Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Ok done. So it's stuck on "suspending bitlocker for one reboot" and nothing happens.
So I tried to suspend BitLocker manually before running the script. This is what happens:
Code:
PS C:\Windows\system32> cd C:\SSB\GARLIN\
PS C:\SSB\GARLIN> powershell -ep bypass C:\ssb\GARLIN\Update_UEFI-CA2023.ps1
Successfully appended "DBUpdate3P2023.bin" to UEFI DB.

REQUIRED ACTION
---------------
Restart Windows, for UEFI updates to take effect.


I then try Check-UEFI.bat before rebooting:
Code:
PS C:\SSB\GARLIN> .\Check-UEFI.bat
Windows PowerShell
Copyright (C) Microsoft Corporation. Tutti i diritti riservati.

Installa la versione più recente di PowerShell per nuove funzionalità e miglioramenti. Windows PowerShell update message FAQ - PowerShell

Secure Boot: ON
Virtualization Based Security: ON

BitLocker on (C:) OFF
SUSPENDED for 1 reboot.

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 1: SkuSiPolicy.p7b (for VBS) is CURRENT.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\SSB\GARLIN>


Then I reboot... and if I do this check again it says:
Code:
REQUIRED ACTION
===============

To install [UEFI CA 2023] certs, run the commands:

manage-bde -Protectors -Disable C: -RebootCount 1
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5000 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"


Like we didn't do anything.

 

My Computer (at a glance): OS: w11 25h2; Computer type: PC/Desktop; Manufacturer/Model: asus

Also tried "powershell -ep bypass \your\path\Update_UEFI-CA2023.ps1" with PowerShell 7... same effect.
 

My Computer (at a glance): OS: w11 25h2; Computer type: PC/Desktop; Manufacturer/Model: asus

Before you updated this PC the first time, did you use Setup Mode or any manual enrollment? I'm wondering if this is one of those "problem" BIOSes which don't return the correct results to Windows.
 

My Computer (at a glance): OS: Windows 7

Can be. Usually I set the regkey "AvailableUpdates" to the value 0x5944 hex, then start the Secure Boot scheduled task, then do 3-4 reboots. I then use your scripts to check the results (I also use another script taken from GitHub; google "cjee github").
Is there a way I can check manually if that certificate is installed or not?
The same method has been used on more or less 20 DELL workstations that worked flawlessly. I have this strange behaviour only with the HP ZBook G11.
 

My Computer (at a glance): OS: w11 25h2; Computer type: PC/Desktop; Manufacturer/Model: asus

Can be. Usually I set the regkey "AvailableUpdates" to the value 0x5944 hex, then start the Secure Boot scheduled task, then do 3-4 reboots. I then use your scripts to check the results (I also use another script taken from GitHub; google "cjee github").
Is there a way I can check manually if that certificate is installed or not?
The same method has been used on more or less 20 DELL workstations that worked flawlessly. I have this strange behaviour only with the HP ZBook G11.
These HP machines are rather new and the latest firmware update does have updated default certificates already, and from the certificate side everything should be OK.

There's one presumption at Microsoft and in garlin's scripts that might be incorrect sometimes:
If there's a Microsoft Corporation UEFI CA 2011 cert, both the Microsoft UEFI CA 2023 and the Microsoft Option ROM UEFI CA 2023 certs should be added.

Since MS split the function of the Microsoft Corporation UEFI CA 2011 (enabling Secure Boot with third-party firmware and non-MS bootloaders) into two different certificates (Microsoft UEFI CA 2023 for non-MS bootloaders and Microsoft Option ROM UEFI CA 2023 for third-party firmware), both certs are not always necessary. For a laptop the third-party firmware might not be necessary. They usually don't have any options for adding boot-relevant hardware which could need its own firmware at boot, except for discrete graphics, if the manufacturer didn't include this firmware in the main BIOS.

(The ZBook G11 seems to have discrete NVIDIA graphics which again might have its own separate firmware which could/would need this certificate if signed with 2023 certs, but I don't see any separate updates on HP's support site. I assume the firmware is included in the main firmware.)

Might adding the third-party firmware cert (Microsoft Option ROM UEFI CA 2023) be harmful? At first glance not, but I read for example about a rare software that introduces a hard disk password by simulating a third-party firmware which gets loaded before the MS boot manager (see here, this post and the next). One could imagine other more destructive functions executed by such 'firmware'...

So HP might be completely correct in not adding this cert to the defaults in the firmware and maybe in prohibiting adding additional certs. There might be (but this is guessing now) mechanisms in (their) newer firmwares to remove certs not wished for. Or there are other protection mechanisms: direct access to larger parts of NVRAM is prohibited, maybe the NVRAM area with certs is compared to the default at every boot. And HP has its own firmware protections active.

Well, actually they admit this here:

temp2.webp

In conclusion for you:
You simply don't need the third-party firmware cert that can't be updated (and HP's making sure you have only the certificates needed for that machine, whether you like it or not)
 

My Computer (at a glance): OS: W10

That's the same conclusion I came to yesterday after reading a lot of stuff, but thank you for pointing it out, especially the HP note.
So if I understood correctly:

1) if a vendor doesn't publish updated firmware for a computer model, it is forcing you to change it if you want to keep Secure Boot functioning.
2) Microsoft can act with computer manufacturers to update only "MS Secure Boot certificates" and ignore the rest (at the expense of other operating systems that do not use that certificate, such as Linux)

?
 

My Computer (at a glance): OS: w11 25h2; Computer type: PC/Desktop; Manufacturer/Model: asus

1) if a vendor doesn't publish updated firmware for a computer model, it is forcing you to change it if you want to keep Secure Boot functioning.
Unclear, what do you mean by "change it"?

2) Microsoft can act with computer manufacturers to update only "MS Secure Boot certificates" and ignore the rest (at the expense of other operating systems that do not use that certificate, such as Linux)?
No, that'd be the manufacturer's decision. And if there weren't special protection mechanisms enabled, you / MS / another OS could manually add these certificates, like you tried.

But when buying workstation laptops one normally appreciates a high security level (=> firmware protection).
 

My Computer (at a glance): OS: W10

change it = buy a new one
 

My Computer (at a glance): OS: w11 25h2; Computer type: PC/Desktop; Manufacturer/Model: asus

1) if a vendor doesn't publish updated firmware for a computer model, it is forcing you to change it = buy a new one if you want to keep Secure Boot functioning.
No.

Afaik if a vendor doesn't publish new firmware and if the vendor doesn't supply a new KEK signed with the vendor's PK, then one can't update the Secure Boot system after certificates expire.

Just to avoid misunderstandings: Your ZBook G11 doesn't prevent you from installing other OSes, this cert exists; it prevents you from using boot devices with their own firmware needed for boot.
 

My Computer (at a glance): OS: W10

The revoke step is not mandatory in the update script. If I forced a revocation, some users would be afraid to run it (not kidding).
Re-run the script with the "-Revoke" flag, and you'll be done.
Okay "not mandatory." Does that mean that since I've successfully run your scripts on both my PCs, I can just wait for Microsoft to remove the old certs via an update sometime later this year and not bother running the -Revoke step sooner?
 

My Computers (at a glance):
  • OS: Windows 11 Pro 25H2; Computer type: Laptop; Manufacturer/Model: Lenovo T490 (2020 Hardware); CPU: i7-8565U; Motherboard: 20N20028US; Memory: 16GB; Graphics Card(s): Intel UHD Graphics 620; Sound Card: Realtec Audio; Monitor(s) Displays: ASUS VE248; Screen Resolution: 1920 X 1080; Hard Drives: Samsung SSD 970 PRO 512GB NVMe; Internet Speed: Frontier fiber 1GB; Browser: Chrome, Firefox, Edge; Antivirus: Norton 360 Deluxe Plus; Other Info: Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • OS: Windows 11 Pro 25H2; Computer type: PC/Desktop; Manufacturer/Model: Lenovo ThinkCentre M83 (2014 Hardware); CPU: i7-4770 (with SSE4.2, and POPCNT); Motherboard: 10AL000GUS; Memory: 16GB; Graphics card(s): Intel HD Graphics 4600; Sound Card: Realtec High Definition Audio; Monitor(s) Displays: ASUS VE248; Screen Resolution: 1920 X 1080; Hard Drives: Samsung SSD 860 PRO 1TB SATA; Internet Speed: Frontier fiber 1GB; Browser: Chrome, Firefox, Edge; Antivirus: Norton 360 Deluxe Plus; Other Info: Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.

Okay "not mandatory." Does that mean that since I've successfully run your scripts on both my PCs, I can just wait for Microsoft to remove the old certs via an update sometime later this year and not bother running the -Revoke step sooner?
MS will start the mandatory revocations in the second half of 2026. One of the Secure Boot docs states that MS will provide at least 6 months notice before a date is selected. You're free to wait for their timetable when it gets finally announced.

It'll probably be another gradual rollout, where different PCs get picked at random until they're done with everyone.

Under the UEFI cert model, you don't remove any banned certs. They continue to exist where they were before in the DB, but are also represented in DBX simultaneously.

The security model works like a math equation:
(empty set) + [list of DB certs] - [list of DBX certs] = [list of allowed certs]
 

My Computer (at a glance): OS: Windows 7

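The manual check asked for earlier in the thread ("is that certificate installed or not?"), built on the DB minus DBX rule above: walk the raw KEK, db and dbx variables as EFI_SIGNATURE_LIST structures and report which 2023 certificates are present and whether a db entry is cancelled out by dbx. This is an added example, not garlin's script or Check-UEFI.bat; it assumes an elevated PowerShell on Windows with the built-in Get-SecureBootUEFI cmdlet, and the function names are my own.

```powershell
# Added example (not garlin's script): walk the raw UEFI db/dbx/KEK variables as EFI_SIGNATURE_LIST
# structures and apply the thread's rule "DB minus DBX = allowed certs". Assumes an elevated
# PowerShell on Windows (Get-SecureBootUEFI is the built-in cmdlet); function names are mine.
# EFI_SIGNATURE_LIST layout (UEFI spec, "Signature Database"):
#   SignatureType (GUID,16) | SignatureListSize (u32) | SignatureHeaderSize (u32) |
#   SignatureSize (u32) | SignatureHeader[] | EFI_SIGNATURE_DATA[] = SignatureOwner GUID + data
$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureEntries {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $listEnd  = $offset + $listSize
        # Stop on a truncated or self-inconsistent list instead of reading past it or looping forever.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $listEnd -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $listEnd) {
            $owner = [guid]::new([byte[]]($Bytes[$pos..($pos + 15)]))
            $data  = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            if ($type -eq $EfiCertX509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Owner = $owner; Name = $cert.GetNameInfo('SimpleName', $false); Thumbprint = $cert.Thumbprint }
            } elseif ($type -eq $EfiCertSha256Guid) {   # SHA-256 hash entries carry no thumbprint
                [pscustomobject]@{ Kind = 'SHA256'; Owner = $owner; Name = ([BitConverter]::ToString($data) -replace '-', ''); Thumbprint = $null }
            } else {
                [pscustomobject]@{ Kind = "Other ($type)"; Owner = $owner; Name = "$($data.Length) bytes"; Thumbprint = $null }
            }
            $pos += $sigSize
        }
        $offset = $listEnd
    }
}

function Get-EffectiveSecureBootCerts {
    # A cert listed in both db and dbx is still physically in db, but the firmware treats it as revoked.
    $db  = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes  | Where-Object Kind -eq 'X509')
    $dbx = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes | Where-Object Kind -eq 'X509')
    foreach ($e in $db) {
        $state = if ($dbx.Thumbprint -contains $e.Thumbprint) { 'REVOKED (in db and dbx)' } else { 'ALLOWED' }
        [pscustomobject]@{ Certificate = $e.Name; Thumbprint = $e.Thumbprint; State = $state }
    }
}

function Test-Ca2023Certs {
    # Manual answer to "is that certificate installed?": the 2023 KEK must be in KEK and the 2023 CAs in db
    # without a dbx entry. Whether a MISSING Option ROM CA matters is machine-specific (see the HP discussion).
    $kek = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name KEK).Bytes | Where-Object Kind -eq 'X509')
    $db  = @(Get-EffectiveSecureBootCerts)
    $wanted = @(@{ Var = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
                @{ Var = 'db';  Name = 'Windows UEFI CA 2023' },
                @{ Var = 'db';  Name = 'Microsoft UEFI CA 2023' },
                @{ Var = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' })
    foreach ($w in $wanted) {
        if ($w.Var -eq 'KEK') { $hit = @($kek | Where-Object Name -eq $w.Name) } else { $hit = @($db | Where-Object Certificate -eq $w.Name) }
        $state = if (-not $hit) { 'MISSING' } elseif ($w.Var -eq 'KEK') { 'PRESENT' } else { $hit[0].State }
        [pscustomobject]@{ Variable = $w.Var; Certificate = $w.Name; State = $state }
    }
}

Test-Ca2023Certs | Format-Table -AutoSize
# Raw view of any variable, e.g. dbx including its hash entries:
# Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes | Format-Table Kind, Name
```

Get-SecureBootUEFI fails on a machine where the firmware does not expose the variables (or from a non-elevated prompt), which is itself a useful signal when a "problem" BIOS is suspected.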
Afaik if a vendor doesn't publish new firmware and if the vendor doesn't supply a new KEK signed with the vendor's PK, then one can't update the Secure Boot system after certificates expire.
That's the whole reason behind the Windows OEM Devices PK (and other EDK2 binary files that MS provides on their GitHub).

Assuming your BIOS is functional (and not brain dead because of your vendor's stupid design), you can enter Setup Mode and replace the default vendor PK with the "generic" Windows OEM PK. Obviously since the PK re-signs the KEK, MS also provides you with a corresponding CA 2011 and CA 2023 KEK to drop in.

The Windows OEM Devices PK was first proposed as a solution to the dreaded AMI Test/Do Not Ship PK fiasco.
GitHub - CERTCC/PKfail: Mitigations & detection tools for VU#455367

A Mosby-like tool could be written to use the EDK2 files that MS provided, instead of creating a custom PK. I'm not going into the politics of that privacy discussion, other than that it's technically feasible. The drawback is MS now owns both the PK and the KEK (if you install it), instead of separating those ownerships into different parties.

Windows OEM PK to me looks like a reasonable compromise for orphaned PCs. But it can't be used in a number of cases because your legacy BIOS is flat broken or not a mature product compared to later generations of BIOSes.
 

My Computer (at a glance): OS: Windows 7

Last sarcasm for the day: HP SureStop.
 

My Computer (at a glance): OS: Windows 7

MS will start the mandatory revocations in the second half of 2026. One of the Secure Boot docs states that MS will provide at least 6 months notice before a date is selected. You're free to wait for their timetable when it gets finally announced.

It'll probably be another gradual rollout, where different PCs get picked at random until they're done with everyone.

Under the UEFI cert model, you don't remove any banned certs. They continue to exist where they were before in the DB, but are also represented in DBX simultaneously.

The security model works like a math equation:
(empty set) + [list of DB certs] - [list of DBX certs] = [list of allowed certs]
Looks like the gradual rollout has started for some users:

 

My Computers (at a glance): Lenovo T490 (Windows 11 Pro 25H2, Laptop); Lenovo ThinkCentre M83 (Windows 11 Pro 25H2, PC/Desktop)

Assuming your BIOS is functional (and not brain dead because of your vendor's stupid design), you can enter Setup Mode and replace the default vendor PK with the "generic" Windows OEM PK. Obviously since the PK re-signs the KEK, MS also provides you with a corresponding CA 2011 and CA 2023 KEK to drop in.
You might as well take the certs from a newer machine from the same manufacturer (if the machine gives access to import certificates). Tried this for an old Haswell MSI board and it worked, too. (Updating the KEK with the stock PK in place with the normal MS/Windows procedure didn't work.)
 

My Computer (at a glance): OS: W10

Tried updating after checking; this is what I got. I really don't know how to finish or what to do.
2023bios.webp
 

My Computer (at a glance): OS: windows 11; Computer type: PC/Desktop; Manufacturer/Model: Antec/Case; CPU: Intel i5-10600kf; Motherboard: GIGABYTE Z590 UD AC; Memory: 32gb corsair vengerance pro; Graphics Card(s): AMD RX 6500XT; Sound Card: onboard; Monitor(s) Displays: 40" Hisense; Hard Drives: Samsung 850, Samsung 870, Seagate 2TB; PSU: EVGA GQ 750

Tried updating after checking; this is what I got. I really don't know how to finish or what to do.
Can you run the check script, with the "-Verbose" option added to the command line? I suspect you don't have a KEK CA 2023 written (which is why the boot manager isn't supported). If you have Secure Boot currently enabled, shut down Windows and temporarily disable Secure Boot so you can continue booting Windows for now.

You have a BIOS that is unsupported for automatic updates. While you're looking in the BIOS, find the UEFI setup menu and see if this BIOS supports manual key enrollment. If it does, check if there's a KEK category and select load key from a file. The script should have copied a cert file to the EFI, and you can scroll through the different disk devices and look for an "\EFI\Certs" folder. Load the KEK CA 2023 file from inside the folder.

If you don't have what looks like a manual KEK option, search for a Setup Mode option.
 

My Computer (at a glance): OS: Windows 7

Can you run the check script, with the "-Verbose" option added to the command line? I suspect you don't have a KEK CA 2023 written (which is why the boot manager isn't supported). If you have Secure Boot currently enabled, shut down Windows and temporarily disable Secure Boot so you can continue booting Windows for now.

You have a BIOS that is unsupported for automatic updates. While you're looking in the BIOS, find the UEFI setup menu and see if this BIOS supports manual key enrollment. If it does, check if there's a KEK category and select load key from a file. The script should have copied a cert file to the EFI, and you can scroll through the different disk devices and look for an "\EFI\Certs" folder. Load the KEK CA 2023 file from inside the folder.

If you don't have what looks like a manual KEK option, search for a Setup Mode option.
If that is one of those .ps1 files, no, I was not able to run any of those.
 

My Computer (at a glance): OS: windows 11; Computer type: PC/Desktop; Motherboard: GIGABYTE Z590 UD AC

How did you get the report output from above? Did you run the batch file instead?

For the batch file:
Code:
Check-UEFI.bat -Verbose
 

My Computer (at a glance): OS: Windows 7

If that is one of those ps1 files no I was not able to run any of those

Most batch files now need to be unblocked (right click).
Some systems won't allow .ps1 scripts. Try the following in PowerShell before you run the .ps1:

Run in terminal as admin:
Set-ExecutionPolicy Unrestricted

I had to do this to run those scripts.
 

My Computers (at a glance):
  • OS: Windows 11 Pro 25H2 Build 26200.8655; Computer type: PC/Desktop; Manufacturer/Model: Sin-built 2013; CPU: Intel(R) Core(TM) i7-4770K CPU @ 3.50GHz; Motherboard: ASUS ROG Maximus VI Formula; Memory: 32.0 GB; Graphics Card(s): Gigabyte nVidia GeForce GTX 1660 Super OC 6GB; Hard Drives: OS on Samsung 1TB 870 QVO SATA; PSU: Silverstone 1500; Antivirus: Kaspersky Premium
  • OS: Windows 11 Pro 25H2 Build 26200.8655 (Wifes); Computer type: Laptop; Manufacturer/Model: LENOVO Yoga 7 14IRL8 - Type 82YL; CPU: 13th Generation Intel® Core™ i5-1340P; Memory: 16GB LPDDR5-5200; Graphics: 1x Intel® Iris® Xe Graphics; Hard Drives: M.2 512 GB SSD PCIe; Antivirus: Defender / Malwarebytes
  • OS: Windows 11 Pro 25H2 Build 26200.8655 (Wifes); Manufacturer/Model: Yoga 7 2-in-1 14IML9 - Type 83DJ; CPU: Intel® Core™ Ultra 7 155H; Memory: 32GB LPD5X-7467; Hard Drive: 1 TB SSD PCIe; Graphics: Intel® Arc™ Graphics