Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Nebulon Ranger · Mar 10, 2026

garlin said:
The total count of SHA256_GUID signatures can vary, starting from a minimum of 431 (installed by MS) and any non-duplicated factory defaults. In the old days, vendors started out by adding new DBX EFI signatures but that role is now done by MS exclusively.

Yeah, I didn't pay too much attention to that entry in particular, just the first two. -Verbose just outputs it anyway.

Nebulon Ranger · Mar 10, 2026

SaliesBuzz said:
I have set the keys to none in the Microsoft BIOS. It booted with a Red Padlock at the top of the screen.
There is no Bitlocker set, though, the system has a yellow cross against the C: drive which Bitlocker in Windows reports as "waiting for activation"
I have run the update script you posted and it does not run throwing the following errors:
"
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1:664 char:107
+ ... SiPolicy.p7b (for VBS) is missing [OPTIONAL]`n" -f ('{0}.' -f $index+
+ ~
You must provide a value expression following the '+' operator.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Update_UEFI-CA2023.ps1:664 char:107
+ ... SiPolicy.p7b (for VBS) is missing [OPTIONAL]`n" -f ('{0}.' -f $index+
+ ~
Missing closing ')' in expression.
+ CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
+ FullyQualifiedErrorId : ExpectedValueExpression"

Any advice as to what to try next would be much appreciated.
Regards
SaliesBuzz

Run the updated version from this post:

garlin said:
Sorry, that was a typo on line 664.

OldNavy · Mar 10, 2026

I'm trying to run the scripts but the window closes imediately, how do i stop that?

garlin · Mar 10, 2026

OldNavy said:
I'm trying to run the scripts but the window closes imediately, how do i stop that?

Are you clicking on the files from File Explorer? They're only supposed to run from the command line inside an CMD, PowerShell window, or from Terminal.

OldNavy · Mar 10, 2026

running from powershell

OldNavy · Mar 10, 2026

i can get it to work if i use .\

garlin · Mar 10, 2026

For security reasons, PS is picky about a script's filepath. Unlike CMD, it doesn't automatically run a script in your current folder.

You have to add the ".\" (or a full path) to explicitly say, "I know which file I'm running, it's in the current folder". It's to prevent attackers from sneaking a different script with the same name in your PATH variable.

OldNavy · Mar 10, 2026

Cheers, tricky stuff this.
I've done one computer but troubles with another. I'll get there eventually.

JamesSmith · Mar 10, 2026

Just wanted to ask why my output is different to everyone else. This is from a success no updates required. This was check update -verbose

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 487

I am seeing everyone has 437 signatures not 487?

Thanks

garlin · Mar 10, 2026

JamesSmith said:
Just wanted to ask why my output is different to everyone else. This is from a success no updates required. This was check update -verbose

I am seeing everyone has 437 signatures not 487?

The expected minimum count of DBX entries (as of today) is 437.

431 banned EFI signatures + 3 SVN's (from DBXUpdate2024) + 3 SVN's (from DBXUpdateSVN) = 437

SVN's are a special form of EFI signatures, used to hide a SVN version number in the signature. Like the rest of the UEFI security model, you don't delete old entries but keep on appending new ones to replace old entries.

Since your OEM might have a legacy list of EFI signatures (which are probably obsolete after the PCA 2011 gets revoked), the non-duplicated entries are merged into DBX. Which leads to a DBX count of higher than 437. Sometimes the final tally for some firmwares is anywhere from 437 to about 487.

The UEFI industry group is understandably concerned that DBX count keeps on rising, because each new entry eats away from the limited amount of NVRAM memory available to store UEFI data. One day, it might be possible to run out of space on older BIOS chips. The rate of new DBX updates has slowed down, so the DBX count will probably stay stable for a long time (unless a terrible security hole is revealed).

SaliesBuzz · Mar 10, 2026

Nebulon Ranger said:
Run the updated version from this post:

Yes, that ran with no errors, thank you.
In case there are others with old stuff like the Surface Pro 4, the output of Check_UEFI is now:
Windows 11 25H2 (26200.7922)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
Microsoft Corporation Surface Pro 4
Version: 109.3748.768
Date:

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
(NONE)

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 0

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 431

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.30227

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is missing [OPTIONAL].

REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

I ran it without the -revoke switch

For info, the Check UEFI script threw one error that is not written into the log:

You cannot call a method on a null-valued expression.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1146 char:5
+ $BIOS_Date = $BIOS.ReleaseDate.ToString('yyyy-MM-dd')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

I presume this is because the BIOS on my Surface Pro 4 has no date.

In case anyone is wondering why I am using such old kit, it is to do with screen resolution. I am an amateur musician and use this with my Yamaha DGX 670, running Cakewalk and also displaying musical scores. For this you need a High Definition Screen, (at least 1920 x 1080). the tablet I was using is an old Windows 10 machine and cannot , (lack of space), be updated to Windows 11. One struggles to find a Windows Tablet PC with a suitably sized screen that has High Definition. This old Surface Pro has a 2736 x 1824 display that I run at 200% scale and it is pin sharp.
I cannot afford the price of the new Surface kit!

Once again thanks to Garlin and others on this forum. I am sure this will keep many old bits of kit alive and out of the bin during this year of major change for the Secure Boot Certificates
Regards
SaliesBuzz

garlin · Mar 10, 2026

SaliesBuzz said:
For info, the Check UEFI script threw one error that is not written into the log:

You cannot call a method on a null-valued expression.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Check_UEFI-CA2023.ps1:1146 char:5
+ $BIOS_Date = $BIOS.ReleaseDate.ToString('yyyy-MM-dd')
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull

I presume this is because the BIOS on my Surface Pro 4 has no date.

I guess it doesn't. Will put in some error handling in the script.

SaliesBuzz said:
Once again thanks to Garlin and others on this forum. I am sure this will keep many old bits of kit alive and out of the bin during this year of major change for the Secure Boot Certificates
Regards
SaliesBuzz

It's kinda strange that MS won't support the legacy Surfaces. One of the marketing features was that MS encouraged large corporations to write their own Platform Keys for Surface PC's, so the keys wouldn't be under MS or your government's control). They even provided scripted examples of how to do this.

SaliesBuzz · Mar 11, 2026

Hello Again
When I run Check_DBXUpdate.bin on a Nipogi Mini PC that has had Update_UEFI-CA2023 successfully applied I get the following error:
Resolve-Path : Cannot find path 'C:\WINDOWS\System32\SecureBootUpdates' because it does not exist.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Check_DBXUpdate.bin.ps1:547 char:18
+ $Path = (Resolve-Path $item).Path
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\WINDOWS\System32\SecureBootUpdates:String) [Resolve-Path], ItemNotFo
undException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.ResolvePathCommand

Test-Path : Cannot bind argument to parameter 'Path' because it is null.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\Check_DBXUpdate.bin.ps1:549 char:23
+ if (Test-Path $Path -PathType Container) {
+ ~~~~~
+ CategoryInfo : InvalidData: (:) [Test-Path], ParameterBindingValidationException
+ FullyQualifiedErrorId : ParameterArgumentValidationErrorNullNotAllowed,Microsoft.PowerShell.Commands.TestPathCom
mand
I have checked for the presence of the relevant Folder (C:\WINDOWS\System32\SecureBootUpdates) and it is there and contains the following files:

Any ideas what the problem might be?
Regards
SaliesBuzz

garlin · Mar 11, 2026

SaliesBuzz said:
Hello Again
When I run Check_DBXUpdate.bin on a Nipogi Mini PC that has had Update_UEFI-CA2023 successfully applied I get the following error:
Resolve-Path : Cannot find path 'C:\WINDOWS\System32\SecureBootUpdates' because it does not exist.

SaliesBuzz said:
Any ideas what the problem might be?
Regards
SaliesBuzz

Someone else reported the exact same problem, the script can't resolve the path to SecureBootUpdates folder. I could never figure what the problem was, but it was specific to their Windows and nobody else (until you) complained.

Can you try this version of the script? I bypassed the Resolve-Path logic if you're calling the script without arguments.

SaliesBuzz · Mar 11, 2026

garlin said:
Someone else reported the exact same problem, the script can't resolve the path to SecureBootUpdates folder. I could never figure what the problem was, but it was specific to their Windows and nobody else (until you) complained.

Can you try this version of the script? I bypassed the Resolve-Path logic if you're calling the script without arguments.

OK,
I ran the script you posted with:
powershell -ExecutionPolicy Bypass -File "C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\01-Check_DBXUpdate.bin.ps1"
The result still throws a Path error as shown below:

Get-ChildItem : Cannot find path 'C:\WINDOWS\System32\SecureBootUpdates' because it does not exist.
At C:\Buzz\SecureBoot\SecureBoot-CA-2023-Updates\01-Check_DBXUpdate.bin.ps1:519 char:24
+ ... ($File in (Get-ChildItem "$env:SystemRoot\System32\SecureBootUpdates ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (C:\WINDOWS\System32\SecureBootUpdates:String) [Get-ChildItem], ItemNotF
oundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand

C:\WINDOWS\System32\SecureBootUpdates certainly does exist as I showed the contents in my earlier post.

Hope the above is of some help!

garlin · Mar 11, 2026

Can you provide the output of these commands?

Code:

Get-ChildItem "C:\Windows\System32\SecureBootUpdates"
Get-ChildItem "$env:SystemRoot\System32\SecureBootUpdates"
Get-ChildItem "$env:windir\System32\SecureBootUpdates"

dir env:

JamesSmith · Mar 11, 2026

I probably shouldn’t have looked at event viewer I understand all of the entries except for this one. Googling has not helped.

It happens every time I boot windows.

https://imgur.com/a/lMlrMSX

Google says it’s a problem then the next search says it’s nothing to worry about.

garlin · Mar 11, 2026

Measured boot is a Secure Boot auditing feature, which traces each of the UEFI boot and Windows startup steps, and confirms if a signed file was used in every step of the way. There are special CPU registers that get populated with key hashes; and after you're up and running, you can query the registers to extract the list of certs used to validate the boot process.

Event 1046 is used for informational alerts, so that wouldn't be considered an error. Honestly, I don't know how to make the messages disappear.

JamesSmith · Mar 11, 2026

garlin said:
Measured boot is a Secure Boot auditing feature, which traces each of the UEFI boot and Windows startup steps, and confirms if a signed file was used in every step of the way. There are special CPU registers that get populated with key hashes; and after you're up and running, you can query the registers to extract the list of certs used to validate the boot process.

Event 1046 is used for informational alerts, so that wouldn't be considered an error. Honestly, I don't know how to make the messages disappear.

Can I safely ignore this message?

Considering it is deleting a file every time I boot.

Thanks again.

TheVisitor · Mar 11, 2026

I opened the .json file with NotePad++ and this is what I got: Don't know that gives us much info just the test values that garlin pointed out above.

{"Version":1,"HealthStatus":"Attestable","Required":[{"Field":"TpmPresent","Value":true,"DesiredValue":true},{"Field":"TpmMeetsMinimumVersion","Value":true,"DesiredValue":true},{"Field":"TpmIsResponsive","Value":true,"DesiredValue":true},{"Field":"EkCertIsAvailable","Value":true,"DesiredValue":true},{"Field":"TcgLogFound","Value":true,"DesiredValue":true}],"Expected":[{"Field":"PcrsMatchTcgLog","Value":true,"DesiredValue":true}],"Informational":[{"Field":"SecureBootEnabled","ValueFromComputer":true,"ValueFromTcgLog":true,"DesiredValue":true,"TcgValueIsVerifiable":true},{"Field":"VirtualSecureMemory","ValueFromComputer":false,"ValueFromTcgLog":false,"DesiredValue":true,"TcgValueIsVerifiable":true},{"Field":"SecureCorePCCompliant","ValueFromComputer":false,"ValueFromTcgLog":false,"DesiredValue":true,"TcgValueIsVerifiable":true}{"Field":"BootTcgLogFoundInFileSystem","Value":true,"DesiredValue":true},{"Field":"CurrentTcgLogFoundInFileSystem","Value":true,"DesiredValue":true}]}

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Member

My Computer

Member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Member

My Computer

Well-known member

My Computer

Member

My Computer

Well-known member

Attachments

My Computer

Member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer