Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Fracer · Jan 20, 2026

Fracer said:
Hidden folders:

Relative path is .\C:\WINDOWS\System32\SecureBootUpdates

PS D:\UTILS95\UEFISecureBootVariables-garlin>

Yes, appears to be an "operator error"!
With apologies, here are the re-runs with both powershell & pwsh (slightly different).

======================================================================
$Paths = (C:\WINDOWS\System32\SecureBootUpdates)

Testing path to "C:\WINDOWS\System32\SecureBootUpdates"

Test-Path "C:" is valid.
Read 5195 directory items

Hidden folders:

Mode Name
---- ----
d--h-- GroupPolicy

Test-Path "C:\WINDOWS" is valid.
Read 124 directory items

Hidden folders:
d--h-- ELAMBKUP
d--hs- Installer
d--h-- LanguageOverlayCache

Test-Path "C:\WINDOWS\System32" is valid.
Read 5195 directory items

Hidden folders:
d--h-- GroupPolicy

Test-Path "C:\WINDOWS\System32\SecureBootUpdates" is valid.
Read 11 directory items

Hidden folders:

Relative path is .\SecureBootUpdates

PS C:\WINDOWS\system32> [note current directory]
======================================================================

PowerShell 7.5.4
$Paths = (C:\WINDOWS\System32\SecureBootUpdates)

Testing path to "C:\WINDOWS\System32\SecureBootUpdates"

Test-Path "C:" is valid.
Read 18 directory items

Hidden folders:

Mode Name
---- ----
d--hs $Recycle.Bin
d--h- $WINDOWS.~BT
d--h- $Windows.~WS
l--hs Documents and Settings
d--h- ProgramData
d--hs Recovery
d--hs System Volume Information

Test-Path "C:\WINDOWS" is valid.
Read 124 directory items

Hidden folders:
d--h- ELAMBKUP
d--hs Installer
d--h- LanguageOverlayCache

Test-Path "C:\WINDOWS\System32" is valid.
Read 5195 directory items

Hidden folders:
d--h- GroupPolicy

Test-Path "C:\WINDOWS\System32\SecureBootUpdates" is valid.
Read 11 directory items

Hidden folders:

Relative path is C:\WINDOWS\System32\SecureBootUpdates

PS D:\UTILS95\UEFISecureBootVariables-garlin>

Rollback_Jockey · Jan 20, 2026

@garlin Ref the following screensnap, is this an issue on my system or something in your code. Is it something i could /need to resolve

nikki605 · Jan 20, 2026

garlin said:
This one needs to be updated. Leave it plugged, and run Update_UEFI-CA2023.ps1 -BootMedia

I ran the update and then the check but it doesn't look like it worked. Did I do something wrong?

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! Install PowerShell on Windows - PowerShell

PS C:\WINDOWS\system32> Set-ExecutionPolicy unrestricted

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https:/go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes [A] Yes to All [N] No [L] No to All Suspend [?] Help (default is "N"): y
PS C:\WINDOWS\system32> cd C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18
PS C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18> .\Update_UEFI-CA2023.ps1 -BootMedia

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18\Update_UEFI-CA2023.ps1?
[D] Do not run [R] Run once Suspend [?] Help (default is "D"): r
Copying EFI boot files to USB Drive E: "MACRIUMT490"
Boot files successfully created.

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18> .\Check_UEFI-CA2023.ps1 -BootMedia

Security warning
Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your
computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning
message. Do you want to run C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18\Check_UEFI-CA2023.ps1?
[D] Do not run [R] Run once Suspend [?] Help (default is "D"): r
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Bootable Media
--------------
USB Drive E: "MACRIUMT490"
Boot File [Production PCA 2011] is BANNED.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\SecureBoot\SecureBoot-CA-2023-Updates_v2026-01-18>

*****UPDATE: I think I found the problem, but I don't know how to fix it. On the Macrium boot stick, the bootx64.efi file is not located in the \EFI\Microsoft\Boot\ folder. It is located in the \EFI\Boot\ folder. That file is also located in the same folder on the Windows 11 Recovery boot stick. *****

garlin · Jan 20, 2026

Rollback_Jockey said:
@garlin Ref the following screensnap, is this an issue on my system or something in your code. Is it something i could /need to resolve

Offhand, I'm gonna blame you for naming a folder "Steve's Downloads".

Try moving the SecureBoot folder to somewhere without an apostrophe in the pathname. If that works, I'll have to figure out a method for making the script safe for "special characters".

Rollback_Jockey · Jan 20, 2026

garlin said:
Offhand, I'm gonna blame you for naming a folder "Steve's Downloads".

Try moving the SecureBoot folder to somewhere without an apostrophe in the pathname. If that works, I'll have to figure out a method for making the script safe for "special characters".

