Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

TheVisitor · Jan 1, 2026

Dirtyflash said:
Let me try helping you out. I created a folder under C called Temp, essentially called C/Temp. I then put both the Check and Update commands into that folder. Next step, open PowerShell as an Administrator. To run the commands, they would look like this:

powershell -nop -ep bypass -f C:\Temp\Check_UEFI-CA2023.ps1

powershell -nop -ep bypass -f C:\Temp\Update_UEFI-CA2023.ps1

Thanks, that worked...not sure if there is more I need to do other than wait:
PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp\update_uefi-ca2023.ps1
Successfully appended "DBUpdate3P2023.bin" to UEFI DB.
Successfully appended "DBUpdateOROM2023.bin" to UEFI DB.
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Incorrect authentication data: 0xC0000022
PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp\check_uefi-ca2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.

REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

I DID NOT run the update revoke, don't know how to finish the steps to manually add the KEK ca 2023

bikemanAMD · Jan 1, 2026

Results from Check UEFI-CA2023.ps1

Code:

PS C:\Temp> powershell -nop -ep bypass -f Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

To install SkuSiPolicy.p7b, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x20 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

So do i just add that Reg key and restart system? and i'll be all set

garlin · Jan 1, 2026

cybesis said:
This looks like a great resource for managing Secure Boot CA updates! The automation approach with PowerShell is definitely the way to go - it eliminates a lot of the manual guesswork that comes with following various guides.

Have you tested these scripts on both traditional BIOS and UEFI systems? I'm curious about the compatibility across different motherboard manufacturers, especially with some of the older hardware that might still be running Windows 11.

If your PC is normal BIOS, then Secure Boot doesn't exist.
If your PC is UEFI running in legacy/CSM mode, Secure Boot isn't supported.

cybesis · Jan 1, 2026

Ah got it, thanks for clarifying! That makes sense - I should have been more specific in my question. I was thinking more about the UEFI systems that are running in CSM/legacy mode where Secure Boot would be disabled.

starchase · Jan 1, 2026

Dirtyflash said:
I couldn't get out of Setup Mode in order to turn Secure Boot back on without Resetting Factory Keys.

If I understand your point correctly, when I ran @garlin 's Update command and rebooted I didn't have to go into the UEFI firmware to turn Secure Boot back on. The script accomplished that itself, I think because since the script populated the new Certs that automatically turned Secure Boot on.

Dirtyflash · Jan 1, 2026

starchase said:
If I understand your point correctly, when I ran @garlin 's Update command and rebooted I didn't have to go into the UEFI firmware to turn Secure Boot back on. The script accomplished that itself, I think because since the script populated the new Certs that automatically turned Secure Boot on.

Yeah, if the certs are in place after the update, Secure Boot will typically enable itself and switch back to User Mode. If it goes off the rails, then you're stuck with having to reset the factory keys.

Brian48 · Jan 1, 2026

Aramil said:
Run the following commands in an elevated Windows PowerShell prompt to install skuSipolicy manually if the script is having trouble (line by line)

That fixed it, thankyou

gunrunnerjohn · Jan 1, 2026

I ran the two commands to fix the SkuSiPolicy.p7b (for VBS) is NOT PRESENT error. After rebooting I still have the same error.

garlin · Jan 1, 2026

bikemanAMD said:
So do i just add that Reg key and restart system? and i'll be all set

No, there's an incoming fix where the update script will get a -SkuPolicy option to push the file.

For now (as Administrator):

Code:

mountvol s: /s
copy \Windows\system32\SecureBootUpdates\SKUSiPolicy.P7b s:\EFI\Microsoft\Boot
mountvol s: /d

bikemanAMD · Jan 1, 2026

Ran the Reg Add command to fix SkuSiPolicy.p7b, after Check again, and looks like now i'm all set

Code:

PS C:\Temp> powershell -nop -ep bypass -f Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Looks like i'm totally all set now

Scott · Jan 1, 2026

All 3 of my computers are good to go. This is from my oldest. And thank you @garlin for the new scripts.
System 3 Specs
25H2 26200.7462 Clean Install
ASUS PRIME Z370-P II BIOS 3004 7/12/21
Intel Core i7-8700 CPU @ 3.20GHz
32GB DDR4 RAM (4x8)
iGPU Intel UHD Graphics 630

Rollback_Jockey · Jan 1, 2026

Is there any way to revert this to 2011 standards, i've got a Toshiba Satellite that's not playing ball.

garlin · Jan 1, 2026

Rollback_Jockey said:
Is there any way to revert this to 2011 standards, i've got a Toshiba Satellite that's not playing ball.

