Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


G

garlin

Well-known member
Guru
VIP
Local time
7:12 PM
Posts
6,119
OS
Windows 7
INTRO

For the last two months, I've been working on new PowerShell scripts to automate the Secure Boot CA 2023 update process. A number of contributed scripts or guides presented on various ElevenForum threads (including a few of my earlier scripts) are lacking in clarity. There's simply too much confusion and guesswork to what's going with updates. The whole process should be easier to follow.

Why should you use these scripts?
  • Find out if your BIOS is currently supported by MS or not
  • Find out if your Secure Boot update is completed right now, without the need to run other commands or looking at the Event Viewer logs
  • Force an immediate update to CA 2023 certs, and optionally revoke the CA 2011 cert at this time
  • Update your boot files on USB removable media (including Macrium recovery drives)
The scripts are written in PowerShell so any technical user can examine the code, and determine if there are any security problems presented.

All the UEFI security certificates and policy files are either sourced from the \Windows\System32\SecureBootUpdates folder, or the Microsoft GitHub repo for Secure Boot Objects. The MS GitHub is referenced by the UEFI Forum group as the official site for downloading Secure Boot CA 2023 updates.

W10 22H2 and all W11 releases, which have the July 2025 (or later) Monthly Update are supported. Including x64, x86, arm64 and arm architectures.

DO I NEED TO READ EVERYTHING BELOW?

No. If you want to just get started, first run the Check_UEFI-CA2023.ps1 script. If it doesn't suggest you to run the Update_UEFI-CA2023.ps1 script, then you have the option to do nothing (wait for MS to safely upgrade your PC in 2026), or follow the onscreen instructions. The instructions mirror the current MS guides.

Whenever you see the MS instructions for "reg add"..., you can always run the Update_UEFI-CA2023.ps1 and skip the waiting. The upgrade script does everything at the same time, so there's no need to check any Windows event logs. Run the Check_UEFI-CA2023.ps1 script again, and see if there are no more instructions left.

You have the option to stop right now, after adding the CA 2023 certs. The revocation of CA 2011 isn't expected to happen until early-mid 2026.

Before we get started, let's review an important requirement for the CA 2023 update:

When Secure Boot is enabled, your UEFI must have a signed KEK CA 2023 certificate in order to properly install the CA 2023 certs and updated boot files.

In the UEFI security model, Micorosoft provides the PC or motherboard maker a signed Key Exchange Key (KEK) signed by MS. The OEM in turn signs the KEK with their Platform Key (PK) to bless the KEK as authenticated by the vendor. The OEM has the option to provide one of two solutions:
  • Recent BIOS firmware update which includes the CA 2023 certs as factory defaults
  • Submit a re-signed KEK for inclusion in the MS GitHub repo (and Windows can perform the update by itself)
A problem happens when the OEM doesn't follow either solution, because they don't want to support older PC's.

Fortunately, another option is available. Most UEFI's have a Setup Mode, where the user clears the UEFI of all existing certs and signature hashes, and allows a tool to write certs directly into UEFI. This is what Mosby tries to do. But we don't actually need Mosby (and its requirement to format an USB drive) if you have a script or tool that runs on Windows.

There are three scripts in the release:
  1. Check_UEFI-CA2023.ps1
    Checks the current state of your UEFI certs, and the boot files for Windows and any bootable DVD or USB media. The script can provide an Audit Report, listing what steps need to be completed to be in compliance with the CA 2023 update, and what commands to run.

  2. Update_UEFI-CA2023.ps1
    Updates the UEFI certs and boot files for Windows and any bootable USB media. You have the option to only install the UEFI CA 2023 certs, and not revoke the PCA 2011 cert; or to complete the entire process in one pass.

  3. Check_DBXUpdate.bin.ps1
    Compares any submitted DBXUpdate.bin file against the current UEFI DBX variable, and informs you if there are any EFI or SVN signatures that need to be installed.

USAGE

Check_UEFI-CA2023.ps1

Report on the current UEFI certs enrolled in the KEK, DB, and DBX variables, Secure Boot and Virtualization-Based Security modes, BitLocker encryption status, and if the Windows Boot Manager is allowed by the current UEFI setup. Each command-line option may be used on its own, or in combination with any or all of them.

Supported options:

- AuditReport what UEFI CA 2023 steps have not been completed. Check the Windows Boot Manager as if Secure Boot is enabled (in case you're running with Secure Boot as disabled).
- VerboseExtended details including Windows build, BIOS versions, factory defaults for PK, KEK, DB and DBX variables, Windows BootMgr SVN, and count of EFI signature hashes for the DBX list.
- BootMediaCheck the boot file and Windows install image are allowed by the current UEFI setup.
- LogSave output to a log named after the current date, and PC model.

