Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Run this command.
Code:
Update_UEFI-CA2023.ps1 -SkuSiPolicy
Thanks for the help, ran your code and now everything is ok.
 

Attachment: Capture.webp

The Secure Boot security model works like this:
Dell's Platform Key (PK) validates the KEK key, which in turn validates a DB key, which validates your boot file.

Without a KEK CA 2023, those new UEFI CA 2023 certs aren't validated. And by inference, a CA 2023-signed boot file isn't either.

The only method to install a KEK CA 2023 on these Dells is to wipe their certs (keys). When the PK is removed, UEFI security is disabled and we're allowed to replace the certs and install a reference KEK CA 2023 signed by MS. This process is still secure, because the only method for deleting all keys is to be physically in front of the PC at the BIOS screen. When the replacement PK is installed, normal security is restored.

1. Shutdown Windows.
2. Disable Secure Boot mode.
3. Choose Custom Mode.
4. Delete all Secure Boot keys.
5. Restart Windows. Secure Boot is ready to be configured by the update script.
6. Assuming we're successful, you can re-enable Secure Boot mode.
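As an added example (my code, not garlin's Check or Update script), the following PowerShell reads the PK, KEK, db and dbx variables through the SecureBoot module that ships with Windows, parses the EFI_SIGNATURE_LIST structures inside them, and reports the chain the post describes: whether a PK is installed (no PK means the firmware is in Setup Mode, which is the state steps 1 to 5 leave it in), whether the Microsoft KEK 2K CA 2023 is in KEK, whether the three CA 2023 certificates are in db, and whether PCA 2011 has been revoked into dbx. The function and property names are my own; the two GUIDs are the UEFI specification's signature-type GUIDs.

```powershell
# Added example, not part of garlin's scripts: walk the Secure Boot chain
# (PK -> KEK -> db/dbx) by parsing the EFI_SIGNATURE_LIST structures that the
# firmware stores in each variable. Run from an elevated Windows PowerShell
# on a UEFI system; the SecureBoot module ships with Windows.

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # UEFI spec: X.509 DER certificate entries
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'  # UEFI spec: SHA-256 hash entries

function Read-SignatureDatabase {
    # Returns one object per entry (certificate or hash) in a Secure Boot variable.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    try {
        [byte[]]$raw = (Get-SecureBootUEFI -Name $Name).Bytes
    } catch {
        # The variable does not exist, e.g. PK after "Delete all Secure Boot keys"
        return @()
    }
    $entries = New-Object System.Collections.Generic.List[object]
    $pos = 0
    while ($pos + 28 -le $raw.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then
        # SignatureListSize, SignatureHeaderSize and SignatureSize (UINT32 each)
        $type    = [guid]::new([byte[]]$raw[$pos..($pos + 15)])
        $listLen = [BitConverter]::ToUInt32($raw, $pos + 16)
        $hdrLen  = [BitConverter]::ToUInt32($raw, $pos + 20)
        $sigLen  = [BitConverter]::ToUInt32($raw, $pos + 24)
        # Stop on a truncated or corrupt list rather than looping forever
        if ($listLen -lt 28 -or $sigLen -le 16 -or $pos + $listLen -gt $raw.Length) { break }
        $cursor = $pos + 28 + $hdrLen
        $end    = $pos + $listLen
        while ($cursor + $sigLen -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) then the certificate or hash
            [byte[]]$data = $raw[($cursor + 16)..($cursor + $sigLen - 1)]
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$data)
                $entries.Add([pscustomobject]@{
                    Variable = $Name; Kind = 'X509'
                    Value    = $cert.GetNameInfo('SimpleName', $false)   # the CN, as the Check script prints it
                    NotAfter = $cert.NotAfter })
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $entries.Add([pscustomobject]@{
                    Variable = $Name; Kind = 'SHA256'
                    Value    = ([BitConverter]::ToString($data) -replace '-', '')
                    NotAfter = $null })
            }
            $cursor += $sigLen
        }
        $pos = $end
    }
    return $entries
}

function Test-Ca2023Chain {
    # Summarises the state this thread cares about; returns an object instead of printing.
    $pk  = @(Read-SignatureDatabase 'PK')
    $kek = @(Read-SignatureDatabase 'KEK')
    $db  = @(Read-SignatureDatabase 'db')
    $dbx = @(Read-SignatureDatabase 'dbx')
    $hasCert = { param($set, $pattern) @($set | Where-Object { $_.Kind -eq 'X509' -and $_.Value -like $pattern }).Count -gt 0 }
    [pscustomobject]@{
        SecureBootEnabled    = $(try { Confirm-SecureBootUEFI } catch { $null })
        SetupMode            = ($pk.Count -eq 0)          # no PK => firmware accepts new keys
        PK                   = (($pk | Where-Object Kind -eq 'X509' | ForEach-Object Value) -join '; ')
        KEK_CA2023           = (& $hasCert $kek '*KEK 2K CA 2023*')
        DB_WindowsUEFICA2023 = (& $hasCert $db 'Windows UEFI CA 2023')
        DB_UEFICA2023        = (& $hasCert $db 'Microsoft UEFI CA 2023')
        DB_OptionROMCA2023   = (& $hasCert $db 'Microsoft Option ROM UEFI CA 2023')
        DBX_PCA2011Revoked   = (& $hasCert $dbx 'Microsoft Windows Production PCA 2011')
        DBX_HashCount        = @($dbx | Where-Object Kind -eq 'SHA256').Count
    }
}

Test-Ca2023Chain | Format-List
```

On a machine that has just finished steps 1 to 5, `SetupMode` comes back `True` and every other flag `False`; after the Update script has run and the PK is back, `SetupMode` should be `False` with `KEK_CA2023` and the three `DB_*` flags `True`, and `DBX_PCA2011Revoked` turns `True` only after the -Revoke step.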

Thank you so much for the concise explanation and instructions!

I followed steps #1 through #5. The Check and Update scripts ran correctly, and I have attached their output.

QUESTION:
Do I still need to "follow the README_UEFI.TXT instructions, for installing the PK cert from BIOS" (which is what the Update script said was the required action)? Or is that already taken care of by the script? You did not include a step of manually installing the PK cert from BIOS before step #6, re-enabling Secure Boot.

I reran the Check script with -Audit (before shutting down and re-entering the BIOS) and attached the output (second attachment). I'll let the machine sit in this state and wait for now. Based on my reading of this thread, all looks good to me except that the SkuSiPolicy still needs to be updated.
 

Attachments: Check and Update scripts in Setup Mode.webp; Output of Check after Update in Setup Mode.webp

Do I still need to "follow the README_UEFI.TXT instructions, for installing the PK cert from BIOS" (which is what the Update script said was the required action)? Or is that already taken care of by the script? You did not include a step of manually installing the PK cert from BIOS before step #6, re-enabling Secure Boot.
No, if you've executed Setup Mode then you don't need to follow the PK instructions. I should make the README more clear to skip the second section, if you finished the Setup Mode part.

I reran the Check script with -Audit (before shutting down and re-entering the BIOS) and attached the output (second attachment). I'll let the machine sit in this state and wait for now. Based on my reading of this thread, all looks good to me except that the SkuSiPolicy still needs to be updated.
Your CA 2023 is updated, but CA 2011 is not revoked (which is still optional for now).

SkuSiPolicy can be added for more security, but if you like to play around with dual-booting or use bootable Macrium recovery drives, sometimes the policy can lock out other bootable devices because their boot files are not in compliance (wrong version).
 

No, if you've executed Setup Mode then you don't need to follow the PK instructions. I should make the README more clear to skip the second section, if you finished the Setup Mode part.

Thank you! That's what I thought, and this clarification should help others. You were right; it worked seamlessly.

Your CA 2023 is updated, but CA 2011 is not revoked (which is still optional for now).

I ran the Update script with -Revoke, and CA 2011 is now revoked.

SkuSiPolicy can be added for more security, but if you like to play around with dual-booting or use bootable Macrium recovery drives, sometimes the policy can lock out other bootable devices because their boot files are not in compliance (wrong version).

Those considerations are not applicable to me, but thanks again for clarifying. I ran the Update script with -SkuSiPolicy. That also worked; after rebooting, now "SkuSiPolicy.p7b is CURRENT". (I don't need to attach the latest Check script output because all is clean and "UPDATES ARE FINISHED"!)

But there is one last little wrinkle: although it did work and the policy is now current, the Update script with -SkuSiPolicy reported an error. Attached is the output, in case it is helpful to you. (The scripts I'm running are the updated versions you provided here this week after the 2026.04.24 release.)

It is amazing that you have made these updates work on an 8-year-old machine whose BIOS will no longer be updated by Dell, and I don't have to learn Mosby. This is a perfectly good Windows 11 machine for now (i5-7600, 16GB RAM). Once again, thank you SO MUCH for all of your hard work on this.
 

Attachment: Check and Update -SkuSiPolicy outputs for garlin.webp

But there is one last little wrinkle: although it did work and the policy is now current, the Update script with -SkuSiPolicy reported an error. Attached is the output, in case it is helpful to you. (The scripts I'm running are the updated versions you provided here this week after the 2026.04.24 release.)
Thanks. That's part of an upcoming update to determine whether you have a UEFI lock on SkuSiPolicy (sometimes known as DeviceGuard).

It is amazing that you have made these updates work on an 8-year-old machine whose BIOS will no longer be updated by Dell, and I don't have to learn Mosby. This is a perfectly good Windows 11 machine for now (i5-7600, 16GB RAM). Once again, thank you SO MUCH for all of your hard work on this.
Great that you're taken care of.
 

Hi Garlin, I was having a similar 2 system disk problem to cydrone, so I ran your previous (2026.04.24) Check script and now I get an error that dbxupdate.bin is not found:

powershell -nop -ep bypass -f .\Check_UEFI-CA2023.ps1 -Audit -Verbose -Log

[attached screenshot: 1777543425876.webp]

from here, perhaps (?):
Code:
if (($dbx_BytesCount -eq 0) -or -not (Match-DBXSignatureData "$env:SystemRoot\System32\SecureBootUpdates\dbxupdate.bin")) {
    $CheckList += "{0,-3} DBX Updates are missing from UEFI DBX`n" -f ('{0}.' -f $index++)
    $script:RevokeFlags = $script:RevokeFlags -bor 0x2
}

But seems that the file is there:

[attached screenshot: 1777543674879.webp]

Please let me know if you have any suggestions, thanks.
 

Hi Garlin, I was having similar 2 system disk problem to cydrone, so I ran your previous (2026.04.24) Check script and now I get an error dbxupdate.bin not found:
But seems that the file is there:
I've seen this problem before with two different users. They report different DB or DBX files in the SecureBootUpdates folder cannot be "opened", even though they're listed in File Explorer. I have never figured out why their Windows are different.

Let's try this:
1. Do you run any 3rd-party anti-virus or security software? I'm wondering if file access is being blocked.

2. Run this test command:
Code:
powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { $_.Exception }"

If successful, there should be no output; you only get output if there's a read error.
 

@garlin I've got a question for you. Just updated to the release preview and wanted to test a Macrium v8.0 Rescue Media USB, and it failed to boot. The error on the screen was "SVN is 8 and USB is 7". How do I update the SVN on the USB to 8? The USB worked fine on the public release from 14 April and on the 28000 26H1 preview that also came out today. Both devices are on SVN 8.0, with the Rescue Media working on one device but not the other. A bit weird; I tried manually copy/pasting the EX bootloader from C, and it didn't make any difference, but it still booted on the 26H1 device. In the end, I turned off Secure Boot on the 25H2 device and it booted fine. I recreated the Rescue Media USB on the 26H1 device, as the software is installed on it. Maybe I should install Macrium on the 25H2 device and rebuild the Rescue Media using that device?

Edit: I did run the BootMedia script.
 
@garlin I've got a question for you. Just updated to the release preview and wanted to test a Macrium v8.0 Rescue Media USB and it failed to boot. Error on the screen was SVN is 8 and USB is 7. How do I update the SVN on the USB to 8. The USB worked fine on the public release from 14 April and on the 28000 26H1 preview that also came out today. Both devices are on SVN 8.0 with the Rescue Media working on one device, but not the other. A bit weird, tried manually copy/pasting the EX bootloader from C, it didn't make any difference, but still booted on the 26H1 device. In the end, I turned off secure boot on the 25H2 device and it booted fine. I recreated the Rescue Media USB on the 26H1 device as the software is installed on it. Maybe I should install Macrium on the 25H2 device and rebuild the Rescue Media using that device?
Normally the SVN is stored in two places:
- one copy in the UEFI DBX variable, which is enforced
- one copy as part of the boot manager file

The boot manager runs and performs a self-check against the DBX's version. If the boot manager's SVN is lower than the DBX's SVN, then the boot manager voluntarily exits. So the boot file decides whether to run or not.

The UEFI only enforces if the file's signing cert is CA 2011 (banned) or CA 2023 (allowed).

What the problem boils down to is: do you have the right boot file? Some devices are WinPE-style (\EFI\Boot) and others WinRE-style (\EFI\Microsoft\Boot). In the WinRE format, you're essentially copying the whole bcdboot folder.

If you run "Check_UEFI-CA2023.ps1 -BootMedia", it should report:
- bootmgfw.efi for the WinRE style
- bootx64.efi for the WinPE style

I'm presuming there's no mixing & matching of the two formats.
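As an added example (my code, not garlin's -BootMedia option), this PowerShell looks at a rescue USB for the two layouts the post names and reports, for whichever boot file is present, its Authenticode status, the CA that issued the signing certificate, and the file version. It cannot read the SVN embedded in the boot manager, which the post says is what the self-check compares against DBX; what it does show is whether the boot file on the media chains to CA 2023 (allowed) or to PCA 2011 (banned once dbx lists it). The drive letter and all function names are assumptions.

```powershell
# Added example, not garlin's code: inspect the boot file on a removable drive
# and report which of the two layouts the post describes it uses, and which CA
# signed it. A boot file whose signer chains to "Microsoft Windows Production
# PCA 2011" is the one the DBX revocation bans; one chaining to "Windows UEFI
# CA 2023" is the one the firmware allows. Nothing here writes to the media.

function Get-BootMediaSigner {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'E:' (assumed; the rescue USB)
    $root = $DriveLetter.TrimEnd('\') + '\'
    # The two layouts from the post: WinPE style under \EFI\Boot, WinRE style under \EFI\Microsoft\Boot
    $candidates = @(
        @{ Style = 'WinPE'; Path = Join-Path $root 'EFI\Boot\bootx64.efi' },
        @{ Style = 'WinRE'; Path = Join-Path $root 'EFI\Microsoft\Boot\bootmgfw.efi' }
    )
    foreach ($c in $candidates) {
        if (-not (Test-Path -LiteralPath $c.Path)) { continue }
        $sig  = Get-AuthenticodeSignature -LiteralPath $c.Path
        $info = (Get-Item -LiteralPath $c.Path).VersionInfo
        # The issuer of the leaf signing certificate is the CA the firmware matches against db/dbx
        $issuer = $null
        $signer = $null
        if ($sig.SignerCertificate) {
            $issuer = $sig.SignerCertificate.GetNameInfo('SimpleName', $true)    # $true = issuer name
            $signer = $sig.SignerCertificate.GetNameInfo('SimpleName', $false)   # $false = subject name
        }
        $ca = switch -Wildcard ($issuer) {
            '*Windows UEFI CA 2023*'                  { 'CA 2023 (allowed)' }
            '*Microsoft Windows Production PCA 2011*' { 'PCA 2011 (banned once dbx lists it)' }
            default                                   { "other/unknown: $issuer" }
        }
        [pscustomobject]@{
            Style           = $c.Style
            File            = $c.Path
            SignatureStatus = $sig.Status          # Valid / NotSigned / HashMismatch ...
            Signer          = $signer
            IssuingCA       = $ca
            FileVersion     = $info.FileVersion    # compare with the Check script's "File Version" line
        }
    }
}

# Usage (drive letter assumed):
Get-BootMediaSigner -DriveLetter 'E:' | Format-List
```

If the function returns two objects, the media mixes both layouts, which is the "mixing & matching" the post presumes is absent; if `IssuingCA` says PCA 2011 on a machine whose dbx already revokes it, the media needs rebuilding from a CA 2023 boot manager regardless of what the SVN check would say.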
 

I've seen this problem before with two different users. They report different DB or DBX files in the SecureBootUpdates folder cannot be "opened", even though they're listed in File Explorer. I have never figured out why their Windows are different.

Let's try this:
1. Do you run any 3rd-party anti-virus or security software? I'm wondering if file access is being blocked.

2. Run this test command:
Code:
powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { $_.Exception }"

If successful, there should be no output; you only get output if there's a read error.

thanks

(1) so I turned off ESET for 10 min, and your CHECK script gave the same dbxupdate.bin not found error

(2) also, try-catch statement was run (adding write-host ?):

powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { write-host $_.Exception }"
.Exception

thanks
 

Powershell:
Windows 11 25H2 (26200.8328)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
    HP HP Pavilion Laptop 15-eh3xxx
    Version: F.09
    Date: 2025-11-24

Factory Default UEFI PK Cert
----------------------------
    HP UEFI Secure Boot PK 2017

UEFI PK Cert
------------
    HP UEFI Secure Boot PK 2017

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    HP UEFI Secure Boot KEK 2017
    Microsoft Corporation KEK 2K CA 2023

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    HP UEFI Secure Boot KEK 2017
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    HP UEFI Secure Boot DB 2017
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    HP UEFI Secure Boot DB 2017
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
    Debian Secure Boot Signer
    Canonical Ltd. Secure Boot Signing
    EFI_CERT_SHA256_GUID Signatures: 190

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 8.0
    EFI_CERT_SHA256_GUID Signatures: 480

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        \\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
        File Version: 28000.322, SVN 8.0

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


AUDIT REPORT
============


STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

    SUCCESS: UPDATES ARE FINISHED.
    UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

Powershell:
Windows 11 25H2 (26200.8328)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
    Micro-Star International Co. MS-7C95
    Version: 2.O1
    Date: 2025-09-15

Factory Default UEFI PK Cert
----------------------------
    MSI SHIP PK

UEFI PK Cert
------------
    MSI SHIP PK

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    MSI SHIP KEK

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023
    MSI SHIP KEK

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MSI SHIP DB

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023
    MSI SHIP DB

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 416

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 8.0
    EFI_CERT_SHA256_GUID Signatures: 439

UEFI Variable
-------------
    SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        \\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
        File Version: 28000.322, SVN 8.0

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


AUDIT REPORT
============


STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

    SUCCESS: UPDATES ARE FINISHED.
    UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

While the SBAT error persists in the console for the HP (which, honestly, I couldn't care less about if it's just for Linux systems; after all, I just opted out of the SBAT thing), I finally ran Windows Update to get the latest Preview Update (they fixed RDP, so we are alive lol) and did what the bat file told me when it audited the system, rebooted, and voila! SVN 8.0. I also updated my Macrium USB and tested it: it boots properly and there are no security violations.

Again, if it wasn't because of you, I can't see any of us having a good season with all this. You have made it so easy even I can do this!

Thanks a ton!
 

If you run "Check_UEFI-CA2023.ps1 -BootMedia", it should report:
- bootmgfw.efi for the WinRE style
- bootx64.efi for the WinPE style

I had to add -verbose to the command to see that info.

[attached screenshot: 1777624373589.webp]
 

(2) also, try-catch statement was run (adding write-host ?):

powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { write-host $_.Exception }"
.Exception
The idea is if the try {} block fails, then you get the $_.Exception printed out. If you don't get a failed call, nothing gets dumped out.
Since you didn't see any output, then the file read worked.

Code:
C:\Windows\System32>powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\no\such\file\exists') } catch { $_.Exception }"
Exception calling "ReadAllBytes" with "1" argument(s): "Could not find a part of the path 'C:\no\such\file\exists'."
Code:
C:\Windows\System32>powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\no\such\file\exists') } catch { Write-host $_.Exception }"
System.Management.Automation.MethodInvocationException: Exception calling "ReadAllBytes" with "1" argument(s): "Could not find a part of the path 'C:\no\such\file\exists'." ---> System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\no\such\file\exists'.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
   at CallSite.Target(Closure , CallSite , Type , String )
   --- End of inner exception stack trace ---
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
 

The idea is if the try {} block fails, then you get the $_.Exception printed out. If you don't get a failed call, nothing gets dumped out.
Since you didn't see any output, then the file read worked.

Code:
C:\Windows\System32>powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\no\such\file\exists') } catch { $_.Exception }"
Exception calling "ReadAllBytes" with "1" argument(s): "Could not find a part of the path 'C:\no\such\file\exists'."
Code:
C:\Windows\System32>powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\no\such\file\exists') } catch { Write-host $_.Exception }"
System.Management.Automation.MethodInvocationException: Exception calling "ReadAllBytes" with "1" argument(s): "Could not find a part of the path 'C:\no\such\file\exists'." ---> System.IO.DirectoryNotFoundException: Could not find a part of the path 'C:\no\such\file\exists'.
   at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath)
   at System.IO.FileStream.Init(String path, FileMode mode, FileAccess access, Int32 rights, Boolean useRights, FileShare share, Int32 bufferSize, FileOptions options, SECURITY_ATTRIBUTES secAttrs, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.FileStream..ctor(String path, FileMode mode, FileAccess access, FileShare share, Int32 bufferSize, FileOptions options, String msgPath, Boolean bFromProxy, Boolean useLongPath, Boolean checkHost)
   at System.IO.File.InternalReadAllBytes(String path, Boolean checkHost)
   at CallSite.Target(Closure , CallSite , Type , String )
   --- End of inner exception stack trace ---
   at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
   at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
   at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)

Thanks.

(first) I ran the original and got the following. Does this mean the catch statement was executed? Or is this OK?

powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { $_.Exception }"

.Exception : The term '.Exception' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:1 char:106
+ ... ows\System32\SecureBootUpdates\dbxupdate.bin') } catch { .Exception }
+ ~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (.Exception:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException


(second) I ran your 2 tests on my machine:

powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\no\such\file\exists') } catch { $_.Exception }"

.Exception : The term '.Exception' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is
correct and try again.
At line:1 char:77
+ ... .File]::ReadAllBytes('C:\no\such\file\exists') } catch { .Exception }
+ ~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (.Exception:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException

... and then:

powershell -C "try { $bytes = [System.IO.File]::ReadAllBytes('C:\no\such\file\exists') } catch { Write-host $_.Exception }"

.Exception

Not sure what all this means ... (I'm running Windows PowerShell (x86))
 

Are you running this command inside PowerShell or CMD? This command was intended for CMD, since PS "eats" double-quotes that were intended for running outside of PS.

If you're already inside PS, run this:
Code:
try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { $_.Exception }
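As an added example (my code, not garlin's), here is a version of that read test that reports why a read fails rather than only that it failed. It unwraps PowerShell's MethodInvocationException to the underlying .NET exception, so DirectoryNotFound, FileNotFound and UnauthorizedAccess are told apart, walks up the path to find the first component that exists, and checks process bitness: in a 32-bit process on 64-bit Windows, C:\Windows\System32 is redirected to C:\Windows\SysWOW64 (WOW64 file system redirection), so a file that 64-bit File Explorer shows can be "not found" from Windows PowerShell (x86). The function name and the output fields are assumptions.

```powershell
# Added example, not garlin's code: a read test for the Secure Boot update
# payloads that reports *why* the read fails, not only whether it failed.
# Checks that a bare ReadAllBytes call does not show:
#  - the innermost exception type (DirectoryNotFound vs FileNotFound vs
#    UnauthorizedAccess), which separates "path missing" from "access denied";
#  - process bitness. From a 32-bit process on 64-bit Windows, System32 is
#    redirected to SysWOW64; the Sysnative alias reaches the real System32.
# Run this inside the PowerShell window itself, not via powershell -C "...".

function Test-SecureBootUpdateFile {
    param([string]$FileName = 'dbxupdate.bin')   # dbupdate.bin etc. can be passed instead

    $is64Process = [Environment]::Is64BitProcess
    $paths = @( Join-Path $env:SystemRoot "System32\SecureBootUpdates\$FileName" )
    if (-not $is64Process -and [Environment]::Is64BitOperatingSystem) {
        # Only meaningful from a 32-bit process; Sysnative does not exist for 64-bit ones
        $paths += Join-Path $env:SystemRoot "Sysnative\SecureBootUpdates\$FileName"
    }

    foreach ($path in $paths) {
        $r = [ordered]@{
            Path = $path; Process64Bit = $is64Process
            Readable = $false; Length = $null; Error = $null; FirstExistingAncestor = $null
        }
        try {
            $bytes = [System.IO.File]::ReadAllBytes($path)
            $r.Readable = $true
            $r.Length   = $bytes.Length
        } catch {
            # PowerShell wraps .NET exceptions in MethodInvocationException; unwrap to the real cause
            $inner = $_.Exception
            while ($inner.InnerException) { $inner = $inner.InnerException }
            $r.Error = '{0}: {1}' -f $inner.GetType().FullName, $inner.Message
            # Walk up the path to find where it stops existing from this process's point of view
            $probe = $path
            while ($probe -and -not (Test-Path -LiteralPath $probe)) { $probe = Split-Path -Path $probe -Parent }
            $r.FirstExistingAncestor = $probe
        }
        [pscustomobject]$r
    }
}

Test-SecureBootUpdateFile | Format-List
```

Two things to read off the result: if `FirstExistingAncestor` stops at `C:\Windows\System32` while `Process64Bit` is `False`, the folder is missing only from the redirected 32-bit view, and the Sysnative row will read the file; if the error type is UnauthorizedAccessException, the folder exists and something is blocking the read. On the quoting point from the earlier post: when `powershell -C "... $_.Exception ..."` is typed inside an existing PowerShell window, the outer shell expands `$_` inside the double quotes before the inner one starts, so the inner command sees `.Exception`, which is exactly the CommandNotFound error shown above; running the line directly in the window, as garlin suggests, avoids that.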
 

Now on 25H2 build 8328, thankfully no change to the boot manager this update.
 

Yes, I'm running from inside a PowerShell window. Here's what you suggest:

try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { $_.Exception }

Exception calling "ReadAllBytes" with "1" argument(s): "Could not find a part of the path 'C:\Windows\System32\SecureBootUpdates\dbxupdate.bin'."
 

Now on 25H2 build 8328, thankfully no change to the boot manager this update.
There is no defined schedule for when the boot manager changes. If someone reports a new security hole, then a new version will eventually roll. This whole process is inconvenient, but you know MS is trying to protect your PC.
 

Yes, I'm running from inside a PowerShell window. Here's what you suggest:

try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { $_.Exception }

Exception calling "ReadAllBytes" with "1" argument(s): "Could not find a part of the path 'C:\Windows\System32\SecureBootUpdates\dbxupdate.bin'."

You're officially the 3rd person with this problem. Please try this experiment:
Code:
copy C:\Windows\System32\SecureBootUpdates\dbxupdate.bin C:\Users\Fred123\Downloads
try { $bytes = [System.IO.File]::ReadAllBytes('C:\Users\Fred123\Downloads\dbxupdate.bin') } catch { $_.Exception }

It will be the same DBX file, but in a different folder path. If reading the copied file works, it means there's some hidden security issue with the SecureBootUpdates folder (or somewhere above it).
 

Yes, I'm running inside a PowerShell window. Here's your latest test:

try { $bytes = [System.IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\dbxupdate.bin') } catch { $_.Exception }
Exception calling "ReadAllBytes" with "1" argument(s): "Could not find a part of the path 'C:\Windows\System32\SecureBootUpdates\dbxupdate.bin'."
PS C:\Users\ ... >

Also, Windows Update updated to the latest: 2026-04 Preview Update (KB5083631) (26200.8328)

After 2 or 3 restarts, I find that Windows Security says all is up to date for Secure Boot and certificates. Here's your CHECK script output:

Also, running your Check_UEFI-CA2023.ps1 script (inside a PS window) now gives

powershell -nop -ep bypass -f .\Check_UEFI-CA2023.ps1 -Audit -Verbose -Log
Windows 11 25H2 (26200.8328)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
ASUS System Product Name
Version: 1017
Date: 2021-07-12

Factory Default UEFI PK Cert
----------------------------
ASUSTeK MotherBoard PK Certificate

UEFI PK Cert
------------
ASUSTeK MotherBoard PK Certificate

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Canonical Ltd. Master Certificate Authority
ASUSTeK MotherBoard KEK Certificate

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
Canonical Ltd. Master Certificate Authority
ASUSTeK MotherBoard KEK Certificate

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Canonical Ltd. Master Certificate Authority
ASUSTeK MotherBoard SW Key Certificate
ASUSTeK Notebook SW Key Certificate

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Canonical Ltd. Master Certificate Authority
ASUSTeK MotherBoard SW Key Certificate
ASUSTeK Notebook SW Key Certificate

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 330

UEFI Variables
--------------
Credential Guard: ON
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.
DBX update file "C:\WINDOWS\System32\SecureBootUpdates\dbxupdate.bin" not found.

Does the above mean that all needed updates are applied and Secure Boot and certificates are all OK???

What about, the DBX update file ... dbxupdate.bin not found message? Is this a problem?

Thanks
 