Regardless of how you update, do a factory reset from the UEFI menu. If you're having real problems, try the UEFI's Setup Mode (which clears all the certs), and run the upgrade script. Then it shouldn't be restricted by any weird BIOS bugs.

Rollback_Jockey · Jan 1, 2026

garlin said:
Regardless of how you update, do a factory reset from the UEFI menu. If you're having real problems, try the UEFI's Setup Mode (which clears all the certs), and run the upgrade script. Then it shouldn't be restricted by any weird BIOS bugs.

Thais the problem, this old Toshiba laptop doesn't have such options, it's On or Off, nothing else.

suatcini54 · Jan 2, 2026

garlin said:
Back in 2023, MS made the first recommendation to copy SkuSiPolicy.p7b, whenever Windows is running VBS.

cjee21's GitHub suggests AvailableUpdates = 0x20 will force the scheduled task to copy the file. But in reviewing the MS docs, there isn't confirmation of that. I found online comments from 2023 that suggest using a 0x10 (enable policy enforcement) or 0x30 value (0x10 + 0x20).

All we have right now are instructions to simply copy the file, without making other changes. Since MS hasn't indicated you should be using AvailableUpdates to push SkuSiPolicy.p7b, I will change the script's output to suggest you use the update script.

Thanks for your answer. I guess my PC doesn't have "Virtualization Based Security". That was my initial thought when I got the Required Action suggestion the second time.

Happy new year.

kelper · Jan 2, 2026

I got part way and then this error

PS C:\Users\mross> cd C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates
PS C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1 -Revoke
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 7.0) to UEFI DBX.
Deployed SkuSiPolicy.p7b (for VBS).
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Incorrect authentication data: 0xC0000022

So I went into BIOS and erased all Secure Boot settings and tried again - it worked!

I have this result. Many thanks to Garlin

PS C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1 -Revoke
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI DB.
Successfully wrote "DefaultDbx.bin" to UEFI DBX.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 7.0) to UEFI DBX.

PS C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Dirtyflash · Jan 2, 2026

kelper said:
I got part way and then this error

PS C:\Users\mross> cd C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates
PS C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1 -Revoke
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 7.0) to UEFI DBX.
Deployed SkuSiPolicy.p7b (for VBS).
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Incorrect authentication data: 0xC0000022

So I went into BIOS and erased all Secure Boot settings and tried again - it worked!

I have this result. Many thanks to Garlin

PS C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1 -Revoke
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI DB.
Successfully wrote "DefaultDbx.bin" to UEFI DBX.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 7.0) to UEFI DBX.

PS C:\Users\mross\Downloads\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Thought I would give it a try by using Clear Keys instead of Setup Mode in the Secure Boot BIOS. Well, made a bit more progress, but ran into the same problem that I seem to have had with Mosby. There seems to be a problem with the BIOS allowing the PK Key to be updated, some sort of security restriction that is coded into the BIOS by Lenovo. It means I must now resort back to the Factory Keys in order to turn Secure Boot back on, oh well.

Scott · Jan 2, 2026

suatcini54 said:
Thanks for your answer. I guess my PC doesn't have "Virtualization Based Security". That was my initial thought when I got the Required Action suggestion the second time.

Your System 1 does have VBS. It needs to be enabled in BIOS.

Dirtyflash · Jan 2, 2026

@garlin is there a way for the Update script to run and leave the Lenovo PK in place? It seems when running the update it blows out the Lenovo key and tries to replace it, which is restricted and generates an error. Otherwise from my previous post you can see everything else installed nicely. I've reset the Factory Keys and fixed the bootloader so that I could turn Secure Boot back on.

suatcini54 · Jan 2, 2026

Scott said:
Your System 1 does have VBS. It needs to be enabled in BIOS.

View attachment 158645

Thanks. Virtualization Tech is already enabled in BIOS because I have an Hyper-V VM running. But I am not able to enable Memory İntegrity in Core Isolation. I have an Asus driver in my system that blocks turning on of Memory Integrity if this is what makes me think I have no VBS. I have checked for an updated driver but there is none. Asus has already stopped supporting my M/B.

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers