Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Am i supposed to use Macrium Reflect X Windows RE Boot Media or Windows PE Boot Media after revoking the 2011 Cert? thats last part i need to get all taken care of, and think i should be fine hopefully

Windows Media believe is already using 2023 Cert as Windows is using 2023 CA version from my last clean install of 25H2

Just need to get Macrium Reflect X Rescue Media all squared away and im good
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
bikemanAMD said:
Am i supposed to use Macrium Reflect X Windows RE Boot Media or Windows PE Boot Media after revoking the 2011 Cert? thats last part i need to get all taken care of, and think i should be fine hopefully

Windows Media believe is already using 2023 Cert as Windows is using 2023 CA version from my last clean install of 25H2

Just need to get Macrium Reflect X Rescue Media all squared away and im good
Click to expand...

For the new scripts, the USB bootable media check isn't on by default. Insert your USB drive(s), and run the command:
Code: 
Check_UEFI-CA2023.ps1 -BootMedia

If you need to update the same USB drive(s), then run:
Code: 
Update_UEFI-CA2023.ps1 -BootMedia

I didn't want the script touching the USB drive's boot file (without permission), since it might be shared with another PC.
 

My Computer

System One

  • OS
    Windows 7
Except when i run the Update_UEFI-CA2023.ps1 -bootmedia portion i receive the following error

PS C:\Temp> ./Update_UEFI-CA2023.ps1 -BootMedia
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Incorrect authentication data: 0xC0000022


Guess at this point i'll hope i don't ever have a need to use it, then re update the Macrium Reflect X recovery USB after June 2026 lol.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
Results i get from trying this one

Code: 
PS C:\Temp> ./Update_UEFI-CA2023.ps1 -BootMedia

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Temp\Update_UEFI-CA2023.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
At C:\Temp\Update_UEFI-CA2023.ps1:998 char:73
+ ... if ((Compare-Object (Get-SecureBootUEFI SetupMode).Bytes @(1)).Count)
+                                                                         ~
Missing statement block after if ( condition ).
At C:\Temp\Update_UEFI-CA2023.ps1:1280 char:1
+ }
+ ~
Unexpected token '}' in expression or statement.
    + CategoryInfo          : ParserError: (:) [], ParseException
    + FullyQualifiedErrorId : MissingStatementBlock
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
Nope, It ran as was deigned it looked like

Code: 
PS C:\Temp> ./Update_UEFI-CA2023.ps1 -BootMedia

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\Temp\Update_UEFI-CA2023.ps1?
[D] Do not run  [R] Run once  [S] Suspend  [?] Help (default is "D"): R
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Incorrect authentication data: 0xC0000022

And thats why i still end up
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
What happens if you run:
Code: 
((Get-SecureBootUEFI SetupMode).Bytes -Join '') -eq 1
 

My Computer

System One

  • OS
    Windows 7
This is the Result i get from that

Code: 
PS C:\Temp> ((Get-SecureBootUEFI SetupMode).Bytes -Join '') -eq 1
False
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
@garlin, When I run the latest version of the "Check_UEFI-CA2023.ps1" script with the verbose, audit and log options set, this is my output.
Under the "Audit Report" it says Secure Boot is DISABLED. I have checked my BIOS setting and it is definitely enabled and also "msinfo32.exe" shows it as being on too.
Is this a bug with the script?

Windows 11 25H2 (26200.7462)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
HP HP Laptop 15s-fq5xxx
Version: F.27
Date: 2025-12-10

Factory Default UEFI PK Cert
----------------------------
HP UEFI Secure Boot PK 2017

UEFI PK Cert
------------
HP UEFI Secure Boot PK 2017

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
HP UEFI Secure Boot KEK 2017
Microsoft Corporation KEK 2K CA 2023

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
HP UEFI Secure Boot KEK 2017
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
HP UEFI Secure Boot DB 2017
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
HP UEFI Secure Boot DB 2017
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
Debian Secure Boot Signer
Canonical Ltd. Secure Boot Signing
EFI_CERT_SHA256_GUID Signatures: 190

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Debian Secure Boot Signer
Canonical Ltd. Secure Boot Signing
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 446

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.


AUDIT REPORT
============
1. Secure Boot is DISABLED

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP 15s-fq5xxx
    CPU
    12th Gen Intel(R) Core(TM) i7-1255U (1.70 GHz
    Memory
    16.0 GB
    Graphics Card(s)
    Intel iRIS Xe
    Screen Resolution
    1920 x 1080
    Hard Drives
    Samsung SSD 512 GB
    Mouse
    Logitech Pebble
    Internet Speed
    500/50 Mb/sec
    Browser
    Chrome
    Antivirus
    Defender
Brian48 said:
@garlin, When I run the latest version of the "Check_UEFI-CA2023.ps1" script with the verbose, audit and log options set, this is my output.
Under the "Audit Report" it says Secure Boot is DISABLED. I have checked my BIOS setting and it is definitely enabled and also "msinfo32.exe" shows it as being on too.
Is this a bug with the script?
Click to expand...
Brian48 said:
AUDIT REPORT
============
1. Secure Boot is DISABLED
Click to expand...
Maybe a bug. Try this version.
 

Attachments

My Computer

System One

  • OS
    Windows 7

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP 15s-fq5xxx
    CPU
    12th Gen Intel(R) Core(TM) i7-1255U (1.70 GHz
    Memory
    16.0 GB
    Graphics Card(s)
    Intel iRIS Xe
    Screen Resolution
    1920 x 1080
    Hard Drives
    Samsung SSD 512 GB
    Mouse
    Logitech Pebble
    Internet Speed
    500/50 Mb/sec
    Browser
    Chrome
    Antivirus
    Defender
I also get the Audit Report "Secure Boot is DISABLED" every time, even though everything else looks good.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo P16s Workstation
    CPU
    Intel i7-1260P 12th Gen 4.7GHz
    Memory
    32GB DDR4-3200
    Graphics Card(s)
    NVIDIA T550 Laptop GPU
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    16" Laptop Display
    Screen Resolution
    2560x1600
    Hard Drives
    2TB Samsung M.2 2280 SSD PCIe 4.0 x 4 NVMe
    Mouse
    Logitech MX Anywhere 2s
    Internet Speed
    1000 Mb
    Browser
    Firefox
    Antivirus
    Avast
  • Operating System
    Windows 11 Pro 24H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo P50 Workstation
    CPU
    i7-6820HQ 6th Gen 3.6 GHz
    Memory
    32GB DDR4-2133
    Graphics card(s)
    NVIDIA Quadro M2000M Laptop GPU
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    15.6" Laptop Display
    Screen Resolution
    1920x1080
    Hard Drives
    2 x 1TB Samsung M.2 2280 SSD PCIe 3.0 x 4 NVMe
    Cooling
    Dual Fan System
    Mouse
    Logitech MX Anywhere 2s
    Internet Speed
    1000 Mb
    Browser
    Firefox
    Antivirus
    Avast
Out of curiousity, are you using PS 5 (powershell.exe) or PS 7 (pwsh.exe)?
 

My Computer

System One

  • OS
    Windows 7
garlin said:
Out of curiousity, are you using PS 5 (powershell.exe) or PS 7 (pwsh.exe)?
Click to expand...
It's pwsh.exe. Under Installed Apps it's 7.5.4.0 10/24/2025.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 24H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo P16s Workstation
    CPU
    Intel i7-1260P 12th Gen 4.7GHz
    Memory
    32GB DDR4-3200
    Graphics Card(s)
    NVIDIA T550 Laptop GPU
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    16" Laptop Display
    Screen Resolution
    2560x1600
    Hard Drives
    2TB Samsung M.2 2280 SSD PCIe 4.0 x 4 NVMe
    Mouse
    Logitech MX Anywhere 2s
    Internet Speed
    1000 Mb
    Browser
    Firefox
    Antivirus
    Avast
  • Operating System
    Windows 11 Pro 24H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo P50 Workstation
    CPU
    i7-6820HQ 6th Gen 3.6 GHz
    Memory
    32GB DDR4-2133
    Graphics card(s)
    NVIDIA Quadro M2000M Laptop GPU
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    15.6" Laptop Display
    Screen Resolution
    1920x1080
    Hard Drives
    2 x 1TB Samsung M.2 2280 SSD PCIe 3.0 x 4 NVMe
    Cooling
    Dual Fan System
    Mouse
    Logitech MX Anywhere 2s
    Internet Speed
    1000 Mb
    Browser
    Firefox
    Antivirus
    Avast
garlin said:
My bad, didn't see where I used an "or" instead of an "and" to check for [not in Setup Mode & not in Secure Boot mode].
Click to expand...

This is what I get now.
Using powershell.exe BTW.
Screenshot 2026-01-06 152953.webp
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP 15s-fq5xxx
    CPU
    12th Gen Intel(R) Core(TM) i7-1255U (1.70 GHz
    Memory
    16.0 GB
    Graphics Card(s)
    Intel iRIS Xe
    Screen Resolution
    1920 x 1080
    Hard Drives
    Samsung SSD 512 GB
    Mouse
    Logitech Pebble
    Internet Speed
    500/50 Mb/sec
    Browser
    Chrome
    Antivirus
    Defender
garlin said:
I think the reason for both problems is I disabled Secure Boot on my test setup, to speed up some repetitive testing; and now that turned out to be a bad decision.
Click to expand...

Audit Report now empty :-):-)
Thanks so much for tracking this down.

Screenshot 2026-01-06 155903.webp
 

My Computer

System One

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP 15s-fq5xxx
    CPU
    12th Gen Intel(R) Core(TM) i7-1255U (1.70 GHz
    Memory
    16.0 GB
    Graphics Card(s)
    Intel iRIS Xe
    Screen Resolution
    1920 x 1080
    Hard Drives
    Samsung SSD 512 GB
    Mouse
    Logitech Pebble
    Internet Speed
    500/50 Mb/sec
    Browser
    Chrome
    Antivirus
    Defender
@garlin After running your latest script, I also no longer get SecureBoot disabled in the Audit section, but I do get "[Production PCA 2011] is missing from UEFI DBX" Is that something I need to be concerned about? This is on my Lenovo T490 laptop. I still need to run it on my older Lenovo M83 desktop.

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
LENOVO 20N20028US
Version: N2IETA6W (1.84 )
Date: 2025-07-02

Factory Default UEFI PK Cert
----------------------------
Lenovo Ltd. PK CA 2012

UEFI PK Cert
------------
Lenovo Ltd. PK CA 2012

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Lenovo Ltd. KEK CA 2012
Microsoft Corporation KEK 2K CA 2023

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Lenovo Ltd. KEK CA 2012
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
ThinkPad Product CA 2012
Lenovo UEFI CA 2014
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
ThinkPad Product CA 2012
Lenovo UEFI CA 2014
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
Debian Secure Boot Signer
Canonical Ltd. Secure Boot Signing
EFI_CERT_SHA256_GUID Signatures: 466

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 486

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


AUDIT REPORT
============
1. [Production PCA 2011] is missing from UEFI DBX


REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled.
You must log in or register to reply here.

Latest Support Threads

Latest Tutorials

Back
Top Bottom