Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


CA_2011_nuts.webp

I get the same result, not worried
 

The closest feature I've found to Windows recognizing you've revoked CA 2011 is Security Center reporting "No further updates are required".
Yep, the security center seems happy with all my updates.

1779228105660.webp

3P is the MS shorthand for Third Party cert (Microsoft UEFI CA 2023 for Linux). MS informs the OEMs that 3P is optional, but why does their script flag it as required?
OK, that makes sense, I was confused about 3P, that clears a lot of that up. I agree that I don't see how that's required, I sure don't require the 2011 cert for anything I'm doing.
 

The closest feature I've found to Windows recognizing you've revoked CA 2011 is Security Center reporting "No further updates are required".

Yep, the security center seems happy with all my updates.

I don't think Security center is reporting that 2011 is revoked as I have not revoked 2011 but security center says nothing more needed.
Unless "no further certificate changes are needed" and "No further updates are required" are not the same thing.

1.webp


2.webp
 

This one line of PS code explains why MS is calling out the Microsoft UEFI CA 2011 cert:
Code:
Write-Host "  [3P] Microsoft Corporation UEFI CA 2011 (db):      $(if ($ThirdParty2011CAPresent) { 'Present - 3P 2023 certs required' } else { 'Not Present - 3P 2023 certs not required' })" -ForegroundColor $(if ($ThirdParty2011CAPresent) { 'Cyan' } else { 'Green' })

Translation:
Windows found the Microsoft UEFI CA 2011 cert in your DB, and therefore the Secure Boot task must install the matching CA 2023 version of the same cert(s).

I would have changed the report summary to read:
Code:
=== Certificate Update Summary ===
  [1P] Microsoft Corporation KEK 2K CA 2023 (KEK):   Updated
  [1P] Windows UEFI CA 2023 (db):                    Updated
  [3P] Microsoft Corporation UEFI CA 2011 (db):      Present
  [3P] Microsoft UEFI CA 2023 (db):                  Updated - required by [3P] 2011 cert
  [3P] Microsoft Option ROM UEFI CA 2023 (db):       Updated - required by [3P] 2011 cert
===================================
 

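The dependency rule described in the post above, as an added example (not garlin's or Microsoft's code): it derives the summary wording from the raw db and KEK bytes. `Test-CertName` and `Get-CertSummary` are hypothetical names, the name match is a substring heuristic over the variable's bytes, and the sample input is constructed from the cert names shown on this page.

```powershell
# Added example. Function names are hypothetical; Get-SecureBootUEFI is the
# built-in cmdlet that returns a UEFI variable's raw bytes on a live system.

function Test-CertName {
    param([byte[]]$Bytes, [string]$Name)
    # Heuristic: subject names sit as ASCII-compatible text inside the DER
    # certificates of the signature list, so a substring search finds them.
    if (-not $Bytes) { return $false }
    return [System.Text.Encoding]::ASCII.GetString($Bytes).Contains($Name)
}

function Get-CertSummary {
    param([byte[]]$Db, [byte[]]$Kek)

    # The 2011 third-party CA in db is what makes the 2023 third-party certs "required".
    $has2011 = Test-CertName $Db 'Microsoft Corporation UEFI CA 2011'
    $lines = @('=== Certificate Update Summary ===')

    # First-party (1P) certs are expected regardless of the 3P state.
    $firstParty = @(
        @{ Store = 'KEK'; Bytes = $Kek; Name = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Store = 'db';  Bytes = $Db;  Name = 'Windows UEFI CA 2023' }
    )
    foreach ($c in $firstParty) {
        $status = if (Test-CertName $c.Bytes $c.Name) { 'Updated' } else { 'Not updated' }
        $lines += '  [1P] {0,-46} {1}' -f "$($c.Name) ($($c.Store)):", $status
    }

    $state2011 = if ($has2011) { 'Present' } else { 'Not Present' }
    $lines += '  [3P] {0,-46} {1}' -f 'Microsoft Corporation UEFI CA 2011 (db):', $state2011

    # Third-party (3P) 2023 certs only matter when the 2011 3P cert is trusted.
    foreach ($name in 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023') {
        $present = Test-CertName $Db $name
        $status = if ($present -and $has2011) {
            'Updated - required by [3P] 2011 cert'
        } elseif ($present) {
            'Updated'
        } elseif ($has2011) {
            'MISSING - required by [3P] 2011 cert'
        } else {
            'Not required'
        }
        $lines += '  [3P] {0,-46} {1}' -f "$name (db):", $status
    }
    $lines += '==================================='
    return $lines
}

# Constructed sample input: only the subject strings from the AFTER report on
# this page joined with NUL bytes, not a real EFI signature list.
$enc = [System.Text.Encoding]::ASCII
$dbNames = @(
    'Microsoft Corporation UEFI CA 2011'
    'Microsoft Windows Production PCA 2011'
    'Microsoft Option ROM UEFI CA 2023'
    'Microsoft UEFI CA 2023'
    'Windows UEFI CA 2023'
) -join "`0"
$kekNames = @(
    'Microsoft Corporation KEK CA 2011'
    'Microsoft Corporation KEK 2K CA 2023'
) -join "`0"
$sampleDb  = $enc.GetBytes($dbNames)
$sampleKek = $enc.GetBytes($kekNames)

Get-CertSummary -Db $sampleDb -Kek $sampleKek

# Constructed counter-case: a db without the 2011 3P cert, where the 3P 2023
# certs are reported as not required.
$noThirdParty = $enc.GetBytes('Windows UEFI CA 2023')
Get-CertSummary -Db $noThirdParty -Kek $sampleKek

# On a live UEFI system (elevated prompt), feed the real variables instead:
#   Get-CertSummary -Db (Get-SecureBootUEFI -Name db).Bytes `
#                   -Kek (Get-SecureBootUEFI -Name KEK).Bytes
```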
Can you boot with Secure Disabled, and run the check script to see what's going on?
Code:
Check-UEFI.bat -Verbose

Sorry about the delay, I was away from home yesterday. So the only way to disable SB in my bios is to turn Boot Mode from "Windows UEFI" to "Other OS".

So I did that and then ran the check script, then the update script, then added the PK per the readme, rebooted (still in "Other OS") then ran the check script again. See all those results below. Hope this helps.

I think if I turn Boot Mode back to "Windows UEFI" to turn SB back on again it will probably crash as it did before. Would clearing the TPM be necessary?

BEFORE:
Code:
 .\Check_UEFI-CA2023.ps1 -Verbose
Windows 11 25H2 (26200.8457)

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
    PC Specialist LTD Intel Z370
    Version: 2101
    Date: 2024-01-19

Factory Default UEFI PK Cert
----------------------------
    ASUSTeK MotherBoard PK Certificate

UEFI PK Cert
------------
    (NONE)

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Canonical Ltd. Master Certificate Authority
    ASUSTeK MotherBoard KEK Certificate

UEFI KEK Certs
--------------
    (NONE)

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Canonical Ltd. Master Certificate Authority
    ASUSTeK MotherBoard SW Key Certificate
    ASUSTeK Notebook SW Key Certificate

UEFI DB Certs
-------------
    (NONE)

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
    (NONE)
    Windows BootMgr SVN is MISSING.
    EFI_CERT_SHA256_GUID Signatures: 0

UEFI Variables
--------------
    Credential Guard: ON
    SBAT (Linux only): sbat,1,2025051000 / shim,4 / grub,5 / grub.proxmox,2

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        \\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
        File Version: 28000.322

    Registry: "WindowsUEFICA2023Capable" = 0
        [Windows UEFI CA 2023] not in UEFI DB.


REQUIRED ACTION
===============

OPTION 1:  To install [UEFI CA 2023] certs

        Update_UEFI-CA2023.ps1


OPTION 2:  To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert

        Update_UEFI-CA2023.ps1 -Revoke



PS C:\Users\james\Downloads\SecureBoot-CA-2023-Updates> .\Update_UEFI-CA2023.ps1
Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the PK cert from BIOS.

Restart Windows, for UEFI updates to take effect.

Then AFTER:

Code:
.\check_UEFI-CA2023.ps1 -Verbose
Windows 11 25H2 (26200.8457)

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
    PC Specialist LTD Intel Z370
    Version: 2101
    Date: 2024-01-19

Factory Default UEFI PK Cert
----------------------------
    ASUSTeK MotherBoard PK Certificate

UEFI PK Cert
------------
    Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Canonical Ltd. Master Certificate Authority
    ASUSTeK MotherBoard KEK Certificate

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Canonical Ltd. Master Certificate Authority
    ASUSTeK MotherBoard SW Key Certificate
    ASUSTeK Notebook SW Key Certificate

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
    (NONE)
    Windows BootMgr SVN is MISSING.
    EFI_CERT_SHA256_GUID Signatures: 431

UEFI Variables
--------------
    Credential Guard: ON
    SBAT (Linux only): sbat,1,2025051000 / shim,4 / grub,5 / grub.proxmox,2

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
        \\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
        File Version: 28000.322, SVN 8.0

    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


REQUIRED ACTION
===============
To REVOKE the [PCA 2011] cert, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 

Sorry about the delay, I was away from home yesterday. So the only way to disable SB in my bios is to turn Boot Mode from "Windows UEFI" to "Other OS".

So I did that and then ran the check script, then the update script, then added the PK per the readme, rebooted (still in "Other OS") then ran the check script again. See all those results below. Hope this helps.

I think if I turn Boot Mode back to "Windows UEFI" to turn SB back on again it will probably crash as it did before.
A few really old BIOSes don't have a "Custom Mode", instead they provide "Other OS". Which is intended for Linux users to install a non-factory set of keys. We've installed the Windows OEM Devices keys, which are official (from MS), but non-factory.

The solution is to leave the system in "Other OS" and not worry about it. Move on to the revocation steps, or wait for Windows to do it later this year.
 

A few really old BIOSes don't have a "Custom Mode", instead they provide "Other OS". Which is intended for Linux users to install a non-factory set of keys. We've installed the Windows OEM Devices keys, which are official (from MS), but non-factory.

The solution is to leave the system in "Other OS" and not worry about it. Move on to the revocation steps, or wait for Windows to do it later this year.

But if I leave it in "Other OS" mode then Secure Boot is not enabled, which is the point of updating the keys. The BIOS is from early 2024, not mega old.
 

If I understand this ASUS chart, you need to end up in row #5.

Secure Boot State in BIOS | OS Type           | Secure Boot Mode | Key Management         | Secure Boot State in operating system
User                      | Other OS          | Customer         | Default                | Off
User                      | Other OS          | Standard         | N/A                    | Off
Setup                     | Other OS          | Customer         | Clear Secure Boot Keys | Off
Setup                     | Windows UEFI mode | Customer         | Clear Secure Boot Keys | Off
User <--                  | Windows UEFI mode | Customer <--     | Default                | On <--
User                      | Windows UEFI mode | Standard         | N/A                    | On
 

If I understand this ASUS chart, you need to end up in row #5.

Secure Boot State in BIOS | OS Type           | Secure Boot Mode | Key Management         | Secure Boot State in operating system
User                      | Other OS          | Customer         | Default                | Off
User                      | Other OS          | Standard         | N/A                    | Off
Setup                     | Other OS          | Customer         | Clear Secure Boot Keys | Off
Setup                     | Windows UEFI mode | Customer         | Clear Secure Boot Keys | Off
User <--                  | Windows UEFI mode | Customer <--     | Default                | On <--
User                      | Windows UEFI mode | Standard         | N/A                    | On

Err, yes, I guess so. How? (The state is User automatically if Keys are present it seems. OS type in UEFI mode will not boot with keys. There is no Customer/Standard setting, Key Management is per your scripts and there is no separate SB on/off setting).

(And also thank you so much for your time and effort, really appreciated).
 
Err, yes, I guess so. How? (The state is User automatically if Keys are present it seems. OS type in UEFI mode will not boot with keys. There is no Customer/Standard setting, Key Management is per your scripts and there is no separate SB on/off setting).

(And also thank you so much for your time and effort, really appreciated).
If possible, take pictures with your cell phone of the screens and available options in the BIOS and post them here

Because the chart Garlin gave you I believe is from this Asus web page of 2023: How to enable or disable Secure Boot
Your BIOS is probably older than the screen shots provided on the web page
Yes the BIOS version shows 2024, but your CPU, Intel Z370 is from late 2017
So Asus motherboard is probably just as old
Therefore, factory installed BIOS and options are of the year the motherboard was built
With an update of 2024 applied, but the options of the factory BIOS mostly stay the same over the year
Manufacturers make their BIOS evolve over the years so screens in the BIOS change over the years

PS: you might know all of this, if so, sorry, just trying to help :-)
 

If possible, take pictures with your cell phone of the screens and available options in the BIOS and post them here

Because the chart Garlin gave you I believe is from this Asus web page of 2023: How to enable or disable Secure Boot
Your BIOS is probably older than the screen shots provided on the web page
Yes the BIOS version shows 2024, but your CPU, Intel Z370 is from late 2017
So Asus motherboard is probably just as old
Therefore, factory installed BIOS and options are of the year the motherboard was built
With an update of 2024 applied, but the options of the factory BIOS mostly stay the same over the year
Manufacturers make their BIOS evolve over the years so screens in the BIOS change over the years

PS: you might know all of this, if so, sorry, just trying to help :-)
Thanks. My bios is identical in appearance to the link you provided. Mine is a Z390E Gaming so maybe a little later but the bios looks the same. And from that link I can tell that my secure boot mode is "Customer" so SB should be ON, basically I have tried all those settings to turn on Secure boot and it fails to boot when it's on. Does this help at all:

Code:
.\Detect-SecureBootCertUpdateStatus.ps1
Hostname: *******
Collection Time: 05/20/2026 22:49:57
Secure Boot Enabled: False
High Confidence Opt Out: Not Set
Microsoft Update Managed Opt In: Not Set
Available Updates: 0x0
Available Updates Policy: Not Set
Windows UEFI CA 2023 Status: Updated
UEFI CA 2023 Error: None
UEFI CA 2023 Error Event: Not Available
OEM Manufacturer Name: PC Specialist LTD
OEM Model System Family: Intel Z370 Systems
OEM Model Number: Intel Z370
Firmware Version: 2101
Firmware Release Date: 01/19/2024
OS Architecture: AMD64
Can Attempt Update After: 04/03/2026 10:23:10
Latest Event ID: 1808
Bucket ID: f276b099f95015f705b3a59929920b9967094a55404fcd69935a6458a43b3536
Confidence: High Confidence
Event 1801 Count: 0
Event 1808 Count: 30
Update complete (Event 1808 or Status=Updated) - skipping error analysis
OS Version: 10.0.26200
Last Boot Time: 05/20/2026 21:42:52
Baseboard Manufacturer: ASUSTeK COMPUTER INC.
Baseboard Product: ROG STRIX Z390-E GAMING
SecureBoot Update Task: Ready (Enabled: True)
WinCS Key F3*******02: Applied

=== Certificate Update Summary ===
  [1P] Windows UEFI CA 2023 (db):                   Updated
  [1P] Microsoft Corporation KEK 2K CA 2023 (KEK):   Updated
  [3P] Microsoft Corporation UEFI CA 2011 (db):      Present - 3P 2023 certs required
  [3P] Microsoft UEFI CA 2023 (db):                  Updated
  [3P] Microsoft Option ROM UEFI CA 2023 (db):       Updated
===================================
 

Thank you sir, got my 2023 certs back with your scripts
 

Thanks. My bios is identical in appearance to the link you provided. Mine is a Z390E Gaming so maybe a little later but the bios looks the same. And from that link I can tell that my secure boot mode is "Customer" so SB should be ON, basically I have tried all those settings to turn on Secure boot and it fails to boot when it's on. Does this help at all:

Sorry for insisting, can you provide screen shots from BIOS:
  • Current settings
  • Secure Boot Mode options when Other OS is selected
  • Secure Boot Mode options when Windows UEFI mode is selected
  • Key Management options when Windows UEFI mode is selected
Also, do you remember what BIOS version you had before updating it to the 01/19/2024 ?
Or at least tell us if it was from many years prior to 2024...

@garlin let's wait for these answers, but I'm starting to lean towards a BIOS that might have some attributes that have changed over time and now some setting(s) is/are stuck to a certain value and no way of changing it because latest BIOS version has changed how this attribute is configured. I've seen this a few times in the past if BIOS upgrade skipped multiple versions. So maybe another case of resetting BIOS to factory defaults.
 

Thanks. My bios is identical in appearance to the link you provided. Mine is a Z390E Gaming so maybe a little later but the bios looks the same. And from that link I can tell that my secure boot mode is "Customer" so SB should be ON, basically I have tried all those settings to turn on Secure boot and it fails to boot when it's on.
Maybe it's never going to be properly supported if you believe this post:
https://zentalk.asus.com/t5/motherb...-update-for-rog-strix-z390-e-bios/td-p/498418

Does this help at all:
No. There's nothing in the MS script that helps you fix this problem.
 

Maybe it's never going to be properly supported if you believe this post:
https://zentalk.asus.com/t5/motherb...-update-for-rog-strix-z390-e-bios/td-p/498418
Yup, not too promising !

But I still want to see what he sees in the BIOS and how many versions were skipped
Depending on what he comes back with, maybe a factory reset of the BIOS could get it unstuck
Even with that thread you found, that Asus BIOS is capable of key management, so there might still be hope

@hottroc If Secure Boot is absolutely impossible to achieve with certs 2023, then disabling Secure Boot and blocking boot from other than the current Windows boot disk and adding a BIOS password complex enough will prevent booting from USB or CD (if any CD Slot present). Not ideal, but still more secure when Secure Boot can't be used.

Secure Boot only makes the boot process more secure and has no effect on your security level once into Windows.
@garlin correct me if I'm wrong here on Secure Boot having no effect once boot process is complete.
 
@hottroc My Asus M/B BIOS (from late 2014) has the APPEND function to add certificates manually. Did you try it if you have it ?

ASUS.webp

Prepare a USB flash disk formatted in FAT32 file system. Place Microsoft KEK 2K CA 2023 certificate with .crt extension on it and insert it to a USB 2.0 port. You can put the other certificates on the USB, too. My M/B did not accept .der extension certificate.

Go to KEK Management page in BIOS and select Append Default KEK. Select No when asked. You will get a list of drives to choose from. USB drive is the easiest to find among other drives listed. Select the MS KEK certificate and O.K. the selection.

You may install all the certificates in any section including the DBX certificates section as long as you have the APPEND function.

No need to say: Whatever you do, do it at your own risk.

Hope this helps.
 

Secure Boot only makes the boot process more secure and has no effect on your security level once into Windows.
@garlin correct me if I'm wrong here on Secure Boot having no effect once boot process is complete.
No. The point of Secure Boot is only allowing boot files by trusted signers to work. For Black Lotus, MS discovered the old boot manager allowed a specific exploit to work. They closed the security hole, but that didn't prevent unpatched versions from being secretly installed on your Windows. The boot manager exists as an ordinary file on the EFI partition.

The unpatched boot files are still valid, but not the ones you want to authorize. MS's solution was to ban the PCA 2011 cert, and stop trusting an entire generation of Windows boot files dating back several years. The fixed boot managers would only be signed by CA 2023.

The boot manager is the program that launches winload.efi. So it could be possible to launch another program in winload's place or a tainted version that corrupts the startup environment. If you can't confirm the first link in a chain is good, then the entire security chain is suspect.
 

No. The point of Secure Boot is only allowing boot files by trusted signers to work. For Black Lotus, MS discovered the old boot manager allowed a specific exploit to work. They closed the security hole, but that didn't prevent unpatched versions from being secretly installed on your Windows. The boot manager exists as an ordinary file on the EFI partition.

The unpatched boot files are still valid, but not the ones you want to authorize. MS's solution was to ban the PCA 2011 cert, and stop trusting an entire generation of Windows boot files dating back several years. The fixed boot managers would only be signed by CA 2023.

The boot manager is the program that launches winload.efi. So it could be possible to launch another program in winload's place or a tainted version that corrupts the startup environment. If you can't confirm the first link in a chain is good, then the entire security chain is suspect.

So, yes, the whole Secure Boot process only happens during the boot process.

But your point is that if the computer becomes compromised by either a security hole discovered in the official MS boot files, or by an attack that can come from many sources (download, clickbait, email, corrupted software, etc...) then the computer is no longer booting reliably if Secure Boot was disabled.

And therefore, if Secure Boot is disabled, user could be blindly booting to an unreliable OS.

Basically, it's like going back to times before Secure Boot ever existed, but in a world where sources of getting a computer compromised have increased tenfold.

Thanks for further explaining it
 

UPDATE: 2026-05-21

1. Remove illegal characters from log filenames
2. Report DB/DBX certs missing their validated KEK as "UNTRUSTED" instead of "BANNED"
3. Check_UEFI-CA2023.ps1 should report FileVersion using the FileVersionRaw attribute

Updated README_UEFI.TXT with @suatcini54's instructions on temporarily disabling HP Sure Start
Renamed the ZIP file with a version number, per @Ed Tittel.
 
