Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

garlin · Apr 22, 2026

Great. I'll call up the Treasury Secretary and ask for all new bills be printed with "IN NELDOG WE TRUST".

neldog · Apr 22, 2026

Okay, I was just teasing.

TheVisitor · Apr 22, 2026

Okay, I admit I'm having trouble keeping up with all the new scripts. I last downloaded new scrips on 4/18 here is the output for the DBXbin:

PS C:\WINDOWS\system32> powershell -nop -ep bypass -f C:\temp3\secureboot-ca-2023-updates\check_dbxupdate.bin.ps1
SUCCESS: Matched 278/278 EFI signatures from "dbxupdate.bin"
Skipping C:\WINDOWS\System32\SecureBootUpdates\DBXUpdate2024.bin [April 2026 or later version]
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdateSVN.bin"

Is this good or do I need look again for newer script.

DarkShadowMD · Apr 22, 2026

garlin said:
UPDATE 2026-04-22:

MS replied and admitted they changed DBXUpdate2024.bin to a different file format. The Secure Boot scheduled task knows how to deal with it, but anyone who's writing scripts based on the "normal" format will have problems because they added extra bytes of unexpected data.

The next version of DBXUpdate2024.bin (in May) will return to the usual file format.

There's the explanation of why the scripts stopped working after April's Patch Tuesday. Workarounds have been put into the scripts, so remember to download the latest ZIP file so you don't get any errors.

So, means it's safe to wait for May and run your script to update the SVN I assume.
Microsoft... even things like this are prone to be borked by them lol.

garlin · Apr 22, 2026

TheVisitor said:
Is this good or do I need look again for newer script.

A newer new script.
Sorry I've had to rewrite it several times in response to the last week's update. It wasn't obvious why MS made unplanned changes.

The latest DBX script no longer skips over "bad" files. It can read all of them for what needs to be done.

garlin · Apr 22, 2026

DarkShadowMD said:
So, means it's safe to wait for May and run your script to update the SVN I assume.
Microsoft... even things like this are prone to be borked by them lol.

If you have the latest ZIP file (from today), then you can use the update script to copy the new boot manager and reach SVN 8.0.

Code:

Update_UEFI-CA2023.ps1 -Revoke

To update the boot files on your USB drives:

Code:

Update_UEFI-CA2023.ps1 -BootMedia

TheVisitor · Apr 22, 2026

garlin said:
A newer new script.
Sorry I've had to rewrite it several times in response to the last week's update. It wasn't obvious why MS made unplanned changes.

The latest DBX script no longer skips over "bad" files. It can read all of them for what needs to be done.

Ok, I'm not finding the updated script from today. Guess I can wait till May. So confused.

gunrunnerjohn · Apr 22, 2026

garlin said:
If you have the latest ZIP file (from today), then you can use the update script to copy the new boot manager and reach SVN 8.0.

Code:

Update_UEFI-CA2023.ps1 -Revoke

Is the newest script on Github? Looks like the one there is from two weeks ago.

Klaver7 · Apr 22, 2026

Post #1,385 } IF YOU WANT TO PERFORM THE REVOCATION, BUT HAVE NOT STARTED, PLEASE DOWNLOAD THE LATEST ZIP FILE FROM POST #1.
Not the Github one !

garlin · Apr 22, 2026

Not the GitHub one. This is an emergency fix. GitHub won't get a new release until the dust settles.

Dirtyflash · Apr 22, 2026

JohnSmith13 said:
No disrespect, but like I said:
It most certainly is the latest version of the scripts, from the zip file, downloaded (again and again) moments ago.
Or, to be exact, it is the whatever version of the scripts in the zip file from the first post.

Once again, in the attachments you can see the contents and the hashes of the file downloaded from the first post.

I know you don't have time to waste. Well, neither do I.

I certainly do not have access to your file server or your personal test/dev rig, do I?
Have you checked the file that is been downloaded from the first post?
Have you tried downloading it yourself?

It's always easy to blame someone for incompetence, it is hard to admit we are wrong.

