I know your script does it, and I fully trust your script !!!
I've used and still do on 5 other computers, 3 old laptops and 2 VMs, I never wait for MS on those
I'm just worried that in 12 or 18 months if you move on to something else, if I'm still relying on your script but you stop updating it and it no longer works, I'll be stuck...
Assuming everyone's finished with
Secure Boot certs, the only future changes will be unscheduled releases of the DBX EFI signatures and a new boot manager.
The update script is agnostic, it really doesn't care about what version is present on your PC or pushed out in the SecureBootUpdates folder. It performs a comparison of the DBX file contents and determines if any updates are needed.
- Does the DBXUpdate.bin contain EFI signatures missing in the current DBX?
- Does the DBXUpdateSVN.bin contain a higher SVN?
- Does the EFI boot manager not match the current version in \Windows\Boot\EFI_EX?
- Do you have a SkuSiPolicy file on the EFI and does it match the SecureBootUpdates version?
The only risk is MS does something stupid like changing the binary file formats for "Legacy" and non-Legacy versions. I have no idea why they decided it was necessary to use a proprietary, MS-only encoding scheme where they added extra header bytes. There's an existing UEFI standards spec already for the file format.
MS was nice enough to answer my posted question to them in short order, but unless they do something stupid again, the update scripts should function without my tweaking. In fact the update script was probably the 2nd easiest script to write because it's functionality is so limited. Most of it is safety logic to prevent the script from doing bad things.
In comparison, the check script has to accommodate all sorts of weird and random PC conditions.
