Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


When you have a Platform Key installed, your OS cannot delete any existing DB or DBX cert as a security measure. It can only add new certs (if properly signed). You can only delete certs by hand from the UEFI setup screens.

If you don't remember removing it, the most likely explanation is your PC shipped that way.
 

Well, I’m using a Samsung Galaxy Book laptop, and before installing Windows 11 Pro (February ISO), I completely cleaned everything via UEFI — including TPM, storage, and Intel CSME (unconfigured and sanitized/purged).
So the SSD was completely clean, with no Samsung recovery partition or any bloatware left.

That’s probably the reason. 🙂
 

Are you using Windows Hello? If not, it should be 0 (users). Again, it only matters for users who can't do updates other than by using Setup Mode. If you're already updated or you have a supported PC, there's no need to think about Windows Hello.

No, not using Hello, so the results I got (0) and that would be correct. Sorry for the confusion. I was trying to say I got a "0" and that would be correct as I do not use Hello. I was not worried about the Hello, I was just letting you know the command worked here. Thank you. :-)
 

As I recall, when I updated all my keys a few months ago and moved to the 2023 cert, the setup did remove my PIN. However, I just used the password to log in and set up the PIN again.
 

Hello everyone, I need help. What do I have to do? I have an Acer Nitro 5 AN517-52 gaming laptop.

Screenshot 2026-04-10 215217.webp
 

Your PC is missing the KEK CA 2023 cert.
Please shut down Windows, and temporarily disable Secure Boot mode in BIOS (so you can boot again).

The last BIOS was Oct. 2022, which is too old. While you're in the BIOS, check if you have a UEFI menu screen with manual key enrollment. There might be an option to load a key file. If you find that option for the KEK key, browse the system disk and check if there's a \EFI\Certs folder with a KEK file inside.

Presuming you don't have a manual key enrollment option, or the import fails, you will need to look for "Custom mode". Select Custom mode, and search for an option to Delete All Keys. This will clear all the keys and your BIOS will be in Setup mode (no certs).

With Secure Boot disabled, boot into Windows. Run the update script; it should recognize you're in Setup Mode and replace all the certs for you. Try the manual key enrollment first, and only pick Custom mode/delete keys as the last option.
 

This is my BIOS menu. I couldn't find anything for key enrollment. The BIOS is in German; I don't know if you can still read everything there.

Bios.webp
 

BIOS in English

17758563475924646602900067485645.webp
 

Thanks. --> "Erase all Secure Boot Setting". It should change Secure Boot Mode from "Standard" to "Custom".

Before you erase the certs, please check if you are using a Hello PIN for Windows logon. The PIN will stop working, so you should disable the PIN in Windows before wiping the certs. If you don't use Hello PIN, then erase now.

Boot into Windows, and run the update script.
 

What do I need to do?

Screenshot 2026-04-10 234010.webp
 

And now?

Screenshot 2026-04-10 234613.webp
 

Run the check script, you should have:
- 2 KEK certs
- 5 DB certs
- 0 DBX certs (not revoked yet)
 

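An added example, not part of the thread and not garlin's check script: one way to reproduce the KEK/DB/DBX cert counts mentioned above by parsing the EFI signature lists that `Get-SecureBootUEFI` returns. The function name `Get-EfiSignatureEntry` is hypothetical, and the code assumes an elevated PowerShell prompt on a UEFI system.

```powershell
# Added example: count the X.509 certs in the Secure Boot KEK, db and dbx variables.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiSignatureEntry {   # hypothetical helper name
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, signature size
        $type     = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $pos + $listSize -gt $Bytes.Length) {
            throw "Malformed signature list at offset $pos"
        }
        $end = $pos + $listSize
        for ($sig = $pos + 28 + $hdrSize; $sig + $sigSize -le $end; $sig += $sigSize) {
            # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the payload
            $data = [byte[]]$Bytes[($sig + 16)..($sig + $sigSize - 1)]
            $isCert = ($type -eq $X509Guid)
            $subject = if ($isCert) {
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data).Subject
            } else { $null }   # e.g. SHA-256 hash entries in dbx
            [pscustomobject]@{ IsCert = $isCert; Subject = $subject }
        }
        $pos = $end
    }
}

foreach ($name in 'KEK', 'db', 'dbx') {
    # An undefined variable (such as an empty dbx after a key reset) raises an error
    try   { $bytes = (Get-SecureBootUEFI -Name $name -ErrorAction Stop).Bytes }
    catch { '{0}: not readable ({1})' -f $name, $_.Exception.Message; continue }
    if (-not $bytes) { '{0}: empty' -f $name; continue }

    $certs = @(Get-EfiSignatureEntry -Bytes $bytes | Where-Object IsCert)
    '{0}: {1} X.509 cert(s)' -f $name, $certs.Count
    $certs | ForEach-Object { '    ' + $_.Subject }
}
```

The subject lines show which CA 2011 and CA 2023 certs are enrolled in each variable; a cert listed under dbx is one that has been revoked.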
So I checked it

Screenshot 2026-04-10 235137.webp
 

I'm not sure why the SVN parsing is broken for your UEFI. But you've added all the CA 2023 certs, and you can revoke the PCA 2011 cert now or wait for Windows later this summer.

If you want to revoke now, you can re-run the update script:
Code:
Update_UEFI-CA2023.ps1 -Revoke
 

I'm not sure why the SVN parsing is broken for your UEFI. But you've added all the CA 2023 certs, and you can revoke the PCA 2011 cert now or wait for Windows later this summer.

If you want to revoke now, you can re-run the update script:
Code:
Update_UEFI-CA2023.ps1 -Revoke
Will this cause me any problems? Or am I still protected? And can I reactivate Secure Boot now?
 

Revoking PCA 2011 now means you need to check all bootable USB drives (like a Windows ISO or recovery drive), and replace the boot files. Otherwise they may still have the banned CA 2011 version and not CA 2023.

The worst case if you didn't update them is to temporarily disable Secure Boot and use the untouched drives. When you're finished, switch Secure Boot back on. Or replace the boot files when you have time.

The script can replace the boot file on any removable USB media.
Code:
Update_UEFI-CA2023.ps1 -BootMedia

It should be safe to re-enable Secure Boot.
 

Okay, maybe I'll do that later with the boot files. Could you tell me if everything is okay here? It says updated, but what about the other registry entries?

Screenshot 2026-04-11 002832.webp
 

Okay, maybe I'll do that later with the boot files. Could you tell me if everything is okay here? It says updated, but what about the other registry entries?
Trust the check script's report, instead of trying to decode the reg key details.
Most of the error data is because Windows's Secure Boot task failed in its attempt to update your unsupported BIOS.

ConfidenceLevel - MS hasn't found enough users with your exact motherboard/model & BIOS version to decide if updates will be successful. If you don't own a more popular PC model, there may not be enough data samples collected to reach a good confidence level.

KEKLastUpdateError - Secure Boot task cannot perform a manual KEK enrollment or reset into Setup Mode. Therefore it failed.

KEKLastUpdateErrorReason - Acer never signed a KEK CA 2023 for this model. You must use the Windows OEM Devices PK set of certs as a replacement.
 
Trust the check script's report, instead of trying to decode the reg key details.
Most of the error data is because Windows's Secure Boot task failed in its attempt to update your unsupported BIOS.

ConfidenceLevel - MS hasn't found enough users with your exact motherboard/model & BIOS version to decide if updates will be successful. If you don't own a more popular PC model, there may not be enough data samples collected to reach a good confidence level.

KEKLastUpdateError - Secure Boot task cannot perform a manual KEK enrollment or reset into Setup Mode. Therefore it failed.

KEKLastUpdateErrorReason - Acer never signed a KEK CA 2023 for this model. You must use the Windows OEM Devices PK set of certs as a replacement.
Thanks for your help.
 

The script can replace the boot file on any removable USB media.
Code:
Update_UEFI-CA2023.ps1 -BootMedia
Is this still limited to things like Windows recovery disks, etc.? I believe you mentioned in the past that it can't deal with non-standard boot disks that have their files in other locations?
 
