Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Is there a reason GIGABYTE is listed 2 times, under "Factory Default UEFI DB Certs" and "UEFI DB Certs"?

One might be for motherboard and the other for notebooks. Here's what my ASUS says:

[screenshot attachment: 1773121319363.webp]
 

> One might be for motherboard and the other for notebooks. Here's what my ASUS says:
Unlike Gigabyte, ASUS has a clue and used the proper labeling on their self-issued certs. 🤷‍♂️
 

> Unlike Gigabyte, ASUS has a clue and used the proper labeling on their self-issued certs. 🤷‍♂️

I was going to wait until 1 week before June to do these keys. I am thankful I have done it now. Garlin you are a legend. Thank you for troubleshooting all of that with me.

Last thing I need to deal with is the revoke part. Based on my output do I need to manually remove any entries or will MS take care of it?
 

MS hasn't announced when they'll begin the mandatory revocation process (most likely it will happen in June or later).

You can wait if you prefer. The major change after revoking is if you have existing USB boot media for Windows install or recovery software, the boot file needs to be replaced with the CA 2023 version.

In the UEFI model, you don't remove banned certs. Instead changes are made by appending new entries. The revoked PCA 2011 continues to exist in the DB variable, but is canceled by simultaneously existing in the DBX. The UEFI's allow list is created by subtracting the DBX entries from the DB list.
 

> MS hasn't announced when they'll begin the mandatory revocation process (most likely it will happen in June or later).
>
> You can wait if you prefer. The major change after revoking is if you have existing USB boot media for Windows install or recovery software, the boot file needs to be replaced with the CA 2023 version.
>
> In the UEFI model, you don't remove banned certs. Instead changes are made by appending new entries. The revoked PCA 2011 continues to exist in the DB variable, but is canceled by simultaneously existing in the DBX. The UEFI's allow list is created by subtracting the DBX entries from the DB list.

So as long as we have the updated certificates then it doesn't matter, is what I am understanding.

I built this computer listed under (my computer) for myself and my father who is 70+ years old. What I am wondering is: is this job done?
Because it is a bit of a trip to fly to my dad's house and do all of this for him. I assume if anything changes you (garlin) will let us know if there are any more steps? But as of 10th of March I can say job done?
 

The check script follows a long list of individual checks, before reporting "SUCCESS: NO UPDATES ARE REQUIRED."

When you see those words, it has checked for everything required before the revocation. Since the deadline for revocation hasn't been announced, the script doesn't make it mandatory that you follow the revocation steps. After a date has been given, I'll probably update the script.

You have the option to revoke CA 2011 now (using the update script's -Revoke option), and test if the system boots. That way you don't need to worry about when MS decides to roll forward, and have to schedule a possible check-in visit. All you need to do is to update the boot files on any bootable USB drives that are used to install Windows, or to run a Macrium-style recovery tool. After that's done, all your bases are covered.

Worst case, you can always temporarily disable Secure Boot mode. You might want to take pictures of the UEFI setup screen, so it's easy to show your dad how to do this in case of emergency.
 

I seem to have a DB cert in my DBX list. Is that worth worrying about?

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0


Code:
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 7.0

EFI Files
---------
    Disk 2: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.
 

I have an old Surface Pro 4 that I have managed to install Windows 11 25H2 on.
The BIOS is the default Microsoft BIOS that will not be updated.
Can I still use the script to update the EFI partition?
There is no option in the BIOS to enter a "Setup" mode.
The only options under Secure Boot Configuration are:
Select a Secure Boot certificate:
Microsoft Only
Microsoft & 3rd party CA
None
Which one should I choose prior to running the update script?
Also the Check script throws the following errors that are not written into the log with the -verbose and -log option:

You cannot call a method on a null-valued expression.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1007 char:9
+ $BIOS_Date = $BIOS.ReleaseDate.ToString('yyyy-MM-dd')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

and:

Get-SecureBootUEFI : Variable is currently undefined: 0xC0000100
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1115 char:62
+ ... gnatures: {1}' -f $Tab4, (Get-SecureBootUEFI -Name dbxDefault | Get-U ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (Microsoft.Secur...BootUefiCommand:GetSecureBootUefiCommand) [G
et-SecureBootUEFI], StatusException
+ FullyQualifiedErrorId : GetFWVarFailed,Microsoft.SecureBoot.Commands.GetSecureBootUefiCommand

Any advice will be gratefully received!

Regards
SaliesBuzz
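The two errors above come from a firmware that defines no dbxDefault variable and reports no BIOS ReleaseDate. As an added example that is not garlin's Check script, this is one way to read those values without letting either condition abort the run; Get-SecureBootUEFI and Get-CimInstance are the real cmdlets, while the list of variable names probed is an assumption about what the script reads.

```powershell
# Added example, not the Check script: read Secure Boot variables that a given firmware may
# not define (dbxDefault on this Surface Pro 4 fails with 0xC0000100) and tolerate a BIOS
# record with no ReleaseDate, instead of letting either condition abort the whole run.
function Get-OptionalUefiVariable {
    param([Parameter(Mandatory)][string]$Name)
    try {
        return (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        # "Variable is currently undefined" is normal for the *Default variables on some firmware.
        Write-Verbose ("UEFI variable '{0}': {1}" -f $Name, $_.Exception.Message)
        return $null
    }
}

function Get-BiosReleaseDate {
    # Win32_BIOS.ReleaseDate is $null when the firmware does not report it; calling
    # .ToString() on it unconditionally is what raised "method on a null-valued expression".
    $bios = Get-CimInstance -ClassName Win32_BIOS
    if ($null -eq $bios.ReleaseDate) { return 'unknown' }
    return $bios.ReleaseDate.ToString('yyyy-MM-dd')
}

$bios = Get-CimInstance -ClassName Win32_BIOS
'BIOS: {0} {1}, released {2}' -f $bios.Manufacturer, $bios.SMBIOSBIOSVersion, (Get-BiosReleaseDate)
# Assumed variable set: PK is absent while the firmware is in Setup Mode, and the
# *Default copies are optional, so every one of them is treated as possibly missing.
foreach ($name in 'PK', 'KEK', 'db', 'dbx', 'dbDefault', 'dbxDefault') {
    $bytes = Get-OptionalUefiVariable -Name $name
    if ($null -eq $bytes) { '{0,-11} not defined by this firmware' -f $name }
    else                  { '{0,-11} {1,7} bytes' -f $name, $bytes.Length }
}
```

Run it with -Verbose (or set $VerbosePreference) to see the underlying error text for each variable that is reported as not defined.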
 

> I seem to have a DB cert in my DBX list. Is that worth worrying about?
>
> UEFI DB Certs
> -------------
> Microsoft Corporation UEFI CA 2011
> Microsoft Windows Production PCA 2011
> Microsoft Option ROM UEFI CA 2023
> Microsoft UEFI CA 2023
> Windows UEFI CA 2023
>
> UEFI DBX Certs
> --------------
> Microsoft Corporation UEFI CA 2011
> Microsoft Windows Production PCA 2011
> Windows BootMgr SVN 7.0
This means you (or someone else like a vendor) has decided to ban the Microsoft UEFI CA 2011, which is used by Linux. Technically that's not required because modern Linux distros use the SBAT file mechanism in place of DBX, and most of them have moved to Microsoft UEFI CA 2023 anyway.
 

> I have an old Surface Pro 4 that I have managed to install Windows 11 25H2 on.
> The BIOS is the default Microsoft BIOS that will not be updated.
From the UEFI menu, you set the Secure Boot keys to "None" or "Delete All Secure Boot keys", in order to enter Setup Mode.

The update script detects Setup Mode and uses the MS GitHub files to replace the Surface PK with Windows OEM Devices PK (also provided by MS). You may need this interim version of the check and update scripts. I haven't officially pushed all the changes back into the official script yet.
 

Attachments

One more question, which I'm posting here since the other thread hasn't seen activity in four months:

According to the secure boot objects repo, DBXupdateSVN.bin should be from early September 2025, yet mine appears to be from July 2025. Will this cause problems come revocation time, and is there a way to get up to date manually (or should I just wait for Windows Update to handle it)?
 

I believe I've successfully done this.
After updating the computer with the latest BIOS (that had the vendor's 2023 certificate), I ran garlin's scripts and got this at the end:

----------------------

.\Check_UEFI-CA2023.ps1 -Audit -Log


Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 1: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 1: SkuSiPolicy.p7b (for VBS) is CURRENT.


AUDIT REPORT
============


STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

Log file saved as "C:\_To Do\_Secure Boot\SecureBoot-CA-2023-Updates\2026-03-10 B660M-HDV Check-UEFI.log"

PS C:\_To Do\_Secure Boot\SecureBoot-CA-2023-Updates>

-------------------

Smooth operation all around.

Thank you very much garlin for your efforts and help.
 

> According to the secure boot objects repo, DBXupdateSVN.bin should be from early September 2025, yet mine appears to be from July 2025. Will this cause problems come revocation time, and is there a way to get up to date manually (or should I just wait for Windows Update to handle it)?
If your Windows has been receiving monthly updates, C:\Windows\System32\SecureBootUpdates will contain the latest versions of the GitHub files. DBXUpdateSVN.bin got bumped in Oct 2025 from SVN 5.0 to 7.0.

My update script has an option to check the MS GitHub for a newer version of both DBXUpdate.bin & DBXUpdateSVN.bin.
Code:
Update_UEFI-CA2023.ps1 -Revoke -Latest

The script doesn't base its check on the file sizes or timestamps; it compares the actual contents and decides if the GitHub files have updates which your current UEFI is missing (431 EFI signature hashes in DBX, and SVN 7.0). If there are no changes, it will skip over them.

You can re-run "-Revoke -Latest" at any time to force a comparison against the GitHub files.

Only DBXUpdate.bin & DBXUpdateSVN.bin are expected to change over time, as the other cert .bin files are static. The Confidence Bucket and KEK databases are for the Secure Boot task's internal use, and don't matter after you've completed all the Secure Boot steps.
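garlin's two points, that the firmware's allow list is DB minus DBX (the revoked PCA 2011 sits in both) and that a "-Latest" style check has to compare contents rather than file sizes or timestamps, as an added PowerShell example that is not garlin's script. The certificate bytes, owner GUID and boot-file hashes are constructed stand-ins; the EFI_SIGNATURE_LIST and EFI_VARIABLE_AUTHENTICATION_2 layouts follow the UEFI specification.

```powershell
# Added example, not garlin's script: parse raw EFI_SIGNATURE_LIST blobs, derive the
# effective allow list as DB minus DBX, and diff an update payload against the current
# DBX by content rather than by file size or timestamp.
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Read-EfiSignatureList {
    # Walks concatenated EFI_SIGNATURE_LISTs: type GUID, three UINT32 sizes, optional
    # header, then SignatureSize-byte entries of owner GUID + signature data.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $entries = New-Object System.Collections.Generic.List[object]
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $pos + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $pos"
        }
        $cur = $pos + 28 + $hdrSize
        $end = $pos + $listSize
        while ($cur + $sigSize -le $end) {
            $data = [byte[]]$Bytes[($cur + 16)..($cur + $sigSize - 1)]
            $entries.Add([pscustomobject]@{
                Type  = $type
                Owner = [guid]::new([byte[]]$Bytes[$cur..($cur + 15)])
                Data  = $data
                Key   = '{0}:{1}' -f $type, [BitConverter]::ToString($data)   # content identity
            })
            $cur += $sigSize
        }
        $pos = $end
    }
    return ,$entries
}

function Skip-AuthenticatedVariableHeader {
    # Signed dbx update payloads begin with EFI_VARIABLE_AUTHENTICATION_2: EFI_TIME (16 bytes)
    # then WIN_CERTIFICATE_UEFI_GUID, whose dwLength covers the whole certificate structure.
    param([byte[]]$Bytes)
    if ($Bytes.Length -ge 24 -and [BitConverter]::ToUInt16($Bytes, 22) -eq 0x0EF1) {  # WIN_CERT_TYPE_EFI_GUID
        $certLen = [int][BitConverter]::ToUInt32($Bytes, 16)
        return ,([byte[]]$Bytes[(16 + $certLen)..($Bytes.Length - 1)])
    }
    return ,$Bytes   # already a bare signature list
}

function New-EfiSignatureList {
    # Test-data builder: one list with a fixed SignatureSize, so every entry must be the same length.
    param([guid]$Type, [guid]$Owner, [object[]]$Datas)
    $sigSize = 16 + $Datas[0].Length
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange($Type.ToByteArray())
    $out.AddRange([BitConverter]::GetBytes([uint32](28 + $Datas.Count * $sigSize)))
    $out.AddRange([BitConverter]::GetBytes([uint32]0))          # SignatureHeaderSize
    $out.AddRange([BitConverter]::GetBytes([uint32]$sigSize))
    foreach ($d in $Datas) { $out.AddRange($Owner.ToByteArray()); $out.AddRange([byte[]]$d) }
    return ,$out.ToArray()
}

function Get-EntriesNotIn {
    # Entries of $Candidates whose (type, data) content does not already appear in $Reference.
    param([byte[]]$Candidates, [byte[]]$Reference)
    $seen = @{}
    foreach ($e in (Read-EfiSignatureList $Reference)) { $seen[$e.Key] = $true }
    foreach ($e in (Read-EfiSignatureList $Candidates)) { if (-not $seen.ContainsKey($e.Key)) { $e } }
}

# Constructed stand-ins, not real certificates or boot-file hashes: real X509 entries hold
# DER certificates and real SHA256 entries hold Authenticode hashes of EFI binaries.
$owner   = [guid]'00000000-0000-0000-0000-0000c0ffee01'
$pca2011 = [Text.Encoding]::ASCII.GetBytes('Microsoft Windows Production PCA 2011'.PadRight(40))
$ca2023  = [Text.Encoding]::ASCII.GetBytes('Windows UEFI CA 2023'.PadRight(40))
$sha256  = [Security.Cryptography.SHA256]::Create()
$h = foreach ($i in 1..3) { ,$sha256.ComputeHash([Text.Encoding]::ASCII.GetBytes("sample-efi-$i")) }
$db     = New-EfiSignatureList -Type $EFI_CERT_X509_GUID   -Owner $owner -Datas @($pca2011, $ca2023)
$dbx    = (New-EfiSignatureList -Type $EFI_CERT_X509_GUID   -Owner $owner -Datas (,$pca2011)) +
          (New-EfiSignatureList -Type $EFI_CERT_SHA256_GUID -Owner $owner -Datas @($h[0], $h[1]))
$update = New-EfiSignatureList -Type $EFI_CERT_SHA256_GUID -Owner $owner -Datas @($h[1], $h[2])
# DB minus DBX: PCA 2011 is still in DB but cancelled by its DBX copy, so only CA 2023 survives.
$allowed = @(Get-EntriesNotIn -Candidates $db -Reference $dbx)
'Effective allow list: {0} DB entries not cancelled by DBX' -f $allowed.Count
$allowed | ForEach-Object { '  X509   ' + [Text.Encoding]::ASCII.GetString($_.Data).Trim() }
# Content comparison: only hashes the current DBX does not already hold count as an update.
$new = @(Get-EntriesNotIn -Candidates (Skip-AuthenticatedVariableHeader $update) -Reference $dbx)
'Update payload carries {0} hash(es) missing from DBX' -f $new.Count
$new | ForEach-Object { '  SHA256 ' + [BitConverter]::ToString($_.Data).Replace('-', '').ToLower() }
```

On a live machine, swap the constructed blobs for (Get-SecureBootUEFI -Name db).Bytes and (Get-SecureBootUEFI -Name dbx).Bytes, and pass a downloaded DBXUpdate*.bin through Skip-AuthenticatedVariableHeader before comparing.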
 

> If your Windows has been receiving monthly updates, C:\Windows\System32\SecureBootUpdates will contain the latest versions of the GitHub files. DBXUpdateSVN.bin got bumped in Oct 2025 from SVN 5.0 to 7.0.
>
> My update script has an option to check the MS GitHub for a newer version of both DBXUpdate.bin & DBXUpdateSVN.bin.
> Code:
> Update_UEFI-CA2023.ps1 -Revoke -Latest
>
> The script doesn't base its check on the file sizes or timestamps; it compares the actual contents and decides if the GitHub files have updates which your current UEFI is missing (431 EFI signature hashes in DBX, and SVN 7.0). If there are no changes, it will skip over them.
>
> You can re-run "-Revoke -Latest" at any time to force a comparison against the GitHub files.
>
> Only DBXUpdate.bin & DBXUpdateSVN.bin are expected to change over time, as the other cert .bin files are static. The Confidence Bucket and KEK databases are for the Secure Boot task's internal use, and don't matter after you've completed all the Secure Boot steps.
powershell -nop -ep bypass -f C:\Users\dark\Downloads\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1 -Revoke -Latest
"dbxupdate.bin" is not a newer version of file.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX

Hm. It's not listing DBXUpdateSVN at all, and confirming DBXUpdate is older (? The wording is a bit confusing here). Though, my DBXUpdate.bin is dated 24 October 2025, so that suggests it's at least recent. I don't use BitLocker, so I just quit out after it asked me for a mount point.

Notably, I have SVN 7.0 listed now that I've run that command, and no more updates required.
 

DBXUpdate.bin = bans specific EFI boot files by adding their unique signature hashes
DBXUpdate2024.bin = adds PCA 2011 to the DBX (revocation), sets SVN initially to 2.0
DBXUpdateSVN.bin = bumps SVN up to 7.0

The BitLocker bug is fixed in the work-in-progress version, scroll back up to post #770.
 

> DBXUpdate.bin = bans specific EFI boot files by adding their unique signature hashes
> DBXUpdate2024.bin = adds PCA 2011 to the DBX (revocation), sets SVN initially to 2.0
> DBXUpdateSVN.bin = bumps SVN up to 7.0
>
> The BitLocker bug is fixed in the work-in-progress version, scroll back up to post #770.
Might have another error in the Update script:

PowerShell 7.5.4
PS C:\Users\dark> powershell -nop -ep bypass -f C:\Users\dark\Downloads\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1 -Revoke -Latest
At C:\Users\dark\Downloads\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1:664 char:107
+ ... SiPolicy.p7b (for VBS) is missing [OPTIONAL]`n" -f ('{0}.' -f $index+
+ ~
You must provide a value expression following the '+' operator.
At C:\Users\dark\Downloads\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1:664 char:107
+ ... SiPolicy.p7b (for VBS) is missing [OPTIONAL]`n" -f ('{0}.' -f $index+
+ ~
Missing closing ')' in expression.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpectedValueExpression

All this being said, my last Windows Update was the February Patch Tuesday update, so I shoooould still be fine? I mean I'm already running the 2023 bootmgr anyway.
 

Sorry, that was a typo on line 664.
 

Attachments

> Sorry, that was a typo on line 664.

No problem, at least it's fixed now. (y)

PS C:\Users\dark> powershell -nop -ep bypass -f C:\Users\dark\Downloads\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1 -Revoke -Latest
"dbxupdate.bin" is not a newer version of file.
"DBXUpdateSVN.bin" is not a newer version of file.

SUCCESS: NO UPDATES ARE REQUIRED.

This looks a lot better; looks like I had the latest SVN bin all along (duh! It added 7.0 to the DBX!). I should be all set, barring any Microsoft weirdness.

For posterity, DBX now looks like this according to the check script:

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 489
 

The total count of SHA256_GUID signatures can vary, starting from a minimum of 431 (installed by MS) and any non-duplicated factory defaults. In the old days, vendors started out by adding new DBX EFI signatures but that role is now done by MS exclusively.
 

> From the UEFI menu, you set the Secure Boot keys to "None" or "Delete All Secure Boot keys", in order to enter Setup Mode.
>
> The update script detects Setup Mode and uses the MS GitHub files to replace the Surface PK with Windows OEM Devices PK (also provided by MS). You may need this interim version of the check and update scripts. I haven't officially pushed all the changes back into the official script yet.
I have set the keys to None in the Microsoft BIOS. It booted with a red padlock at the top of the screen.
There is no BitLocker set, though the system has a yellow cross against the C: drive, which BitLocker in Windows reports as "waiting for activation".
I have run the update script you posted and it does not run, throwing the following errors:
"
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1:664 char:107
+ ... SiPolicy.p7b (for VBS) is missing [OPTIONAL]`n" -f ('{0}.' -f $index+
+ ~
You must provide a value expression following the '+' operator.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1:664 char:107
+ ... SiPolicy.p7b (for VBS) is missing [OPTIONAL]`n" -f ('{0}.' -f $index+
+ ~
Missing closing ')' in expression.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpectedValueExpression"

Any advice as to what to try next would be much appreciated.
Regards
SaliesBuzz
 