Check_UEFI-CA2023.ps1
Code: 
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) ON

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 0
        [Windows UEFI CA 2023] not in UEFI DB.

    Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

OPTION 1:  DO NOTHING.  Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2:  To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the commands:

    manage-bde -Protectors -Disable C: -RebootCount 1
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

    manage-bde -Protectors -Disable C: -RebootCount 1
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5be6 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Check_UEFI-CA2023.ps1 -Audit
Code: 
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) ON

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 0
        [Windows UEFI CA 2023] not in UEFI DB.

    Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


AUDIT REPORT
============
1.  Secure Boot is DISABLED
2.  [Microsoft Corporation KEK 2K CA 2023] is missing from UEFI KEK
3.  [Windows UEFI CA 2023] is missing from UEFI DB
4.  [Microsoft UEFI CA 2023] is missing from UEFI DB
5.  [Microsoft Option ROM UEFI CA 2023] is missing from UEFI DB
6.  [Production PCA 2011] is missing from UEFI DBX
7.  DBX Updates are missing from UEFI DBX
8.  Windows BootMgr SVN is missing from UEFI DBX
9.  Windows Boot Manager [Production PCA 2011] is wrong version
10. SkuSiPolicy.p7b (for VBS) is missing


REQUIRED ACTION
===============

OPTION 1:  DO NOTHING.  Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2:  To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the commands:

    manage-bde -Protectors -Disable C: -RebootCount 1
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

    manage-bde -Protectors -Disable C: -RebootCount 1
    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5be6 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Update_UEFI-CA2023.ps1

Install the UEFI CA 2023 certs, and optionally revoke the CA 2011 cert if desired; copy the CA 2023 boot manager file to the EFI (ESP) partition, and any removable USB drives which have an \EFI\boot\bootx64.bin boot file. SkuSiPolicy.p7b file will be copied to EFI, if Virtualization-Based Security (VBS) is currently enabled.

Before the script runs, it checks if your Windows release is July 2025 or later, in order to have the latest Secure Boot files. When BitLocker is enabled, it's suspended for 1 or 3 reboots (depending on VBS), so changes in the UEFI don't require you to provide a BitLocker recovery key.

The script is smart enough to only perform the missing steps. If you partially updated the UEFI before running the script, it will finish whatever is expected. If you want to perform the entire upgrade in one pass, you can use the -Revoke flag.

If you have a supported BIOS (where the OEM has submitted a signed KEK to MS), then Update_UEFI-CA2023.ps1 can run without needing any help.

If you have any unsupported BIOS, you have two options:
  • For PC's with an UEFI that supports manual key management, the script copies the KEK CA 2023 certificate to the EFI partition. You can use your UEFI's menu options to manually enroll the KEK file, from the EFI partition's \EFI\Certs folder.

    If your PC has an untrusted PK cert ("DO NOT TRUST" or "TEST"), the script will copy the "Windows OEM Devices PK" cert to the EFI partition. Enroll this PK cert from the \EFI\Certs folder.

  • For PC's that don't support manual key management of individual keys, you can choose Setup Mode (which deletes all certs). After clearing the certs, and restarting Windows, run the Update_UEFI-CA2023.ps1 script. It will complete the process without further help from you. This does almost the same thing as Mosby, except you're using the MS recommended "Windows OEM Devices PK" instead of self-signing the KEK cert.
Each command-line option may be used on its own, or in combination with any or all of them.

-AuditReport what UEFI CA 2023 steps have not been completed. Check the Windows Boot Manager as if Secure Boot is enabled (in case you're running with Secure Boot as disabled).
-RevokeRevoke the PCA 2011 cert, banning all old boot files. By default, the script only installs the CA 2023 certs, and will not revoke PCA 2011 unless requested.
-LatestCheck the MS GitHub, if later version of DBXUpdate.bin and DBXUpdateSVN.bin exist. Only apply changes if the bin files are newer.
-SBATApply the optional Secure Boot Advanced Targeting (SBAT) update, if you're sharing EFI with a Linux system. Not required for a pure Windows setup.
-BootMediaReplace the EFI bootfile (\EFI\Microsoft\Boot\bootx64.efi) on mounted USB drives, if the file is present.
-LogSave output to a log named after the current date, and PC model.

Update_UEFI-CA2023.ps1
Code: 
Suspending BitLocker for one reboot.
Successfully appended "dbupdate2024.bin" to UEFI DB.
Successfully appended "DBUpdate3P2023.bin" to UEFI DB.
Successfully appended "DBUpdateOROM2023.bin" to UEFI DB.
Downloading "KEKUpdate_Microsoft_PK3d8660c0.bin" from GitHub.
Successfully appended "KEKUpdate_Microsoft_PK3d8660c0.bin" to UEFI KEK.
Copying EFI boot files.
Boot files successfully created.

REQUIRED ACTION
---------------
Restart Windows, for UEFI updates to take effect.

Update_UEFI-CA2023.ps1 -Revoke
Code: 
Successfully appended "dbxupdate.bin" to UEFI DBX.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 7.0) to UEFI DBX.
Deployed SkuSiPolicy.p7b (for VBS).

REQUIRED ACTION
---------------
Restart Windows, for UEFI updates to take effect.

Check_DBXUpdate.bin.ps1

For normal users, this script isn't needed for the update process. When Windows releases a new DBXUpdate or SVN, it will be part of the usual Monthly Updates and eventually pushed to the UEFI. If you want to confirm that the DBX variable contains all signatures in a provided DBXupdate or DBXupdateSVN bin file, run this script. The script will report how many matched or missing EFI or SVN signatures from the submitted file are found in the DBX variable.

By default, the script compares the DBX files in \Windows\System32\SecureBootUpdates (refreshed by the Monthly Updates). You can provide a list of individual files or folders to be searched for *DBX*.bin named files. After a successful update (or revoke), there should be no missing signatures.

-VerboseDownload the "dbx_info_msft_latest.json" from MS GitHub, and extract the filename and vendor info for the missing EFI certs. If the missing signature is a SVN, report on the SVN.

Check_DBXUpdate.bin.ps1
Code: 
FAILED: Missing 404/431 EFI signatures from "dbxupdate.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdate2024.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdateSVN.bin"


The latest version of the script is available from GitHub, or attached as a ZIP file below.
Release v2026.05.31 · garlin-cant-code/SecureBoot-CA-2023-Updates
 

Attachments

Last edited:

My Computer

System One

  • OS
    Windows 7
Screenshot 2025-12-31 222143.webp
A quick check (updated already manually) looks good.
* formatting: The SVN does look like its in the DBX though
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    CPU
    Ryzen 5 5800X
    Motherboard
    Asus B550 Strix gaming
    Memory
    32Gb Corsair 3200
    Graphics Card(s)
    Gigabyte RTX4070-Super
    Screen Resolution
    2x 1440, 1x 1080
Would this work on my ASUS desktop, which at the moment can only boot when Secure Boot is disabled. In this condition I can run Mosby but it fails with the error about a security violation. This is the same error that occurs with my HP laptop that won't get a BIOS update (it was mfd in 2016) but somehow it eventually ran Mosby successfully and is now fully updated. If on my ASUS I restore the default certs while in the UEFI and reboot I get an error saying unauthorized changes were made to the BIOS and to choose a different bootable selection, which, of course, there is none.

This ASUS was fully updated with the new certs but problems with a corrupt SSD and trying to rectify problems I removed the secure boot certs in order to boot from a Macrium Rescue disk. I eventyally, a day ago, had to replace the drive with another of the same, a Samsung 870 something (I'm on my HP at the moment so I forget the item) and was able to restore an image from a week or two old. I'm reconciled to living with the ASUS staying in Secure Boot disabled but if I can somehow get it to accept all the new certs that would be delightful/

Here is the cert check on the ASUS from 12/13/25, it would be great if I could get the machine back to that state:

Code: 
S C:\temp> powershell -nop -ep bypass -f Check_EFIBootFile.ps1
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

Bootable Media
--------------
    USB D: "MACRIUMBOOT"
        Boot File [Windows UEFI CA 2023] is ALLOWED.
 

My Computers

System One System Two

  • OS
    Windows 11 Home, ver 25H2 build 26200.8246
    Computer type
    Laptop
    Manufacturer/Model
    Hewlett-Packard Spectre 13-4001 x360 convertable
    CPU
    Intel Core i5 5200U @ 2.20GH
    Motherboard
    Hewlett-Packard 802D
    Memory
    4 GB
    Graphics Card(s)
    Intel HD Graphics 5500 on board
    Sound Card
    Intel Smart Sound Technology (Intel SST)
    Hard Drives
    Micron 256GB M.2 2280 NGFF SSD MTFDDAV256TBN, (SATA 6.0 Gb/s)
    Keyboard
    Model # G01KB
    Antivirus
    Microsoft Defender
    Other Info
    born on date: 25 Feb 2016
  • Operating System
    Win 11 Home 25H2 build 26200.7922
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus Desktop model M32AD-US019S (DOM: 6/9/2014 )
    CPU
    Intel Core i7 4th Gen 4790 (3.60GHz), Haswell 22nm Technology, SOCKET 1150
    Motherboard
    H81M-E/M51AD/DP_MB
    Memory
    Samsung 16 GB DDR3 (8GB in 2 modules)
    Graphics card(s)
    NVIDIA GeForce GTX 760, 3GB, and on-board Intel HD Graphics 4600 Rev 6
    Monitor(s) Displays
    HP EliteDisplay E241i LED; HP EliteDisplay E243
    Hard Drives
    Samsung 500GB SSD, 870 EVO (SATA 6.0 )
    Micron 250GB SSD, CT250MX500
    Toshiba HDD, 3GB (original drive w/PC)
    Case
    ASUS
    Keyboard
    ASUS-------------------------
    Antivirus
    MS Defender
    Other Info
    Additional Laptops:

