Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

And I got this now after today's Windows updates:

Phirevixen said:

And I got this now after today's Windows updates:

View attachment 168845

Click to expand...

What about when you run the CheckUEFI script?

JamesSmith said:

What about when you run the CheckUEFI script?

Click to expand...

Looks like this:


Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF
Windows Hello PIN: ON

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

I am confused because yesterday all was good and now I have no idea what is going on. Maybe its throwing up this error because when I run Get-SecurebootSVN I get firmwareSVN 2.0 instead of the latest. I am pretty sure I revoked the PCA 2011 cert previously.

or maybe the new windows update is not compatible with the script garlin wrote. I do have the green tick with no more certificate changes are needed .

I feel we are at the point now where you can just check in device security to see if secure boot is at the point you need to be.

JamesSmith said:

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011


Windows BootMgr SVN 7.0
EFI_CERT_SHA256_GUID Signatures: 438

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is WRONG VERSION.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.13

Click to expand...

JamesSmith said:

PS C:\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f .\Check_DBXUpdate.bin.ps1
SUCCESS: Matched 278/278 EFI signatures from "dbxupdate.bin"
No EFI_CERT_SHA256 signatures in C:\WINDOWS\System32\SecureBootUpdates\DBXUpdate2024.bin
No EFI_CERT_SHA256 signatures in C:\WINDOWS\System32\SecureBootUpdates\DBXUpdate2024Legacy.bin
SUCCESS: Matched 278/278 EFI signatures from "dbxupdateLegacy.bin"
FAILED: Missing 1/3 SVN signatures from "DBXUpdateSVN.bin"
FAILED: Missing 1/3 SVN signatures from "DBXUpdateSVNLegacy.bin"

Click to expand...

. Why did they bother renaming the files?

You should be able to run "Update_UEFI-CA2023.ps1 -Revoke -SkuSiPolicy", and it should force SVN 8 and a newer SkuSiPolicy.

JamesSmith said:

I am confused because yesterday all was good and now I have no idea what is going on. Maybe its throwing up this error because when I run Get-SecurebootSVN I get firmwareSVN 2.0 instead of the latest. I am pretty sure I revoked the PCA 2011 cert previously.

or maybe the new windows update is not compatible with the script garlin wrote. I do have the green tick with no more certificate changes are needed .

Click to expand...

You'll continue to see Get-SecureBootSVN = 2.0 until the Windows bug fix is pushed. There's a train schedule which runs on time for Monthly Updates. If you don't catch a train with your code change, you must wait for the next one.

garlin said:

You'll continue to see Get-SecureBootSVN = 2.0 until the Windows bug fix is pushed. There's a train schedule which runs on time for Monthly Updates. If you don't catch a train with your code change, you must wait for the next one.

Click to expand...

I am about to run the command you said in your earlier post and see what happens. Will this happen every time MS changes something?

garlin said:

. Why did they bother renaming the files?

You should be able to run "Update_UEFI-CA2023.ps1 -Revoke -SkuSiPolicy", and it should force SVN 8 and a newer SkuSiPolicy.

Click to expand...

PS C:\SecureBoot-CA-2023-Updates> powershell -nop -ep bypass -f .\Check_UEFI-CA2023.ps1 -Verbose -Audit
Windows 11 25H2 (26200.8246)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
LENOVO 20VD
Version: F8CN59WW(V2.22)
Date: 2024-06-14

Factory Default UEFI PK Cert
----------------------------
Ideapad Products

UEFI PK Cert
------------
Ideapad Products

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Compal_Test
F8V350-ITL

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Compal_Test
F8V350-ITL

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 33

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 439

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.14


AUDIT REPORT
============


STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.



All good now?

garlin said:

Why did they bother renaming the files?

Click to expand...

Here is before and after the update today.

garlin said:

You should be able to run "Update_UEFI-CA2023.ps1 -Revoke -SkuSiPolicy", and it should force SVN 8 and a newer SkuSiPolicy.

Click to expand...

That did the trick, thanks.

JamesSmith said:

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 439

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.14

Click to expand...

All good.

As for the DBX update checks, I'll have to investigate. No idea why MS decided to make changes to the filenames. I would have expected them to just push a newer version of the existing files in place, unless there's some unexplained reason why "Legacy" needs to be separated out.

garlin said:

All good.

As for the DBX update checks, I'll have to investigate. No idea why MS decided to make changes to the filenames. I would have expected them to just push a newer version of the existing files in place, unless there's some unexplained reason why "Legacy" needs to be separated out.

Click to expand...

Is Check_DBXUpdate.bin.ps1 showing the correct output?

Scott said:

That did the trick, thanks.

Click to expand...

I planned ahead in writing the update script, and expected the SVN and SkuSiPolicy file to change over time.

MS is weird in shipping the 26H1 version of the boot file (28000.322), when everyone's on 24H2/25H2 (26100, 26200). Now the boot file is kept on the EFI partition so there's no requirement its version (28000) needs to match Windows (26?00). A higher build number is normally acceptable.

What's exceptional is that 26H1 is considered a dead-end for this year. When 26H2 arrives, it will be 26300 and 26H1 users can't update to 26H2. Instead they'll probably have to wait until 2027 before they can rejoin the main Windows branch. Given that case, it's strange that 26H2 will end up with a 26H1 boot file (while waiting for 2027).

Now that my taxes are filed, I can sit and update to April 2026 and join the fun.

JamesSmith said:

Is Check_DBXUpdate.bin.ps1 showing the correct output?

Click to expand...

Should be correct, but I'm waiting to install April 2026 so I can see what's been modified.

garlin said:

Should be correct, but I'm waiting to install April 2026 so I can see what's been modified.

Click to expand...

First of all thank you for all of the hard work and prompt responses.

I was hoping this would be a once and done situation. But it seems the SkuSiPolicy needs constant updating along with the Windows boot manager and other things. I guess what I’m saying is when can we just forget this? Or will we be required to check every month for things to be updated?

I believe the Secure Boot scheduled task will be handling future updates to SVN and SkuSiPolicy.

So after you've installed KEK CA 2023 and live in a post-CA 2011 world, all that would change over time is the boot manager, SVN and SkuSiPolicy files. For security reasons, those three will be locked in step with each other.

A check script might still be handy, to confirm if your updates are being applied.

There is no set schedule for revising those files, it happens as the boot file gets replaced for security or Windows bugs. MS doesn't want a mixed bag where some PC's have a much older (and insecure) boot file compared to another PC.

Where the update script would remain helpful is updating the boot files on your USB drives, since the Secure Boot task doesn't care about them.

hvoqasimo said:

I would like to share the outcome of the following script running with you:everything looks good.

powershell -nop -ep bypass -f "C:\temp\SecureBoot-CA-2023-Updates\Check_DBXUpdate.bin.ps1”
SUCCESS: Matched 431/431 EFI signatures from "dbxupdate.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdate2024.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdateSVN.bin"

Click to expand...

View attachment 168870

hvoqasimo said:

I would like to share the outcome of the following script running with you:everything looks good.

powershell -nop -ep bypass -f "C:\temp\SecureBoot-CA-2023-Updates\Check_DBXUpdate.bin.ps1”
SUCCESS: Matched 431/431 EFI signatures from "dbxupdate.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdate2024.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdateSVN.bin"

Click to expand...

After the last update to 26200.8246, the following output is available:
Secure Boot is enabled and all certificate updates have been applied. No further certificate changes are required.
Thanks @garlin for support.

KevTech said:

Here is before and after the update today.

View attachment 168855

Click to expand...

Same, just ran that win update.
I might see if garlin does an updated script then clear the keys and run update script again.

I was confused before yesterday's MS updates... now I'm totally flummoxed. Maybe I'll go work in the yard today. I'm getting too old for this sh*t.