Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


@garlin is there a way for the Update script to run and leave the Lenovo PK in place? It seems when running the update it blows out the Lenovo key and tries to replace it, which is restricted and generates an error. Otherwise from my previous post you can see everything else installed nicely. I've reset the Factory Keys and fixed the bootloader so that I could turn Secure Boot back on.
1. The normal mode of the update script tries to only append Secure Boot keys. It's very safe because if you have a PK (of any sort) in place, then only appends are allowed in the UEFI security model.

2. The script can detect you have a valid PK, but no KEK CA 2023. Then it will copy the KEK CA 2023 cert in file format to the EFI partition. And now you have to help the script by going into your UEFI menu and enrolling it.

3. The script can detect you're in Setup Mode, then it overwrites the PK with the Windows OEM Devices PK (provided by MS). It's done because your vendor hasn't signed a KEK for MS (yet).

I suspect for some users, the script has a bug where it's incorrectly detecting Setup Mode, and skipping past 1 and 2. Working on a possible fix.
 

Thanks for taking the time to reply and explain how the update process works. I'll be your guinea pig if you need someone to test your possible fix.
 

What does this mean? I ran Update_UEFI-CA2023.ps1, and at the end of the report it shows the below. Why would I revoke what I just ran?

REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke
 

Can you share the check script's full output? It should be more informative

By default the Update script will only install the CA 2023 certs, but not revoke CA 2011. But some additional actions are only provided in the revoke phase.

Update only actions:
Add KEK CA 2023 (if possible)
Add UEFI CA certs
Install new boot file (if cert adds were successful)

Revoke only actions:
Revoke CA 2011 cert
Update DBX list with list of banned EFI files
Add DBX SVN to prevent use of older boot files
Add SkuSiPolicy file to prevent use of older boot files

If you have VBS enabled in Windows, the current version of the script might be asking you to run -Revoke to add the SkuSiPolicy file. In the next version of the script, this can be done without calling the entire revoke sequence.

The reason the script is split in two phases, is the Update only half is additive (it doesn't take away anything you could do before), and the Revoke only half is subtractive (it takes away options to enforce security).
 

@garlin :
PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp\update_uefi-ca2023.ps1
Successfully appended "DBUpdate3P2023.bin" to UEFI DB.
Successfully appended "DBUpdateOROM2023.bin" to UEFI DB.
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Incorrect authentication data: 0xC0000022
PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp\check_uefi-ca2023.ps1
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.
 

That's exactly what I expected. Check wants you to run -Revoke just to copy the SkuSiPolicy.p7b file. That will be fixed in the next release.

Can you run:
Code:
powershell -nop -ep bypass -f C:\temp\check_uefi-ca2023.ps1 -Verbose -Audit

I need to understand more details about your PC's UEFI.
 

@garlin, here is the audit report:
PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp\check_uefi-ca2023.ps1 -Verbose -Audit
Windows 11 25H2 (26200.7462)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
HP HP Pavilion Desktop TP01-1xxx
Version: F.54
Date: 2025-08-03

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
(NONE)
[KEK CA 2023] Update is available from HP or Microsoft.

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is missing.
EFI_CERT_SHA256_GUID Signatures: 483

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 1
[Windows UEFI CA 2023] in UEFI DB.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


AUDIT REPORT
============
1. Secure Boot is DISABLED
2. [Microsoft Corporation KEK 2K CA 2023] is missing from UEFI KEK
3. [Production PCA 2011] is missing from UEFI DBX
4. Windows BootMgr SVN is missing from UEFI DBX
5. Windows Boot Manager [Production PCA 2011] is wrong version
6. SkuSiPolicy.p7b (for VBS) is missing


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.


I'm getting more confused as things go along. Secure Boot is ON, but the audit says it's not?
 

Hello.

I'm sorry to add more confusion, but I'm getting a very similar output to @TheVisitor, with one difference: in EFI Files, I get this:
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is BANNED.
In Audit, I also get "secure boot is disabled".
On the other hand, the script doesn't seem to detect the factory PK UEFI and UEFI PK Certs, which I think I have, as per the screenshot I'm also attaching.
I also have the combined Kek Cert 2023 and SkuSiPolicy.p7b in the secure boot folder, but they haven't been applied yet, perhaps awaiting processing by Microsoft.
And when I try to run the update script, I get the error:
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
incorrect authentication data: 0xC0000022

I hope I haven't been too confusing.

Results:

Audit:
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is BANNED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


AUDIT REPORT
============
1. Secure Boot is DISABLED
2. [Microsoft Corporation KEK 2K CA 2023] is missing from UEFI KEK
3. [Production PCA 2011] is missing from UEFI DBX
4. SkuSiPolicy.p7b (for VBS) is missing


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

PS C:\WINDOWS\system32>

Verbose:
Windows 11 25H2 (26200.7462)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
Dell Inc. XPS 13 9360
Version: 2.21.0
Date: 2022-06-02

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
(NONE)
Manual update of [KEK CA 2023] is REQUIRED.

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
Microsoft Windows PCA 2010
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 486

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is BANNED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

PS C:\WINDOWS\system32>
1.webp

Thanks ;-)
 

Interesting. Maybe that's why my script is acting weird for certain PCs, the function can find a valid cert name.

Can you run this PS script?
Code:
powershell -nop -ep bypass -f C:\temp\WhatsMyPK.ps1

Example:
Code:
Subject      : CN=UEFI PK, OU=VirtualBox, O=Oracle Corporation, L=Redwood City, S=California, C=US
Issuer       : CN=UEFI PK, OU=VirtualBox, O=Oracle Corporation, L=Redwood City, S=California, C=US
Thumbprint   : 71294BE55141D77AC2901618E69F8A6DCA7E8B9D
FriendlyName :
NotBefore    : 9/29/2021 12:26:17 PM
NotAfter     : 1/15/2038 11:26:17 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
 

@garlin: your request

PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp\WhatsMyPK.ps1


Subject : O=HP Inc., C=US, OU=CODE-SIGN, CN=HP UEFI Secure Boot PK 2017
Issuer : CN=HP Inc. PK 2016 CA, O=HP Inc., C=US
Thumbprint : D52AC7DB954C167A386E1AA955249A4D9BDADEDD
FriendlyName :
NotBefore : 1/19/2017 7:00:00 PM
NotAfter : 1/16/2033 6:59:59 PM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid...}
 

Thank you!! That explains why the update script's been failing for several users. HP's PK certificate uses a different ordering for the "CN=" part. Which confuses my string parser, which expects it to be different, and falsely claims there's no PK cert.

I'll go work on a fix tonight.
 

Thanks...
 

And here is another sample, one of my problematical machines, a Lenovo M83 desktop:

Subject : CN=DO NOT TRUST - AMI Test PK
Issuer : CN=DO NOT TRUST - AMI Test PK
Thumbprint : 9A3056B5260F628645B4D9AC61AEBD8060305C3E
FriendlyName :
NotBefore : Wed 03 06 2013 08:16:55 AM
NotAfter : Mon 03 06 2017 08:16:54 AM
Extensions : {System.Security.Cryptography.Oid}
 

Here's the output from the unsupported device, if it's of any interest:
That's both interesting and strange.

I was puzzled as to why Lenovo sneaked in the word "KEK" in their PK's name. But it's part of their submission to the MS master list:
Code:
    "7b4d9735151cb81afdc09531ebbff2f0e3588775": {
        "KEKUpdate": "Lenovo/KEKUpdate_Lenovo_PK2.bin",
        "Certificate": {
            "serial_number": "91dafcdb9605b0d8",
            "issued_to": "[email protected],CN=TPCDL-KEK,OU=TPCDL,O=Lenovo(Beijing) Ltd.,L=Beijing,ST=Beijing,C=CN",
            "issued_by": "[email protected],CN=TPCDL-KEK,OU=TPCDL,O=Lenovo(Beijing) Ltd.,L=Beijing,ST=Beijing,C=CN"
        }
    },

For the curious, the bug was in the regular expression I used to split the CN= field. What the script is supposed to extract is colored in orange.
Courtesy of regex101: build, test, and debug regex

Capture1.webp

Capture2.webp

UPDATE:
Future @garlin would like to remind past @garlin that '(CN=)([^,]+)' works just fine.
 
I have a specific check to trap "DO NOT TRUST" or "TEST" PK's in Check_UEFI-CA2023.ps1

AMI released a PK fix in 2024 for the "DO NOT TRUST" PK, in the form of a PowerShell script to swap out the PK. It's kinda geeky.
GitHub - CERTCC/PKfail: Mitigations & detection tools for VU#455367

Technically Lenovo should have pushed a firmware fix, but they might have abandoned it...

What you can do is to set your UEFI into Setup Mode (clearing the certs), and Update_UEFI-CA2023.ps1 will install the "Windows OEM Devices PK" as a replacement for "DO NOT TRUST". Functionally it's the same thing as the official fix.

I would wait until tomorrow, after I check in the latest bug fixes before trying to update your UEFI.
 

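The CN= extraction problem and the "DO NOT TRUST"/"TEST" check from the two posts above, as an added example that is not code from garlin's scripts. The subject strings are the ones posted in this thread and `'(CN=)([^,]+)'` is the pattern quoted in the UPDATE; the function names, the position-dependent "fragile" pattern and the test-key pattern are assumptions made for illustration.

```powershell
# Added example; not taken from Update_UEFI-CA2023.ps1 or Check_UEFI-CA2023.ps1.
# Function names, the fragile pattern and the test-key pattern are hypothetical.

function Get-SubjectCNFragile {
    param([Parameter(Mandatory)][string]$Subject)
    # Position-dependent: assumes CN= is the first component and another one follows it.
    if ($Subject -match '^CN=([^,]+),') { return $Matches[1].Trim() }
    return $null
}

function Get-SubjectCN {
    param([Parameter(Mandatory)][string]$Subject)
    # Pattern quoted in the thread: first "CN=" anywhere in the string,
    # value runs to the next comma or to the end of the string.
    # Limitation: a CN that itself contains a quoted or escaped comma is cut short.
    if ($Subject -match '(CN=)([^,]+)') { return $Matches[2].Trim() }
    return $null
}

function Test-PlaceholderPK {
    param([string]$CommonName)
    # Flags vendor test keys by name; -match is case-insensitive in PowerShell.
    return [bool]($CommonName -match 'DO NOT TRUST|\bTEST\b')
}

# Subject / Issuer strings copied from the WhatsMyPK.ps1 outputs posted in this thread.
$Samples = [ordered]@{
    'VirtualBox PK' = 'CN=UEFI PK, OU=VirtualBox, O=Oracle Corporation, L=Redwood City, S=California, C=US'
    'HP PK'         = 'O=HP Inc., C=US, OU=CODE-SIGN, CN=HP UEFI Secure Boot PK 2017'
    'Lenovo M83 PK' = 'CN=DO NOT TRUST - AMI Test PK'
    'Dell PK'       = 'CN=Dell Inc. UEFI Platform Key, OU=Signing, OU=1, DC=dell, DC=com'
    'Dell issuer'   = 'CN=Dell Inc. Issuing CA 1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=dell, DC=com'
}

$Rows = foreach ($Name in $Samples.Keys) {
    $Subject = $Samples[$Name]
    $CN      = Get-SubjectCN -Subject $Subject
    [pscustomobject]@{
        Sample    = $Name
        FragileCN = Get-SubjectCNFragile -Subject $Subject
        CN        = $CN
        TestKey   = Test-PlaceholderPK -CommonName $CN
    }
}

$Rows | Format-Table -AutoSize
```

On these inputs the position-dependent pattern returns nothing for the HP subject (CN= is the last component) and for the AMI test key (CN= is the only component), the same kind of false "no PK cert" result reported in the thread. Only the AMI subject is flagged as a test key.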
Here's my output in case it can help:

PS C:\WINDOWS\system32> C:\Users\Desktop\WhatsMyPK.ps1
Subject : CN=Dell Inc. UEFI Platform Key, OU=Signing, OU=1, DC=dell, DC=com
Issuer : CN=Dell Inc. Issuing CA 1, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=dell,
DC=com
Thumbprint : 0762693DF96808460ED8ECB869A02AE287EA4FD9
FriendlyName :
NotBefore : 17/07/2012 01:51:45
NotAfter : 17/07/2014 02:21:45
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
System.Security.Cryptography.Oid...}

PS C:\WINDOWS\system32>

Thanks ;-)
 

@garlin Hi.

I have run the command check_uefi-ca2023.ps1 in audit mode, which you wrote, and I got the below result. I place the result here, thinking that it may somehow help you because I saw some inconsistencies in the result.

First: At the beginning of the result output, it read the secure boot is on.

Audit-0.webp

At the end, it read Secure Boot is disabled. How could this be?

Audit-2.webp

Also, at some point during calculation the PS script yielded an error.

Audit-1.webp

If these things do not mean anything, please disregard this post.

I also have a complete text output of the PS script.

Windows 11 25H2 (26200.7462)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
ASUS All Series
Version: 2503
Date: 2016-02-26

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
(NONE)

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At H:\DOWNLOADS\SecureBoot-CA-2023-Updates\check_uefi-ca2023.ps1:1079 char:62
+ ... gnatures: {1}' -f $Tab4, (Get-SecureBootUEFI -Name dbxDefault | Get-U ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [Get-S
ecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand


UEFI DBX Certs
--------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 438

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.


AUDIT REPORT
============
1. Secure Boot is DISABLED
2. SkuSiPolicy.p7b (for VBS) is missing


REQUIRED ACTION
===============

To install SkuSiPolicy.p7b, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x20 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Please keep up the good work.
 

@garlin Hi,

Is there an alternate way to install the SkuSiPolicy.p7b? I've tried the following several times, but I still get the same error. I'm running Win 11 Pro 25H2, Build 26220.7523.

1767456989120.webp
 
