Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

starchase · Dec 31, 2025

Dirtyflash said:
No luck, but thank you nevertheless! I think it may be because I'm running an older version of 24H2.

I appended the text from the previous powershell check scripts so it looks like this:
PS C:\Users\theislands> powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023.ps1
as I have the scripts copied to the temp folder in Windows root.

garlin · Dec 31, 2025

Rollback_Jockey said:
Was i successful?

Absolutely. Both scripts run a specific set of checks to see if all the target conditions are met.

I don't just depend on the two Windows registry values to confirm if we were successful. This is why you don't need to bother reading the Windows event logs. Because of the extensive checking, the script knows right away whether everything went well.

garlin · Dec 31, 2025

starchase said:
I am absolutely dumbfounded. With just running one script, the Update_UEFI-CA2023.ps1 script (actually I first ran the Check_UEFI-CA2023.ps1 to see what the current state was) , my ASUS Secure Boot state was returned to the 12/13/25 state!!!! I ran this: powershell -nop -ep bypass -f C:\temp\Check_UEFI-CA2023.ps1 powershell Administrator mode, as I copied the scripts to the C:\temp folder, as instructed and it produced the output below. It said reboot but I didn't know if I should boot into the UEFI bios and make any selection about Enabling Secure Boot so I just rebooted right into Windows and ran the Check script and your script populated all th4e Certs that I had before I messed up my settings. Seems since the scripts were now there it automatically turned on Secure Boot. How cool is that!. I am beside myself with glee!!

The first output below is the result from running Update_UEFI-CA2023.ps1, the second, in case you were interested, is the result from the \Check_UEFI-CA2023.ps1 script.

I don't know if you can appreciate how grateful I am that you published this! Thanks VERY MUCH!

Thank you for confirming it worked! I wasn't sure before, since I don't have a PC with one of the older BIOS'es in my home.

At this point, you have the CA 2023 certs installed but have not cancelled the CA 2011 certs. Which is still optional for now.

Steve C · Jan 1, 2026

Where are the links to the scripts e.g. Check_UEFI-CA2023.ps1

garlin · Jan 1, 2026

The ZIP file is attached to post #1, or available from the GitHub link in post #1.

Genix · Jan 1, 2026

Good morning.
After completing the check, it indicates that I have an action to perform.
When I try to update, I get the error shown in the second screenshot.
Is there a solution?
Thank you.

garlin · Jan 1, 2026

Genix said:
Good morning.
After completing the check, it indicates that I have an action to perform.
When I try to update, I get the error shown in the second screenshot.
Is there a solution?
Thank you.

That looks like a bug. Screen image #1 reports everything is updated, except the missing SkuSiPolicy.p7b file.

Screen image #2 looks like Update_UEFI-CA2023.ps1 thinks your system is in Setup Mode, and wants to install all the certs from scratch ("Downloading edk2 from GitHub"). The script fails, because as Screen 1 reports, your PC already has the certs applied ("authentication error 0xC0000022").

The question is why does the update script think it needs to start over? Can you try:

Code:

Unblock-File -Path C:\Users\genix\x\Update_UEFI-CA2023.ps1
C:\Users\genix\x\Update_UEFI-CA2023.ps1

If that doesn't work:

Code:

pwsh -nop -ep bypass -f C:\Users\genix\x\Update_UEFI-CA2023.ps1

Genix · Jan 1, 2026

garlin said:
That looks like a bug. Screen image #1 reports everything is updated, except the missing SkuSiPolicy.p7b file.

Screen image #2 looks like Update_UEFI-CA2023.ps1 thinks your system is in Setup Mode, and wants to install all the certs from scratch ("Downloading edk2 from GitHub"). The script fails, because as Screen 1 reports, your PC already has the certs applied ("authentication error 0xC0000022").

The question is why does the update script think it needs to start over? Can you try:

Code:

Unblock-File -Path C:\Users\genix\x\Update_UEFI-CA2023.ps1 C:\Users\genix\x\Update_UEFI-CA2023.ps1

If that doesn't work:

Code:

pwsh -nop -ep bypass -f C:\Users\genix\x\Update_UEFI-CA2023.ps1

Thank you so much for your reply.

I've tried, but as you can see in the screenshot, it's not working.

I think the Boot/EFI partition/folder is protected and inaccessible.

garlin · Jan 1, 2026

Do you have a dual-boot setup, or is the EFI partition on a different disk than Windows?

Steve C · Jan 1, 2026

I got the result below for my 5 year old HP laptop. Copilot advises my laptop will still boot fine after 2026 even if the 2023 certificates are not installed.

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 0
[Windows UEFI CA 2023] not in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.

REQUIRED ACTION
===============

OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2: To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5be4 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Genix · Jan 1, 2026

garlin said:
Do you have a dual-boot setup, or is the EFI partition on a different disk than Windows?

No, this is the route, but there's like an "EX" image

garlin · Jan 1, 2026

Steve C said:
I got the result below for my 5 year old HP laptop. Copilot advises my laptop will still boot fine after 2026 even if the 2023 certificates are not installed.

That is true, you can continue booting from CA 2011 certs unless MS gets a report of a new security hole in the boot manager. In that case, they would be forced to ship a replacement boot file, and the CA 2011 cert would no longer be valid to sign it (since it expired after 2026).

But the "OPTION 1:" message indicates HP has worked with MS to guarantee the CA 2023 updates can be applied to your model without any troubles.

garlin · Jan 1, 2026

Genix said:
Thank you so much for your reply.

I've tried, but as you can see in the screenshot, it's not working.

I think the Boot/EFI partition/folder is protected and inaccessible.

I have a suspicion it might be your Windows language is Portuguese, and the script is expecting to match an error message in English.

Try this:

Code:

$PSCulture = 'en-US'
$PSUICulture = 'en-US'
C:\Users\genix\x\Update_UEFI-CA2023.ps1

Genix · Jan 1, 2026

garlin said:
I have a suspicion it might be your Windows language is Portuguese, and the script is expecting to match an error message in English.

Try this:

Code:

$PSCulture = 'en-US' $PSUICulture = 'en-US' C:\Users\genix\x\Update_UEFI-CA2023.ps1

It's in Spanish.
It doesn't recognize the command: $PSCulture

I'm sorry to be giving you more work than I'd like.

garlin · Jan 1, 2026

Code:

[Threading.Thread]::CurrentThread.CurrentUICulture = 'en-US'
[Threading.Thread]::CurrentThread.CurrentCulture = 'en-US'

pewa · Jan 1, 2026

This is good stuff. I have copied your scripts for future use. Thanks.

Genix · Jan 1, 2026

garlin said:

Nothing, authentication not supported.

What if I clear the certificates from the BIOS?

garlin · Jan 1, 2026

What I don't understand is your first screen shows the check script can read the UEFI variables, but the second screen proves the update script cannot.

But the two scripts share the same internal functions. If you run the check script again, it reports the same information? Everything is updated, except for SkuSiPolicy.p7b?

Genix · Jan 1, 2026

garlin said:
What I don't understand is your first screen shows the check script can read the UEFI variables, but the second screen proves the update script cannot.

But the two scripts share the same internal functions. If you run the check script again, it reports the same information? Everything is updated, except for SkuSiPolicy.p7b?

Apparently, it allows reading but not writing.
If everything seems to be up to date, I'll show you another checker.
Perhaps it's best to leave it as it is?

garlin · Jan 1, 2026

I'll try a few tests tomorrow, I am concerned if someone actually does get a localized error message. Which I should fix anyway.

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Member

Attachments

My Computer

Well-known member

My Computer

Member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computer

Member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computer

Member

Attachments

My Computer

Well-known member

My Computer

Banned

My Computer

Member

Attachments

My Computer

Well-known member

My Computer

Member

Attachments

My Computer

Well-known member

My Computer