Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

garlin · 2026-06-10T10:05:52-0400

ryan190123 said:
-TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
I dont have this task? thoughts?

Run this command to check on your Secure Boot task:

Code:

>powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 check

========================================
 Secure Boot Update Task Enabler
========================================

Task: \Microsoft\Windows\PI\Secure-Boot-Update

Checking: Y50-70
  State: Ready

========================================
 Summary
========================================
Total Checked: 1
Enabled:


ComputerName : Y50-70
TaskExists   : True
TaskState    : Ready
IsEnabled    : True
LastRunTime  :
NextRunTime  :
Error        :

Presuming you have a different result, then recreate the missing task:

Code:

powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 create
powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 enable

xiojin · 2026-06-10T10:34:41-0400

Got the 2x June win10 updates, ran the check uefi script, it told me to disable bitlocker protectors for 3 reboot , to run regedit and task commands, svn updated successfully. Perfect!

anchamp65 · 2026-06-10T11:02:25-0400

garlin said:

Run this command to check on your Secure Boot task:

Code:

>powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 check

========================================
 Secure Boot Update Task Enabler
========================================

Task: \Microsoft\Windows\PI\Secure-Boot-Update

Checking: Y50-70
  State: Ready

========================================
 Summary
========================================
Total Checked: 1
Enabled:


ComputerName : Y50-70
TaskExists   : True
TaskState    : Ready
IsEnabled    : True
LastRunTime  :
NextRunTime  :
Error        :

Presuming you have a different result, then recreate the missing task:

Code:

powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 create
powershell -f C:\Windows\SecureBoot\ExampleRolloutScripts\Enable-SecureBootUpdateTask.ps1 enable

Must be run as admin
Ran it on mine without admin and it was reporting task did not exist
With admin, it exist and taskstate is ready

garlin · 2026-06-10T11:12:42-0400

I guess MS is sloppy and doesn't bother checking if you're an Admin or not. My scripts do, and then re-launch themselves as Admin.

Anyone working for MS should know how this works. :think:

anchamp65 · 2026-06-10T11:32:52-0400

You probably never heard this before, but you should work for MS...

garlin · 2026-06-10T11:40:46-0400

Why? I'm sure someone in MS management thinks an AI can do this job.

nikki605 · 2026-06-10T11:51:13-0400

garlin said:
Why? I'm sure someone in MS management thinks an AI can do this job.

LOL

anchamp65 · 2026-06-10T12:09:10-0400

garlin said:
Why? I'm sure someone in MS management thinks an AI can do this job.

garlin · 2026-06-10T12:36:35-0400

Moore's Law is often misquoted as "computing power doubles every 18 months".

When I used to work, my favorite thing to share with recent hires was Garlin's Corollary to Moore's Law:

Every 18 months, you have the power to inflict twice as many mistakes as you did before.

anchamp65 · 2026-06-10T12:51:05-0400

garlin said:
Moore's Law is often misquoted as "computing power doubles every 18 months".

When I used to work, my favorite thing to share with recent hires was Garlin's Corollary to Moore's Law:

Every 18 months, you have the power to inflict twice as many mistakes as you did before.

Some humor for today, but I'll stop after this one, otherwise we'll side track this thread
One of my favorite Dilbert...

PS: early in my carreer I tried management, then decided to go the architecture track and never looked back !
And like I always said, I'd rather manage a 1000 computers then 5 humans...

garlin said:
When I used to work.......

I'm also retired...

hottroc · 2026-06-10T14:20:31-0400

garlin said:
Secure Boot certs will work on all PC's regardless of CPU technology, they're just signed arrays of bytes used to authenticate boot files. Some BIOS'es are reported to have known bugs when using custom keys (anything that's not a factory default).

Intel VMX wouldn't impact Secure Boot certs, but having VMX allows you to enable Virtualization Based Security (VBS). If you have VBS, then it will enforce a SkuSiPolicy if you have one deployed. You can try this first:

1. Disable Secure Boot mode.

2 . Restart Windows, check for an EFI copy of SkuSiPolicy.p7b and remove it:

Code:

mountvol S: /s dir S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b del S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b mountvol S: /d

3. Shutdown Windows. Enable Secure Boot mode.

The only protection that SkuSiPolicy adds (right now) is to prevent a downgrade attack of the winload.efi, by banning specific (older) versions of the file. The idea is an attacker could substitute a file version which has a known security hole.

Thanks for the suggestion. I followed your instruction and deleted the SkuSiPolicy file that was present but it made no difference, still won't boot with both Secure Boot and Virtualisation enabled. I've added the file back now by copying it from C:\Windows\System32\SecureBootUpdates. Any other ideas for me to try?

Also I get this, what does it mean please?:

Code:

get-SecureBootSVN

FirmwareSVN      : 0.0
BootManagerSVN   : 9.0
StagedSVN        : 9.0
ComplianceStatus : Not compliant (Staged SVN does not match firmware SVN)
BootManagerPath  : \\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi

RJARRRPCGP · 2026-06-10T15:39:01-0400

hottroc said:
Thanks for the suggestion. I followed your instruction and deleted the SkuSiPolicy file that was present but it made no difference, still won't boot with both Secure Boot and Virtualisation enabled. I've added the file back now by copying it from C:\Windows\System32\SecureBootUpdates. Any other ideas for me to try?

Also I get this, what does it mean please?:

Code:

get-SecureBootSVN FirmwareSVN : 0.0 BootManagerSVN : 9.0 StagedSVN : 9.0 ComplianceStatus : Not compliant (Staged SVN does not match firmware SVN) BootManagerPath : \\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi

I have the same thing, except the firmware SVN is 2.0.

garlin · 2026-06-10T15:46:18-0400

hottroc said:

Code:

get-SecureBootSVN

FirmwareSVN      : 0.0
BootManagerSVN   : 9.0
StagedSVN        : 9.0
ComplianceStatus : Not compliant (Staged SVN does not match firmware SVN)
BootManagerPath  : \\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi

FirmwareSVN -> CA 2011 has never been revoked, because the DBXUpdate2024.bin file also contains a starting SVN (which is non-zero). You can't apply the revocation file without ending up with a SVN. Unless you imported a KEK certificate file from the BIOS screen.

In theory, no ban on CA 2011-signed boot files.

garlin · 2026-06-10T15:56:49-0400

RJARRRPCGP said:
I have the same thing, except the firmware SVN is 2.0.

Windows never applied the current SVN to the DBX.

FirmwareSVN = 2.0 is a marker that PCA 2011 was revoked using an older version of DBXUpdate2024.bin, which originally carried a starting SVN of 2.0. Later versions of the same file bumped the starting SVN to 5.0. Therefore we know roughly what time revocation happened.

Your revocation was probably last year or the beginning of this year, based on 2.0.

However, it appears that the Secure Boot task didn't auto-apply newer SVN's since the time you revoked the CA 2011. Your PC ignored Dec 2025, April 2026 and June 206 opportunities to bump the SVN. I'm beginning to think that's a deliberate design choice for safety (in order to prevent Windows from blocking itself from booting in case of an update error).

If you want to force SVN 9.0, run this command:

Code:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

nikki605 · 2026-06-10T16:16:22-0400

@garlin Back in December, I used Rufus to create Mosby keys needed on my old Lenovo M83 desktop. Today, after using your update script to successfully update 2 Macrium 8 Free and 2 Windows Recovery boot drives as I posted in another thread, I ran it to update the Rufus boot drive as shown here:

But when I tried to boot it, I got this error. Any idea why and how to fix it?

garlin · 2026-06-10T16:35:52-0400

I'm not sure about the error, it indicates the BCD is corrupted. My script will backup the BCD file and restore it after applying the boot folder updates.

Since it's a Rufus-created Windows ISO drive, maybe you can try recreating it?

Dirtyflash · 2026-06-10T16:38:54-0400

nikki605 said:
@garlin Back in December, I used Rufus to create Mosby keys needed on my old Lenovo M83 desktop. Today, after using your update script to successfully update 2 Macrium 8 Free and 2 Windows Recovery boot drives as I posted in another thread, I ran it to update the Rufus boot drive as shown here:

View attachment 173962

But when I tried to boot it, I got this error. Any idea why and how to fix it?

View attachment 173963

There was no need to update the Mosby USB stick as it never boots the device, rather it only appends and amends the UEFI in the NVRAM.

hottroc · 2026-06-10T17:00:24-0400

garlin said:
FirmwareSVN -> CA 2011 has never been revoked, because the DBXUpdate2024.bin file also contains a starting SVN (which is non-zero). You can't apply the revocation file without ending up with a SVN. Unless you imported a KEK certificate file from the BIOS screen.

In theory, no ban on CA 2011-signed boot files.

Sorry that went over my head a little. So please just tell me what I should do? Or nothing? And would this be any factor in my boot problems? Thank you for your help btw, really appreciate your efforts.

jabbado · 2026-06-10T17:04:50-0400

I can't seem to get this to work. Running the UEFI update script said to disable secureboot, which I did. After that running the scripts gives this:

Check_UEFI-CA2023.ps1

Code:

Secure Boot: OFF
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    (NONE)

EFI Files
---------
    Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: "WindowsUEFICA2023Capable" = 2
        [Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

    [OPTIONAL] SkuSiPolicy.p7b (for VBS) is MISSING.


REQUIRED ACTION
===============

Run the command:
    Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

Then running Update_UEFI-CA2023.ps1 -Revoke

Code:

PS D:\SecureBoot-CA-2023-Updates.v2026.06.08> .\Update_UEFI-CA2023.ps1 -Revoke
ERROR: Failed to append "dbxupdate.bin" to UEFI DBX.
Wrong signature for this UEFI variable.

The -Audit option gives

Code:

AUDIT REPORT
============
1.  [Microsoft Corporation KEK 2K CA 2023] is missing from UEFI KEK
2.  [Production PCA 2011] is missing from UEFI DBX (DBXUpdate2024.bin)
3.  DBX Updates are missing from UEFI DBX (dbxupdate.bin)
4.  Windows BootMgr SVN is missing from UEFI DBX (DBXUpdateSVN.bin)

[OPTIONAL] SkuSiPolicy.p7b (for VBS) is missing from EFI

PS D:\SecureBoot-CA-2023-Updates.v2026.06.08> .\Check_DBXUpdate.bin.ps1
FAILED: Missing 11/289 EFI signatures from "dbxupdate.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdate2024.bin"
FAILED: Missing 3/3 SVN signatures from "DBXUpdateSVN.bin"

Now when I go into bios to enroll KEK the certs folder in the EFI partition is empty
So what are my next step(s)?
This is an oldish Gigabyte Aorus 5 laptop, BTW.

Dirtyflash · 2026-06-10T17:16:09-0400

hottroc said:
Sorry that went over my head a little. So please just tell me what I should do? Or nothing? And would this be any factor in my boot problems? Thank you for your help btw, really appreciate your efforts.

In simple terms you need to do this: Update_UEFI-CA2023.ps1 -Revoke

Solved garlin's PowerShell scripts for updating Secure Boot CA 2023

Well-known member

My Computer

Member

My Computer

Member

My Computer

Well-known member

My Computer

Member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computer

Member

My Computer

New member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

Well-known member

My Computer