BIOS that addressed the AMI Test Key and 2023 Certificate issues. Under French consumer protection laws most electronic items have to be of "usable and merchantable quality" for a period of 2 years after purchase. Amazon France accepted that this computer wasn't, accepted its return and credited my account in full.
Although not related directly to Microsoft, the leaking of the compromised AMI Test Key into so many manufacturers' BIOSes illustrates perfectly the fact that things just don't get any testing at all!
Vendor laziness resulted in the AMI Test Key disaster.

When companies license a product, usually the manufacturer provides them a reference example for training purposes. Everyone is expected to customize the BIOS by changing the branding and generating a random key. Nevertheless, several vendors were caught shipping the reference example. So once someone hacks that shared key, all copies will be vulnerable, instead of having to hack or steal every vendor's key one by one.

Interestingly, and as a legal case in point, I recently returned a computer bought from Amazon France, after 6 months, because the manufacturer had no intention of releasing an updated BIOS that addressed the AMI Test Key and 2023 Certificate issues. Under French consumer protection laws most electronic items have to be of "usable and merchantable quality" for a period of 2 years after purchase. Amazon France accepted that this computer wasn't, accepted its return and credited my account in full.
The simple solution was to take their last BIOS release and switch out the PK and KEK keys (because the KEK is tied to the PK). That's it, they didn't have to change any BIOS features other than that. But BIOS management tends to be a low priority for smaller PC OEMs. BIOS engineering is highly specialized, and mostly a low volume business unless you own lots of models (like Dell and HP).

Microsoft offered their own reference example, the Windows OEM Devices certs, as a direct replacement for the AMI Test Key. Now, someone can argue that having a shared PK (instead of an individual PK) is still a risk, but the key is managed by one company instead of being in multiple hands.
MS provides some confusing details on the Surface Pro 6, but I would imagine it's supported.

This page states the last BIOS update was Sep 2023:
Surface Pro 6 update history | Microsoft Support

This page states Secure Boot certs would have shipped in 2023 to all Surface PCs.
Surface Secure Boot Certificates | Microsoft Support

Microsoft began updating the UEFI Secure Boot Signature Database (DB) on Surface devices to contain the “Windows UEFI CA 2023” certificate starting in 2023, and these updates were delivered to Surface devices through UEFI firmware installed by Windows Update. Also, all Surface devices manufactured in 2024 and later were launched with the “Windows UEFI CA 2023” certificate. For devices not specifically listed in the table below, follow the general guidance provided for Windows users.

But they don't list Surface Pro 6 by name.
I would try running the update script, if it doesn't work then we can help you through the manual steps.