Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Although my AM5 B850 system is showing event 1808, I noted my AM4 B550 PC is just showing 1801. I understand updating is an ongoing process, and haven't looked further than the event or run any scripts etc, but I thought I'd ask a few questions-

I don't often update mb BIOS but did last September to get an update that added TPM-B FW as well as various other fixes - but it made no mention of whether it includes new SB certs.

A Gigabyte AM4 board defaults to SB Not Active after a BIOS update. The method to get SB to show as Active is to select Custom and then either a) restore factory keys and stay in Custom or b) switch back to Standard which also loads defaults

1) there's a post above about whether a BIOS update overwrites keys - even if it doesn't those steps to change SB to Active would seem to overwrite them with those from the BIOS - what happens then?

2) I chose method b) so I'm not in Custom any more - is there any chance this is preventing Windows from installing the certs - i.e. is there some sort of read-only state?
This part is tricky, because it depends on the BIOS your OEM sourced from their BIOS supplier. Honestly, I don't know because my experience is on Dell and Lenovo PC's.

3) over time there are many BIOS versions - including interim 'beta' releases - so each user might end up with a different one - is the exact BIOS version used by the telemetry in deciding whether Windows will go ahead with the update?
The confidence buckets are grouped by motherboard (model) and BIOS version. You're correct that some users are behind on firmware. It's possible to have many combinations of them. Unless MS or the OEM is going to test every combination (which they can't do because of time), the strategy appears to be creating a confidence level for any bucket combo, once they reach a certain sample size and the results are conclusive.

It's simply a numbers game. They will first try to migrate the buckets with high success numbers. All stragglers might have to wait until MS changes the selection criteria (not enough sample count, but high success). The problem comes with the low confidence/high failure buckets, at some point MS will declare they're too risky.

Then it's a finger pointing game. MS isn't responsible for your BIOS. They have to be careful in not "throwing the OEM under the bus". Some BIOS'es have a good history of successful updates, others seem to break PC's. For old models, a factory swap of the motherboard isn't available.

The end game is they may simply tell you to never enable Secure Boot (leaving it insecure), or upgrade to a new PC. It's not the users' fault, some of these vendor firmwares were bad in the first place.
 

That's exactly what I did. I had no reason to keep images from 4 months ago. I usually keep the most recent 3.
I keep the most recent eight Windows drive images. I also have staggered images back at least six months on two 4TB USB NVMe drives. Caught with my pants down ain't happening! :lmao:
 

Since the tool was unable to use the Dell KEK certificate and I had to use the Windows OEM files instead, I'm wondering whether I could manually check whether any of the (other) Dell KEKs Microsoft has in their GitHub repository are signed by the PK on my machine (Dell Latitude 3380).

Once I have saved the PK and downloaded the 4 KEK files, which command can I use to check whether a KEK is signed by that PK?
 

Since the tool was unable to use the Dell KEK certificate and I had to use the Windows OEM files instead, I'm wondering whether I could manually check whether any of the (other) Dell KEKs Microsoft has in their GitHub repository are signed by the PK on my machine (Dell Latitude 3380).

Once I have saved the PK and downloaded the 4 KEK files, which command can I use to check whether a KEK is signed by that PK?
1. An OEM's PK is used to cross sign the generic pre-signed KEK, which becomes one of the post-signed KEK's stored in the MS GitHub. There is only one matching KEK per unique PK.

2. A unique PK may be used for multiple PC models by the OEM.

3. An OEM may have multiple PK's.

All you care about is that every unique PK has a specific certificate thumbprint. None of the other KEK files will match your PC's PK. This script will return the name of the matching KEK file in the GitHub (if one exists).
 

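
The thumbprint lookup described in the answer above, as an added example (this is not garlin's attached script and not code from Microsoft's repository). It uses the built-in `Get-SecureBootUEFI` cmdlet; the function names, `$MapPath` and the sample map entry are hypothetical, and the flat thumbprint-to-file shape of the JSON map is assumed from how it is described in this thread.

```powershell
# Added example. Needs Windows PowerShell 5.1 on .NET Framework 4.7.2+ or PowerShell 7.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EslCertificate {
    # Walk the EFI_SIGNATURE_LIST structures in a Secure Boot variable (PK, KEK, db)
    # and emit every X.509 certificate found.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: SignatureType GUID, then three little-endian UINT32 sizes.
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed signature list at offset $offset"
        }
        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $headerSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # Each entry: 16-byte SignatureOwner GUID, then the DER certificate.
                $der = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Find-KekForPk {
    # Look up each PK certificate's thumbprint in the map (parsed JSON object).
    param([Parameter(Mandatory)][byte[]]$PkBytes, [Parameter(Mandatory)]$Map)

    foreach ($cert in Get-EslCertificate -Bytes $PkBytes) {
        # Thumbprint is the SHA-1 of the DER certificate; -eq ignores hex case.
        $hit = $Map.PSObject.Properties | Where-Object { $_.Name -eq $cert.Thumbprint }
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            KekFile    = if ($hit) { $hit.Value } else { $null }
        }
    }
}

function New-SampleEsl {
    # Wrap one DER certificate in a single EFI_SIGNATURE_LIST (test helper only).
    param([Parameter(Mandatory)][byte[]]$Der)
    $sigSize = 16 + $Der.Length
    [byte[]]($EfiCertX509Guid.ToByteArray() +
             [BitConverter]::GetBytes([uint32](28 + $sigSize)) +
             [BitConverter]::GetBytes([uint32]0) +
             [BitConverter]::GetBytes([uint32]$sigSize) +
             [guid]::Empty.ToByteArray() + $Der)
}

# --- Constructed sample, not real firmware data: a throwaway self-signed
#     certificate stands in for the PK, with a one-entry map keyed by its thumbprint.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Sample PK', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample    = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
$sampleMap = ('{{"{0}": "Vendor/KEKUpdate_Sample.bin"}}' -f $sample.Thumbprint) | ConvertFrom-Json

$result = Find-KekForPk -PkBytes (New-SampleEsl -Der $sample.RawData) -Map $sampleMap
if ($result.KekFile -ne 'Vendor/KEKUpdate_Sample.bin') { throw 'Self-check failed' }
$result | Format-List

# On a real machine (elevated prompt, UEFI boot). $MapPath is a hypothetical
# local copy of the thumbprint-to-file JSON map:
#   $pk  = (Get-SecureBootUEFI -Name PK).Bytes
#   $map = Get-Content -Raw $MapPath | ConvertFrom-Json
#   Find-KekForPk -PkBytes $pk -Map $map
```

This only matches the PK certificate to a file name by thumbprint; it does not verify the signature carried inside the KEK update file, which the firmware checks when the update is applied.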
Although my AM5 B850 system is showing event 1808, I noted my AM4 B550 PC is just showing 1801. I understand updating is an ongoing process, and haven't looked further than the event or run any scripts etc, but I thought I'd ask a few questions-

I don't often update mb BIOS but did last September to get an update that added TPM-B FW as well as various other fixes - but it made no mention of whether it includes new SB certs.

A Gigabyte AM4 board defaults to SB Not Active after a BIOS update. The method to get SB to show as Active is to select Custom and then either a) restore factory keys and stay in Custom or b) switch back to Standard which also loads defaults

1) there's a post above about whether a BIOS update overwrites keys - even if it doesn't those steps to change SB to Active would seem to overwrite them with those from the BIOS - what happens then?

2) I chose method b) so I'm not in Custom any more - is there any chance this is preventing Windows from installing the certs - i.e. is there some sort of read-only state?

3) over time there are many BIOS versions - including interim 'beta' releases - so each user might end up with a different one - is the exact BIOS version used by the telemetry in deciding whether Windows will go ahead with the update?
For your B550 board there is in fact the same update I have as well, is a Beta BIOS, and fixes not only the TPM for BF6, but also includes the new CA 2023 Certs. I don't know if it's the same exact model as mine, but installing that update brought me the default certs installed. I had to check with an MSI employee, which told me the beta BIOS also included those, so you should be covered. If you reset the BIOS or the certs, it should restore even the new certs from default database, since they already included them.
 

This script will return the name of the matching KEK file in the GitHub (if one exists).
It fails for me with this error:
Code:
Get-UEFIVariable : The term 'Get-UEFIVariable' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.

However, I modified the script to print the entire JSON file at the end and I do indeed see that using the PK thumbprint (which I previously got via one of your scripts) as the key in this dictionary indeed gives the value "Dell/KEKUpdate_Dell_PK4.bin", which matches what the script from your first post in this thread tried to use as KEK.

I wonder why all my attempts to use that KEK (using your script, using the firmware update tool in Ubuntu, and manually importing it in custom Secure Boot mode in the BIOS) failed.

Maybe a bug in the DELL BIOS/firmware?

(I have Secure Boot working using the Microsoft OEM certificates, but was wondering whether I could get it to work with Dell certificates as well - just as a learning experience)
 

For your B550 board there is in fact the same update I have as well, is a Beta BIOS, and fixes not only the TPM for BF6, but also includes the new CA 2023 Certs. I don't know if it's the same exact model as mine, but installing that update brought me the default certs installed. I had to check with an MSI employee, which told me the beta BIOS also included those, so you should be covered. If you reset the BIOS or the certs, it should restore even the new certs from default database, since they already included them.
My B550i is Gigabyte. It's been showing 1801 events for months, and in the registry UEFICA2023Status is NotStarted.
WindowsUEFICA2023Capable is 2 meaning "Windows UEFI CA 2023" certificate is in the DB and the system is starting from the 2023 signed boot manager.

This is a quite common motherboard but has a beta BIOS from September that not many users may have.

My B850M is MSI, and is a less common product with a BIOS from June, but shows UEFICA2023Status of Updated and 1808 events.

So I suspect the B850M BIOS may have the new certs but my B550i doesn't.

Only after the most recent Windows Update is ConfidenceLevel showing as 'Under Observation - More Data Needed' - so maybe we are only now at the start of the process of installing certs even with only a few months remaining - perhaps like W10 there will be an extension.
 

It fails for me with this error:
Code:
Get-UEFIVariable : The term 'Get-UEFIVariable' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.

However, I modified the script to print the entire JSON file at the end and I do indeed see that using the PK thumbprint (which I previously got via one of your scripts) as the key in this dictionary indeed gives the value "Dell/KEKUpdate_Dell_PK4.bin", which matches what the script from your first post in this thread tried to use as KEK.

I wonder why all my attempts to use that KEK (using your script, using the firmware update tool in Ubuntu, and manually importing it in custom Secure Boot mode in the BIOS) failed.

Maybe a bug in the DELL BIOS/firmware?

(I have Secure Boot working using the Microsoft OEM certificates, but was wondering whether I could get it to work with Dell certificates as well - just as a learning experience)
That script didn't work for me either the same way.
 

My B550i is Gigabyte. It's been showing 1801 events for months, and in the registry UEFICA2023Status is NotStarted.
WindowsUEFICA2023Capable is 2 meaning "Windows UEFI CA 2023" certificate is in the DB and the system is starting from the 2023 signed boot manager.

This is a quite common motherboard but has a beta BIOS from September that not many users may have.

My B850M is MSI, and is a less common product with a BIOS from June, but shows UEFICA2023Status of Updated and 1808 events.

So I suspect the B850M BIOS may have the new certs but my B550i doesn't.

Only after the most recent Windows Update is ConfidenceLevel showing as 'Under Observation - More Data Needed' - so maybe we are only now at the start of the process of installing certs even with only a few months remaining - perhaps like W10 there will be an extension.
If Gigabyte has some sort of contact for consumer service, your best bet is to bug them to know if the latest BIOS has the certs. If they manage their B550 like MSI did with mine, probably the latest Beta BIOS they probably have might contain them.

I had to ask MSI, because the latest BIOS only focused their notes on the BF6 TPM fix... but it also had the certs.
 

@garlin Thank you for helping me with my wife's Laptop.

I just wanted to check something with you before I take the leap and attempt to do this with the PC I have listed in my "my computer" under this post.

I am running the BIOS circled in red and I ran ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') and it said false.

firmware.webp


Do I need to manually go into the BIOS and change some of the settings to enable these key updates? or can I do all of this running your script?



Thanks.
 

My guess is your current BIOS has factory support for CA 2023 (but hasn't been reset to factory defaults). Normally the firmware update should populate all missing certs. But if that didn't happen, the good news is they would have registered their signed KEK CA 2023 with MS.

June 2025 would have been in the middle of MS's final push for OEM's to include CA 2023 in firmware.

You can run the check script in verbose mode:
Code:
Check_UEFI-CA2023.ps1 -Verbose

If you see the words "Update is available from Gigabyte or Microsoft.", the update script should work without problems.
 

Google say I'm all set for now . . . what saith thou

1771462680550.webp

What's up with it saying "... run the commands, run the commands" Does it have a stutter?

1771462721410.webp
 

Google say I'm all set for now . . . what saith thou
You've successfully applied the CA 2023 certs, but haven't revoked the PCA 2011 cert.
MS says you should be "here" on the current deployment schedule.

When the revocation is done, CA 2011 will be listed under DBX. And no signatures will be missing from any of the 3 DBX update files.
What's up with it saying "... run the commands, run the commands" Does it have a stutter?
Yes, it does! I copied some output text without noticing 'run the command' was duplicated elsewhere.
 

When the revocation is done, CA 2011 will be listed under DBX. And no signatures will be missing from any of the 3 DBX update files.
Will some future update do the revoking?
 

Yes. But probably not before the June 2026 deadline for rolling out CA 2023. Expect the revocation in the 2nd half of the year.
 

Hi Garlin,
Thanks for your scripts. I guess it must be time consuming.

After running your script, I got the following: MANUAL UPDATE of the BIOS is required.
I checked my BIOS, I think my PC doesn't support manual key management of individual keys.
Here are 2 screenshots of my ACER BIOS.

If I understand rightly, I have to choose "Erase all Secure Boot Setting", press ENTER and then F10. Boot into Windows and run the Update_UEFI-CA2023.ps1 script.
Can you confirm this?

Have a nice day.

IMG_20260219_155546a_cr.webp

IMG_20260219_155731a_cr.webp
 

You should first try the 2nd option: "Select an UEFI file as trusted for executing".

The update script will copy the KEK CA 2023 cert file to folder "\EFI\Certs", on the EFI partition. The 2nd option should allow you to search the system drive and find the \EFI\Certs folder. Enroll the named cert file if possible.

If that works, you can reboot into Windows and re-run the update script to finish the process.
 

You should first try the 2nd option: "Select an UEFI file as trusted for executing".

The update script will copy the KEK CA 2023 cert file to folder "\EFI\Certs", on the EFI partition. The 2nd option should allow you to search the system drive and find the \EFI\Certs folder. Enroll the named cert file if possible.

If that works, you can reboot into Windows and re-run the update script to finish the process.
Thanks for very quick reply. I'll keep you posted when I try it. It seems easy, but I must say I'm a little bit worried to do it (changing settings in the BIOS for ever).
 

Adding a single key (enrollment) is less drastic than erasing all Secure Boot settings. MS has provided a set of replacement keys which the script can use in the "Setup Mode" scenario where all keys have been cleared.

But it's always better to take the smaller approach (single key enrollment) if your BIOS supports it.
 