Yes, that was the answer.

gunrunnerjohn · Jan 20, 2026

garlin said:
Offhand, I'm gonna blame you for naming a folder "Steve's Downloads".

Try moving the SecureBoot folder to somewhere without an apostrophe in the pathname. If that works, I'll have to figure out a method for making the script safe for "special characters".

Apparently, this is a problem with any special character in the pathname. Is there a way to make this work with any valid path?

garlin · Jan 20, 2026

gunrunnerjohn said:
Apparently, this is a problem with any special character in the pathname. Is there a way to make this work with any valid path?

Looking at it. The scripts call themselves again if you're not already in Admin mode. So the path matters.

Dirtyflash · Jan 20, 2026

garlin said:
This is "wrong".

This one is good.

This one needs to be updated. Leave it plugged, and run Update_UEFI-CA2023.ps1 -BootMedia

This may be a silly question, but where can I find the Update_UEFI-CA2023.ps1 -BootMedia script to download?

gunrunnerjohn · Jan 20, 2026

garlin said:
Looking at it. The scripts call themselves again if you're not already in Admin mode. So the path matters.

They seem to have the issue even if I am in Admin mode, as soon as I remove any special characters they work. If I insert some special characters, they fail. Spaces seem OK in the name. I added an @ to the name and it didn't like that, though that's valid in a Windows file or folder name.

With the @ in the folder name, the command window opens and immediately closes. No problem with me, I just removed the @ from the folder name now that I know it's an issue.

Rollback_Jockey · Jan 20, 2026

Dirtyflash said:
This may be a silly question, but where can I find the Update_UEFI-CA2023.ps1 -BootMedia script to download?

The '-Bootmedia' part is typed in by the user after entering the filename 'Check_EFIBootFile.ps1'

garlin · Jan 20, 2026

Rollback_Jockey said:
Yes, that was the answer.

OK, try this fixed version. I ran the script from a folder named:

Code:

Steve's F@lder with $

Rollback_Jockey · Jan 20, 2026

garlin said:
OK, try this fixed version. I ran the script from a folder named:

Code:

Steve's F@lder with $

Rollback_Jockey · Jan 20, 2026

Rollback_Jockey said:
View attachment 160604

Scratch that, i downloaded it again and moved it to the folder specified and it worked that time.. I am confident it was safely copied the first time as i checked the timestamp.

garlin · Jan 20, 2026

Worked...not worked? Sorry, confused to which instance you're referring to.

Winuser · Jan 20, 2026

garlin said:
It's believed the "reg add" for SkuSiPolicy (0x20), doesn't work for the scheduled task.

You'll need to copy it manually, or use the latest version of the update script:

Code:

Update_UEFI-CA2023.ps1 -SkuSiPolicy

I guess I'll have to add it manually or wait for MS. When I tried running it on my old desktop running the Canary build I get a Build 28020.1371 is unsupported.

garlin · Jan 20, 2026

Winuser said:
I guess I'll have to add it manually or wait for MS. When I tried running it on my old desktop running the Canary build I get a Build 28020.1371 is unsupported.

If you're on a beta release, use the interim script from post #273.

Rollback_Jockey · Jan 20, 2026

garlin said:
Worked...not worked? Sorry, confused to which instance you're referring to.

The edition you added just above (Post 311) DID work on the 2nd attempt.

gunrunnerjohn · Jan 20, 2026

garlin said:
OK, try this fixed version. I ran the script from a folder named:

Code:

Steve's F@lder with $

Failed as soon as I added the @ sign.

The folder it's in is: C:\BAT\Check Update Secure Boot Certs by @garlin_2026
If I remove the @ and run, I it runs fine in this folder.

C:\BAT\Check Update Secure Boot Certs by garlin_2026

garlin · Jan 20, 2026

Works for me. Are you inside the folder (or outside) when calling the script? Are you in CMD or powershell at the time?

EB2XR6 · Jan 21, 2026

PowerShell 7.5.4
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is NOT PRESENT.

REQUIRED ACTION
===============

To install SkuSiPolicy.p7b, run the command:
Update_UEFI-CA2023.ps1 -SkuSiPolicy

Garlin thank you for the updated scripts.

I tried the required action and I get this error
PS C:\Downloads> Update_UEFI-CA2023.ps1 -SkuSiPolicy
Update_UEFI-CA2023.ps1: The term 'Update_UEFI-CA2023.ps1' is not recognized as a name of a cmdlet, function, script file, or executable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

The Script is in the C:\Downloads folder.

Also I tried to revoke the 2011 Keys and that did not work.

I am not sure what to try next please? Thanks again.

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

New member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

Attachments

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Active member

My Computer