Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

garlin · Apr 9, 2026

neldog said:
Here are my results with the "updated script", I don't get the "Windows Hello PIN" part. I guess that is because I don't have that activated on my computer.

The newest version of the script checks for Windows Hello users. When the Setup Mode is required for updating certs, the TPM gets worried that something bad happened and invalidates the PIN that's securely saved.

You could be unintentionally locked out from Windows if you only had the PIN option. So it's better to highlight those situations where PIN users need to exercise caution by disabling the PIN first. The same principle applies to BitLocker protection, TPM can invalidate the saved key and ask you for a recovery key on USB, or entering the recovery password. We want to avoid causing harm whenever possible.

cool59 · Apr 9, 2026

Hello!

When I decided to enter the BIOS to update the certificates, I disabled the Windows Hello pin because I had read something that warned about this issue.
So I only had the password to log into the PC.
After the updates, when I wanted to reactivate the PIN... I couldn't do it at all.
The problem was solved with a backup I had made a few days before when the PIN was activated.
As soon as it finished, the PIN returned (the same as before).

neldog · Apr 9, 2026

garlin said:
The newest version of the script checks for Windows Hello users. When the Setup Mode is required for updating certs, the TPM gets worried that something bad happened and invalidates the PIN that's securely saved.

You could be unintentionally locked out from Windows if you only had the PIN option. So it's better to highlight those situations where PIN users need to exercise caution by disabling the PIN first. The same principle applies to BitLocker protection, TPM can invalidate the saved key and ask you for a recovery key on USB, or entering the recovery password. We want to avoid causing harm whenever possible.

That's a great idea - no telling how many people you may save from having a huge headache.

garlin · Apr 9, 2026

UPDATE: The Secure Boot folks have confirmed to me, that someone will be assigned to fix the Get-SecureBootSVN bug. Let's hope it arrives in the May or June monthly update cycle.

JamesSmith · Apr 9, 2026

garlin said:
UPDATE: The Secure Boot folks have confirmed to me, that someone will be assigned to fix the Get-SecureBootSVN bug. Let's hope it arrives in the May or June monthly update cycle.

Is there anything you can't do?!
Amazing work.

Phirevixen · Apr 10, 2026

neldog said:
Here are my results with the "updated script", I don't get the "Windows Hello PIN" part. I guess that is because I don't have that activated on my computer.

View attachment 168219

I got the Windows Hello Pin activated, but my output doesn't show it either. Mine looks exactly like yours.

garlin · Apr 10, 2026

Phirevixen said:
I got the Windows Hello Pin activated, but my output doesn't show it either. Mine looks exactly like yours.

Can you run these commands from PowerShell (as Admin)? It should return the number of PIN users.

Code:

$NGC_Credential_Provider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}'
((Get-ChildItem -Path $NGC_Credential_Provider) | where { (Get-ItemProperty $_.PSPath).LogonCredsAvailable -eq 1 }).Count

Phirevixen · Apr 10, 2026

garlin said:
Can you run these commands from PowerShell (as Admin)? It should return the number of PIN users.

Code:

$NGC_Credential_Provider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}' ((Get-ChildItem -Path $NGC_Credential_Provider) | where { (Get-ItemProperty $_.PSPath).LogonCredsAvailable -eq 1 }).Count

garlin · Apr 10, 2026

Well, you don't have this version I'm working on.

I might end up hiding the Windows Hello status because it only matters if you're about to delete keys. Adding certs doesn't trigger a bad response from the TPM. The final goal is to remind users to turn off PIN's when necessary.

Phirevixen · Apr 10, 2026

garlin said:
Well, you don't have this version I'm working on.

I might end up hiding the Windows Hello status because it only matters if you're about to delete keys. Adding certs doesn't trigger a bad response from the TPM. The final goal is to remind users to turn off PIN's when necessary.

GunnzAkimbo · Apr 10, 2026

hmmmmmm umm!!!
Previous posts back i did the deleting of ALL SB files in bios and entered secure boot setup mode then used the older script to check then update, completely oblivious to the fact i had windows hello pin enabled... WHAT???!!!

It all worked fine though, but what i did was used the built in admin account that doesn't use my microsoft account, just local password for the entire process until it was all updated.
THEN i logged into my MS user account.

So now i run your new check and eek!

I must of avoided the windows hello part somehow??? i dunno. Weird.
What ya think happened?

------------------------------------------------------------------------

PS D:\AdminTools\CheckCA2023> .\Check_UEFI-CA2023.ps1
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF
Windows Hello PIN: ON

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

t2s50 · Apr 10, 2026

Just for your information: W10 ESU, Powershell 7.4.14 LTS gives a small error in the beginning and displays Bitlocker state of all drives (possibly since it can't determine the system drive):

Powershell 7.4.14 LTS is installed parallely to the standard Powershell 5.1 where the script works without error message and only gives Bitlocker state of drive C:

Thanks for your work!

garlin · Apr 10, 2026

GunnzAkimbo said:
hmmmmmm umm!!!
Previous posts back i did the deleting of ALL SB files in bios and entered secure boot setup mode then used the older script to check then update, completely oblivious to the fact i had windows hello pin enabled... WHAT???!!!

It all worked fine though, but what i did was used the built in admin account that doesn't use my microsoft account, just local password for the entire process until it was all updated.
THEN i logged into my MS user account.

So now i run your new check and eek!

I must of avoided the windows hello part somehow??? i dunno. Weird.
What ya think happened?

Windows Hello is unrelated to the Secure Boot update process. But if you have to do something drastic like enter Setup mode (because you have an unsupported BIOS), TPM will cancel your PIN. And that's bad news.

Not everyone will end up needing to do Setup mode. You shouldn't jump to that solution, until after you've confirmed that manual KEK enrollment doesn't work for you. Always try the least intrusive solution first before going to Setup mode.

Windows Hello didn't enter the picture because nobody else mentioned it before. It's like disabling BitLocker, if you didn't have a fallback strategy then it gets ugly when TPM stops trusting itself.

garlin · Apr 10, 2026

t2s50 said:
Just for your information: W10 ESU, Powershell 7.4.14 LTS gives a small error in the beginning and displays Bitlocker state of all drives (possibly since it can't determine the system drive):

Thanks, I had two stragglers for Get-WmiObject.

Change line 1177 on your script from:

Code:

SystemDrive = (Get-WmiObject Win32_OperatingSystem).SystemDrive

to:

Code:

SystemDrive = (Get-CimInstance -ClassName Win32_OperatingSystem).SystemDrive

t2s50 · Apr 10, 2026

Thank you!

Changing line 1177 to

Code:

$SystemDrive = (Get-CimInstance -ClassName Win32_OperatingSystem).SystemDrive

worked for me. Now both PS versions (5.1. and 7.4.14) have the same output.

neldog · Apr 10, 2026

garlin said:
Can you run these commands from PowerShell (as Admin)? It should return the number of PIN users.

Code:

$NGC_Credential_Provider = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{D6886603-9D2F-4EB2-B667-1971041FA96B}' ((Get-ChildItem -Path $NGC_Credential_Provider) | where { (Get-ItemProperty $_.PSPath).LogonCredsAvailable -eq 1 }).Count

That did show 0 for me.

Forestlander · Apr 10, 2026

@garlin
Firstly, thanks for your effort and time!

Secondly, is there anything that I can do or everything on pictures bellow is fine!?

Also thanks @antspants for advice about updating SkuSiPolicy from this post!

garlin · Apr 10, 2026

neldog said:
That did show 0 for me.

Are you using Windows Hello? If not, it should be 0 (users). Again, it only matters for users who can't do updates other than by using Setup Mode. If you're already updated or you have a supported PC, there's no need to think about Windows Hello.

garlin · Apr 10, 2026

Forestlander said:
@garlin
Firstly, thanks for your effort and time!
Secondly, is there anything that I can do or everything on pictures bellow is fine!?

You're done. It's strange that your DB is missing "Microsoft Corporation UEFI CA 2011".

This cert was only used by Linux (not Windows), but you do have its newer replacement "Microsoft UEFI CA 2023". Most Linux distros (if you ever need to install one) have moved to CA 2023 any way. I wouldn't worry about it, maybe the factory image didn't come with that cert.

Forestlander · Apr 10, 2026

Few weeks ago uninstalled Linux Mint/Fedora from dual boot and deleted everything from SSD so maybe that's the reason...

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Rancho Seldom Siesta

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computers My Computers

At a glance

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

Attachments

My Computer My Computer

At a glance

Well-known member

Attachments

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Member

My Computer My Computer

At a glance

Rancho Seldom Siesta

My Computers My Computers

At a glance

At a glance

New member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

Well-known member

My Computer My Computer

At a glance

New member

My Computer My Computer

At a glance

My Computer

My Computer

My Computers

My Computer

My Computers

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computer

My Computers

My Computer

My Computer

My Computer

My Computer