Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Their response was:

BIOS date ≠ computer manufacturing date. Many OEM machines don't necessarily have updated BIOS versions after leaving the factory; they often use a stable version.
The core issue isn't the BIOS release date or which stable version. Their BIOS is missing the CA 2023 certs as factory defaults.

Most Chinese Mini PC vendors manufacture someone else's reference design. If they don't have the resources to manage their own BIOS, they should consult the upstream source for the BIOS provider.

This script has two characteristics:

It's a community script, not an official Microsoft tool.
It's not a community script. I wrote the entire set of scripts (minus the certificate decoding function borrowed from a well known Windows security researcher).

It uses "rule-based judgment," not "security certification."
For example: Seeing AMI test PK
Marking it "untrustworthy."
But in reality:
Many OEM BIOS internal test keys may already exist
Or the fields are not fully standardized.
The script "judges by string," not certified by a security organization.
That's hilarious. AMI Test PK is a well known concern in the PC security community for several years now.

CERT even released a GitHub fix of their own (2024) which replaces the test key. A question for them is why are you even using the AMI Test Key? It violates AMI's instructions that vendors are supposed to create their own PKs.

GitHub - CERTCC/PKfail: Mitigations & detection tools for VU#455367

Does it provide "chain of evidence verification"?
No (it only reads fields + rule-based judgment)
Is it possible for false alarms? ✔ Very high (especially the BIOS/UEFI section)

I get the distinct impression they are giving me "the finger"!
It is rule-based, but I imagine the Secure Boot task, when it runs, follows the same general set of rules. It's not rocket science if you read the Secure Boot specs and what MS has provided piecemeal in their official guidance.

The short answer is (after fixing any user reported bugs), no one's found a significant disagreement between what the Secure Boot task returns (in reg key settings) and my script's report. I didn't randomly make up the checks, they're based on the logical requirements for how the process works. It's like solving a proof in math class.

Their response is essentially based on the fact that the only BIOS they can get their hands on is a copy of the AMI Test PK. Because the reference copy from AMI never had any CA 2023 certs added. And they're not going to admit the AMI Test PK is suspected of being compromised from a previous supply chain hack at an unnamed OEM, and shouldn't be trusted in 2026.

PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem

You don't have to use my script. Windows will report the same facts, but not in a well organized manner. But that doesn't change the fact no offbrand Chinese vendor should be using AMI Test PK.
 

The core issue isn't the BIOS release date or which stable version. Their BIOS is missing the CA 2023 certs as factory defaults.

Most Chinese Mini PC vendors manufacture someone else's reference design. If they don't have the resources to manage their own BIOS, they should consult the upstream source for the BIOS provider.

.........
Am I the only one that feels like we're getting a free course on Secure Boot... :unsure:
It just shows that even after 40 years in the computer industry, you definitely can't know everything!

Thanks @garlin
 

That's hilarious. AMI Test PK is a well known concern in the PC security community for several years now.
True story. Even a relative noob like myself is aware of this. :p
 

I know more than I ever wanted to know about Secure Boot, and I'm pretty sure I haven't scratched the surface as far as people that actually know all the ins and outs of the process!

I know for sure that I shouldn't have to know that much about it to keep my computer running with reasonable security! I'm certainly thankful for people like @garlin that have really explored all the twists and turns of the process and shared the fruits of his labors with us unwashed masses. :clap:
 

I know more than I ever wanted to know about Secure Boot, and I'm pretty sure I haven't scratched the surface as far as people that actually know all the ins and outs of the process!

I know for sure that I shouldn't have to know that much about it to keep my computer running with reasonable security! I'm certainly thankful for people like @garlin that have really explored all the twists and turns of the process and shared the fruits of his labors with us unwashed masses. :clap:

I can say the same. However, I can't help but wonder about the other 99.99% of users around the world that don't visit or participate in Windows forums. What will they do if they experience problems related to Secure Boot? Let me guess, they'll go out and buy a new computer. There, fixed.
 

I can say the same. However, I can't help but wonder about the other 99.99% of users around the world that don't visit or participate in Windows forums. What will they do if they experience problems related to Secure Boot? Let me guess, they'll go out and buy a new computer. There, fixed.
I can cite Reddit as an example: there has been a fair influx of people asking why their machines suddenly have Secure Boot violations, or other issues related to this.

You would assume that Microsoft, taking charge of the process, would avoid that kind of problem, but reality tells otherwise.

I really hope their way of handling things for the rest of the people really solves this, because we are gonna see an armageddon of unbootable devices (unless they disable Secure Boot) because they couldn't handle this properly.

I'm glad I saw this thread and @garlin is the guy that helps us all, with that huge patience of his, otherwise, I would be borderline becoming insane lol.
 

You would assume that Microsoft, taking charge of the process, would avoid that kind of problem, but reality tells otherwise.

I really hope their way of handling things for the rest of the people really solves this, because we are gonna see an armageddon of unbootable devices (unless they disable Secure Boot) because they couldn't handle this properly.
MS is in charge of carrying out the update process. But the ultimate burden falls on the OEMs to provide an updated BIOS release, or provide a signed KEK file to MS for a live update. MS has to play a delicate game. They can't call out the OEMs for being flakes; that's bad for business.

So MS and the OEMs do this ridiculous dance where they pretend they don't know the update process will fail because you don't have a supported BIOS. It's kind of utterly stupid.

But the reality is MS will never stop Windows from working because you can't enable Secure Boot. There are a lot of legitimate reasons for enterprise (paid) customers needing to run some legacy HW device with an "insecure" driver, and therefore they can't run Secure Boot.

The problem will come from your FPS game which is plagued by online cheaters. To battle the cheats, the game publishers want to enable Secure Boot and Virtualization Based Security (which requires SB) as the first line of defense to block cheat code. MS isn't going to force you to run Secure Boot; they will undoubtedly keep nagging you every chance they get... but your games are what push users to embrace Secure Boot.

No Secure Boot = no games protected by anti-cheats.

A game doesn't need Secure Boot to run. A game plagued by cheaters wants Secure Boot for help. It's harder for cheaters to get signed code that passes Code Integrity rules.
 

Factory Default UEFI PK Cert
----------------------------
DO NOT TRUST - AMI Test PK
The whole idea of Secure Boot is just that: booting up securely, and without signed certificates starting from the PK, the system is vulnerable.

You could update the Platform Key (PK) yourself to the Microsoft PK, more info here.

I had the same 'DO NOT TRUST - AMI Test PK' key on my GEEKOM mini PC, and used the above to update my PC.

EDIT: this was before I stumbled on Garlin's PowerShell scripts that also update the PK!
😉
 
The AMI Test PK is a valid signed PK, except it's widely believed that its private signing key was leaked (since it's part of the reference materials for all OEMs who license the same BIOS) and therefore malicious actors can create their own validated KEK certs to apply on the affected PCs.

If you delete all certs and go into Setup Mode, the update script will install the complete set of MS certs. Including the Microsoft PK, or more properly the "Windows OEM Devices" PK.

The CERT script will take care of the PK, but doesn't address the KEK CA 2023 which needs to be updated. Strangely enough, MS has provided a signed KEK CA 2023 for AMI Test PK machines. Even though everyone knows it's not secure. :facepalm:

Code:
    "9a3056b5260f628645b4d9ac61aebd8060305c3e": {
        "KEKUpdate": "AMI/KEKUpdate_AMI_PK1.bin",
        "Certificate": {
            "serial_number": "ea01f2fb64c48b8f4390e52d69123b85",
            "issued_to": "CN=DO NOT TRUST - AMI Test PK",
            "issued_by": "CN=DO NOT TRUST - AMI Test PK"
        }
    },
    "a773113bafaf5129aa83fd0912e95da4fa555f91": {
        "KEKUpdate": "AMI/KEKUpdate_AMI_PK2.bin",
        "Certificate": {
            "serial_number": "e4126c1da6b1d49f4194e0fe365059c9",
            "issued_to": "CN=DO NOT TRUST - AMI Test PK",
            "issued_by": "CN=DO NOT TRUST - AMI Test PK"
        }
    },
    "6592a50636faf8be9ae74f0f7f8bd744fa44b329": {
        "KEKUpdate": "ASUS/KEKUpdate_ASUS_PK1.bin",
        "Certificate": {
            "serial_number": "55fbef878123008447170bb3cd873af4",
            "issued_to": "CN=DO NOT TRUST - AMI Test PK",
            "issued_by": "CN=DO NOT TRUST - AMI Test PK"
        }
    },
    "2b6ccde909230f89447d8a583d03a432d686faee": {
        "KEKUpdate": "AMI/KEKUpdate_AMI_PK4.bin",
        "Certificate": {
            "serial_number": "f73d2e3c9364aeb04c8395fdf7ed32a7",
            "issued_to": "CN=DO NOT TRUST - AMI Test PK",
            "issued_by": "CN=DO NOT TRUST - AMI Test PK"
        }
    },
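To make concrete what "rule-based" means in the exchange at the top of the thread, and where the PK thumbprints used as keys in the mapping above come from, here is an added PowerShell example (not garlin's script and not Microsoft's tooling): it walks the raw EFI_SIGNATURE_LIST structures in the PK, KEK and db variables, decodes the X.509 entries, and reports whether the PK is the AMI Test PK and whether the CA 2023 KEK and DB certs are present. The function names are made up for this example; the certificate subject strings are the ones shown in the Check_UEFI-CA2023.ps1 output quoted later in the thread.

```powershell
#Requires -RunAsAdministrator
# Added example, not garlin's script: decode the Secure Boot PK/KEK/db variables
# and apply the thread's rule-based checks. Run in an elevated PowerShell on a
# UEFI machine (Get-SecureBootUEFI comes from the built-in SecureBoot module).

# EFI_CERT_X509_GUID from the UEFI spec: signature lists of this type hold DER certs.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureCertificates {
    # Walk the chain of EFI_SIGNATURE_LIST structures in a variable's raw bytes and
    # return every X.509 certificate found; hash-only lists (as in dbx) are skipped.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $certs  = @()
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header layout: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SignatureSize(4)
        $sigType    = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }   # truncated or malformed

        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            # Each EFI_SIGNATURE_DATA entry is SignatureOwner GUID(16) followed by the DER blob.
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                $der    = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos   += $sigSize
            }
        }
        $offset += $listSize
    }
    return $certs
}

function Get-SecureBootCertReport {
    # Reads PK, KEK and db and applies the same string-based rules discussed in the thread.
    $vars = [ordered]@{}
    foreach ($name in 'PK', 'KEK', 'db') {
        $raw = Get-SecureBootUEFI -Name $name -ErrorAction Stop
        $vars[$name] = Get-EfiSignatureCertificates -Bytes $raw.Bytes
    }
    $pk  = $vars['PK']  | ForEach-Object Subject
    $kek = $vars['KEK'] | ForEach-Object Subject
    $db  = $vars['db']  | ForEach-Object Subject

    [pscustomobject]@{
        # .Thumbprint is the SHA-1 of the DER cert, i.e. the same key format as the KEK update mapping above.
        PK                 = ($vars['PK'] | ForEach-Object { '{0} [{1}]' -f $_.Subject, $_.Thumbprint.ToLower() }) -join '; '
        AmiTestPK          = [bool]($pk  -match 'DO NOT TRUST - AMI Test PK')
        KEK_CA2023_present = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        WinUEFI_CA2023_db  = [bool]($db  -match 'Windows UEFI CA 2023')
        PCA2011_still_db   = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
    }
}

Get-SecureBootCertReport | Format-List
```

A machine in the state garlin describes shows AmiTestPK = True, and its lower-cased PK thumbprint is what you would look up in the mapping above to see whether MS ships a signed KEK update for it.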
 

MS is in charge of carrying out the update process. But the ultimate burden falls on the OEMs to provide an updated BIOS release, or provide a signed KEK file to MS for a live update. MS has to play a delicate game. They can't call out the OEMs for being flakes; that's bad for business.

So MS and the OEMs do this ridiculous dance where they pretend they don't know the update process will fail because you don't have a supported BIOS. It's kind of utterly stupid.

But the reality is MS will never stop Windows from working because you can't enable Secure Boot. There are a lot of legitimate reasons for enterprise (paid) customers needing to run some legacy HW device with an "insecure" driver, and therefore they can't run Secure Boot.

The problem will come from your FPS game which is plagued by online cheaters. To battle the cheats, the game publishers want to enable Secure Boot and Virtualization Based Security (which requires SB) as the first line of defense to block cheat code. MS isn't going to force you to run Secure Boot; they will undoubtedly keep nagging you every chance they get... but your games are what push users to embrace Secure Boot.

No Secure Boot = no games protected by anti-cheats.

A game doesn't need Secure Boot to run. A game plagued by cheaters wants Secure Boot for help. It's harder for cheaters to get signed code that passes Code Integrity rules.
It's funny because you basically install malware (Denuvo or anything that requests kernel access) to combat malware or cheaters.

I want to see gamers' faces when their systems start showing a Secure Boot violation because Microsoft forgot to tell people they need a BIOS update to keep Secure Boot working as usual.

Personally, I turn off VBS because I need nested virtualization in my VMs; sometimes you need to play with stuff in Linux that requires virtualization inside the VM as well... (Winapps, I'm looking at you ¬¬). I had it enabled before, no difference in performance (like some gamers claim), but playing with virtual machines really asks you for something in return lol. I still like Secure Boot enabled... one never knows when it will come in handy...

I really hope this dance stops and they get serious, because I wouldn't like to be in their shoes when all those PCs stop booting... and nobody likes an angry gamer not able to play their shooter mess :V

Oh, almost forgot to tell... seems you need to update your boot media EVEN if you use the latest Reflect X version (8843 or 8846 IIRC), because the WinPE built for the USB using this version partially updates the boot manager, but in a way where the script still says you have SVN 8.0, but CA 2023 doesn't appear (it says 2011 is just not allowed). To get fully compliant, you need to run the update script for boot media, or do the usual partition mount, boot file copy to the USB, unmount and call it a day... I know because I'm trying the 30 day trial and had to do this.
 

Next noobish question from yours truly :unsure:
There are three scripts in the release:
  1. Check_UEFI-CA2023.ps1
    Checks the current state of your UEFI certs, and the boot files for Windows and any bootable DVD or USB media. The script can provide an Audit Report, listing what steps need to be completed to be in compliance with the CA 2023 update, and what commands to run.

  2. Update_UEFI-CA2023.ps1
    Updates the UEFI certs and boot files for Windows and any bootable USB media. You have the option to only install the UEFI CA 2023 certs, and not revoke the PCA 2011 cert; or to complete the entire process in one pass.

  3. Check_DBXUpdate.bin.ps1
    Compares any submitted DBXUpdate.bin file against the current UEFI DBX variable, and informs you if there are any EFI or SVN signatures that need to be installed.
I have several bootable ISOs on a Ventoy stick (Windows installers, PEs, Macrium Recovery, Mini-Tool Part Mgr, etc.). What would be the correct procedure to update all that apply? Do I need to mount each ISO, run the script with the -BootMedia flag, recreate the ISOs & replace each one in Ventoy? Or will the script auto-magically update all if I simply mount the Ventoy stick? Forgive me if this has been asked & answered.

TIA & cheers!
 


Next noobish question from yours truly :unsure:

I have several bootable ISOs on a Ventoy stick (Windows installers, PEs, Macrium Recovery, Mini-Tool Part Mgr, etc.). What would be the correct procedure to update all that apply? Do I need to mount each ISO, run the script with the -BootMedia flag, recreate the ISOs & replace each one in Ventoy? Or will the script auto-magically update all if I simply mount the Ventoy stick? Forgive me if this has been asked & answered.

TIA & cheers!
It fixes the boot manager of the USB drive, it can't fix the boot manager inside the ISO files contained on the USB drive.
Garlin's script will not even look at the ISO files.
 

It fixes the boot manager of the USB drive, it can't fix the boot manager inside the ISO files contained on the USB drive.
Garlin's script will not even look at the ISO files.
Yeah I just ran it w/ the -BootMedia flag, results:

Code:
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

Welcome to WIN10
You are logged in as XXX
Today: 5/6/2026 9:58:15 PM
PowerShell 5 awaiting your commands.
PS C:\> cd C:\SecBoot
PS C:\SecBoot> .\Check_UEFI-CA2023.ps1 -BootMedia
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 8.0

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Bootable Media
--------------
    DVD Drive E:
    USB Drive G: "Ventoy"
    USB Drive H: "VTOYEFI"
        Boot File [Microsoft Corporation UEFI CA 2011] is ALLOWED.


STATUS REPORT
-------------
    Registry: UEFICA2023Status = Updated

    SUCCESS: UPDATES ARE FINISHED.
    UEFI CA 2023 certs are present, PCA 2011 cert is revoked.


PS C:\SecBoot>
PowerShell 7.6.1
PS C:\Windows\System32> cd c:\SecBoot
PS C:\SecBoot> .\Update_UEFI-CA2023.ps1 -BootMedia
    Copying EFI boot file to USB Drive H: "VTOYEFI"

SUCCESS: NO UPDATES ARE REQUIRED.
PS C:\SecBoot>
 

Oh, almost forgot to tell... seems you need to update your boot media EVEN if you use the latest Reflect X version (8843 or 8846 IIRC), because the WinPE built for the USB using this version partially updates the boot manager, but in a way where the script still says you have SVN 8.0, but CA 2023 doesn't appear (it says 2011 is just not allowed). To get fully compliant, you need to run the update script for boot media, or do the usual partition mount, boot file copy to the USB, unmount and call it a day... I know because I'm trying the 30 day trial and had to do this.
I've got to figure what's the deal with Macrium boot media. It's not my main focus (getting Windows up to date), but Macrium not booting appears to be a serious trend. I guess I should allocate some time to look into it.
 

On the latest Macrium X update (8843), I use the WinRE to make my rescue media. I still had to update the rescue media USB to add the CA 2023 certs. I still can't figure out why Macrium can't get the current CA 2023 bootloaders from the EFI partition, so we aren't always making our rescue media boot with the CA 2023 certs.
 

...but Macrium not booting appears to be a serious trend. I guess I should allocate some time to look into it.
As I am using Macrium Free which is EOL, that would be greatly appreciated... when you have time. :hug:
 

Bootable Media
--------------
DVD Drive E:
USB Drive G: "Ventoy"
USB Drive H: "VTOYEFI"
Boot File [Microsoft Corporation UEFI CA 2011] is ALLOWED.
Ventoy's EFI partition provides a bootx64.efi, which is signed using a "Microsoft" and not "Windows" CA 2011.

MS only cares about banning Windows PCA 2011, and won't touch Microsoft UEFI CA 2011 (used by Linux). Instead it will try pushing out the SBAT, which is the Linux equivalent of SVN, to ban older Linux boot files.
 

I've got to figure what's the deal with Macrium boot media. It's not my main focus (getting Windows up to date), but Macrium not booting appears to be a serious trend. I guess I should allocate some time to look into it.
Your script basically updates the boot manager in the USB so... unless you just want to point out to users that they still need to do it even when updating their rescue media, there's nothing else to do, because this is Macrium's responsibility. The good part here is that your update script handles this, for convenience and less typing. 😉
 

My Computers My Computers

  • At a glance

    Windows 11 Pro 25H2AMD Ryzen 5 5600G @ 3.9/4.4Ghz2 x 16 GB DDR4 Kingston Fury Beast 3200 MhzAMD Radeon RX 6600 XT MSI Mech 2X OC Edition ...
    OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built PC
    CPU
    AMD Ryzen 5 5600G @ 3.9/4.4Ghz
    Motherboard
    MSI B550M-PRO-WiFi Ver. 1.4
    Memory
    2 x 16 GB DDR4 Kingston Fury Beast 3200 Mhz
    Graphics Card(s)
    AMD Radeon RX 6600 XT MSI Mech 2X OC Edition 8 GB
    Sound Card
    Realtek High Definition Audio (Integrated)
    Monitor(s) Displays
    Samsung C50Rx 27" LED / HP S2031 20" LCD
    Screen Resolution
    1920 x 1080 px / 1600 x 900 px
    Hard Drives
    WD Blue SN570 NVME M.2 SSD [1 TB] -- External Drives: - WD Scorpion Blue 250 GB 5400 RPM (Data Backup) - Hitachi 500 GB 5400 RPM (Software / ISOs Backup) - Toshiba MQ01ABD100 1 TB 5400 RPM (OS Images) - HGST TravelStar 7K1000 1 TB, 7200 RPM USB 3.0 - ADATA SU800 2TB SSD USB 3.0
    PSU
    Corsair RM750e 750W Fully Modular
    Case
    Naceb Hydra NA-1602
    Cooling
    Naceb Orpheus x 3 (Front) + Naceb Cepheus 1200 RPM Max (Rear) + ThemalRight Assasin X 90 SE (CPU)
    Keyboard
    Logitech MK470 Wireless
    Mouse
    Logitech MK470 Wireless
    Internet Speed
    120 MB Symetrical
    Browser
    Firefox / Brave / Edge
    Antivirus
    Windows Defender
    Other Info
    - VMs: WMware Player - Windows 8.1 Pro x64 / Windows 11 Pro
    - Wacom Intuos Pro Small Tablet PTH-460
  • At a glance

    Operating System
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    HP Pavilion 15-eh3000la (80M53LA)
    CPU
    AMD Ryzen 7 7730U @ 2.0/4.5 Ghz
    Motherboard
    HP 8BC7
    Memory
    2 x 16 GB Kingston Fury Impact DDR4 3200 Mhz
    Graphics card(s)
    Radeon (tm) Graphics Vega 8 (512 MB)
    Sound Card
    Realtek High Definition Audio (Integrated)
    Monitor(s) Displays
    AU Optronics
    Screen Resolution
    1920 x 1080 px (125% size)
    Hard Drives
    WD Blue SN570 1TB NVME M.2 Drive
    PSU
    45 Watt Charger
    Cooling
    Laptop Cooling Pad
    Keyboard
    Free Wolf Foldable Portable Keyboard
    Mouse
    Free Wolf Wireless Mouse
    Internet Speed
    120 MB Symetrical
    Browser
    Firefox / Brave / Edge
    Antivirus
    Windows Defender
    Other Info
    - 41mWh battery.
    - Wacom Intuos Pro Small Tablet PTH-460
(Says 2011 is just not allowed)
yup.
Code:
Bootable Media
--------------
    DVD Drive E:
    DVD Drive I: "05_06_2026"
        Boot File [Production PCA 2011] is BANNED
 

yup.
Code:
Bootable Media
--------------
    DVD Drive E:
    DVD Drive I: "05_06_2026"
        Boot File [Production PCA 2011] is BANNED
Yup. To not get a security violation when trying to boot that media, it should say [CA 2023] is ALLOWED. That output only means PCA 2011 is banned, but you have no bootable media that uses the CA 2023 cert.
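The two posts above (the Ventoy bootx64.efi signed by the Microsoft UEFI CA 2011, and the "[Production PCA 2011] is BANNED" output) both come down to the same rule-based check: read the CA names in a boot file's Authenticode chain and map them to a verdict. The script below is an added PowerShell example written for this page; it is not garlin's script and not anything shipped by Ventoy or Macrium. It rebuilds the signing chain of an EFI file, applies the three rules visible in the thread (Windows Production PCA 2011 is BANNED, Microsoft Corporation UEFI CA 2011 is ALLOWED, Windows UEFI CA 2023 is ALLOWED), and then checks whether the firmware's db variable actually contains the CA 2023 certificate, which is what decides whether CA 2023-signed media can boot at all. The function names, the rule table and the G: and S: example paths are assumptions of this example; Get-AuthenticodeSignature, Get-SecureBootUEFI and mountvol are standard Windows tools.

```powershell
# Added example for this thread (not garlin's script). Requires Windows booted
# in UEFI mode and an elevated PowerShell for Get-SecureBootUEFI.

# Rule table, matched as substrings against every certificate subject in the
# boot file's signing chain. Mirrors the thread's output: the Windows Production
# PCA 2011 is the CA being revoked, the Microsoft (third-party) UEFI CA 2011 used
# by Linux shim / Ventoy stays allowed, and the Windows UEFI CA 2023 is the new signer.
$CaRules = @(
    @{ Name = 'Microsoft Windows Production PCA 2011'; Verdict = 'BANNED';  Note = 'revoked Windows boot manager signer' }
    @{ Name = 'Microsoft Corporation UEFI CA 2011';     Verdict = 'ALLOWED'; Note = 'third-party CA (Linux, Ventoy); policed by SBAT, not dbx' }
    @{ Name = 'Windows UEFI CA 2023';                   Verdict = 'ALLOWED'; Note = 'current Windows boot manager signer' }
)

function Get-BootFileSigningChain {
    # Returns the subject of every certificate in the file's Authenticode chain.
    # Get-AuthenticodeSignature only exposes the leaf, so the chain is rebuilt here.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return @() }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check, no CRL fetch
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    $null = $chain.Build($sig.SignerCertificate)

    # The leaf's issuer is added too, so the CA name is still seen when the local
    # store lacks the root and the chain stops at the leaf.
    @($sig.SignerCertificate.Issuer) +
        @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) |
        Select-Object -Unique
}

function Get-BootFileVerdict {
    # Rule-based verdict in the same shape as the thread's "Boot File [...] is ..." lines.
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ File = $Path; CA = $null; Verdict = 'UNSIGNED'; SigStatus = $sig.Status; Note = 'no Authenticode signature' }
    }

    $subjects = Get-BootFileSigningChain -Path $Path
    foreach ($rule in $CaRules) {
        $hit = $subjects | Where-Object { $_ -like "*$($rule.Name)*" }
        if ($hit) {
            return [pscustomobject]@{ File = $Path; CA = $rule.Name; Verdict = $rule.Verdict; SigStatus = $sig.Status; Note = $rule.Note }
        }
    }
    [pscustomobject]@{ File = $Path; CA = ($subjects -join ' <- '); Verdict = 'UNKNOWN'; SigStatus = $sig.Status; Note = 'no rule matched; inspect the chain manually' }
}

function Test-FirmwareDbContains {
    # db is a list of DER-encoded certificates; the subject CN is stored as plain
    # printable text, so an ASCII substring search is enough for a presence check.
    param([string]$Subject = 'Windows UEFI CA 2023')
    $db = Get-SecureBootUEFI -Name db
    [bool]([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match [regex]::Escape($Subject))
}

# Usage (example paths): G: is a Ventoy stick as in the thread; S: is the
# system EFI partition after running "mountvol S: /S" in an elevated prompt.
Get-BootFileVerdict -Path 'G:\EFI\BOOT\BOOTX64.EFI' | Format-List
Get-BootFileVerdict -Path 'S:\EFI\Microsoft\Boot\bootmgfw.efi' | Format-List
"Firmware db contains Windows UEFI CA 2023: $(Test-FirmwareDbContains)"
```

Two caveats when reading the output. Get-AuthenticodeSignature reports the primary signature only, so a boot manager that carries both a PCA 2011 and a CA 2023 signature will be classified by whichever signature comes first, which is why a "BANNED" verdict on a file you believe has been updated deserves a second look with a tool that lists nested signatures. And a verdict of ALLOWED for CA 2023 media is only meaningful if Test-FirmwareDbContains returns True: if the db has not been updated, that media fails with a security violation even though the rule table says it is fine.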
 
