Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Functionally it's not any different from creating your own privately-issued PK, and self-signing the pre-signed cert files that MS provides. If you had the same technical expertise and the right signing tools, you could do this yourself.

What Mosby accomplishes is the convenience of having a one-stop self-signing tool that works from a bootable USB. That's handy.

But with any crypto tool, you always have to ask if your tools are secure. The source code for Mosby is available on GitHub for everyone to examine, but you might need to be a subject matter expert to fully understand the code. My approach is to use the MS-provided files, which are provided for PC vendors to use if they like. In my script, it's very transparent where we're downloading the keys from, and how it's installed.

Transparency is a big driver on how my scripts are done.

The Windows OEM Devices PK has already been used as an official mitigation for the "DO NOT TRUST - AMI Test" PK flaw. So there's previous precedent.

You can get into endless arguments over which approach is better (self-signed vs OEM delivery). But the Windows OEM Devices certs bundle is pre-packaged so it's known to work if you can get it correctly deployed. It doesn't change, so it's a more predictable outcome when dealing with Q&A. As you can tell, I can spend most of my day working with actual users.

Users can choose which way they want to replace their PK. But my update script will also take care of the Windows side of things (like dealing with a new version of the boot manager or SkuSiPolicy).
Makes perfect sense. :-) Now that I've used both methods, I do find your scripts to be quicker and easier to get the job done. With Mosby I guess I counted on the fact that someone that understands the topic far better than I do would be spreading the word if Mosby was compromised. Of course, that could be a fallacy in my thinking! However, it's not like MSC hasn't stumbled with some of their software releases as well... :lmao:
SURPRISE ! SURPRISE !!!

A friend's computer on which I never updated any of the certs manually and never forced anything
Well MS applied the SkuSiPolicy on it !!!
The friend has 2 computers, 1 for personal use and 1 for work, which I maintain for him
I never apply any custom tweaking like OOShutUp or service tweaking on friends' computers or people that ask for my help
And that friend is in no way capable of doing any of this stuff by himself
For him a computer is something he has to use for email and web access but has no pleasure whatsoever doing it :LOL:
So they're pretty much clean MS installs...

Well it seems MS does sometimes apply SkuSiPolicy !!!
And it did on the 4-year-old personal computer, not on the 1-year-old work one, go figure... :confused:o_O
Run the check script with -Verbose. You need to see the version numbers.

When the boot manager gets replaced you get a triple whammy:
- new boot manager
- new SVN
- new SkuSiPolicy (because they probably replaced winload.efi at the same time)

If you don't line up a new boot manager and winload.efi (from applying the Monthly Update), then it will fail a security check. On paper, the Secure Boot task is supposed to correctly update, but I don't know if MS has extra paranoia checking that makes it avoid some update actions.

My update script just compares the SecureBootUpdates folder files, and does the right things (when used with the -Revoke option).

I guess mine got out of step after the Tuesday June update. So, I had to apply the Required Actions. I think I am all good again.


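A check along the lines of the audit output quoted in this thread, written as an added example (it is not garlin's Check or Update script). It assumes an elevated PowerShell on a UEFI machine, and that the two status values the thread mentions live under the documented SecureBoot\Servicing registry key.

```powershell
# Added example, not garlin's script. Scans the raw UEFI PK/KEK/db/dbx variables for
# the CA subject names (they are plain ASCII inside the DER certificates, so a
# substring match is enough) and reads the two servicing values quoted in the
# thread. Assumed: elevated session, UEFI firmware, documented Servicing key.
#Requires -RunAsAdministrator

function Get-UefiVarText {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the variable.
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        return ''   # variable absent (e.g. PK cleared by a "delete all keys" reset)
    }
}

function Test-SecureBootCA2023 {
    $pk  = Get-UefiVarText 'PK'
    $kek = Get-UefiVarText 'KEK'
    $db  = Get-UefiVarText 'db'
    $dbx = Get-UefiVarText 'dbx'
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
               -ErrorAction SilentlyContinue
    try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }

    # Same checks as AUDIT REPORT items 1-3 above. Item 4 (the BootMgr SVN entry)
    # is not a certificate, so it is not visible to this string scan.
    [pscustomobject]@{
        SecureBootOn     = $sbOn
        PKPresent        = $pk.Length -gt 0
        KEK2023          = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        WindowsCA2023    = $db  -match 'Windows UEFI CA 2023'
        ThirdPartyCA2023 = $db  -match 'Microsoft UEFI CA 2023'
        OptionRomCA2023  = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        PCA2011Revoked   = $dbx -match 'Microsoft Windows Production PCA 2011'
        UEFICA2023Status = $svc.UEFICA2023Status
        CA2023Capable    = $svc.WindowsUEFICA2023Capable
    }
}

$r = Test-SecureBootCA2023
$r | Format-List
# An empty PK leaves the firmware in Setup Mode, where Secure Boot is not enforced
# no matter what the BIOS toggle says; the OS then reports Secure Boot as OFF.
if (-not $r.PKPresent)   { Write-Warning 'UEFI PK is empty: firmware is in Setup Mode, enroll a PK.' }
if (-not $r.SecureBootOn) { Write-Warning 'Secure Boot is disabled: the boot chain is not verified.' }
```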
So I've successfully updated 3 Dell laptops and one Asus Desktop but I am having an issue with my wife's old Dell desktop.... I think it's an Optiplex 3050.
This PC lets me replace the KEK cert however when I reboot the PC it does get installed. None of the other Dells would allow this, they rejected the cert. If I delete all the keys and reboot I still get the same thing. So there is something about this PC that's weird. Once it boots it takes 30 mins before the WiFi card connects to the router and gives me internet connectivity. To my knowledge this happened after a MS Update in April. I've run the scannow and DISM utilities and everything comes up roses. I won't be near this PC for another 9 days... Any insight is welcome! We're on a much needed RV trip...LOL

PS C:\SecureBoot-CA-2023-Updates.v2026.05.31> ./Check_UEFI-CA2023.ps1 -audit
Secure Boot: OFF (Audit Report runs as ON)
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010

EFI Files
---------
Boot File [Windows UEFI CA 2023] will be UNTRUSTED
Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


AUDIT REPORT
============
1. Secure Boot is DISABLED
2. [Microsoft Corporation KEK 2K CA 2023] is missing from UEFI KEK
3. [Production PCA 2011] is missing from UEFI DBX
4. Windows BootMgr SVN is missing from UEFI DBX


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

PS C:\SecureBoot-CA-2023-Updates.v2026.05.31>
On my HP Z440, I deleted the secure cert keys in the bios and ran the update script. That did not get me anywhere. I then reset the factory default certs in the bios, and ran Update_UEFI.bat -revoke. That worked and this time I got the dbx updates that gave me problems before: so, it confirmed your assumption Garlin that the dbx was corrupt as the computer became a lot faster, after switching it on to the point where it started to load windows 11.
The update script did tell me to manually add certs in the bios, and then reboot, but I found no possibility to do so. So, I rebooted without manually adding anything.

However, since then, I have secure boot enabled in the bios, but when windows 11 is started, it finds no secure boot. When I look at the check_uefi.bat -verbose, I get this:

.\check-UEFI.bat -Verbose
PowerShell 7.6.2
Windows 11 25H2 (26200.8655)

Secure Boot: OFF
Virtualization Based Security: ON
BitLocker on (C:) OFF

BIOS Firmware
-------------
Hewlett-Packard HP Z440 Workstation
Version: M60 v02.62
Date: 2024-01-04

Factory Default UEFI PK Cert
----------------------------
Hewlett-Packard UEFI Secure Boot Platform Key

UEFI PK Cert
------------
(NONE)

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Hewlett-Packard UEFI Secure Boot Key Exchange Key

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Hewlett-Packard UEFI Secure Boot DB Key

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 14

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 9.0
EFI_CERT_SHA256_GUID Signatures: 447

UEFI Variables
--------------
Credential Guard: ON
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

SkuSiPolicy.p7b is CURRENT.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\SkuSiPolicy.p7b
Version: 3.0.0.15


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

PS C:\Users\admin\Downloads\SecureBoot-CA-2023-Updates.v2026.06.08> .\Check-DBX.bat -Verbose
PowerShell 7.6.2
SUCCESS: Matched 289/289 EFI signatures from "dbxupdate.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdate2024.bin"
SUCCESS: Matched 3/3 SVN signatures from "DBXUpdateSVN.bin"

I assume the problem is the UEFI PK cert being empty. It was populated before. How can I populate this again, or can I do something else?
I have now found out that if I want to get full bios admin access, I will need to open up my HP Z440, and re-add the jumper on the mainboard (which I took out to easily access the bios). Do you think this may become necessary?
Also I can enable or disable Secure boot at will.