    HEWLETT PACKARD
    HP OmniBook X Flip NGAI (Next Gen AI),
    Model: 16-as0023dx
    PT# B5UH1UA#ABA Product #: B5UH1UA
    delivered and setup 7/25/25
    16" 2K Touch-Screen Laptop
    Intel Core Ultra 7 256V '24 Series 2 - CPU
    Boost Clock Frequency 4.8 gigahertz; Neural Processing Unit (NPU) Yes;
    16GB Memory, LPDDR5X
    1TB SSD PCIe 4.0
    Graphics: Intel Arc 140V
    1 x HDMI 2.1
    1 x Thunderbolt 4
    2K Touch-Screen display, LED, IPS; 1920 x 1200 (Full HD+)
    USB Ports: 1 x USB-C 3.1, 2 x USB-A 3.1
    Wi-Fi 6E
    weight 4.15 pounds

    DELL
    Model:I7591-7483BLK-PUS 2-in-1 (7000 Series)
    purchased 12/3/2019,
    15.6 inch 2-IN-1;
    4K Ultra HD Touch-Screen, 3840 x 2160,
    Intel Core i7 10510U CPU 1.80GHz,
    16GB RAM DDR4 SDRAM 2400 megahert (2 slots),
    dedicated graphics Nvidia GeForce MX250 2 GB Graphics,
    PCIe 512GB Intel SSD + 32GB Optane Memory (Intel Optane Memory H10 with solid-state storage),
    wireless-AX & Bluetooth
    Battery: 68wh, Type 4VGMP 4 cell
Thanks for this @garlin

I ran the Check_UEFI-CA2023.ps1 script as a test and it worked fine and came up with this.

garlins check secureboot script test.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 3107
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External DAC: Cambridge Audio DACMagic200M - Headphone Amp: Topping L50
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate Expansion 16TB external - USB 3.2
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Incase Ergonomic USB (Microsoft clone)
    Mouse
    Logitech MX Master 3S
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 26.1.1
    Hasleo Backup Suite
    Dashlane password manager
    Kensington Verimark fingerprint reader
    Logitech Brio 4K webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 309
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Mouse
    Logitech MX Ergo Trackball
    Antivirus
    Bitdefender Total Security
    Other Info
    720p Webcam
    WiFi & USB to ethernet
Aramil said:
A quick check (updated already manually) looks good.
* formatting: The SVN does look like its in the DBX though
Click to expand...
Normally a banned EFI file is blocked in the DBX by writing the hash value of its cert's signature to the DBX list.

SVN's use this mechanism to submit a fake "hash" where the first part of the hash is a fixed (and known) GUID, and the actual version number is hidden in the trailing digits.

For example: (BootMgr SVN pretending to be a signature hash)
Code: 
|----------BootMgr GUID----------|     | SVN major version
01612B139DD5598843AB1C185C3CB2EB92000007000000000000000000000000

I have chosen to group the SVN under DBX to keep the output less cluttered.
 
Last edited:

My Computer

System One

  • OS
    Windows 7
starchase said:
Would this work on my ASUS desktop, which at the moment can only boot when Secure Boot is disabled. In this condition I can run Mosby but it fails with the error about a security violation. This is the same error that occurs with my HP laptop that won't get a BIOS update (it was mfd in 2016) but somehow it eventually ran Mosby successfully and is now fully updated. If on my ASUS I restore the default certs while in the UEFI and reboot I get an error saying unauthorized changes were made to the BIOS and to choose a different bootable selection, which, of course, there is none.

This ASUS was fully updated with the new certs but problems with a corrupt SSD and trying to rectify problems I removed the secure boot certs in order to boot from a Macrium Rescue disk. I eventyally, a day ago, had to replace the drive with another of the same, a Samsung 870 something (I'm on my HP at the moment so I forget the item) and was able to restore an image from a week or two old. I'm reconciled to living with the ASUS staying in Secure Boot disabled but if I can somehow get it to accept all the new certs that would be delightful/
Click to expand...
The upgrade script functionally does the same thing as Mosby (writing a known good PK and KEK to UEFI, and then all the other certs will happily fall into place), but it does it by using the Windows features provided to PowerShell. If there's some weird UEFI firmware from AMI (as pbatard hints), then this script may not be much better because then it's a firmware bug.

There's no harm in trying. The worse case is you disable Secure Boot, and go back to the factory defaults. When in Setup mode, my script replaces the entire contents of each UEFI variable in one pass. The bug notes for Mosby mention something about appending the KEK, which my script doesn't do in Setup mode. It will append the KEK only if your vendor has provided a signed KEK to MS.

