Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

garlin · May 27, 2026

UPDATE: 2026-05-27

[BUG] Hotfix for bad comparison of boot manager's SVN version

garlin · May 27, 2026

FIREMEDIC2700 said:
well hopefully i am good till i die . but wait this is microsoft lol. what do u think master garlin

Screen 1 is fully updated and revoked.

Screen 2 hasn't finished revocation. Run:

Code:

.\Update-UEFI.bat -Revoke

FIREMEDIC2700 · May 27, 2026

garlin said:
Screen 1 is fully updated and revoked.

Screen 2 hasn't finished revocation. Run:

Code:

.\Update-UEFI.bat -Revoke

screen 1 is ur version screen 2 is another version called bo script. which one should i go by lol . and there is a 3 rd one i use and it looks very diffrent

HuntyFtw · May 27, 2026

geekdom said:
After you log into the BIOS, you can access Secure Boot (enable or disable Secure Boot under Boot) and modify Secure Boot settings (under Security). The key was setting the BIOS password first.

Secure Boot Mode was fixed at Standard. After I erased Secure Boot settings and rebooted, Secure Boot Mode showed Custom.

Rebooted to BIOS?

geekdom · May 27, 2026

HuntyFtw said:
Rebooted to BIOS?

I rebooted my computer, used Advanced Startup to enter the BIOS, and viewed Secure Boot Mode.

garlin · May 27, 2026

FIREMEDIC2700 said:
screen 1 is ur version screen 2 is another version called bo script. which one should i go by lol . and there is a 3 rd one i use and it looks very diffrent

"Bo Script" is a really outdated version from a few months ago. It shouldn't be used since the script has improved a lot since then.

DarkShadowMD · May 27, 2026

garlin said:
UPDATE: 2026-05-27

[BUG] Hotfix for bad comparison of boot manager's SVN version

I think I got why the SBAT gives an error when reading in my laptop...
I added the OptOut parameter, and the script is looking for the SbatLevel parameter, which doesn't exist since I opted out.

Just to let you know in case you need to revisit that. I also tried today to remove the OptOut key and update SBAT with your script, but nothing happens, SBAT registry keeps itself blank in despite to set AvailableUpdates to 0x400, so I returned the OptOut value so event viewer doesn't add errors each reboot. I tried reseting the Secure Boot values to default and doing the revocation all over again with your script, but nothing happens with SBAT even using the parameter.

Nothing important, but maybe helps in improving the script :)

garlin · May 27, 2026

Here's a confession: My update script can't actually set the SBAT variable, it's a restricted operation limited to the Secure Boot task. So I'm calling the task with AvailableUpdates=0x400.

What I've found in browsing the Event Logs, is the task won't apply the SBAT under two conditions:

- you're opted out

- Secure Boot is disabled (there's a specific TPM-WMI warning to the effect of "can't apply SBAT because Secure Boot is off")

The task should be applying the SBAT when you're in a revoke situation. I have seen PC's report the SBAT when the old version of the update script didn't touch the setting. I wouldn't worry too much about a missing SBAT, it's there just in case you run Linux.

Real Linux users get mad because Windows is writing the SBAT, instead of Linux. Which is why the OptOut setting is provided.

gunrunnerjohn · May 27, 2026

garlin said:
Missing a ')' on the line. I should probably not post before having my caffeine in the morning.

That one works a lot better.

DarkShadowMD · May 27, 2026

garlin said:
Here's a confession: My update script can't actually set the SBAT variable, it's a restricted operation limited to the Secure Boot task. So I'm calling the task with AvailableUpdates=0x400.

What I've found in browsing the Event Logs, is the task won't apply the SBAT under two conditions:

- you're opted out
- Secure Boot is disabled (there's a specific TPM-WMI warning to the effect of "can't apply SBAT because Secure Boot is off")

The task should be applying the SBAT when you're in a revoke situation. I have seen PC's report the SBAT when the old version of the update script didn't touch the setting. I wouldn't worry too much about a missing SBAT, it's there just in case you run Linux.

Real Linux users get mad because Windows is writing the SBAT, instead of Linux. Which is why the OptOut setting is provided.

Welp, I'll just leave the optout setting then.

Probably I would suggest then for the script to read this key and skip SBAT for systems that opted out... just a personal thing because seeing an error in red can make others panic or think something is wrong when it isn't.

hottroc · May 27, 2026

anchamp65 said:
Ok so now run Update_UEFI-CA2023.ps1

And if I remember correctly the last time you were in that state, the update script will tell you at the end to load the PK from the BIOS. If I also remember correctly, I think you had loaded the PK "WindowsOEMDevicesPK.der", since in your case your manufacturer, PC Specialist LTD, has not provided MS with a PK.

Then run the check script with "-verbose -audit" again, and hopefully it will tell you that all you need to do is run the update with "-revoke" or wait for MS to do it later.

Please see the result below after running the update script and manually loading the PK per instructions. However note that Secure Boot is Disabled. If I enable it I get the boot failure.

Code:

.\check_UEFI-CA2023.ps1 -Verbose -audit
Windows 11 25H2 (26200.8457)

Secure Boot: OFF (Audit Report runs as ON)
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
    PC Specialist LTD Intel Z370
    Version: 2101
    Date: 2024-01-19

Factory Default UEFI PK Cert
----------------------------
    ASUSTeK MotherBoard PK Certificate

UEFI PK Cert
------------
    Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
    Microsoft Corporation KEK CA 2011
    Canonical Ltd. Master Certificate Authority
    ASUSTeK MotherBoard KEK Certificate

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Canonical Ltd. Master Certificate Authority
    ASUSTeK MotherBoard SW Key Certificate
    ASUSTeK Notebook SW Key Certificate

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
    (NONE)
    EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
    (NONE)
    Windows BootMgr SVN is MISSING.
    EFI_CERT_SHA256_GUID Signatures: 431

UEFI Variables
--------------
    Credential Guard: ON
    SBAT (Linux only): sbat,1,2025051000 / shim,4 / grub,5 / grub.proxmox,2

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] will be ALLOWED.
        \\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
        File Version: 28000.326, SVN 8.0

    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


AUDIT REPORT
============
1.  Secure Boot is DISABLED
2.  [Production PCA 2011] is missing from UEFI DBX
3.  DBX Updates are missing from UEFI DBX
4.  Windows BootMgr SVN is missing from UEFI DBX


REQUIRED ACTION
===============
To REVOKE the [PCA 2011] cert, run the commands:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
    powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

garlin · May 27, 2026

I'm not sure why your PC doesn't accept the current settings. They're exactly right. Other than trying to reflash the BIOS (which sometimes works) to reset the BIOS.

geekdom · May 27, 2026

geekdom said:
I rebooted my computer, used Advanced Startup to enter the BIOS, and viewed Secure Boot Mode.

If Secure Boot settings were erased, reboot into your computer after viewing Secure Boot Mode in the BIOS and update the certificates.

otnert · May 27, 2026

garlin said:
Are you using the 32-bit version of PowerShell? There was a fix for "cannot find any specified files" a few releases back.

I think I am, in powershell when I run: [System.Environment]::Is64BitProcess, it comes back True.

I'm now using the latest file from SecureBoot-CA-2023-Updates.v2026.05.27 :

The error only occurs if I run the batch file Check-UEFI.bat (Run as Admin),
if I use.. right click windows key, Terminal(Admin), I don't get the error but then it falters after the SBAT section?

edit... installed PowerShell 7.6.2 getting the same

EB2XR6 · May 28, 2026

I updated my system successfully with many thanks to Garlin.
There is an updated Motherboard Bios to fix a DDR5 vulnerability.
I have updated the Bios previously but I am wondering if the Certificate Upgrades may cause boot issues if I flash the Bios?

garlin · May 28, 2026

EB2XR6 said:
I updated my system successfully with many thanks to Garlin.
There is an updated Motherboard Bios to fix a DDR5 vulnerability.
I have updated the Bios previously but I am wondering if the Certificate Upgrades may cause boot issues if I flash the Bios?

Normally, flashing the BIOS should not change the current certs (which are stored in NVRAM).

A new BIOS can have a different set of factory default certs. But it can only go in one direction (factory certs added to NVRAM), but not in the other direction. If updating the BIOS corrupts the NVRAM, you can always reset to factory defaults and repeat the same update process you successfully performed the first time.

misar · May 28, 2026

(Repost from another thread)

I have two Acer laptops running 25H2 and with the InsydeH20 UEFI BIOS. Windows update did a partial certificate update but failed as the new KEK has not been provided by the OEM. Using garlin's manual suggestion I copied "microsoft corporation kek 2k ca 2023.der" to the EFI folder. The BIOS appears to have the option to add it but I cannot see the file to select it.

Will running garlin's update script perform the update using the Microsoft KEK?
If I wait is it likely that Windows will retry and eventually succeed using either an OEM or Microsoft KEK?

Garlin noted in the other thread: "In order to see the file, you should browse the listed disk devices for the cert file. If it's under a subfolder, you will have to change folders to find it." The BIOS option I used was "Select an UEFI file as trusted for executing". When I do that it lists HDD0 and hitting enter again appears to select <EFI>. That has a list of folders but no files. I have confirmed by browsing the partition that the .der file is in the EFI folder.

NormanF · May 28, 2026

Its only Microsoft KEKs. The OEM won't provide one if its out of support.

garlin · May 28, 2026

otnert said:
I'm now using the latest file from SecureBoot-CA-2023-Updates.v2026.05.27 :

The error only occurs if I run the batch file Check-UEFI.bat (Run as Admin),
if I use.. right click windows key, Terminal(Admin), I don't get the error but then it falters after the SBAT section?

edit... installed PowerShell 7.6.2 getting the same

What happens if you're in CMD (Admin), and you run:

Code:

powershell -ep bypass -f \path\Check_UEFI-CA2023.ps1 -Verbose
pwsh -ep bypass -f \path\Check_UEFI-CA2023.ps1 -Verbose

garlin · May 28, 2026

misar said:
(Repost from another thread)

I have two Acer laptops running 25H2 and with the InsydeH20 UEFI BIOS. Windows update did a partial certificate update but failed as the new KEK has not been provided by the OEM. Using garlin's manual suggestion I copied "microsoft corporation kek 2k ca 2023.der" to the EFI folder. The BIOS appears to have the option to add it but I cannot see the file to select it.

Will running garlin's update script perform the update using the Microsoft KEK?
If I wait is it likely that Windows will retry and eventually succeed using either an OEM or Microsoft KEK?

There are four ways to install a new KEK CA 2023:

1. OEM provides the CA 2023 certs in an updated BIOS (best solution).

2. OEM submits a signed KEK CA 2023 to MS, so it can be applied by Windows (next best solution).

3. User adds a KEK CA 2023 by manual key enrollment.

4. User enters Setup Mode by deleting all keys.

The update script tries to figure out which of those scenarios is workable.

Case 1: Script recognizes you have a supported BIOS, and applies any missing certs.

Case 2: Script tries to apply the submitted KEK CA 2023 file, from the MS GitHub for vendor submitted KEK files.

Case 3: Script determines neither 1 or 2 apply, copies the KEK cert file to the EFI partition, under a new "\EFI\Certs" folder. From the UEFI's manual KEK key management menu, navigate the presented disk volumes until you find an \EFI folder. Select the folder and drill down until you find the cert file inside. Apply the file, and restart Windows. Re-run the update script to finish the job.

Case 4: Your UEFI doesn't support manual enrollment, or refuses the key type (mostly Dell's). Then delete all Secure Boot keys from the UEFI menu, and run the update script.

It sounds like you're in Case 3. Rather than manually copy the cert file, run the update script. It will copy the cert file twice for you (one copy is named .der, and another is named .crt since some BIOS'es require a specific file extension).

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

Peaceful Citizen

My Computers

Well-known member

My Computer

Well-known member

My Computers

Peaceful Citizen

My Computers

New member

My Computer

Well-known member

My Computer

New member

My Computer

New member

Attachments

My Computer

Active member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer