Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


There are two planned phases in the normal CA 2023 migration:

1. CA 2023 certs should be added to Windows. The April 2026 update to Security Center will report Green if you have the CA 2023 certs, but ignores whether or not you have revoked CA 2011.

2. PCA 2011 cert should be revoked. This step is still optional for now. A future version of Security Center will not report Green if you have not complied by revoking PCA 2011.


The update script also breaks the required actions in two parts.

If you don't request to revoke PCA 2011, the script will only add the CA 2023 certs. I do not automatically force a revocation because a number of users are very concerned if the revocation is done at the same time as the CA 2023 updates.

To complete the second part, you can run the "REQUIRED ACTIONS" now, or wait for Windows to finish the job later this summer. The difference is that if you have a bootable Windows ISO or recovery media on USB drives, the outdated boot files on them must also be replaced.
Thank you Garlin... Just to be clear I had previously revoked the 2011 cert. Today I had to do it again. T
 

Hi

I'm using Veeam Agent for Windows free edition on a few older PCs where I do not want to pay for Macrium licences.
On a test Surface Pro 5, I have used the update script with the revoke option and all is done.
Macrium has a knowledge base article that explains how to create boot media with WinRE or WinPE and have the 2023 certificates.

Veeam, free community edition, I cannot find any info on handling 2023 certificates.
When I create a rescue media in Veeam, the resulting USB or ISO always seems stuck with the 2011 certificates.
I have uninstalled Veeam, restarted Windows, and reinstalled it to make sure it's not something stuck in the installation.
Using latest version: 13.0.2.1102.

That's why yesterday I was asking about updating the recovery partition, but as Garlin explained, I do not need to do anything with the recovery partition. Veeam documentation says it uses the recovery partition in building the rescue media.

I can use the update script to fix the USB boot media with no issue, but I can never use the boot media from Veeam directly; it fails to boot because it does not have the 2023 certificates. If I use the check script it reports the bootable media uses "Boot File [Production PCA 2011] is BANNED".

Does anyone have info/guidance on getting Veeam to use the 2023 certificates?

Thanks in advance
 

Thank you Garlin... Just to be clear I had previously revoked the 2011 cert. Today I had to do it again. T
I had the same thing when I checked with the new script. The revoked cert was already in the DBX, but the script message said it needed to be revoked. The only way to get rid of the message from the script was to run the reg command.

Not a problem, just FYI.
 

That's why yesterday I was asking about updating the recovery partition, but as Garlin explained, I do not need to do anything with the recovery partition. Veeam documentation says it uses the recovery partition in building the rescue media.

I can use the update script to fix the USB boot media with no issue, but I can never use the boot media from Veeam directly; it fails to boot because it does not have the 2023 certificates. If I use the check script it reports the bootable media uses "Boot File [Production PCA 2011] is BANNED".

Does anyone have info/guidance on getting Veeam to use the 2023 certificates?
Secure Boot certificates are part of the UEFI, outside of any Windows, Linux or bootable USB image.

When a device wants to boot, the UEFI checks the boot file's signing cert for compliance. The trick is trying to figure out if your bootable USB has the right version (CA 2011 or CA 2023) of this file. Most backup vendors will either use WinPE or WinRE as their file source.

But in reality, the required boot files are already part of your Windows, presuming you allow the Monthly Updates.

I don't use Veeam myself, but when you say their boot media isn't compliant, what part do you mean? Is there a support page on their website you can point me to?
 

A quick read of Veeam's support page says they use the Windows ADK, which tends to lag behind in the latest boot file. April 2026's Monthly Update just replaced it again to close some security holes.

You should be able to use the update script's -BootMedia command line option to replace the USB drive's boot file.
 

Updated all my older computers, thanks for the scripts
 

I had the same thing when I checked with the new script. The revoked cert was already in the DBX, but the script message said it needed to be revoked. The only way to get rid of the message from the script was to run the reg command.

Not a problem, just FYI.
Interesting... I might have been using the new script since I had to unblock them all
 

A quick read of Veeam's support page says they use the Windows ADK, which tends to lag behind in the latest boot file. April 2026's Monthly Update just replaced it again to close some security holes.

You should be able to use the update script's -BootMedia command line option to replace the USB drive's boot file.
Yes, I can update the USB drive with your script, that works perfectly.
As for ADK, I did not install it and if Veeam is using it, maybe I can figure out a way to update it.
I will look into this tomorrow...
Thanks
 

I used to feel sorry for Macrium, AOMEI, and Veeam. But they need to hire a Windows security consultant.

Before the whole CA 2023 migration, Windows boot file security was rather weak. If someone reported a boot file vulnerability to MS, they would quietly fix the bug and issue a new boot file. The problem was there wasn't a strong effort to make sure everyone was running the latest file. Someone could be running an older version and not realize it.

How do you force everyone to use the latest boot file?

Every month, Windows Update might drop a new boot file. This month (April 2026), they closed two security holes related to boot manager. A newer version of the boot file was released in sync with a new SVN number. The SVN is a version number which controls which boot file is allowed to work, since every boot file knows its own SVN number.

After your UEFI gets updated to a higher SVN, older boot files cannot be used. This takes care of Windows system security.

That doesn't help your bootable USB drive. It has an older boot file, with the wrong SVN. The solution is very simple, just copy the same boot file that's on Windows under the System32\SecureBootUpdates folder.

Backup companies like Macrium, AOMEI, and Veeam are trapped like it's 2023. They keep asking users for the Windows ADK, which has an outdated copy of the boot file. The ADK is provided to IT admins so they can build custom Windows install images. But it doesn't change as quickly as the Monthly Updates. If you're using the ADK, it's already two (three?) versions out of date. The SVN has gone from 2.0 -> 5.0 -> 7.0 -> 8.0.

MS has patched the boot manager a few times to make sure the reported security holes are gone. So if you're in the new Secure Boot world, they should stop trying to require the ADK. The current boot file will be included with whatever version of Windows you're on.

Some vendors allow you to use the WinRE method, which is better. WinRE shares the same boot file as normal Windows. So that's much better than depending on the ADK. But we are still left with one annoying problem...

Your backup vendor doesn't bother checking with MS if a new boot file arrived. If that happens, you need to replace the boot file on that USB drive again. They should come up with a method which alerts users that "a new boot file was released", and have the backup tool refresh your recovery drive for you. But those companies are acting like it's 2023. :facepalm:
 

Some vendors allow you to use the WinRE method, which is better. WinRE shares the same boot file as normal Windows. So that's much better than depending on the ADK. But we are still left with one annoying problem...
Ya, I avoid ADK as much as possible, not for what you just explained, I didn't know...
It's just a pain always making sure it's up to date and having that +/- 1GB sitting on my systems just to create a rescue disk for the imaging tool maybe 2 or 3 times a year.

I use WinRE with Macrium.
And with what I just learned from your post, I'm glad I do!

Any suggestions for a free imaging tool that does use WinRE?
As mentioned in my earlier post today, I don't want to pay for those old computers, and imaging is so useful.
I use those older computers to test when a VM is not adequate, like testing hardware...
 

Ya, I avoid ADK as much as possible, not for what you just explained, I didn't know...
It's just a pain always making sure it's up to date and having that +/- 1GB sitting on my systems just to create a rescue disk for the imaging tool maybe 2 or 3 times a year.
The ADK is modular, and you can install specific features of it. But the real problem is ADK requires you to download the entire 1 GB of install CAB files, before you're allowed to choose what to install. The boot files reside in one of the smallest individual features of the ADK.

I use WinRE with Macrium
And with what I just learned from your post, I'm glad I do !

Any suggestions for a free imaging tool that does use WinRE?
You should probably ask the experts over in the "Backup and Restore" sub-forum.
I know Macrium has the option to use WinRE, other products might also.
 

UPDATE 2026-04-17:
Emergency fixes for unexpected changes in the April 2026 DBX update files. Please re-download the ZIP file from post #1.

1. MS removed 151 EFI signatures from DBXUpdate.bin, shrinking the file from 431 to 278 signatures.

In order to save valuable space in the UEFI's NVRAM, hashes for previously banned Windows boot files were removed. There is no downside to the removals, all of the missing files would have been banned by revoking the PCA 2011 cert. This removes the duplication of effort.

If you have already applied the DBX updates before April 2026, your UEFI will have 431 (or more) entries. There is no supported method to delete the extra 151 entries, and you should not worry about them. In order to clear the extra 151 entries, you would have to Delete All Keys and restart the whole update process from scratch, which is not worth your time.

If you have not applied the DBX updates, your final count will be 278 (or more) entries.

Check_DBXUpdate.bin.ps1 now detects the 151 removed entries, and informs you if you're using an older version of DBXUpdate.bin (before April 2026). This allows users to continue scanning older DBX update files, if they're curious.


2. MS changed the internal data format for DBXUpdate2024.bin, and it's no longer possible to check the stored SVN numbers. But it's not important.

DBXupdate contains both the PCA 2011 cert (for revocation) and a starting SVN of 2.0. When you follow the normal revocation process, DBXupdateSVN.bin will be applied afterwards. The second file bumps the SVN up to the latest number (8.0 as of April 2026).

Therefore we don't need to check SVNs in DBXUpdate2024.bin, because those SVNs will never change (2.0). Any new SVNs are always pushed using the DBXUpdateSVN.bin file.

Check_DBXUpdate.bin.ps1 will now skip over SecureBootUpdate's DBXUpdateSVN.bin, if it was issued on or after April 11, 2026.
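The signature counts above (431 vs. 278) come from walking the EFI_SIGNATURE_LIST chain inside the DBX payload. The following is an added Python example, not garlin's script and not from the thread, that parses that structure: it strips the EFI_VARIABLE_AUTHENTICATION_2 header that DBXUpdate.bin carries, counts SHA-256 hash and x509 entries, and reports which hashes an older DBX has that a newer update file dropped. The sample payloads are constructed inline (fake hashes, fake DER, a placeholder where the PKCS7 signature would be) so it runs offline; a real DBX from Get-SecureBootUEFI -Name dbx can be fed to parse_signature_lists as-is.

```python
import hashlib
import struct
import uuid

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7")
WIN_CERT_TYPE_EFI_GUID = 0x0EF1


def parse_signature_lists(buf):
    """Walk a chain of EFI_SIGNATURE_LIST structures (the raw variable contents)
    and return a list of (signature_type_guid, signature_data) tuples."""
    entries, off = [], 0
    while off < len(buf):
        if len(buf) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=bytes(buf[off:off + 16]))
        list_size, hdr_size, sig_size = struct.unpack_from("<III", buf, off + 16)
        if list_size < 28 + hdr_size or sig_size < 16 or off + list_size > len(buf):
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        body = 28 + hdr_size                       # fixed header + optional SignatureHeader
        count, rem = divmod(list_size - body, sig_size)
        if rem:
            raise ValueError("signature area is not a multiple of SignatureSize")
        for i in range(count):
            s = off + body + i * sig_size
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the data.
            entries.append((sig_type, bytes(buf[s + 16:s + sig_size])))
        off += list_size
    return entries


def strip_auth_header(payload):
    """DBXUpdate.bin is an EFI_VARIABLE_AUTHENTICATION_2 payload: EFI_TIME (16 bytes)
    then WIN_CERTIFICATE_UEFI_GUID. dwLength covers the whole WIN_CERTIFICATE, so
    the signature lists begin at offset 16 + dwLength."""
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", payload, 16)
    cert_guid = uuid.UUID(bytes_le=bytes(payload[24:40]))
    if cert_type != WIN_CERT_TYPE_EFI_GUID or cert_guid != EFI_CERT_TYPE_PKCS7_GUID:
        raise ValueError("not a PKCS7-authenticated variable payload")
    return payload[16 + dw_length:]


def summarize(entries):
    return {"sha256": sum(1 for t, _ in entries if t == EFI_CERT_SHA256_GUID),
            "x509": sum(1 for t, _ in entries if t == EFI_CERT_X509_GUID)}


def removed_hashes(old_entries, new_entries):
    """Hashes present in the old DBX but absent from the newer update file."""
    new = {d for t, d in new_entries if t == EFI_CERT_SHA256_GUID}
    return sorted(d for t, d in old_entries if t == EFI_CERT_SHA256_GUID and d not in new)


# --- constructed sample data (not a real DBX) -------------------------------
def build_list(sig_type, blobs):
    sig_size = 16 + len(blobs[0])
    owner = uuid.UUID(int=0).bytes_le
    header = sig_type.bytes_le + struct.pack("<III", 28 + sig_size * len(blobs), 0, sig_size)
    return header + b"".join(owner + b for b in blobs)


def wrap_auth(lists):
    cert_data = b"\x30\x00"  # placeholder where the real PKCS7 signature would sit
    win_cert = struct.pack("<IHH", 24 + len(cert_data), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    return bytes(16) + win_cert + EFI_CERT_TYPE_PKCS7_GUID.bytes_le + cert_data + lists


HASHES = [hashlib.sha256(b"fake-banned-bootmgr-%d" % i).digest() for i in range(5)]
FAKE_CERT = b"\x30\x82\x01\x00" + bytes(range(256))
OLD_DBX = build_list(EFI_CERT_SHA256_GUID, HASHES) + build_list(EFI_CERT_X509_GUID, [FAKE_CERT])
NEW_UPDATE = wrap_auth(build_list(EFI_CERT_SHA256_GUID, HASHES[:3])
                       + build_list(EFI_CERT_X509_GUID, [FAKE_CERT]))

if __name__ == "__main__":
    old = parse_signature_lists(OLD_DBX)
    new = parse_signature_lists(strip_auth_header(NEW_UPDATE))
    print("old:", summarize(old), "new:", summarize(new))
    print("hashes dropped from the update:", len(removed_hashes(old, new)))
```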
 

AvailableUpdates is 0x200 or missing the SVN.

The script should make a better distinction. But it's almost like you need to create a finite state machine to keep up with all the possible permutations. I'll add a "$UpdateFlags -band 0x200" check and throw out a SVN-only message.

Thanks.
Thanks a lot! Should've checked myself, sorry! But I think this might get you some additional questions?

Seems that MS didn't update the minimal SVN / revoke SVN 7 for the boot manager in the latest update.

How do you interpret the *Legacy.bin files in securebootupdates? DBXUpdateSVNLegacy contains the same SVNs but is signed with the 2011 cert?
 

Honestly, I can't read the file... If you perform a deep dive on everyone's breakdown of how the EFI_SIGNATURE_LIST data structures work, it doesn't follow the expected pattern. But how do I know we've reached SVN 8.0? Several people have reported it using my check script. It can't be simple coincidence it happened after Patch Tuesday.

Digging around the recent CVEs, there are two separate bugs closed on the Windows boot manager. According to the docs, the minimum version to get a fix is April 2026 across the supported Windows releases. Whenever the boot manager changes from a security fix, they have to bump SVN.

If someone didn't run my update script, obviously the Secure Boot task pushed out the SVN.

Based on a lazy 'strings' comparison between the legacy and non-legacy files, it looks like they've switched the auth cert.
Code:
% strings DBXUpdate2024.bin | grep pki | sed -e "s/%20/ /g"
Vhttp://www.microsoft.com/pkiops/crl/Microsoft Corporation KEK 2K CA 2023.crl0t
Xhttp://www.microsoft.com/pkiops/certs/Microsoft Corporation KEK 2K CA 2023.crt0
Thttp://www.microsoft.com/pkiops/crl/Microsoft RSA Devices Root CA 2021.crl0r
Vhttp://www.microsoft.com/pkiops/certs/Microsoft RSA Devices Root CA 2021.crt0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0

% strings DBXUpdate2024Legacy.bin | grep pki
Ehttp://www.microsoft.com/pkiops/crl/MicCorKEKCA2011_2011-06-24.crl%200`
Dhttp://www.microsoft.com/pkiops/certs/MicCorKEKCA2011_2011-06-24.crt0
Khttp://crl.microsoft.com/pki/crl/products/MicCorThiParMarRoo_2010-10-05.crl0`
Dhttp://www.microsoft.com/pki/certs/MicCorThiParMarRoo_2010-10-05.crt0
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
 

Hmm, it seems like neither Check-UEFI nor Check-DBX is working on Windows 11 Enterprise 26H1:

Powershell:
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) ON

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 5.0
Get-Partition: C:\Users\RYSZARD\Desktop\wdqqd\Check_UEFI-CA2023.ps1:1432
Line |
1432 |      $GUID = (Get-Partition -DiskNumber $SystemDisk | Where-Object { $ …
     |                                         ~~~~~~~~~~~
     | Cannot validate argument on parameter 'DiskNumber'. The argument is null. Provide a valid value for the
     | argument, and then try running the command again.
Get-Volume_DevicePath: C:\Users\RYSZARD\Desktop\wdqqd\Check_UEFI-CA2023.ps1:1434
Line |
1434 |      $EFI_Path = '{0}EFI' -f (Get-Volume_DevicePath $GUID)
     |                                                     ~~~~~
     | Cannot bind argument to parameter 'VolumeGUID' because it is an empty string.
Command cannot find any of the specified files.
PS C:\Windows\System32>
 

@garlin When I ran your check_uefi-CA2023.ps1 script on my already-updated desktop PC, I got the following warning in the REQUIRED ACTION section:

To revoke the [PCA2011] cert, run the commands. But as can be seen from the screenshot below of the .ps1 output, PCA 2011 was already in the UEFI DBX certs list.

DBX.webp

Anyway, I ran the commands and the warning disappeared. I don't know if this is of any importance. But I wanted to let you know anyway. I also updated the SkuSiPolicy.p7b and SVN got one step up from 7 to 8.
 

That doesn't help your bootable USB drive. It has an older boot file, with the wrong SVN. The solution is very simple, just copy the same boot file that's on Windows under the System32\SecureBootUpdates folder.
@garlin I revoked the PCA 2011 cert as you instructed.

2011CertRevoked.webp

So now I have to copy the updated boot file to my Macrium Free 8.0 Rescue boot drive as you instructed above, but I don't see anything that looks like a boot file in the Windows\System32\SecureBootUpdates folder after this last Patch Tuesday. Which file(s) am I looking for? Is it 1 or 2 files? Which folder do I put it/them in on the Macrium boot drive?

SecureBootUpdateFolder.webp
 

Hmm, it seems like neither Check-UEFI nor Check-DBX is working on Windows 11 Enterprise 26H1:
There's a leftover script line which uses Get-WMIObject to find SystemDrive (instead of Get-CimInstance). This seems to break on Server and newer Enterprise releases (deprecated?).

Please download the fixed ZIP file in post #1 (not the GitHub link).
 

@garlin When I ran your check_uefi-CA2023.ps1 script on my already-updated desktop PC, I got the following warning in the REQUIRED ACTION section:

To revoke the [PCA2011] cert, run the commands. But as can be seen from the screenshot below of the .ps1 output, PCA 2011 was already in the UEFI DBX certs list.
The script has to account for many different possibilities. AvailableUpdates is correct (0x200 is for SVN), but the text summary uses only one sentence to describe all the different combinations ("you want to revoke PCA 2011").

Please download the fixed ZIP file in post #1 (not the GitHub link). I changed the script's output to recognize you only need to update SVN. The provided commands are still correct from before.
 