So it might work, but then I don't have one of these PC's available for testing. Let me know if it works.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
The upgrade script functionally does the same thing as Mosby (writing a known good PK and KEK to UEFI, and then all the other certs will happily fall into place), but it does it by using the Windows features provided to PowerShell. If there's some weird UEFI firmware from AMI (as pbatard hints), then this script may not be much better because then it's a firmware bug.

There's no harm in trying. The worse case is you disable Secure Boot, and go back to the factory defaults. When in Setup mode, my script replaces the entire contents of each UEFI variable in one pass. The bug notes for Mosby mention something about appending the KEK, which my script doesn't do in Setup mode. It will append the KEK only if your vendor has provided a signed KEK to MS.

So it might work, but then I don't have one of these PC's available for testing. Let me know if it works.
Click to expand...
Thanks. I'll run it this evening and advise.
 

My Computers

System One System Two

  • OS
    Windows 11 Home, ver 25H2 build 26200.8246
    Computer type
    Laptop
    Manufacturer/Model
    Hewlett-Packard Spectre 13-4001 x360 convertable
    CPU
    Intel Core i5 5200U @ 2.20GH
    Motherboard
    Hewlett-Packard 802D
    Memory
    4 GB
    Graphics Card(s)
    Intel HD Graphics 5500 on board
    Sound Card
    Intel Smart Sound Technology (Intel SST)
    Hard Drives
    Micron 256GB M.2 2280 NGFF SSD MTFDDAV256TBN, (SATA 6.0 Gb/s)
    Keyboard
    Model # G01KB
    Antivirus
    Microsoft Defender
    Other Info
    born on date: 25 Feb 2016
  • Operating System
    Win 11 Home 25H2 build 26200.7922
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus Desktop model M32AD-US019S (DOM: 6/9/2014 )
    CPU
    Intel Core i7 4th Gen 4790 (3.60GHz), Haswell 22nm Technology, SOCKET 1150
    Motherboard
    H81M-E/M51AD/DP_MB
    Memory
    Samsung 16 GB DDR3 (8GB in 2 modules)
    Graphics card(s)
    NVIDIA GeForce GTX 760, 3GB, and on-board Intel HD Graphics 4600 Rev 6
    Monitor(s) Displays
    HP EliteDisplay E241i LED; HP EliteDisplay E243
    Hard Drives
    Samsung 500GB SSD, 870 EVO (SATA 6.0 )
    Micron 250GB SSD, CT250MX500
    Toshiba HDD, 3GB (original drive w/PC)
    Case
    ASUS
    Keyboard
    ASUS-------------------------
    Antivirus
    MS Defender
    Other Info
    Additional Laptops:

    HEWLETT PACKARD
    HP OmniBook X Flip NGAI (Next Gen AI),
    Model: 16-as0023dx
    PT# B5UH1UA#ABA Product #: B5UH1UA
    delivered and setup 7/25/25
    16" 2K Touch-Screen Laptop
    Intel Core Ultra 7 256V '24 Series 2 - CPU
    Boost Clock Frequency 4.8 gigahertz; Neural Processing Unit (NPU) Yes;
    16GB Memory, LPDDR5X
    1TB SSD PCIe 4.0
    Graphics: Intel Arc 140V
    1 x HDMI 2.1
    1 x Thunderbolt 4
    2K Touch-Screen display, LED, IPS; 1920 x 1200 (Full HD+)
    USB Ports: 1 x USB-C 3.1, 2 x USB-A 3.1
    Wi-Fi 6E
    weight 4.15 pounds

    DELL
    Model:I7591-7483BLK-PUS 2-in-1 (7000 Series)
    purchased 12/3/2019,
    15.6 inch 2-IN-1;
    4K Ultra HD Touch-Screen, 3840 x 2160,
    Intel Core i7 10510U CPU 1.80GHz,
    16GB RAM DDR4 SDRAM 2400 megahert (2 slots),
    dedicated graphics Nvidia GeForce MX250 2 GB Graphics,
    PCIe 512GB Intel SSD + 32GB Optane Memory (Intel Optane Memory H10 with solid-state storage),
    wireless-AX & Bluetooth
    Battery: 68wh, Type 4VGMP 4 cell
Amazing work, MS should make you CEO for a day with pay, which must millions $$$. Thank you for the incredible effort you put into it. Your instructions are simple and straight forward, which will help a lot of people.
 

My Computer

System One

  • OS
    Windows 11
1767221903591.webp
Should i be concerned?
 

