[Solved] garlin's PowerShell scripts for updating Secure Boot CA 2023


I will give you a different copy of the update script which bypasses the error (cannot read Secure Boot status). You are the 2nd person who's reported this problem with an older BIOS.
 

> I will give you a different copy of the update script which bypasses the error (cannot read Secure Boot status). You are the 2nd person who's reported this problem with an older BIOS.
Thanks for going to all this trouble, but I've just tried the new script and I've still got the error: Failed to read UEFI Secure Boot settings
 

Choosing the best option did select the 2023 cert.

Code:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! Windows PowerShell update message FAQ - PowerShell

PS C:\Users\Martin> Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process
PS C:\Users\Martin> C:\Users\Martin\Downloads\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1 -bootmedia
Secure Boot: OFF
Virtualization Based Security: ON
BitLocker on (C:) OFF
Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.
Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.
Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.
Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\Users\Martin>
 

> Thanks for going to all this trouble, but I've just tried the new script and I've still got the error: Failed to read UEFI Secure Boot settings
I suspect you have one of the "problem" firmwares which is too old and can't be handled by a PowerShell script. Please reset the certs back to factory defaults. Because this is a really old PC, I would disable Secure Boot and leave it alone. I don't want to risk making your PC unbootable.

Windows will eventually complain about your lack of updated certs, but will continue to work with Secure Boot disabled.
 

> PS C:\Users\Martin> C:\Users\Martin\Downloads\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1 -bootmedia
> Secure Boot: OFF
> Virtualization Based Security: ON
> BitLocker on (C:) OFF
> Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.
> Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.
> UEFI DBX Certs
> --------------
> Microsoft Windows Production PCA 2011
> Skipping an invalid Microsoft.SecureBoot.Commands.UEFIEnvironmentVariable X509 certificate.
> Windows BootMgr SVN 7.0
That's not good. Somewhere you have a malformed cert or signature hash inserted in one of the UEFI variables.

Can you run the cjee21 script for comparison? If you can't boot the Macrium drive, I'm leaning towards some form of UEFI corruption instead of a scripting error. You may have to perform a factory reset, and repeat the update process to get out of this.
 

> That's not good. Somewhere you have a malformed cert or signature hash inserted in one of the UEFI variables.
>
> Can you run the cjee21 script for comparison? If you can't boot the Macrium drive, I'm leaning towards some form of UEFI corruption instead of a scripting error. You may have to perform a factory reset, and repeat the update process to get out of this.

Thanks, but as your script says all is fine, I think I will stick with it. I'm very happy to turn off SB when I need to run Macrium Reflect. I really appreciate your hard work and all the individual replies to our members.
 

Actually you have some weird error going on... but if it works for now, I guess that's alright.
 

> I suspect you have one of the "problem" firmwares which is too old and can't be handled by a PowerShell script. Please reset the certs back to factory defaults. Because this is a really old PC, I would disable Secure Boot and leave it alone. I don't want to risk making your PC unbootable.
>
> Windows will eventually complain about your lack of updated certs, but will continue to work with Secure Boot disabled.

Thank you anyway for going to so much trouble.
Very appreciated
 

I hope I'm not misconstruing this, since I don't fully understand these matters, but WinPE, or some WinPE versions/builds, might not be considered secure and hence might not pass the Secure Boot filter, through one means or another. I myself have been unable to produce an SB-valid Macrium v8.1.8631 (latest for v8) "WinPE" Rescue Media or to adapt previously produced ones (I didn't manage the latter with stored "WinRE" ISOs either, but my new "WinRE" ISO, produced after rebuilding the WIM as instructed by Macrium, boots fine with SB-CA2023 enabled. I have also applied SkuSiPolicy.p7b, but I have neither revoked 2011 nor the SVN, so I can use Macrium even without disabling SB).

I found this when researching SkuSiPolicy.p7b:


(underlined part by me)
> technically, that [a "customized" SHA256] might make sense as the Secure Boot signature does not apply to all the PE data in the first place, so one could defeat the DBX by altering one of these sections, as they wouldn't invalidate the signature, but would change the hash from the DBX, [...] HOW HARD WOULD IT HAVE BEEN TO DESIGN A NEW PE CONTAINER EXTENSION [...]?

I also found this from MS, which explains the SkuSiPolicy.p7b context in depth. Summarizing, it's one of the mitigations deployed to prevent a VBS rollback.

 

> I also found this from MS, which explains the SkuSiPolicy.p7b context in depth. Summarizing, it's one of the mitigations deployed to prevent a VBS rollback.


Maybe to make it a little less abstract:

The latest stored but inactive file version can be found in \Windows\System32\SecureBootUpdates and gets updated with cumulative updates. For the moment SkuSiPolicy.p7b is not installed automatically. To activate it, the file has to be copied into the EFI partition, into the folder \EFI\Microsoft\Boot.

Check in Event Viewer (Applications and Services Logs / Microsoft / Windows / CodeIntegrity) whether SkuSiPolicy is loaded; the entry seems to be created with SB both active and disabled.

The SkuSiPolicy version is stored in BIOS/firmware NVRAM; the latest now is 3.0.0.13. SkuSiPolicy has become a lot smaller and now seems to be a revocation tool for the OS loaders winload.efi and winresume.efi only. Once copied into the correct place, or updated there to a newer version, the version info in NVRAM either gets updated (if the file is a newer version) or is newly written into NVRAM at the next reboot.

IF there is version info in NVRAM and Secure Boot is active when the system boots:

bootmgfw.efi checks the existing SkuSiPolicy.p7b version in EFI\Microsoft\Boot against the NVRAM version
- If an older file version is found, or the file SkuSiPolicy.p7b is missing from the EFI partition, the system silently goes to the next boot option (if any), shows a black screen, or drops into the UEFI (BIOS) setup settings
- If the same or a newer version is found, booting continues and bootmgfw.efi loads; if a newer SkuSiPolicy.p7b was found, the information in NVRAM gets updated.

Then bootmgfw.efi compares the Windows OS loader (winload.efi) version to the blacklist in SkuSiPolicy.p7b
- If winload.efi is accepted, the system will continue to boot
- If winload.efi is (black-)listed in SkuSiPolicy.p7b, you get 0xc0000428 for either \Windows\System32\winload.efi (normal installation) or \Windows\System32\boot\winload.efi (boot media with boot.wim/winre.wim)

AFAIK winload.efi/winresume.efi can't be updated as single files; one has to apply the complete cumulative update to the installation / WIM images.

If SB is disabled and there is SkuSiPolicy version information in NVRAM but the file itself has been deleted / is no longer in the EFI partition, the NVRAM information is deleted at the next boot.

If SB is active and there is a file in the EFI partition but no version information is found in NVRAM, there might be an otherwise unspecified 0xc000000F error. Booting updated recovery media should recreate the information in NVRAM, but not all versions did that for me. This is difficult to reproduce, so I'm not completely sure.
 

> The SkuSiPolicy version is stored in BIOS/firmware NVRAM; the latest now is 3.0.0.13. SkuSiPolicy has become a lot smaller and now seems to be a revocation tool for the OS loaders winload.efi and winresume.efi only. Once copied into the correct place, or updated there to a newer version, the version info in NVRAM either gets updated (if the file is a newer version) or is newly written into NVRAM at the next reboot.
I believe the older version of the policy file was filled with EFI signature hashes (essentially duplicating DBX's block list), and it's switched to a smaller policy based on the SVN.

For comparison, here are the original file sizes from recent W11 ISOs:
Code:
162107 Dec  3  2023 23H2/SKUSiPolicy.P7b
 55616 Sep  5  2024 24H2/SKUSiPolicy.P7b
  6544 Sep 15 12:40 25h2/SKUSiPolicy.P7b

> If SB is disabled and there is SkuSiPolicy version information in NVRAM but the file itself has been deleted / is no longer in the EFI partition, the NVRAM information is deleted at the next boot.
So in order to resolve the problem of some Insider builds not having a correct succession of higher-versioned SkuSiPolicy files, the solution is:

1. Check if BitLocker is enabled. Disable or suspend BitLocker first!!

2. Delete the EFI policy file.
Code:
mountvol S: /s
del S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b

3. Shutdown Windows, and disable Secure Boot.

4. Restart Windows, to clear the NVRAM's copy.

5. Recopy the EFI policy file.
Code:
mountvol S: /s
copy C:\Windows\System32\SecureBootUpdates\SkuSiPolicy.p7b S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b

6. Enable Secure Boot, and restart Windows.

7. Re-enable BitLocker (if needed).
 

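The seven steps above as one two-phase PowerShell script, added here as an example and not garlin's own script. Phase Remove is run from Windows with Secure Boot still on (steps 1 and 2); the firmware change in step 3 and the boot in step 4 are manual; Phase Restore is run from that Secure-Boot-off boot (step 5) and leaves steps 6 and 7 to the firmware and to BitLocker's reboot counter. The ESP drive letter S: follows the post; the function name, the hash check after the copy and the default -RebootCount of 2 (the figure garlin gives later in the thread) are this example's assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not garlin's script: steps 1-7 above as a two-phase procedure.
#   Phase Remove  : run with Secure Boot still ON. Suspends BitLocker on the OS
#                   drive for the coming reboots and deletes the ESP copy of
#                   SkuSiPolicy.p7b. Then: shut down, disable Secure Boot in
#                   firmware (step 3), boot Windows once (step 4).
#   Phase Restore : run from that Secure-Boot-OFF boot. Confirms SB is off,
#                   recopies the staged file and verifies the copy (step 5).
#                   Then: enable Secure Boot in firmware and restart (step 6);
#                   BitLocker resumes when the reboot count is used up (step 7).
# Assumptions: ESP letter S:, -RebootCount 2.
function Invoke-SkuSiPolicyReset {
    param(
        [Parameter(Mandatory)][ValidateSet('Remove', 'Restore')][string]$Phase,
        [string]$EspLetter = 'S:',
        [string]$OsDrive   = $env:SystemDrive,
        [int]$RebootCount  = 2
    )
    $staged  = Join-Path $env:SystemRoot 'System32\SecureBootUpdates\SkuSiPolicy.p7b'
    $espFile = Join-Path $EspLetter 'EFI\Microsoft\Boot\SkuSiPolicy.p7b'
    $sbOn    = try { Confirm-SecureBootUEFI } catch { throw "Cannot read Secure Boot state: $_" }

    $mounted = $false
    if (-not (Test-Path "$EspLetter\")) {
        mountvol $EspLetter /s | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "mountvol $EspLetter /s failed" }
        $mounted = $true
    }
    try {
        switch ($Phase) {
            'Remove' {
                if (-not $sbOn) { Write-Warning 'Secure Boot is already OFF; the NVRAM record may already have been cleared.' }
                # Step 1: suspend (not decrypt) BitLocker; protection resumes after $RebootCount restarts.
                $bl = try { Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop } catch { $null }
                if ($bl -and $bl.ProtectionStatus -eq 'On') {
                    Suspend-BitLocker -MountPoint $OsDrive -RebootCount $RebootCount | Out-Null
                    "BitLocker on $OsDrive suspended for $RebootCount reboots."
                } else {
                    "BitLocker on $OsDrive is not protecting (status: $($bl.ProtectionStatus)); nothing to suspend."
                }
                # Step 2: remove the ESP copy.
                if (Test-Path $espFile) { Remove-Item $espFile -Force; "Deleted $espFile" } else { "$espFile not present" }
                'Now shut down, disable Secure Boot in firmware, boot Windows once, then run -Phase Restore.'
            }
            'Restore' {
                # This boot must be with Secure Boot OFF: that is what clears the stale NVRAM record (step 4).
                if ($sbOn) { throw 'Secure Boot is still ON. Boot once with it disabled before restoring the file.' }
                if (-not (Test-Path $staged)) { throw "Staged policy not found at $staged" }
                # Step 5: copy and verify the copy byte-for-byte via SHA-256.
                Copy-Item $staged $espFile -Force
                $ok = (Get-FileHash $staged).Hash -eq (Get-FileHash $espFile).Hash
                if (-not $ok) { throw 'Copied file does not match the staged copy.' }
                "Restored $espFile ($((Get-Item $espFile).Length) bytes, hash verified)."
                'Now re-enable Secure Boot in firmware and restart (steps 6-7).'
            }
        }
    } finally {
        if ($mounted) { mountvol $EspLetter /d | Out-Null }
    }
}

# Usage: Invoke-SkuSiPolicyReset -Phase Remove     (then, after the SB-off boot)
#        Invoke-SkuSiPolicyReset -Phase Restore
```

The two checks that matter for safety are the ones the numbered steps leave implicit: Restore refuses to run while Secure Boot is still on (the NVRAM record would not have been cleared), and Remove refuses to proceed past BitLocker silently, so a machine whose protection could not be suspended is not left needing its recovery key at the next boot.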
Yes, it was SkuSiPolicy that was preventing my previous Macrium Rescue Media from booting with SB enabled, either RE or PE (I had installed in the ESP the same policy as in C:\Windows\System32\SecureBootUpdates, dated 01/15/2026 and 6544 bytes in size). I had also tried a recent PE (made after uninstalling the PE stuff as published by Macrium, which downloads a new file from MS when making new PE media), but it also failed. The old Windows Recovery disk and the RE media were failing with a 0xC0000428 error in winload.efi (I believed this was a kind of "soft" SB violation, but I've learnt that, at least in my case, it was a SkuSiPolicy one), and the PE ones did nothing but a slight blink of the screen.

I've never had a failure booting Windows. At first I installed the new certs without revoking anything, but I don't remember exactly what I tried or what worked or not that way. Then I felt confident enough to do the revocations, but after failing with the media I "un-revoked", returning DBX to factory defaults. Afterwards I re-populated the DBX (except the 2011 cert) with a cjee21 script for it. Neither of these changes to the DBX varied any booting result as far as I recall. The Macrium media were tried as ISO files on WinSetupFromUSB disks or as standalone pendrives, either produced by Macrium (only v8.1.8631) or as ISOs "burned" by me manually after I learnt how. I also made a new Windows Recovery disk that has always worked fine.

I've only had one clear SB violation error since I started setting this up: that was when trying my old WinSetupFromUSB multiboot pendrive, which had my previous Windows Recovery Disk and several previous Macrium Rescue Media, all as ISO files. I replaced the pendrive's \efi\Boot\bootx64.efi and it showed the menu to choose what to boot, but every option failed with a 0xC0000428 error or a screen blink.

I ended up making a new WinSetupFromUSB pendrive with the new "working" (it can boot with SB on) Windows Recovery disk, the new "working" v8.1.8631 RE Macrium Rescue Media, and old RE and PE Macrium ISOs (including a v8.1.8631 PE) that were only booting with SB off. After deleting SkuSiPolicy.p7b from my system's ESP they all boot fine with Secure Boot enabled.

I'll go on like this for now.
 

Hi, today I tried to update a Dell Latitude 5580 notebook with the scripts provided. It did not work. I read all 34 pages and downloaded the different PS files.
The notebook's OS is Windows 10, Secure Boot is on, and the latest BIOS from 2024 (version 1.39.0) is installed.
Here are my results (3 PS outputs):

Code:
PS C:\temppp\ca2023> powershell -nop -ep bypass -noexit -f .\Check_UEFI-CA2023.ps1 -verbose
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.


Windows 10 22H2 (19045.6937)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
Dell Inc. Latitude 5580
Version: 1.39.0
Date: 2024-11-06

Factory Default UEFI PK Cert
----------------------------
Dell Inc. Platform Key

UEFI PK Cert
------------
Dell Inc. Platform Key
[KEK CA 2023] Update is available from Dell or Microsoft.

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Dell Inc. Key Exchange Key

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Dell Inc. Key Exchange Key

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Dell Inc. UEFI DB

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Dell Inc. UEFI DB

Factory Default UEFI DBX Certs
------------------------------
Microsoft Windows PCA 2010
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 483

EFI Files
---------
Disk 0: Windows Boot Manager [Production PCA 2011] is ALLOWED.
bootmgfw.efi File version: 19041.4648

Registry: WindowsUEFICA2023Capable = 0
[Windows UEFI CA 2023] not in UEFI DB.


REQUIRED ACTION
===============

OPTION 1: DO NOTHING. Windows will apply the UEFI updates in 2026 (supported BIOS).

OPTION 2: To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5bc4 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Code:
PS C:\temppp\ca2023> powershell -nop -ep bypass -noexit -f .\Update_UEFI-CA2023.ps1
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.


Downloading "KEKUpdate_Dell_PK4.bin" from GitHub.
ERROR: Failed to append "KEKUpdate_Dell_PK4.bin" to UEFI KEK.
Unexpected Result, status error: 0xC000000D

Code:
PS C:\temppp\ca2023> powershell -nop -ep bypass -noexit -f .\WhatsMyPK.ps1
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.




Subject : CN=Dell Inc. Platform Key, O=Dell Inc., L=Round Rock, S=Texas, C=US
Issuer : CN=Dell Inc. Platform Key, O=Dell Inc., L=Round Rock, S=Texas, C=US
Thumbprint : 44D641CACA0809002398B4877B8E982ED26F7B76
FriendlyName :
NotBefore : 2016. 06. 01. 22:20:07
NotAfter : 2031. 06. 01. 22:30:06
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid}

Any idea how to solve this CA2023 issue on my Dell?
Thanks in advance.
Regards,
Pal
 

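The check script's listing of PK, KEK, db and dbx (in Martin's output earlier in the thread and in Pal's verbose output above) comes from parsing the EFI_SIGNATURE_LIST structures stored in those UEFI variables. The following is an added example, not garlin's or cjee21's script, that does the same parsing itself so you can see what is actually in each database: it reads each variable with Get-SecureBootUEFI, walks the signature lists, decodes X.509 entries and counts SHA-256 hash entries, then reports whether "Windows UEFI CA 2023" is present in db and whether "Microsoft Windows Production PCA 2011" has been moved to dbx. The registry value names are the ones the check script prints and the key path is Microsoft's documented Servicing key; function names and report layout are this example's own. It needs an elevated Windows PowerShell 5.1 or PowerShell 7 session on a UEFI system. On firmware that cannot expose the variables, Get-SecureBootUEFI throws, which is the "Failed to read UEFI Secure Boot settings" condition from the top of the thread; the example reports that per variable instead of stopping.

```powershell
#Requires -RunAsAdministrator
# Added example (not garlin's or cjee21's script): enumerate the Secure Boot
# signature databases by parsing EFI_SIGNATURE_LIST structures.
# Layout of one list (UEFI spec, "Signature Database"):
#   GUID   SignatureType        (16 bytes)
#   UINT32 SignatureListSize    (whole list including this header)
#   UINT32 SignatureHeaderSize  (usually 0)
#   UINT32 SignatureSize        (size of each EFI_SIGNATURE_DATA entry)
#   [header bytes][EFI_SIGNATURE_DATA ...], each entry =
#   GUID SignatureOwner (16 bytes) + SignatureData
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureEntries {
    param([Parameter(Mandatory)][AllowEmptyCollection()][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list rather than reading past the buffer or looping forever.
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $Bytes.Length) { break }
        $listEnd = $offset + $listSize
        $pos     = $offset + 28 + $headerSize
        while ($pos + $sigSize -le $listEnd) {
            [pscustomobject]@{
                Type  = $type
                Owner = [guid]::new([byte[]]($Bytes[$pos..($pos + 15)]))
                Data  = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            }
            $pos += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-SecureBootDatabaseSummary {
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    try   { $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes }
    catch { return [pscustomobject]@{ Variable = $Name; Certs = @(); Sha256Hashes = 0; InvalidCerts = 0; Error = $_.Exception.Message } }
    $certs = [System.Collections.Generic.List[string]]::new()
    $hashes = 0; $invalid = 0
    foreach ($e in Get-EfiSignatureEntries -Bytes $bytes) {
        if ($e.Type -eq $EFI_CERT_X509_GUID) {
            try {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($e.Data)
                $certs.Add($cert.GetNameInfo('SimpleName', $false))   # subject CN, as the check script prints it
            } catch { $invalid++ }   # the check script reports these as "Skipping an invalid ... X509 certificate"
        } elseif ($e.Type -eq $EFI_CERT_SHA256_GUID) { $hashes++ }
    }
    [pscustomobject]@{ Variable = $Name; Certs = $certs.ToArray(); Sha256Hashes = $hashes; InvalidCerts = $invalid; Error = $null }
}

$summaries = foreach ($n in 'PK','KEK','db','dbx') { Get-SecureBootDatabaseSummary -Name $n }
foreach ($s in $summaries) {
    Write-Host "`nUEFI $($s.Variable)"
    if ($s.Error) { Write-Host "  ERROR: $($s.Error)"; continue }
    $s.Certs | ForEach-Object { Write-Host "  $_" }
    if ($s.Sha256Hashes) { Write-Host "  EFI_CERT_SHA256_GUID Signatures: $($s.Sha256Hashes)" }
    if ($s.InvalidCerts) { Write-Host "  (skipped $($s.InvalidCerts) undecodable X.509 entries)" }
}

$db  = $summaries | Where-Object Variable -eq 'db'
$dbx = $summaries | Where-Object Variable -eq 'dbx'
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
Write-Host "`nSTATUS"
Write-Host "  Windows UEFI CA 2023 in db:            $($db.Certs -contains 'Windows UEFI CA 2023')"
Write-Host "  Microsoft UEFI CA 2023 in db:          $($db.Certs -contains 'Microsoft UEFI CA 2023')"
Write-Host "  Production PCA 2011 revoked (in dbx):  $($dbx.Certs -contains 'Microsoft Windows Production PCA 2011')"
Write-Host "  Registry WindowsUEFICA2023Capable:     $($svc.WindowsUEFICA2023Capable)"
Write-Host "  Registry UEFICA2023Status:             $($svc.UEFICA2023Status)"
```

On Pal's Dell this should print only the 2011 certificates under db and a large SHA-256 count under dbx, with the 2023 checks all False, matching the check script. On a machine like Martin's it also makes the "invalid X509" entries countable rather than just warned about: an entry of type EFI_CERT_X509_GUID whose bytes do not decode as a certificate is exactly what the check script skips.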
If you indeed read all the pages, you have probably seen that I posted a similar (or identical?) error for my Dell.

Clearing/deleting all keys in Custom Mode, to let the script install the Microsoft certificates, did the trick for me.

Hope this helps!
 

Hello parttimewindows,
Thank you for the confirmation. I was afraid of this. :(
Just to summarize:
1. I need to disable Secure Boot in the BIOS
2. Start Windows 10 as usual (Secure Boot will now be in the Off state)
3. Back to the BIOS with F2
4. Secure Boot menu > Expert Key Management > Enable Custom Mode > Delete All Keys or Reset All Keys?
If I DELETE ALL KEYS, then everything is deleted irreversibly.
If I RESET ALL KEYS, then only the default settings are set on all four.

Which one do I need to choose for a proper update process with garlin's update script?

I just do not want to screw up the existing Windows installation at all.

BitLocker is used on the other 49 devices. I guess that "suspend" will be enough before doing these things.
Or do you recommend fully disabling BitLocker?

Sorry to ask such noob questions, but I have a fleet of 50 PCs to update without ANY risk of possible damage or reinstalling Win10.
Thank you in advance.
Regards,
Pali
 

> BitLocker is used on the other 49 devices. I guess that "suspend" will be enough before doing these things.
> Or do you recommend fully disabling BitLocker?
Normally, if you have BitLocker on drive C:, suspend it for at least two reboots:
Code:
Suspend-BitLocker -MountPoint "C:" -RebootCount 2

This avoids having to find the BitLocker recovery key or password (which is a time-consuming process if you're doing multiple PCs). You can disable BitLocker ahead of time, but I would manually try 2-3 PCs first and see how the process goes.
 

> I ended up making a new WinSetupFromUSB pendrive with the new "working" (it can boot with SB on) Windows Recovery disk, the new "working" v8.1.8631 RE Macrium Rescue Media, and old RE and PE Macrium ISOs (including a v8.1.8631 PE) that were only booting with SB off. After deleting SkuSiPolicy.p7b from my system's ESP they all boot fine with Secure Boot enabled.
I'm thinking about changing my check script's advice to install SkuSiPolicy.

It's obvious that in some cases copying SkuSiPolicy to the EFI partition prevents some Windows or boot USB instances from working. But then MS's current security guidance says to implement SkuSiPolicy whenever VBS is enabled.

If you dig up the Memory Integrity docs, they mention it's possible to enable protections without a UEFI lock.
Enable memory integrity

> Recommended settings (to enable memory integrity without UEFI Lock):
> To enable VBS without UEFI lock (value 0):
> To enable VBS with UEFI lock (value 1):
> To enable memory integrity without UEFI lock (value 0):
> To enable memory integrity with UEFI lock (value 1):

This might prevent the "lock out" condition, but the rest of the docs don't bother mentioning anything about the UEFI lock, or how you could check it (from Windows). None of this is super clear, and you shouldn't have to be working as a Windows security researcher to understand this!
 

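An added example (not from the Microsoft page quoted above, and not garlin's script) of how the UEFI-lock question can be checked from Windows: it reads the VBS and memory-integrity (HVCI) Enabled and Locked values from the DeviceGuard registry keys that page documents and puts them beside the live state from the Win32_DeviceGuard WMI class, so a mismatch (configured but not running, or locked in UEFI) is visible. A second function writes the HVCI setting with Locked = 0, which is the no-UEFI-lock configuration the post refers to. Function names are this example's own; the registry paths, value names and WMI class are Microsoft's documented ones.

```powershell
#Requires -RunAsAdministrator
# Added example: compare configured VBS/HVCI settings (registry) with the live
# state reported by Win32_DeviceGuard, and show whether the UEFI lock is set.
$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$HvciKey        = "$DeviceGuardKey\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-VbsLockState {
    $dg   = Get-ItemProperty $DeviceGuardKey -ErrorAction SilentlyContinue
    $hvci = Get-ItemProperty $HvciKey -ErrorAction SilentlyContinue
    $live = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # Registry: the policy as configured; changes apply at the next reboot.
        VbsEnabled     = [int]($dg.EnableVirtualizationBasedSecurity)   # 1 = on
        VbsUefiLock    = [int]($dg.Locked)                               # 1 = also persisted in a UEFI variable
        HvciEnabled    = [int]($hvci.Enabled)
        HvciUefiLock   = [int]($hvci.Locked)
        # Live state as the OS reports it.
        VbsStatus      = $live.VirtualizationBasedSecurityStatus         # 0 = off, 1 = enabled but not running, 2 = running
        HvciConfigured = ($live.SecurityServicesConfigured -contains 2)  # 2 = HVCI in these arrays
        HvciRunning    = ($live.SecurityServicesRunning -contains 2)
    }
}

# Write the HVCI setting with the lock off. With Locked = 1 the choice is also
# stored in a UEFI variable and cannot be reverted from Windows alone; with
# Locked = 0 it is a plain registry setting that a later change (or a reset)
# can undo. Takes effect after a reboot.
function Set-HvciWithoutUefiLock {
    param([switch]$Enable)
    $value = if ($Enable) { 1 } else { 0 }
    if (-not (Test-Path $HvciKey)) { New-Item $HvciKey -Force | Out-Null }
    New-ItemProperty $HvciKey -Name Enabled -PropertyType DWord -Value $value -Force | Out-Null
    New-ItemProperty $HvciKey -Name Locked  -PropertyType DWord -Value 0      -Force | Out-Null
    "HVCI Enabled=$value written with Locked=0. Reboot for it to take effect."
}

Get-VbsLockState | Format-List
# To turn memory integrity on without the UEFI lock:  Set-HvciWithoutUefiLock -Enable
```

Reading the two Locked values is the check the post says the docs never spell out: if either is 1, flipping the registry back to 0 does not by itself clear the UEFI-held copy, and that is the state in which a recovery or install medium that the policy rejects has no way to be let through from the OS side.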
@garlin I've been getting the impression SkuSiPolicy is more trouble than it's worth. I might go so far as to say it's overkill for everyday users. Corporate is a different matter altogether. I like to sum it up as: if you're not responsible for the nuclear launch codes in a missile silo, don't worry about it.
 
Just to chime in here real quick on the SkuSiPolicy thing.

I installed it last Sunday, and spent the entire day trying to sort out booting from USB drives. I was unable to boot from any combination of newly created or boot-file-copied Macrium USB. A Windows 11 install USB created with the newest version of Rufus and the 26200.7840 ISO would boot up initially and let me start an install, but after deleting all partitions and copying over the Windows files to the hard drive it would then fail to start after the first reboot.

I eventually threw in the towel and deleted SkuSiPolicy.p7b, and all returned to working normally.

I'll be skipping that SkuSiPolicy.p7b step for now as well.

peace
wanna
 
