Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Okay! Imma do this on Monday then! Probably will consult about updating my Macrium USB drive as well (created using Macrium Free V8), I'll let you know the result for all my PCs, including mom's, which theoretically shouldn't be a problem because it has almost the same specs as my desktop, except it uses an iGPU only X3.

One more question: This is permanent, right? If I reset a BIOS to defaults for some reason, this persists... right?

Thanks a bunch for all the help!
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built PC
    CPU
    AMD Ryzen 5 5600G @ 3.9/4.4Ghz
    Motherboard
    MSI B550M-PRO-WiFi Ver. 1.4
    Memory
    2 x 16 GB DDR4 Kingston Fury Beast 3200 Mhz
    Graphics Card(s)
    AMD Radeon RX 6600 XT MSI Mech 2X OC Edition 8 GB
    Sound Card
    Realtek High Definition Audio (Integrated)
    Monitor(s) Displays
    Samsung C50Rx 27" LED / HP S2031 20" LCD
    Screen Resolution
    1920 x 1080 px / 1600 x 900 px
    Hard Drives
    WD Blue SN570 NVME M.2 SSD [1 TB] -- External Drives: - WD Scorpion Blue 250 GB 5400 RPM (Data Backup) - Hitachi 500 GB 5400 RPM (Software / ISOs Backup) - Toshiba MQ01ABD100 1 TB 5400 RPM (OS Images) - HGST TravelStar 7K1000 1 TB, 7200 RPM USB 3.0 - ADATA SU800 2TB SSD USB 3.0
    PSU
    Corsair RM750e 750W Fully Modular
    Case
    Naceb Hydra NA-1602
    Cooling
    Naceb Orpheus x 3 (Front) + Naceb Cepheus 1200 RPM Max (Rear) + ThemalRight Assasin X 90 SE (CPU)
    Keyboard
    Logitech MK470 Wireless
    Mouse
    Logitech MK470 Wireless
    Internet Speed
    120 MB Symetrical
    Browser
    Firefox / Brave / Edge
    Antivirus
    Windows Defender
    Other Info
    - VMs: WMware Player - Windows 8.1 Pro x64 / Windows 11 Pro
    - Wacom Intuos Pro Small Tablet PTH-460
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 15-eh3000la (80M53LA)
    CPU
    AMD Ryzen 7 7730U @ 2.0/4.5 Ghz
    Motherboard
    HP 8BC7
    Memory
    2 x 16 GB Kingston Fury Impact DDR4 3200 Mhz
    Graphics card(s)
    Radeon (tm) Graphics Vega 8 (512 MB)
    Sound Card
    Realtek High Definition Audio (Integrated)
    Monitor(s) Displays
    AU Optronics
    Screen Resolution
    1920 x 1080 px (125% size)
    Hard Drives
    WD Blue SN570 1TB NVME M.2 Drive
    PSU
    45 Watt Charger
    Cooling
    Laptop Cooling Pad
    Keyboard
    Free Wolf Foldable Portable Keyboard
    Mouse
    Free Wolf Wireless Mouse
    Internet Speed
    120 MB Symetrical
    Browser
    Firefox / Brave / Edge
    Antivirus
    Windows Defender
    Other Info
    - 41mWh battery.
    - Wacom Intuos Pro Small Tablet PTH-460
Oh BTW... when doing this, is this permanent? Meaning if I reset my BIOS settings for whatever reason on any PC, will the Certs still be installed in there?
Typically a reset of normal BIOS settings won't clear the certs. If it does, then you get the factory default ones.

Which is why it's important to have the latest BIOS firmware, because it's more likely the newer certs are included in the factory list. If installing an updated BIOS magically adds the missing CA 2023 certs, then it will always be there on a reset. The only other way to clear them is to perform Setup Mode, which means you clear them to allow a custom set of certs.
 

My Computer

System One

  • OS
    Windows 7
Typically a reset of normal BIOS settings won't clear the certs. If it does, then you get the factory default ones.

Which is why it's important to have the latest BIOS firmware, because it's more likely the newer certs are included in the factory list. If installing an updated BIOS magically adds the missing CA 2023 certs, then it will always be there on a reset. The only other way to clear them is to perform Setup Mode, which means you clear them to allow a custom set of certs.
Ah, fantastic! How about my Desktop? Didn't have a BIOS Update, but had the same successful results you saw earlier. Means it already had the certs available?
 

You... think there could be another way to complete this without having to run updates? Sadly this can vary from system to system and would be a kick in the b*lls if any of my PC's ran into issues because an update broke something, or they have boot or shutdown issues -_-;

Oh also, I'm not looking into revoking certs just yet, maybe when I'm closer to June... is that fine or I absolutely need to?
The requirement for the Windows Update check is MS will sometimes update the Secure Boot files.

The major changes started back in April and June 2024, rolling out the SecureBootUpdates folder. But MS has revised some of the file versions (DBXUpdate.bin, DBXUpdate SVN and SkuSiPolicy) with minor added entries.

- July 2025 was the next major checkpoint with the DBXUpdate.bin getting one extra exclusion for a 3rd-party EFI shim (intermediate boot loader).
- October 2025 pushed a newer SkuSiPolicy file.

Are these recent changes really that important? Not so much to getting CA 2023 enabled, but like having the most recent Defender signatures for blocking new malware, it's better to have the later versions of both files.

Here's a version of the update script which removes the Windows build checking. If you do eventually update Windows, then please re-run the normal update script to make sure you have the latest DBX files.

The update script is smart, it doesn't "assume" anything. It checks what's in your UEFI and will detect if the local Secure Boot files (updated by Windows Update) are newer than what's currently installed. If there's no difference, then it will inform that no changes are required.
 

Ah, fantastic! How about my Desktop? Didn't have a BIOS Update, but had the same successful results you saw earlier. Means it already had the certs available?
Because CA 2023 deployment is still optional (right now), the only ways to get the full set of certs:

1. Your last BIOS update included them in the factory defaults. This is MS's preferred outcome from the OEM's.
2. You ran some update script, or followed the Windows update process.
3. You ran Mosby.

The SkuSiPolicy file is copied to the EFI partition, so it's outside of the UEFI. Technically you can copy it by hand, but the update script has the -SkuSiPolicy option to perform the copy for you. It's only needed if VBS is enabled to improve its security.
 

Because CA 2023 deployment is still optional (right now), the only ways to get the full set of certs:

1. Your last BIOS update included them in the factory defaults. This is MS's preferred outcome from the OEM's.
2. You ran some update script, or followed the Windows update process.
3. You ran Mosby.

The SkuSiPolicy file is copied to the EFI partition, so it's outside of the UEFI. Technically you can copy it by hand, but the update script has the -SkuSiPolicy option to perform the copy for you. It's only needed if VBS is enabled to improve its security.
Ahhh Okay, seems I went the #2 route using your scripts... which means my desktop won't clear the certs... I hope lol, I remember you told me my MoBo was in some sort of support list, which supports this theory?

The requirement for the Windows Update check is MS will sometimes update the Secure Boot files.

The major changes started back in April and June 2024, rolling out the SecureBootUpdates folder. But MS has revised some of the file versions (DBXUpdate.bin, DBXUpdate SVN and SkuSiPolicy) with minor added entries.

- July 2025 was the next major checkpoint with the DBXUpdate.bin getting one extra exclusion for a 3rd-party EFI shim (intermediate boot loader).
- October 2025 pushed a newer SkuSiPolicy file.

Are these recent changes really that important? Not so much to getting CA 2023 enabled, but like having the most recent Defender signatures for blocking new malware, it's better to have the later versions of both files.

Here's a version of the update script which removes the Windows build checking. If you do eventually update Windows, then please re-run the normal update script to make sure you have the latest DBX files.

The update script is smart, it doesn't "assume" anything. It checks what's in your UEFI and will detect if the local Secure Boot files (updated by Windows Update) are newer than what's currently installed. If there's no difference, then it will inform that no changes are required.

Saved! I'll run it on Monday! Thanks a ton mate!
 

Ahhh Okay, seems I went the #2 route using your scripts... which means my desktop won't clear the certs... I hope lol, I remember you told me my MoBo was in some sort of support list, which supports this theory?
The check script's output for your desktop listed "OPTION 1: (DO NOTHING)". This means your PK is fully supported, and either Windows or the update script can finish without any problems.

MS maintains a list of OEM-provided KEK files on GitHub, and the script can confirm if your PK is registered or not.
 

The check script's output for your desktop listed "OPTION 1: (DO NOTHING)". This means your PK is fully supported, and either Windows or the update script can finish without any problems.

MS maintains a list of OEM-provided KEK files on GitHub, and the script can confirm if your PK is registered or not.
Sorry if I sound stupid lol... this means the MoBo already had the certs?
 

Or it's on the supported PK list.
Either way... means I just can't accidentally erase them if I just perform a reset bios settings, or for example shorting two pins for emergencies?
 

You're stressing out too much. If your current BIOS firmware has the CA 2023 certs built-in, then a reset will copy the certs back. You will need to run the update script to pull the latest DBX revocations since those are not fixed (unlike the CA 2023 certs). Otherwise if you don't have factory CA 2023 certs built-in, you temporarily disable Secure Boot in BIOS, boot Windows normally, and then re-run the update script. Then re-enable Secure Boot mode.

Some of the other folks out there have more to worry about, because they have unsupported BIOSes on old PCs.
 

I guess you are right X3
Thank you so much mate, I'll return with results on Monday!
 

Here's the one to run.
And here's the output:
Code:
Subject      : CN=Dell Inc. Platform Key, O=Dell Inc., L=Round Rock, S=Texas, C=US
Issuer       : CN=Dell Inc. Platform Key, O=Dell Inc., L=Round Rock, S=Texas, C=US
Thumbprint   : 44D641CACA0809002398B4877B8E982ED26F7B76
FriendlyName :
NotBefore    : 6/1/2016 10:20:07 PM
NotAfter     : 6/1/2031 10:30:06 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell Latitude 3380
    CPU
    Intel Core i3-6006U @ 2.00 GHz
    Motherboard
    Dell 0WM4F
    Memory
    16,0 GB
    Graphics Card(s)
    Intel HD Graphics 520
    Sound Card
    Realtek Audio
    Monitor(s) Displays
    Built-in
    Screen Resolution
    1366 x 768 @ 59 Hz
    Hard Drives
    SK Hynix SC311 SATA 128 GB SSD
    Other Info
    Multi-boot Windows/Ubuntu using rEFInd
This is a supported PK, according to the KEK list on GitHub:
Code:
    "44d641caca0809002398b4877b8e982ed26f7b76": {
        "KEKUpdate": "Dell/KEKUpdate_Dell_PK4.bin",
        "Certificate": {
            "serial_number": "50a1bd858ae7b6bc402dca78cdd268a1",
            "issued_to": "CN=Dell Inc. Platform Key,O=Dell Inc.,L=Round Rock,ST=Texas,C=US",
            "issued_by": "CN=Dell Inc. Platform Key,O=Dell Inc.,L=Round Rock,ST=Texas,C=US"
        }
    },

Unless your UEFI variables are corrupted, it should allow Windows or my update script to append CA 2023 certs. If you're having problems, I would try a factory reset of the UEFI certs first, or put it into Setup Mode (no certs). My script will handle both scenarios.

The GitHub issues for Mosby note that some AMI BIOS variants have a bug where appending to the KEK throws an error. It might be bypassed by using Setup Mode, since the script installs a DefaultKEK.bin which includes both KEK CA 2011 & KEK CA 2023 (thus no appending is needed).
 

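The PK lookup described in the post above, as an added example (not garlin's script and not code from this thread): it walks the EFI_SIGNATURE_LIST bytes of the PK variable, takes the SHA-1 thumbprint of each X.509 entry, and looks it up in a map shaped like the JSON entry quoted above. The function names, the constructed sample bytes and the local file name `kek_map.json` are assumptions.

```powershell
# Added example; function names and sample bytes are assumptions, not part of the thread's scripts.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiX509Thumbprint {
    # Walks one or more EFI_SIGNATURE_LIST structures and returns the SHA-1
    # thumbprint (lowercase hex) of every X.509 entry found.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16), ListSize (4), HeaderSize (4), SignatureSize (4)
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            28 + $hdrSize -gt $listSize -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $end = $offset + $listSize
        for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $end; $p += $sigSize) {
            if ($type -eq $X509Guid) {
                # Entry = 16-byte SignatureOwner GUID followed by the DER certificate.
                $hash = $sha1.ComputeHash($Bytes, $p + 16, $sigSize - 16)
                ([BitConverter]::ToString($hash) -replace '-', '').ToLowerInvariant()
            }
        }
        $offset = $end
    }
    $sha1.Dispose()
}

function Test-PkInKekList {
    # Reports, for each PK certificate, whether its thumbprint is a key in the map.
    param(
        [Parameter(Mandatory)][byte[]]$PkBytes,
        [Parameter(Mandatory)][string]$KekMapJson
    )
    $map = $KekMapJson | ConvertFrom-Json
    foreach ($tp in Get-EfiX509Thumbprint -Bytes $PkBytes) {
        $entry = $map.PSObject.Properties[$tp]
        [pscustomobject]@{
            Thumbprint = $tp
            Supported  = [bool]$entry
            KEKUpdate  = $(if ($entry) { $entry.Value.KEKUpdate })
        }
    }
}

# Map fragment: the single entry quoted in the thread, wrapped in braces to make valid JSON.
$kekMapJson = @'
{
    "44d641caca0809002398b4877b8e982ed26f7b76": {
        "KEKUpdate": "Dell/KEKUpdate_Dell_PK4.bin",
        "Certificate": {
            "serial_number": "50a1bd858ae7b6bc402dca78cdd268a1",
            "issued_to": "CN=Dell Inc. Platform Key,O=Dell Inc.,L=Round Rock,ST=Texas,C=US",
            "issued_by": "CN=Dell Inc. Platform Key,O=Dell Inc.,L=Round Rock,ST=Texas,C=US"
        }
    }
}
'@

# Constructed sample: a signature list holding placeholder bytes, not a real certificate,
# so it is expected to come back with Supported = False.
$payload = [Text.Encoding]::ASCII.GetBytes('constructed placeholder, not a real DER certificate')
$sigSize = 16 + $payload.Length
[byte[]]$sample = $X509Guid.ToByteArray() +
    [BitConverter]::GetBytes([int](28 + $sigSize)) +
    [BitConverter]::GetBytes([int]0) +
    [BitConverter]::GetBytes([int]$sigSize) +
    [guid]::Empty.ToByteArray() + $payload

Test-PkInKekList -PkBytes $sample -KekMapJson $kekMapJson | Format-List

# On a live machine (elevated prompt), with a locally saved copy of the map
# (kek_map.json is a hypothetical file name):
#   Test-PkInKekList -PkBytes (Get-SecureBootUEFI -Name PK).Bytes `
#                    -KekMapJson (Get-Content .\kek_map.json -Raw)
```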
I would try a factory reset of the UEFI certs first, or put it into Setup Mode (no certs)
The reset did not change anything, but after manually deleting all four certs using Expert Management in Custom Mode, I no longer got an error at the first Update_UEFI-CA2023.ps1 run, but Windows is now using a different PK?
Code:
Subject      : CN=Windows OEM Devices PK, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer       : CN=Microsoft RSA Third Party PCA 2023, O=Microsoft Corporation, C=US
Thumbprint   : 3D8660C0CB2D57B189C3D7995572A552F75E48B5
FriendlyName :
NotBefore    : 9/21/2023 10:28:26 PM
NotAfter     : 9/18/2038 10:28:26 PM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
               System.Security.Cryptography.Oid...}

Also, the script referred me to a README_UEFI.TXT which told me to manually import "Windows OEM Devices PK" and "KEK 2K CA 2023" into the BIOS, but I got the same error as before about signatures/format...

I ran the Update script a few more times (since the -Audit option gave different instructions every run) and finally ended up with this Check_UEFI-CA2023.ps1 output:
Code:
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Does this actually mean I'm good now? Or should the 2011 parts have been removed instead of blacklisted?
 
Below is the verbose output. There's probably no hint there why I can't get it to work with Dell's default PK?
Code:
Windows 11 25H2 (26200.7705)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
    Dell Inc. Latitude 3380
    Version: 1.28.0
    Date: 2024-07-05

Factory Default UEFI PK Cert
----------------------------
    Dell Inc. Platform Key

UEFI PK Cert
------------
    Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Dell Inc. Key Exchange Key

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Dell Inc. UEFI DB

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
    Microsoft Windows PCA 2010
    EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0
    EFI_CERT_SHA256_GUID Signatures: 437

EFI Files
---------
    Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        bootmgfw.efi File version: 26100.30227

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
 

And maybe not important for this forum, but the rEFInd boot manager and Ubuntu both still boot after these changes 🎉
 


My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Sin-built 2013
    CPU
    Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz
    Motherboard
    ASUS ROG Maximus VI Formula
    Memory
    32.0 GB of I forget and the box is in storage.
    Graphics Card(s)
    Gigabyte nVidia GeForce GTX 1660 Super OC 6GB
    Sound Card
    Onboard thingy
    Monitor(s) Displays
    5 x LG 25MS500-B - 1 x 24MK430H-B - 1 x Wacom Pro 22" Touch Screen Tablet
    Screen Resolution
    All over the place
    Hard Drives
    Too many to list.
    OS on Samsung 1TB 870 QVO SATA
    PSU
    Silverstone 1500
    Case
    NZXT Phantom 820 Full-Tower Case
    Cooling
    Noctua NH-D15 Elite Class Dual Tower CPU Cooler / 6 x EziDIY 120mm / 2 x Corsair 140mm somethings / 1 x 140mm Thermaltake something / 2 x 200mm Corsair.
    Keyboard
    Corsair K95 / Logitech diNovo Edge Wireless
    Mouse
    Logitech: G402 / G502 / Mx Masters / Mx Air Cordless
    Internet Speed
    2000/500Mbps
    Browser
    All sorts
    Antivirus
    Kaspersky Premium
    Other Info
    ㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤㅤ⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀
    TP-Link BE9300 WiFi 7 Bluetooth 5.4 (Archer TBE550E)
    TP-Link TX201 V1 2.5GB Lan

    Grandstream HT812 - VoIP
    ASUS DSL-AX82U - Mesh
    ASUS RT-AC68U - Mesh
    ASUS RT-BE88U Router

    Brother MFC-L2880DW Printer

    I’m on a horse.
  • Operating System
    Windows 11 Pro 25H2 Build 26200.8524
    Computer type
    Laptop
    Manufacturer/Model
    LENOVO Yoga 7 14IRL8 - 7i EVO OLED 14" Touchscreen i5 12 Core 16GB/512GB
    CPU
    Intel Core 12th Gen i5-1240P Processor (1.7 - 4.4GHz)
    Memory
    16GB LPDDR5 RAM
    Graphics card(s)
    Intel Iris Xe Graphics Processor
    Sound Card
    Optimized with Dolby Atmos®
    Screen Resolution
    QHD 2880 x 1800 OLED
    Hard Drives
    M.2 512GB
    Antivirus
    Defender / Malwarebytes
    Other Info
    …still on a horse.
Hey!

Today I ran the script to update the VBS thing. All good. The only thing I'm skipping is revoking the 2011 certs at least until May I guess, I dunno if it's recommended to do it earlier or just wait... But at least all is updated as it should.

Now begins my quest to add the certs to the BIOS of both my desktop PCs... because they don't seem to have them by default (please forgive me, for I betrayed you using another script to check if the BIOS has them by default). Fortunately the F.09 BIOS for my HP has them, so doing a reset is not an issue... but not for my desktop PCs lol...

Wish me luck, I'll contact MSI and check if they ever released updates that include the certs... they have been updating BIOSes, but as usual, they never state exactly what they update, unless it is something like fixing Sinkclose vulnerabilities or fixing TPM issues...

Thanks a ton @garlin & @antspants for all your support and help!!!! I'll keep you updated guys!
 

Fortunately the F.09 BIOS for my HP has them, so doing a reset is not an issue... but not for my desktop PCs lol...

Wish me luck, I'll contact MSI and check if they ever released updates that include the certs... they have been updating BIOSes, but as usual, they never state exactly what they update...

My desktop machine has an MSI B450M Bazooka motherboard, and the latest BIOS update (dated 2025-09-23) came with the 2023 certs.
 

My Computer

System One

  • OS
    Windows 11 pro 25h2
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    AMD Ryzen 7 5700G
    Motherboard
    MSI B450M Bazooka, BIOS version 7A38vHJ5 (latest beta as of 2025-09-23)
    Memory
    64 GB G.Skill (F4-3200C16Q-64GVK)
    Graphics Card(s)
    Integrated into CPU
    Sound Card
    Realtek (built into motherboard)
    Monitor(s) Displays
    Generic HDMI
    Screen Resolution
    1080p
    Hard Drives
    System and apps: SK hynix Gold P31 1TB M.2
    Data: Toshiba HDWQ140 4TB internal SATA
    PSU
    Seasonic 400W SS-400FL2 fanless
    Case
    Fractal Design Define R5
    Cooling
    Cooler Master Hyper 212 Evo
    Keyboard
    Lenovo Preferred Pro II Wired External USB Keyboard (4X30M86879)
    Mouse
    Belkin cheapo corded USB mouse
    Internet Speed
    300 MBit/sec
    Browser
    Firefox
    Antivirus
    Windows Defender