My Computers

System One System Two

  • OS
    Windows 11 Enterprise 25H2 26200 7462
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Build
    CPU
    Intel XEON E5-2699 v3
    Motherboard
    ASUS X99-A
    Memory
    64GB Teamgroup UD4-3600
    Graphics Card(s)
    NVIDIA GeForce GTX 1080 Ti
    Sound Card
    Integrated
    Monitor(s) Displays
    ACER X34 Predator
    Screen Resolution
    3440 x 1440
    Hard Drives
    Crucial CT1000P 3P SSD8 1TB
    Crucial CT1000 BX500 SSD 1TB
    PSU
    GameMax Pro
    Case
    Fractal Design
    Cooling
    Corsair H110iGT + 6 140mm Fans
    Keyboard
    Corsair K4
    Mouse
    G-Skill G502
    Internet Speed
    300MBs
    Browser
    Chrome
    Antivirus
    OEM
    Other Info
    ASUS RT-AC87U Router
  • Operating System
    25H2 26200.5074
    Computer type
    Laptop
    Manufacturer/Model
    ASUS X555LA
    Memory
    8GB
    Browser
    Chrome
    Antivirus
    OEM
Rollback_Jockey said:
View attachment 158506
Should i be concerned?
Click to expand...
Yes, because you don't have a KEK CA 2023.

Run the script in -Verbose mode, and confirm no signed KEK exists for your current PK. You will need to have the Upgrade script copy the KEK certificate in file format to the EFI partition, and hopefully your UEFI has a manual enrollment option for the KEK (from a file). If you don't, then you need to follow the Setup Mode route and clear your certs.

You can always add new DB certs, but the certs aren't enforceable in the chain of trust without the underlying KEK cert. KEK CA 2023 undersigns the UEFI CA 2023 certs, so you need it at a minimum to validate the Windows UEFI CA 2023.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
Yes, because you don't have a KEK CA 2023.

Run the script in -Verbose mode, and confirm no signed KEK exists for your current PK. You will need to have the Upgrade script copy the KEK certificate in file format to the EFI partition, and hopefully your UEFI has a manual enrollment option for the KEK (from a file). If you don't, then you need to follow the Setup Mode route and clear your certs.

You can always add new DB certs, but the certs aren't enforceable in the chain of trust without the underlying KEK cert. KEK CA 2023 undersigns the UEFI CA 2023 certs, so
Click to expand...
garlin said:
you need it at a minimum to validate the Windows UEFI CA 2023.
Click to expand...
Curious about the 2023 KEK, I ran the script below, it indicates if there is a 2023 KEK available for the device it is run on. It apparently works on all devices by checking the repository ( GitHub ), which supposedly gets updated on a regular basis. The script I found in one of the many threads and it was suggested to ignore Lenovo in its naming.

The link below has the 2023 KEK which can be downloaded. Is it some kind of generic 2023 KEK and can it be installed using your method?


learn.microsoft.com

Windows Secure Boot Key Creation and Management Guidance

Windows Secure Boot Key Creation and Management Guidance
learn.microsoft.com
 

Attachments

My Computer

System One

  • OS
    Windows 11
That's one of my older scripts. The same thumbprint feature is rolled into both scripts.

If you're missing the KEK CA 2023 cert, Check_UEFI-CA2023.ps1 searches for your BIOS' thumbprint on the GitHub site.

Update_UEFI-CA2023.ps1 should be able to install the KEK CA 2023, based on your thumbprint. It downloads the bin file from GitHub, and applies it. pbatard (Akeo) has reported a weird bug with a version of the AMI BIOS where appending to an existing KEK (which has a KEK 2011 present) doesn't work at all. This might be the case for you.

What I would try is this:
1. Disable Secure Boot.
2. If you don't have any 3rd-party certs (outside of MS), then enter Setup Mode. This will clear all existing certs from UEFI.
3. Restart Windows. Run the update script, it should recognize you're in Setup Mode and be able to write both KEK certs at the same time (it's not appending to an existing cert because you entered Setup Mode to clear the existing cert).
4. Run the check script. If everything's fixed, then enable Secure Boot.
 

My Computer

System One

  • OS
    Windows 7
garlin said:
That's one of my older scripts. The same thumbprint feature is rolled into both scripts.

If you're missing the KEK CA 2023 cert, Check_UEFI-CA2023.ps1 searches for your BIOS' thumbprint on the GitHub site.

Update_UEFI-CA2023.ps1 should be able to install the KEK CA 2023, based on your thumbprint. It downloads the bin file from GitHub, and applies it. pbatard (Akeo) has reported a weird bug with a version of the AMI BIOS where appending to an existing KEK (which has a KEK 2011 present) doesn't work at all. This might be the case for you.

What I would try is this:
1. Disable Secure Boot.
2. If you don't have any 3rd-party certs (outside of MS), then enter Setup Mode. This will clear all existing certs from UEFI.
3. Restart Windows. Run the update script, it should recognize you're in Setup Mode and be able to write both KEK certs at the same time (it's not appending to an existing cert because you entered Setup Mode to clear the existing cert).
4. Run the check script. If everything's fixed, then enable Secure Boot.
Click to expand...
I'll give that a try even though the last time I checked ( weeks ago ) there was no 2023 KEK for my device. This was my last unsuccessful attempt to install the keys using Mosby. I think it's something related to the PK key.

If you don't mind, remind how to run those PowerShell commands, not having any luck with these. Last time I copy/pasted the path to the command and it worked, not this time.
Mosby BIOS.webp
 

My Computer

System One

  • OS
    Windows 11
I don't believe the reported bug was because of the PK, but rather as you see in the Mosby output "Merged KEK list".

By using the Setup Mode method of overwriting all the variables using the LegacyFirmwareDefaults, hopefully you can skip around the problem. The LegacyFirmwareDefaults include both KEK's in the bin file. So no append operation (merging) is required as both certs are applied at the same time.
 

My Computer

System One

  • OS
    Windows 7
Was i successful?

1767230177483.webp
 

My Computers

System One System Two

  • OS
    Windows 11 Enterprise 25H2 26200 7462
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Build
    CPU
    Intel XEON E5-2699 v3
    Motherboard
    ASUS X99-A
    Memory
    64GB Teamgroup UD4-3600
    Graphics Card(s)
    NVIDIA GeForce GTX 1080 Ti
    Sound Card
    Integrated
    Monitor(s) Displays
    ACER X34 Predator
    Screen Resolution
    3440 x 1440
    Hard Drives
    Crucial CT1000P 3P SSD8 1TB
    Crucial CT1000 BX500 SSD 1TB
    PSU
    GameMax Pro
    Case
    Fractal Design
    Cooling
    Corsair H110iGT + 6 140mm Fans
    Keyboard
    Corsair K4
    Mouse
    G-Skill G502
    Internet Speed
    300MBs
    Browser
    Chrome
    Antivirus
    OEM
    Other Info
    ASUS RT-AC87U Router
  • Operating System
    25H2 26200.5074
    Computer type
    Laptop
    Manufacturer/Model
    ASUS X555LA
    Memory
    8GB
    Browser
    Chrome
    Antivirus
    OEM
Dirtyflash said:
Would you mind telling me how those scripts are run in PowerShell? Right clicking only makes a window popup and disappear...hmm :unsure:
Click to expand...
In my case the folder was in my downloads directory so in Powershell i typed

cd "D:\Users\Steve\Steve's Downloads\SecureBoot-CA-2023-Updates"

followed by

./Check_UEFI-CA2023.ps1
 

My Computers

System One System Two

  • OS
    Windows 11 Enterprise 25H2 26200 7462
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Build
    CPU
    Intel XEON E5-2699 v3
    Motherboard
    ASUS X99-A
    Memory
    64GB Teamgroup UD4-3600
    Graphics Card(s)
    NVIDIA GeForce GTX 1080 Ti
    Sound Card
    Integrated
    Monitor(s) Displays
    ACER X34 Predator
    Screen Resolution
    3440 x 1440
    Hard Drives
    Crucial CT1000P 3P SSD8 1TB
    Crucial CT1000 BX500 SSD 1TB
    PSU
    GameMax Pro
    Case
    Fractal Design
    Cooling
    Corsair H110iGT + 6 140mm Fans
    Keyboard
    Corsair K4
    Mouse
    G-Skill G502
    Internet Speed
    300MBs
    Browser
    Chrome
    Antivirus
    OEM
    Other Info
    ASUS RT-AC87U Router
  • Operating System
    25H2 26200.5074
    Computer type
    Laptop
    Manufacturer/Model
    ASUS X555LA
    Memory
    8GB
    Browser
    Chrome
    Antivirus
    OEM
Rollback_Jockey said:
In my case the folder was in my downloads directory so in Powershell i typed

cd "D:\Users\Steve\Steve's Downloads\SecureBoot-CA-2023-Updates"

followed by

./Check_UEFI-CA2023.ps1
Click to expand...
No luck, but thank you nevertheless! I think it may be because I'm running an older version of 24H2.
 
Last edited:

My Computer

System One

  • OS
    Windows 11
garlin said:
So it might work, but then I don't have one of these PC's available for testing. Let me know if it works.
Click to expand...
I am absolutely dumbfounded. With just running one script, the Update_UEFI-CA2023.ps1 script (actually I first ran the Check_UEFI-CA2023.ps1 to see what the current state was) , my ASUS Secure Boot state was returned to the 12/13/25 state!!!! I ran this: powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023.ps1 powershell Administrator mode, as I copied the scripts to the C:\temp folder, as instructed and it produced the output below. It said reboot but I didn't know if I should boot into the UEFI bios and make any selection about Enabling Secure Boot so I just rebooted right into Windows and ran the Check script and your script populated all th4e Certs that I had before I messed up my settings. Seems since the scripts were now there it automatically turned on Secure Boot. How cool is that!. I am beside myself with glee!!

The first output below is the result from running Update_UEFI-CA2023.ps1, the second, in case you were interested, is the result from the \Check_UEFI-CA2023.ps1 script.

I don't know if you can appreciate how grateful I am that you published this! Thanks VERY MUCH!

After your update script:
Code: 
PS C:\Users\theislands> powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

PS C:\Users\theislands>

Before your Update script:
Code: 
PS C:\Users\theislands> powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023.ps1
Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI is in Setup Mode (NO CERTS).
    Windows BootMgr SVN 7.0

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 0
        [Windows UEFI CA 2023] not in UEFI DB.


REQUIRED ACTION
===============

OPTION 1:  To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the command:

    Update_UEFI-CA2023.ps1


OPTION 2:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the command:

    Update_UEFI-CA2023.ps1 -Revoke

PS C:\Users\theislands> powershell -nop -ep bypass -f C:\temp\Update_UEFI-CA2023.ps1
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI DB.
Successfully wrote "DefaultDbx.bin" to UEFI DBX.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.

REQUIRED ACTION
---------------
Restart Windows, for UEFI updates to take effect.

PS C:\Users\theislands>
 

My Computers

System One System Two

  • OS
    Windows 11 Home, ver 25H2 build 26200.8246
    Computer type
    Laptop
    Manufacturer/Model
    Hewlett-Packard Spectre 13-4001 x360 convertable
    CPU
    Intel Core i5 5200U @ 2.20GH
    Motherboard
    Hewlett-Packard 802D
    Memory
    4 GB
    Graphics Card(s)
    Intel HD Graphics 5500 on board
    Sound Card
    Intel Smart Sound Technology (Intel SST)
    Hard Drives
    Micron 256GB M.2 2280 NGFF SSD MTFDDAV256TBN, (SATA 6.0 Gb/s)
    Keyboard
    Model # G01KB
    Antivirus
    Microsoft Defender
    Other Info
    born on date: 25 Feb 2016
  • Operating System
    Win 11 Home 25H2 build 26200.7922
    Computer type
    PC/Desktop
    Manufacturer/Model
    Asus Desktop model M32AD-US019S (DOM: 6/9/2014 )
    CPU
    Intel Core i7 4th Gen 4790 (3.60GHz), Haswell 22nm Technology, SOCKET 1150
    Motherboard
    H81M-E/M51AD/DP_MB
    Memory
    Samsung 16 GB DDR3 (8GB in 2 modules)
    Graphics card(s)
    NVIDIA GeForce GTX 760, 3GB, and on-board Intel HD Graphics 4600 Rev 6
    Monitor(s) Displays
    HP EliteDisplay E241i LED; HP EliteDisplay E243
    Hard Drives
    Samsung 500GB SSD, 870 EVO (SATA 6.0 )
    Micron 250GB SSD, CT250MX500
    Toshiba HDD, 3GB (original drive w/PC)
    Case
    ASUS
    Keyboard
    ASUS-------------------------
    Antivirus
    MS Defender
    Other Info
    Additional Laptops:

    HEWLETT PACKARD
    HP OmniBook X Flip NGAI (Next Gen AI),
    Model: 16-as0023dx
    PT# B5UH1UA#ABA Product #: B5UH1UA
    delivered and setup 7/25/25
    16" 2K Touch-Screen Laptop
    Intel Core Ultra 7 256V '24 Series 2 - CPU
    Boost Clock Frequency 4.8 gigahertz; Neural Processing Unit (NPU) Yes;
    16GB Memory, LPDDR5X
    1TB SSD PCIe 4.0
    Graphics: Intel Arc 140V
    1 x HDMI 2.1
    1 x Thunderbolt 4
    2K Touch-Screen display, LED, IPS; 1920 x 1200 (Full HD+)
    USB Ports: 1 x USB-C 3.1, 2 x USB-A 3.1
    Wi-Fi 6E
    weight 4.15 pounds

    DELL
    Model:I7591-7483BLK-PUS 2-in-1 (7000 Series)
    purchased 12/3/2019,
    15.6 inch 2-IN-1;
    4K Ultra HD Touch-Screen, 3840 x 2160,
    Intel Core i7 10510U CPU 1.80GHz,
    16GB RAM DDR4 SDRAM 2400 megahert (2 slots),
    dedicated graphics Nvidia GeForce MX250 2 GB Graphics,
    PCIe 512GB Intel SSD + 32GB Optane Memory (Intel Optane Memory H10 with solid-state storage),
    wireless-AX & Bluetooth
    Battery: 68wh, Type 4VGMP 4 cell
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom