Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

garlin · Apr 18, 2026

SaliesBuzz said:
BIOS Firmware
-------------
LENOVO 81N6
Version: AGCN24WW(V1.07)
Date: 2019-09-16

SaliesBuzz said:
UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 483

Some the Lenovo's can get a signed KEK CA 2023, even if there's no recent BIOS update. Lenovo has been submitting them to MS.
This PC has all of the CA 2023 certs, but revocation hasn't been applied.

If your brother does nothing, Windows will handle revocation later this year.

Caledon Ken · Apr 18, 2026

Would @garlin script, Update_Uefi-CA2023.ps1, achieve the same objective?

garlin · Apr 18, 2026

Caledon Ken said:
If I run those commands and something goes south can I just disable secure boot and at least boot?

The fallback is you can ALWAYS disable Secure Boot mode, and have Windows working again. You will have less security against rootkit attacks, but it will allow you to run check scripts, and figure out what to do next.

garlin · Apr 18, 2026

Caledon Ken said:
Would @garlin script, Update_Uefi-CA2023.ps1, achieve the same objective?

The update script does a best effort to update your PC.

1. If you have a supported KEK (the OEM submitted a signed copy to MS), it will download the KEK from GitHub and apply it.

2. Failing that, it will try copying the KEK certificate to your EFI partition. If your BIOS has a custom mode, and has "KEK key management", you can try importing the file (from the EFI's filesystem) and apply it.

3. Worse case, you can delete all existing certs and enter Setup Mode. The update script will recognize you're in Setup Mode and replace all the certs with a new set provided by Microsoft for this purpose. You start from option 1 and keep going if the first two options don't work for your PC. Some PC's are easier to update, depending on the age of their BIOS. Newer BIOS'es make this process easier than old ones.

Caledon Ken · Apr 18, 2026

Thank you Garlin.

So is your script or the individual powershell commands the better route to go.

In your #3 when you say enter Setup Mode, I assume you mean enter the BIOS. My machine is already reporting Option 1, Patch Tuesday didn't update anything hence I'm here.

My BIOS (UEFI) is date Sept 2021

Josey Wales · Apr 18, 2026

Caledon Ken said:
Thank you Garlin.

So is your script or the individual powershell commands the better route to go.

In your #3 when you say enter Setup Mode, I assume you mean enter the BIOS. My machine is already reporting Option 1, Patch Tuesday didn't update anything hence I'm here.

My BIOS (UEFI) is date Sept 2021

My Wife's ASUS Laptop just got a BIOS Update maybe on Tuesday.

garlin · Apr 18, 2026

Josey Wales said:
My Wife's ASUS Laptop just got a BIOS Update maybe on Tuesday.

Some of the Taiwanese OEM's are pumping out last minute BIOS updates. It's crunch time before this summer's deadline.

garlin · Apr 18, 2026

Caledon Ken said:
My BIOS (UEFI) is date Sept 2021

Your BIOS is probably too old for factory certs. But you should check the UEFI menus, and see if there's manual key enrollment (option 2). It's the less disruptive than option 3 (Setup Mode). Every BIOS will have slightly different screens.

nikki605 · Apr 18, 2026

nikki605 said:
I need classes in Powershell. I don't have much hair left to pull out. I copied your scripts to a shorter folder C:\UEFI but it still didn't work.

View attachment 169220

@garlin a little help please. I need to get the Macrium boot drive working again.

t2s50 · Apr 18, 2026

garlin said:
It might be waiting for the next reboot? Here's my conjecture on the path moving forward:
- Windows Update rolls a new boot manager and SVN file- The update adds 0x300 to AvailableUpdates- Secure Boot task does the needful, and eventually (maybe after a reboot or two), we get there
Secure Boot task is super paranoid (that's a good thing). It probably wants to replace the boot manager, reboot and confirm it used the newer file. Then apply the SVN. And reboot again to know everything was done.

I don't think so, see registry after last reboot for april updates, 'Available updates' is on 0x4000, but there were some remarks
[UploadedForCurrentBootCycle]
[RestartRequiredForKeyRolling]
[RestartRequiredForVSMBFSVCAI]
[SBInstalledInCurrentBootCycle]
"SBUpdateType"=dword:00000002
But even after two reboots nothing changed but the remarks / empty keys disappeared after the first reboot already without changing anything. The dbx update error came with the march '26 updates.

Applied dbx update and SVN revocation manually after reboot, but that didn't change the registry.

Windows 10 22H2 (19045.7184)

Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) ON

BIOS Firmware
-------------
Gigabyte Technology Co. B760M DS3H DDR4
Version: F23
Date: 2025-12-02

Factory Default UEFI PK Cert
----------------------------
GIGABYTE

UEFI PK Cert
------------
GIGABYTE

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
GIGABYTE

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
GIGABYTE

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Windows UEFI CA 2023
GIGABYTE
GIGABYTE

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
GIGABYTE
GIGABYTE

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 430

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 8.0
EFI_CERT_SHA256_GUID Signatures: 436

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.322, SVN 8.0

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume4\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.14

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: UPDATES ARE FINISHED. UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

Caledon Ken · Apr 18, 2026

garlin said:
Your BIOS is probably too old for factory certs. But you should check the UEFI menus, and see if there's manual key enrollment (option 2). It's the less disruptive than option 3 (Setup Mode). Every BIOS will have slightly different screens.

Thanks for the info.

So even though your script reports, Option 1, Do Nothing Windows will apply the uefi updates it actual won't.

So in my BIOS I have a section for PK, KEK, DB and DBX Management. If I click on any I get an option to "Set New Key"

I do not have a simple option to disable Secure Boot. It appears I have to clear all keys which then disables it. I'm not sure "Set New Key" is the same as Manual add key. The kill of all this, an old Asus laptop with a 2014 BISO, Windows 10, was updated.

There is also an Append Key option which sounds like I can add something.

I

garlin · Apr 18, 2026

Run the update script. It should copy the KEK CA 2023 cert as both a .der and .crt file to the EFI partition.

Select Append Key / Load from file...
Browse the disks, see if there's a folder view with \EFI folder. Search under that folder for "Certs" folder.
Find the the KEK CA 2023 file, and import it.

If that works fine, restart Windows. Run the update script one more time, it should now add the CA 2023 certs.

Caledon Ken · Apr 18, 2026

Looks promising.

When you say select Append Key I assume I do that under the KEK heading as that is the cert we are importing. Or should I be in a different heading.

When you say browse the disks, see if there is a folder with \efi would this be on C: or could it be on any disk / partition. My understanding is I can't search the efi partition as it has no drive letter.

suatcini54 · Apr 18, 2026

Caledon Ken said:
I believe suatcini54 is offline at the moment.

Would anyone else know if I run these commands and things go south will I be able to boot with secure boot off. Can't afford to lose this machine. Thank you.

Sorry. I turned off my PC. It is late into the night here. I am typing off my iPad. The script I advised you to run is harmless. If you get a true value after running the script, it means your m/b is capable of accepting the CA2023 certificates. You may continue to install other updated certificates as I did in my PC about a year ago. If you do not continue, you may continue using your PC as before. If you get a false value, it means your PC does not readily accept the new certificates. You have to try other ways.

Hope this clarifies.

garlin · Apr 18, 2026

Caledon Ken said:
Looks promising.

When you say select Append Key I assume I do that under the KEK heading as that is the cert we are importing. Or should I be in a different heading.

When you say browse the disks, see if there is a folder with \efi would this be on C: or could it be on any disk / partition. My understanding is I can't search the efi partition as it has no drive letter.

1. First run the update script, it will create a new \EFI\Certs folder on the EFI partition.

2. Shutdown Windows.

3. In the BIOS menu, open KEK Management / Append Key

4. There are no drive letters. You will be presented with a random list of disk devices. Search each of them one at time until you see an \EFI folder. If you don't have one, it's the wrong drive. Keep going until you see it. Then drill down until you reach \EFI -> \Certs folder. Load any of the files you see in there as the Key.

Phil_C · Apr 18, 2026

For those folks having trouble with Macrium boot media, I have managed to get things working on my two systems.

Update_UEFI-CA2023.ps1 -BootMedia did not work, although it gave a "success" message.

I had to use a short script from elsewhere to copy the boot file. BUT, while Check-UEFI gave a successful result, the USB would NOT boot to Macrium.

The solution on both machines was to rebuild the WinRE boot media in Macrium. This reverted to the older boot file. Running the short script again copied the boot file. Now both machines boot properly into Macrium from the respective USB drives.

I don't know why @garlin's Update script does not work with the recent updates. This is the .bat file that worked. Change the .txt to .bat.

Caledon Ken · Apr 18, 2026

Thanks guys, Garlin while I was waiting for response I popped into my BIOS to see how append would present data.

If just gives a mass of data, something you likely can read but I can't. Pic attached. Are these the lines I should be clicking on to search for efi folder?

Sorry. I thank you for your patience.

garlin · Apr 18, 2026

Phil_C said:
I don't know why @garlin's Update script does not work with the recent updates. This is the .bat file that worked. Change the .txt to .bat.

Thanks for the report.

That's the same process used by my script, I'll have to check if it's not detecting the difference between a boot file and boot folder.

Code:

if (Test-Path $EFI_BootMgr) {
    $EFI_BootMgr_Hash = (Get-FileHash -LiteralPath $EFI_BootMgr).Hash

    if ($EFI_BootMgr_Hash -ne $BootMgrEX_File_Hash) {
        $BCD = "${DriveLetter}:\EFI\Microsoft\Boot\BCD"
        $Backup_BCD = "$env:TEMP\BCD.BAK"

        try {
            Copy-Item $BCD $Backup_BCD -Force
            Start-Process 'bcdboot' -ArgumentList "$env:SystemRoot /s $EFI_DriveLetter /f UEFI /bootex" -NoNewWindow -Wait
            Copy-Item $Backup_BCD $BCD -Force
            Remove-Item $Backup_BCD -Force
        }
        catch {
            $_.Exception.Message
            exit 1
        }
    }
}

garlin · Apr 18, 2026

Caledon Ken said:
Thanks guys, Garlin while I was waiting for response I popped into my BIOS to see how append would present data.

If just gives a mass of data, something you likely can read but I can't. Pic attached. Are these the lines I should be clicking on to search for efi folder?

Sorry. I thank you for your patience.

Pick the ones that say "HD(Part 1)" or partition 1. It should list any folders or files present. If you don't see any files, then it was the wrong disk. And try a different one until you find it.

Remember there will be no files unless you ran the update script ONCE, and it said it copied files for you.

Caledon Ken · Apr 18, 2026

Got it. and thanks for the quick response. I went out and booted to BIOS and saw exactly what you are talking about.

My EFI partition on my boot disk is in Partition 2. ( I checked out Disk Management)

Very clear I need to run script once.

I'm getting some funny looks from better half. Computer time is over apparently.

Again thank you and I will be back

Real support is hard to find, you have been very helpful

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Endeavor to Persevere

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Member

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

Attachments

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer