Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Lenovo T460, no longer supported by Lenovo, no updated BIOS available. Trying to avoid having Secure Boot disabled on a working Windows 11 laptop with all updates installed.

Code:
Boot into UEFI, Disabled Secure Boot, Reset to Setup Mode, Clear All Secure Boot Keys.

Download latest version of script from GitHub. Unzip files to c:\temp. Open Terminal (Admin). Enter cd \temp.

Enter powershell -nop -ep bypass -f Check_UEFI-CA2023.ps1, get the following:

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI is in Setup Mode (NO CERTS)

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
    Registry: "WindowsUEFICA2023Capable" = 0
        [Windows UEFI CA 2023] not in UEFI DB.


REQUIRED ACTION
===============

OPTION 1:  To install [UEFI CA 2023] certs

        Update_UEFI-CA2023.ps1


OPTION 2:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert

        Update_UEFI-CA2023.ps1 -Revoke

Enter powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1 -Revoke, get the following:

Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
ERROR: Failed to write "DefaultPk.bin" to UEFI PK.
Wrong signature for this UEFI variable.

Boot into UEFI, Enabled Secure Boot.

Enter powershell -nop -ep bypass -f Check_UEFI-CA2023.ps1, get the following:

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI PK Cert
------------
    (NONE)

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


REQUIRED ACTION
===============

MANUAL UPDATE of the BIOS is required.

Enter the BIOS menu, and search for User or Custom Mode option of updating the UEFI PK or KEK keys.
If your BIOS doesn't support this feature, select Setup Mode to clear all certs.

IMPORTANT: Disable Windows Hello PIN before clearing certs.

OPTION 1:

        Update_UEFI-CA2023.ps1


OPTION 2:  To REVOKE the [PCA 2011] cert

        Update_UEFI-CA2023.ps1 -Revoke

It looks to me like the Update_UEFI-CA2023.ps1 -Revoke does not update the UEFI PK, and it looks like my Lenovo needs this updated in order to secure boot with updated certificates. How do I fix this?
 

My Computers

System One System Two

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T460
  • Operating System
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP EliteDesk 800 G1 SFF
Looking at this link https://support.hp.com/us-en/document/ish_9642671-9641393-16 my HP Z440 workstation is not on the list of HP machines with Sure Start security. So, something else seems to be going on.

Before I ran your scripts on the Z440, the device security in the settings of win 11 did say: secure boot is on, but secure boot certificate updates paused because of a known Issue .............
Could it be related to this? I have not been able to find out what the known Issue is. I will continue to search for it.
You may wish to read the article from HP regarding Secure Boot and MS Certificate update matters: https://support.hp.com/my-en/document/ish_13070353-13070429-16
 

My Computers

System One System Two

  • OS
    Windows 11 Pro build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    CPU
    Intel i7-4790
    Motherboard
    Asus H97 Pro Gamer with add-on TPM1.2 module
    Memory
    Teams DDR3-1600 4x4 GB
    Graphics Card(s)
    MSI Nvidia GeForce GTX 1050Ti
    Sound Card
    Realtek ALC1150
    Monitor(s) Displays
    Dell P2425D
    Screen Resolution
    2560 by 1440 pixels
    Hard Drives
    Corsair NVMe M.2 Core XT 1000 GB (Windows 11 v.25H2); Samsung SATA Evo 870 500 GB (Windows 11 v.25H2);
    PSU
    Corsair HX850
    Case
    Gigabyte Solo 210
    Cooling
    Zalman CNPS7X Tower
    Keyboard
    Microsoft AIO Wireless (includes touchpad)
    Mouse
    HP S1000 Plus Wireless
    Internet Speed
    500 Mb fiber optic
    Browser
    Chrome; MS Edge
    Antivirus
    Windows Defender
  • Operating System
    MacOS 12 Monterey
    Computer type
    Laptop
    Manufacturer/Model
    Apple Macbook Air
    CPU
    Intel Core i5
    Memory
    8 GB
    Graphics card(s)
    Intel integrated
    Screen Resolution
    1440 by 900 pixels
    Hard Drives
    128 GB
    Keyboard
    Built-in
    Mouse
    Microsoft Wireless
    Internet Speed
    802.11 ac
    Browser
    Chrome; Safari
    Antivirus
    N/A
You may wish to read the article from HP regarding Secure Boot and MS Certificate update matters: https://support.hp.com/my-en/document/ish_13070353-13070429-16
You may also look into this forum post on HP site: https://h30434.www3.hp.com/t5/Busin...rtificates-in-pre-2018-HP/m-p/9655302#M190719

But you must be very careful if you want to apply the certs. I read several people bricked their PCs.

I applied the method delineated in there to my HP EliteBook 840 G5 from M/Y 2018 and I was successful. My notebook has the HP PK 2017 and it accepted MS KEK CA 2023 and the rest was easy.
 

Lenovo T460, no longer supported by Lenovo, no updated BIOS available. Trying to avoid having Secure Boot disabled on a working Windows 11 laptop with all updates installed.
It looks to me like the Update_UEFI-CA2023.ps1 -Revoke does not update the UEFI PK, and it looks like my Lenovo needs this updated in order to secure boot with updated certificates. How do I fix this?
There's several options available, going from a less intrusive fix to a complete replacement of the factory certs.

1. The update script will copy the KEK CA 2023 cert as a DER-encoded file to the EFI partition. You can see if your Lenovo's UEFI supports a "Custom Mode". Within the Custom Mode, you can try enrolling new keys from a file provided on a USB drive. Instead of requiring a USB drive, the script copies it to the EFI partition (which is already formatted as FAT32).

Look for KEK key management, find the option to add a new key. Search the listed disk volumes for one which has a "Certs" folder underneath. Browse the Certs folder for the KEK CA 2023 cert file and import it.

Restart Windows and run the update script again; it should resume and finish the updates.

2. If you don't have a KEK key management option, you will need to delete all (factory) keys. This clears out all of the UEFI certs, and allows a new set of replacement certs (Windows OEM Devices) to be installed. Don't pick this option unless the first one doesn't work.

Delete all the factory keys. Restart Windows.
Run the update script again, it should resume and finish the updates.
 

My Computer

System One

  • OS
    Windows 7
April 2026's Monthly Update bumped the SVN from 7.0 to 8.0

I can tell you're using an older version of the check script (please download the latest from post #1).

When the SVN needs updating, "AvailableUpdates = 0x200" is correct. What's wrong is the description "To revoke the [PCA 2011] cert". This was fixed a month ago to not report "PCA 2011 cert" when it really should mention that the SVN needs updating.
I'm using the bat file (Check-UEFI.bat) created on Thursday, March 12, 2026, 10:19:36 PM
I was never able to run those ps1 scripts
 

My Computer

System One

  • OS
    windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Antec/Case
    CPU
    Intel i5-10600kf
    Motherboard
    GIGABYTE Z590 UD AC
    Memory
    32gb corsair vengerance pro
    Graphics Card(s)
    AMD RX 6500XT
    Sound Card
    onboard
    Monitor(s) Displays
    40" Hisense
    Hard Drives
    Samsung 850
    Samsung 870
    Seagate 2TB
    PSU
    EVGA GQ 750
There's several options available, going from a less intrusive fix to a complete replacement of the factory certs.

1. The update script will copy the KEK CA 2023 cert as a DER-encoded file to the EFI partition. You can see if your Lenovo's UEFI supports a "Custom Mode". Within the Custom Mode, you can try enrolling new keys from a file provided on a USB drive. Instead of requiring a USB drive, the script copies it to the EFI partition (which is already formatted as FAT32).

Look for KEK key management, find the option to add a new key. Search the listed disk volumes for one which has a "Certs" folder underneath. Browse the Certs folder for the KEK CA 2023 cert file and import it.

Restart Windows and run the update script again; it should resume and finish the updates.

2. If you don't have a KEK key management option, you will need to delete all (factory) keys. This clears out all of the UEFI certs, and allows a new set of replacement certs (Windows OEM Devices) to be installed. Don't pick this option unless the first one doesn't work.

Delete all the factory keys. Restart Windows.
Run the update script again, it should resume and finish the updates.
Thanks for the reply!

Option 1 is not possible, because the Lenovo UEFI does not have KEK key file management option. And I already have the latest BIOS.

Option 2 is a repeat of what I already did. I tried it again, in UEFI setting the following:
Secure Boot [Disabled]
Restore Factory Keys [Enter] - done
Reset to Setup Mode [Enter] - done
Clear All Secure Boot Keys [Enter] - done
UEFI showed Secure Boot State as follows:
Platform Mode - Setup Mode
Secure Boot Mode - Custom Mode

Code:
PS C:\Users\Admin> cd \temp
PS C:\temp> powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
ERROR: Failed to write "DefaultPk.bin" to UEFI PK.
Wrong signature for this UEFI variable.

ERROR: Failed to write "DefaultPk.bin" to UEFI PK.
Wrong signature for this UEFI variable
How do I fix this?
 

@Ingenon If PK was not installed due to signature violation, did the other certificates not continue to install properly ? In my notebook PC I had the same issue that PK did not install due to signature violation but the other certs installed correctly and I now have full secure boot coverage.
 

I'm using the bat file (Check-UEFI.bat) created on Thursday, March 12, 2026, 10:19:36 PM
I was never able to run those ps1 scripts
That's an older version of the script. Same features, but fixed the wording.

I have to make a "decision tree" to give the user a correct summary of what's missing. Sometimes it's mix & match, where you have one thing but not another. The old script just threw everything into one bucket "You haven't revoked the cert", which confuses people who already revoked PCA 2011. Now it should be able to report other instances without confusion (hopefully).
 

@Ingenon If PK was not installed due to signature violation, did the other certificates not continue to install properly ? In my notebook PC I had the same issue that PK did not install due to signature violation but the other certs installed correctly and I now have full secure boot coverage.
I am glad that your notebook is working without the PK. The following is a full listing of commands entered and responses.

Code:
Boot into UEFI, Disabled Secure Boot, Reset to Setup Mode, Clear All Secure Boot Keys.

Download latest version of script from GitHub. Unzip files to c:\temp. Open Terminal (Admin).

PS C:\Users\Admin> cd \temp
PS C:\temp> powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
ERROR: Failed to write "DefaultPk.bin" to UEFI PK.
Wrong signature for this UEFI variable.
PS C:\temp> powershell -nop -ep bypass -f Update_UEFI-CA2023.ps1 -Revoke
Successfully appended "dbxupdate.bin" to UEFI DBX.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 8.0) to UEFI DBX.

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the PK cert from BIOS.

Restart Windows, for UEFI updates to take effect.

PS C:\temp> powershell -nop -ep bypass -f Check_UEFI-CA2023.ps1
Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI PK Cert
------------
    (NONE)

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011
    Windows BootMgr SVN 8.0

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


STATUS REPORT
-------------
    Registry: "UEFICA2023Status" = Updated

    SUCCESS: UPDATES ARE FINISHED.
    UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

The Check_UEFI-CA2023.ps1 is saying SUCCESS: UPDATES ARE FINISHED. But System Information is showing Secure Boot State Off after several restarts with the UEFI set to Secure Boot Enabled. And the only issue I see is ERROR: Failed to write "DefaultPk.bin" to UEFI PK. Wrong signature for this UEFI variable. How do I fix this?
 

I'm using the bat file (Check-UEFI.bat) created on Thursday, March 12, 2026, 10:19:36 PM
I was never able to run those ps1 scripts
March 12, 2026, 10:19:36 PM... This is very old!

As suggested by Garlin, go to the first post and download the latest zip file, which is from May 14th, this Thursday.
To know if you have the latest zip, Garlin added a "version.txt" which tells the latest script dates.
The version.txt file also has a creation date that follows the date of publication by Garlin, "May 14, 2026"

EDIT: I see Garlin already answered you...
 

My Computer

System One

  • OS
    Windows 11
This is a strange one. Assuming you cleared the factory PK (delete all keys), there shouldn't be an authentication error. Does this BIOS have a feature to manually install a new PK, or are your options limited to Factory/Delete All Keys?

Sometimes a glitchy UEFI is caused by a bad firmware update. Maybe you can see if you can reflash the same firmware again.
 

Sometimes a glitchy UEFI is caused by a bad firmware update. Maybe you can see if you can reflash the same firmware again.
I was thinking the exact same thing.
If the BIOS was flashed a long time ago, it could have become corrupted over time.
Reflashing it will fix any corruption.

@garlin, once reflashed, will he have to redo the clear all certs, so rerun your update script ?

@Ingenon you can get the latest BIOS here
You should be able to update from within Windows, if not there is an ISO that you can write to a USB drive and boot your PC with it
Don't forget to validate the checksum to make sure it properly downloaded before attempting to reflash your BIOS
 
This is a strange one. Assuming you cleared the factory PK (delete all keys), there shouldn't be an authentication error. Does this BIOS have a feature to manually install a new PK, or are your options limited to Factory/Delete All Keys?

Sometimes a glitchy UEFI is caused by a bad firmware update. Maybe you can see if you can reflash the same firmware again.
This BIOS is limited to Factory/Delete All Keys.
I have tried twice to reflash the BIOS, once while Windows was running, and the second time from a bootable USB, and both times the Lenovo installer says it is the same version as is already installed and gives me the option of Exit (only).
 

I am glad that your notebook is working without the PK. The following is a full listing of commands entered and responses.
I have HP Platform Key. Therefore, I am not PKless. I continued with MS 2K KEK CA2023 cert and then other certs. These certs installed properly. No problems till now.
 

This BIOS is limited to Factory/Delete All Keys.
I have tried twice to reflash the BIOS, once while Windows was running, and the second time from a bootable USB, and both times the Lenovo installer says it is the same version as is already installed and gives me the option of Exit (only).
In that case, same BIOS, you can use the full reset to factory in the BIOS, not the one for certs, the full BIOS reset.
It will force a reset of all settings, and therefore remove any corrupted settings you might have.
 

This BIOS is limited to Factory/Delete All Keys.
I have tried twice to reflash the BIOS, once while Windows was running, and the second time from a bootable USB, and both times the Lenovo installer says it is the same version as is already installed and gives me the option of Exit (only).
I have a Lenovo Y50-70. You should have a BIOS option to allow down-level BIOS updates (like if you need to revert a bad update). Maybe you can flash one version back, and flash it forward again. Someone on this thread had cert issues until they reflashed it, and then everything worked.

If the PK was the only thing that wasn't written, it points to BIOS issues. Normally having a PK (of any kind) means having to authenticate each cert write, so the PK is added last so no authentication is required for all of the other cert categories.
 

I have a Lenovo Y50-70. You should have a BIOS option to allow down-level BIOS updates (like if you need to revert a bad update). Maybe you can flash one version back, and flash it forward again. Someone on this thread had cert issues until they reflashed it, and then everything worked.

If the PK was the only thing that wasn't written, it points to BIOS issues. Normally having a PK (of any kind) means having to authenticate each cert write, so the PK is added last so no authentication is required for all of the other cert categories.
I would try a full factory reset of the BIOS before trying to downgrade the BIOS
 

@garlin, whether @Ingenon does a full BIOS factory reset or goes with downgrade/upgrade of the BIOS, I think he will still need to redo the certs clear/reset before re-running your update script.

Yes / No ?
 

In my mind, if you can reflash the firmware, do that first.
Next reset to Factory again. Clear all certs.
Re-run the script.

The goal is to clear any leftover data in the NVRAM, because an authentication error indicates the UEFI thinks there's still old data sitting in one of the keys. When there is no PK present, or no pre-existing NVRAM data for a variable, there is nothing to authenticate against. As soon as you install a PK, or append certs to a variable which already has an existing cert, signed bin files must be authenticated.

With the Windows OEM Devices file from MS, you get a complete set of certs from MS. Since MS created all the certs in the bundle, there can't be an auth error because something is incorrectly signed. All the files are from the same MS source.
 

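As an added example (not one of garlin's scripts and not from the original thread), here is a PowerShell check that reads PK, KEK, db and dbx with Get-SecureBootUEFI, parses the EFI_SIGNATURE_LIST blobs to name the certs, and reports the Setup Mode / PK condition garlin describes above. It assumes an elevated prompt on a UEFI system; the registry key path under SecureBoot\Servicing is an assumption, only the two value names come from the check script's output.

```powershell
# Added example, not one of garlin's scripts: read the four Secure Boot
# variables, list what each holds, and apply the rule from the post above
# (no PK = Setup Mode, unauthenticated writes; PK present = signed writes).
#Requires -RunAsAdministrator
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SignatureListEntries {
    # Walk concatenated EFI_SIGNATURE_LIST structures (what Get-SecureBootUEFI
    # returns in .Bytes) and emit one object per EFI_SIGNATURE_DATA entry.
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list rather than loop forever or read past the end.
        if ($listSize -lt 28 -or $sigSize -le 16 -or ($offset + $listSize) -gt $Bytes.Length) { break }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) + SignatureData
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Value = $cert.GetNameInfo('SimpleName', $false); NotAfter = $cert.NotAfter }
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                [pscustomobject]@{ Kind = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null }
            } else {
                [pscustomobject]@{ Kind = $type.ToString(); Value = "$($data.Length)-byte entry"; NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Get-SecureBootReport {
    $r = [ordered]@{ SecureBootOn = $false }
    try { $r['SecureBootOn'] = [bool](Confirm-SecureBootUEFI) } catch { }   # throws on non-UEFI boots
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction SilentlyContinue  # absent variable => $null
        $r[$name] = if ($var) { @(Get-SignatureListEntries -Bytes $var.Bytes) } else { @() }
    }
    $dbNames  = @($r['db']  | Where-Object Kind -eq 'X509' | ForEach-Object Value)
    $dbxNames = @($r['dbx'] | Where-Object Kind -eq 'X509' | ForEach-Object Value)
    $r['SetupMode']      = ($r['PK'].Count -eq 0)
    $r['CA2023InDb']     = $dbNames  -contains 'Windows UEFI CA 2023'
    $r['PCA2011Revoked'] = $dbxNames -contains 'Microsoft Windows Production PCA 2011'
    # Value names are the ones the check script prints; the key path is assumed.
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $r['WindowsUEFICA2023Capable'] = $svc.WindowsUEFICA2023Capable
    $r['UEFICA2023Status']         = $svc.UEFICA2023Status
    [pscustomobject]$r
}

$report = Get-SecureBootReport
foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    "`nUEFI $name"
    if ($report.$name.Count -eq 0) { '    (NONE)' }
    $report.$name | ForEach-Object { '    {0,-6} {1}' -f $_.Kind, $_.Value }
}
"`nSecure Boot enforced: $($report.SecureBootOn)"
if ($report.SetupMode) {
    # The T460 situation above: certs land fine because nothing authenticates the
    # writes, but the firmware cannot enforce Secure Boot until a PK is enrolled.
    'UEFI is in Setup Mode (no PK): writes are unauthenticated and Secure Boot stays OFF.'
} else {
    'PK present: every KEK/db/dbx write must be signed by the PK/KEK chain.'
}
"Windows UEFI CA 2023 in db: $($report.CA2023InDb); PCA 2011 in dbx: $($report.PCA2011Revoked)"
"Registry: WindowsUEFICA2023Capable = $($report.WindowsUEFICA2023Capable); UEFICA2023Status = $($report.UEFICA2023Status)"
```

Run it before and after the BIOS reset to see whether the PK list changes; on the T460 output quoted above it would print (NONE) for PK, all five CA names in db, and the Setup Mode line.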
Factory reset of the BIOS is just simpler than downgrade/upgrade.
And I've used it multiple times on computers that were behaving weirdly, like not booting every time they're powered on.
It's always worked for me.
 