IDK, I downloaded the purported new scripts in post #1 and ran the Check_DBXUpdate.bin.ps1 and got this:

Klaver7 · Apr 22, 2026

Old script:

New script:

JamesSmith · Apr 22, 2026

This is a new entry for Check_UEFI-CA2023.ps1 -Verbose

UEFI Variable
-------------
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

:)

Dirtyflash · Apr 22, 2026

JamesSmith said:
This is a new entry for Check_UEFI-CA2023.ps1 -Verbose

UEFI Variable
-------------
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

:)

I only get that as part of the -Audit output.

anchamp65 · Apr 22, 2026

JohnSmith13 said:
No disrespect, but like I said:
It most certainly is the latest version of the scripts, from the zip file, downloaded (again and again) moments ago.
Or, to be exact, it is the whatever version of the scripts in the zip file from the first post.

Once again, in the attachments you can see the contents and the hashes of the file downloaded from the first post.

I know you don't have time to waste. Well, neither do I.

I certainly do not have access to your file server or your personal test/dev rig, do I?
Have you checked the file that is been downloaded from the first post?
Have you tried downloading it yourself?

It's always easy to blame someone for incompetence, it is hard to admit we are wrong.

Guys, come on, Garlin is working hard to help all of us.
Lets play nice and cut him some slack...

@garlin
I just downloaded the latest zip from post #1,

Check_DBXUpdate.bin.ps1 shows "VERSION 2026.04.18"
Check_UEFI-CA2023.ps1 shows "VERSION 2026.04.18"
Update_UEFI-CA2023.ps1 shows "VERSION 2026.04.21"

Is that your latest versions ?

Suggestion, maybe add the publish date to the zip file name on post #1
People can see if they have the latest and greatest more easily

And thanks for taking time to answer each and everyone

garlin · Apr 22, 2026

Dirtyflash said:
I only get that as part of the -Audit output.

Not everyone has the SBAT variable. Windows uses the SVN to prevent older boot files from running. Microsoft (like Apple) benefits from being the only company in charge of their OS.

There are several Linux distros (prolly too many at this point), and sometimes they agree to share software bits and other times disagree. I think part of the Linux appeal is everyone enjoys fighting someone outside of their tribe.

Instead of a single number, SBAT is a config file which can contain any number of lines which instruct the different Linux boot managers on what versions are allowed. A line may change for one vendor and their friends, and it might not for someone else.

MS really doesn't care; but they see it as professional courtesy to push out a baseline SBAT for Linux users. Of course, your Linux can manage SBAT too. If your Linux fails to boot, it's not because of the SVN... the SBAT is blocking them.

I'm adding SBAT (only from -Verbose mode), just so you know it;s there. You don't need to understand what the individual lines mean unless you're a Linux user. Ventoy and Rufus use Linux-based boot loaders, so they fall under the SBAT's control. While their devs are careful, it's entirely possible that a bad SBAT fiile breaks Linux. It happened before, by accident Windows broke a bunch of Linux systems with SBAT.

You can opt out of SBAT by setting a reg key.

Code:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD

My update script will never force SBAT, you have to specifically ask for it using the -SBAT option. It's because I have no way of predicting whether you will be using Linux or a tool like Rufus or Ventoy.

KevTech · Apr 22, 2026

anchamp65 said:
Suggestion, maybe add the publish date to the zip file name on post #1

I just look at the date modified of the files.

garlin · Apr 22, 2026

Normally we don't go through so many script versions in a short time, but I'll add a VERSION.TXT in the next ZIP file.

I can't name the file "README.TXT" because GitHub uses that reserved file name to describe your project page.

Dirtyflash · Apr 22, 2026

@garlin thank you again for the extraordinary project. I been following this thread from inception. I can't believe how much time and effort you've put into helping others. As I said to you before; ' you're a saint ' and it's appreciated, as can be seen by the many acknowledgements.

666pierog · Apr 23, 2026

Okay, i got new bios version for all certificates (before the update the certificate was missing Option ROM UEFI CA 2023)
What about that Failures? what does that mean?

"This device has updated Secure Boot CA/keys. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:ASRock;FirmwareManufacturer:American Megatrends International, LLC.;FirmwareVersion:14.01;OEMModelNumber:B760 Pro RS;OEMModelBaseBoard:B760 Pro RS;OEMModelSystemFamily:To Be Filled By O.E.M.;OEMManufacturerName:ASRock;OEMModelSKU:To Be Filled By O.E.M.;OSArchitecture:amd64;
BucketId: a84d412c9164001d30a05e6c7bdccc21ecb4f809b11ae561f3da754e4fd282ea
BucketConfidenceLevel: No Data Observed - Action Required
UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023)
For more information, please see Windows Secure Boot certificate expiration and CA updates - Microsoft Support."

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Peaceful Citizen

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Member

Attachments

My Computer