Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Well, Garlin is the last word on this subject, and I would not want to speak for him. But it looks pretty good to me.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8655
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Tower Plus EBT2250, DOB: 06/15/2025
    CPU
    Intel® Core™ Ultra 7 265 1.8GHz to 5.3GHz (Arrow Lake)
    Motherboard
    Dell Inc. 02D3NT A00 (U3E1)
    Memory
    SK Hynix 32GB DDR5 5600 Desktop RAM UDIMM Non-ECC PC5-5600B
    Graphics Card(s)
    Dell NVIDIA® GeForce RTX™ 4060 8GB GDDR6 & (iGPU) Integrated Intel® UHD Graphics
    Sound Card
    Chipset Realtek High-Definition Audio with Dolby Atmos
    Monitor(s) Displays
    Dell Ultra Sharp U2515H 25-Inch Screen LED-Lit
    Screen Resolution
    2560 X 1440
    Hard Drives
    Samsung (NVMe PM9C1a 1024GB) M.2 PCIe NVMe Solid State Drive (OS), with Samsung Piccolo (S4LY022) 6-Core 4 Channel Controller.

    Samsung T7 500GB SSD, USB-C External Drive
    PSU
    Dell 460W
    Case
    Dell Tower Plus EBT 2250
    Cooling
    Fan
    Keyboard
    Dell Wired Keyboard - KB216
    Mouse
    Logitech M510
    Internet Speed
    Intel Killer E3100G 2.5 Gigabit Ethernet Controller
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    The Samsung NVMe PM9C1a 1024GB SSD does not use a Phison NAND controller. Instead, it uses Samsung's in-house developed Piccolo (S4LY022) 6-Core 4 Channel Controller. The PM9C1a utilizes a controller built using Samsung's 5-nanometer process and seventh-generation V-NAND technology. 🤔
  • Operating System
    Windows 11 Pro 25H2 26200.8655
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 15 7000 (7591) 2-in-1, DOB: 11/30/2019
    CPU
    10th Generation Intel Core i7-10510U Processor (8MB Cache, up to 4.9 GHz) Comet Lake
    Motherboard
    Dell 0NNW5N
    Memory
    16GB DDR4 RAM
    Graphics card(s)
    NVIDIA® GeForce® MX250 with 2GB GDDR5 graphics memory
    Sound Card
    Chipset Realtek ALC3254 🤔🤣
    Monitor(s) Displays
    Dell 15.6-inch UHD Truelife Touch Narrow Border WVA Display with Active Pen support
    Screen Resolution
    3840 x 2160
    Hard Drives
    Intel NVME 512GB SSD with 32GB Intel Optane Memory, M.2 80mm PCIe 3.0 RAID

    SanDisk 256GB Extreme microSDXC UHS-I Memory Card
    PSU
    Dell 4-Cell Battery, 68 Whr (Integrated), 90 Watt AC Adapter
    Case
    Dell Inspiron 15 7000 2-in-1 (7591)
    Cooling
    Standard Dell Case Fan & Havit HV-F2056 USB Powered (3 Fans) Laptop Cooling Pad.
    Keyboard
    Dell
    Mouse
    Logitech Wireless Mouse M650L
    Internet Speed
    Wireless/Wired connectivity (WiFi 6 - 802.11 ax)
    Browser
    Microsoft Edge
    Antivirus
    Microsoft Windows Security
    Other Info
    From Dell: 512GB NVME Solid State Drive accelerated by 32GB Intel Optane Memory are the fastest as compared to NAND SSDs. Intel Optane H10 with SSD offers speedy storage and accelerates opening your programs.
I'll see, but Garlin is indeed the undisputed expert on the subject. Thanks anyway. Best regards.
 

Hello,
After running Garlin's latest script, here's what I get. Am I on the right track, or have I missed something? Regards

1781622053194.webp

As others have said, @garlin is the man, but given what I see in your display, that's what you're supposed to see if everything is updated. I get the same report on all my machines that I've fully updated.
 

You're all correct that @Thierry 83200's PC is done, including with revocation.

1. The easiest way to know if you're finished:
Code:
SUCCESS: UPDATES ARE FINISHED
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.

2. SkuSiPolicy.p7b is only mentioned if VBS is enabled. The policy file doesn't matter when VBS isn't enabled.
 

Thank you all so much, you're doing a wonderful job and it's fortunate that there are still people like you whose skills far exceed the average. Best regards.
 

Hi garlin, thanks for the scripts - and I have to say, you sticking with those struggling to complete, offering support and tweaks to help out is incredible - a very rare thing in today's messed up world - thank you very much

grabbed the latest package - late on the 15th - two machines with asus motherboards appear to be happy-ish - one is on win 11, the other on win 10 but not offered Win 11 update - yet all certs and all bios setup seems to be the same as the similar era machine (and yes all stuff on and hardware OK)

but now for the real fun - an old asus laptop is saying a new UEFI CA 2023 cert is there but it's untrusted - do it manually, but if I remember someone locked down the bios security and I can't get at things.... so that's looking difficult

and a Dell inspiron desktop 3688 is doing exactly the same - I've started to understand what I'm trying to do and got brave enough to delete all keys in bios and did as stated, found new cert in efi but won't play ball - if I go round again I end up in a loop

clear keys and it won't boot in secure boot - loops into a dell hardware test feature - cancel that back into bios and try to boot same loop - go back in bios turn off secure boot - windows boots happily and again round the houses - I see the update script switches to trusted but - try to do bios next steps manually and cert ends up not trusted again

an observation I noticed this month - BOTH those last two machines (I guess before d day and the old certs expire) were both booting and doing stuff in secure boot happily - with Windows security showing all green - then after June MS patch Tuesday updates both the same machines now show the yellow warning here

Win Security.webp


and this info when you check out the offending yellow item

secure boot.webp

after looping around I have update status back to square one

revoke script and or delete all keys in BIOS achieved nothing (as far as I understood stuff)
can't add new certs manually on the dell - I end up back here

Dell 3688 2023 certs after MS june updates.webp

any ideas or next steps appreciated
 

but now for the real fun - an old asus laptop is saying a new UEFI CA 2023 cert is there but it's untrusted - do it manually, but if I remember someone locked down the bios security and I can't get at things.... so that's looking difficult

and a Dell inspiron desktop 3688 is doing exactly the same - I've started to understand what I'm trying to do and got brave enough to delete all keys in bios and did as stated, found new cert in efi but won't play ball - if I go round again I end up in a loop
Before the June 2026 update, Security Center gave you a green checkmark for simply enabling Secure Boot mode.

MS previously announced that in June, the message would change to reflect that your PC isn't compliant. The reason is MS allowed the PC vendors a grace period of a few months to release last-minute BIOS updates.

Not sure about the Acer, but I have higher confidence that Dell is using a more conventional BIOS. Let's work on it.

1. Disable Secure Boot mode.
2. Reset to Secure Boot factory defaults (we want a known good starting point).
3. Check if we're in Custom mode, if not switch back to Custom mode.
4. Delete all keys.
5. Restart Windows. Run the update script.
6. Assuming the update script completed without errors, you should be able to re-enable Secure Boot.
 

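Added example, not garlin's script: a pre-flight check for step 5 of the procedure above. Steps 1-4 are meant to leave the firmware with Secure Boot off and the key store empty (no Platform Key, firmware reporting Setup Mode), so this snippet reads that state before anything is written, and only then invokes the update script and the check script with the -Verbose switch garlin asks for later in the thread. It assumes an elevated PowerShell session on a UEFI system, that garlin's Update_UEFI-CA2023.ps1 and Check-UEFI.bat are in the current directory, and that the firmware exposes the standard SetupMode variable through Get-SecureBootUEFI.

```powershell
# Added example (not garlin's code): verify the firmware state steps 1-4 should have produced,
# then run the update and check scripts. Assumptions: elevated PowerShell, UEFI boot, garlin's
# scripts in the current directory, SetupMode readable via Get-SecureBootUEFI.

function Get-SecureBootState {
    $secureBootOn = $false
    try { $secureBootOn = [bool](Confirm-SecureBootUEFI) } catch { }   # throws on non-UEFI systems: treat as off

    $setupMode = $false
    try { $setupMode = ((Get-SecureBootUEFI -Name SetupMode).Bytes[0] -eq 1) } catch { }   # 1 = no PK enrolled

    $pkPresent = $false
    try { $pkPresent = ((Get-SecureBootUEFI -Name PK).Bytes.Length -gt 0) } catch { }   # throws when PK is deleted

    [pscustomobject]@{ SecureBootOn = $secureBootOn; SetupMode = $setupMode; PKPresent = $pkPresent }
}

$state = Get-SecureBootState
$state | Format-List

if ($state.SecureBootOn) {
    Write-Warning 'Secure Boot is still enabled: steps 1-4 (disable, reset, Custom mode, delete keys) have not taken effect. Do not run the script yet.'
}
elseif ($state.PKPresent -or -not $state.SetupMode) {
    Write-Warning 'A Platform Key is still enrolled, so "Delete all keys" did not stick. Repeat steps 2-4 in the BIOS and restart.'
}
else {
    # Step 5: run the update script. From a PowerShell prompt the .\ prefix is required,
    # and switches such as -Revoke go after the filename, as in garlin's post further down.
    & .\Update_UEFI-CA2023.ps1
    # Then the check script, through its batch wrapper, with the -Verbose switch.
    & .\Check-UEFI.bat -Verbose
}
```

The two warnings map back to the loop described in the thread: if Confirm-SecureBootUEFI still returns True, or the PK variable still reads back, the BIOS changes were reverted on reboot and running the script will not change the trust state.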
3. Check if we're in Custom mode, if not switch back to Custom mode.
Custom mode... in bios ? there is an allow you to play mode tick box top left within secure boot features of the BIOS (not sure it ever said custom) but I see their instructions use the word custom (copy below) - and it says if you just reboot - it reloads dell defaults - so tick play mode, do your thing - reboot - immediately go back in BIOS secure boot features, and untick play mode - done it three times earlier been going in circles

Perform the following steps:


  1. Press F2 to enter the BIOS
  2. Select Secure Boot
  3. Select Expert Key Management
  4. Check that the checkbox titled Enable Custom Mode
  5. Click the Reset All Key button
  6. Click Apply button
  7. Click Exit button (click OK to save if prompted)
  8. On the next boot, press F2 to enter BIOS
  9. Select Secure Boot
  10. Select Expert Key Management
  11. Clear the checkbox titled Enable Custom Mode
  12. Click Apply button
  13. Click Exit button (click OK to save if prompted)
from here

P1 old asus and dell 3866.webp

to here

P5 Dell 3688 2023 certs after MS june updates.webp

and back when after win reboots OK - you reboot the PC again and re-enable secure boot - PC will now boot in secure boot happily but

you get untrusted

on the revoke bit - I'm confused how to apply (although I think it does ) if you just run this in the powershell window and reboot

Update_UEFI-CA2023.ps1 -Revoke


Code:

Successfully appended "dbxupdate.bin" to UEFI DBX.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 7.0) to UEFI DBX.
Deployed SkuSiPolicy.p7b (for VBS).

REQUIRED ACTION
---------------
Restart Windows, for UEFI updates to take effect.

it completes instantaneously when you paste the code?


BIOS type 2

 
The overriding problem is I don't see the KEK CA 2023 applied (which is the most important cert in this migration). Without the KEK CA 2023 in place, having a CA 2023 boot manager is untrusted.

Can you run the check script using -Verbose added to the command line?
 

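Added example, not garlin's script, covering both the "how do I know I'm finished" question (KEK/db contain the 2023 CAs, PCA 2011 revoked) and the point garlin makes above about a missing KEK CA 2023. It walks the EFI_SIGNATURE_LIST chain in the KEK, db and dbx variables, pulls out every X.509 certificate, and reports the four facts the SUCCESS line summarises. The certificate subject names are the well-known names of Microsoft's certificates; the assumptions are Windows 10/11 booted in UEFI mode, an elevated PowerShell session with the built-in SecureBoot module, and that the PCA 2011 revocation appears as an X.509 entry in dbx.

```powershell
# Added example (not garlin's code): list the X.509 certificates in the UEFI KEK, db and dbx
# variables and report whether the CA 2023 migration is complete.
# Assumptions: UEFI boot, elevated PowerShell, Get-SecureBootUEFI available, PCA 2011
# revocation present as an X.509 entry in dbx.

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-UefiX509Subjects {
    # Walks the EFI_SIGNATURE_LIST chain stored in a Secure Boot variable and returns the
    # subject of every X.509 certificate found; hash-only lists (most of dbx) are skipped.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)
    try { $bytes = (Get-SecureBootUEFI -Name $Name).Bytes } catch { return @() }   # variable absent (e.g. keys deleted)
    $subjects = New-Object System.Collections.Generic.List[string]
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType(16) SignatureListSize(4) SignatureHeaderSize(4) SignatureSize(4)
        $type     = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }   # malformed list: stop, never loop forever
        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $entry = $pos + 28 + $hdrSize
            $end   = $pos + $listSize
            while ($entry + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects.Add($cert.Subject)
                $entry += $sigSize
            }
        }
        $pos += $listSize
    }
    return $subjects.ToArray()
}

function Test-HasSubject {
    param([string[]]$Subjects, [string]$Pattern)
    return @($Subjects | Where-Object { $_ -like "*$Pattern*" }).Count -gt 0
}

$kek = Get-UefiX509Subjects -Name KEK
$db  = Get-UefiX509Subjects -Name db
$dbx = Get-UefiX509Subjects -Name dbx

# The four facts behind garlin's "UEFI CA 2023 certs are present, PCA 2011 cert is revoked".
$report = [ordered]@{
    'KEK CA 2023 in KEK'           = Test-HasSubject $kek 'Microsoft Corporation KEK 2K CA 2023'
    'Windows UEFI CA 2023 in db'   = Test-HasSubject $db  'Windows UEFI CA 2023'
    'Microsoft UEFI CA 2023 in db' = Test-HasSubject $db  'Microsoft UEFI CA 2023'
    'PCA 2011 revoked (in dbx)'    = Test-HasSubject $dbx 'Windows Production PCA 2011'
}
$report.GetEnumerator() | Format-Table Name, Value -AutoSize

if (@($report.Values) -contains $false) {
    Write-Warning 'Migration incomplete; a missing KEK CA 2023 is the usual reason a CA 2023 boot manager shows as untrusted.'
}
```

Because the KEK is what authorises updates to db and dbx, the first row is the one to look at when a machine reports the new boot manager as untrusted even though the db rows are True.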
The overriding problem is I don't see the KEK CA 2023 applied (which is the most important cert in this migration). Without the KEK CA 2023 in place, having a CA 2023 boot manager is untrusted.

Can you run the check script using -Verbose added to the command line?
thanks - but like the revoke bit - I need help to know how / where to add that extra (verbose or revoke) instruction

I was going to write an idiots experience - but life is in the way...

the scripts ending file extension .PS1 to me don't run ? but your bat files call them up and then .PS1 scripts run -

and what does the Clear-UEFI_Lock.bat - do - not tried as I have not seen any instructions as to why we have it ?
it could be I'm a dangerous idiot that part knows...

thanks for putting up with us !
 

Here's a simpler way (batch file calls the .ps1 for you):
Code:
Check-UEFI.bat -Verbose
 

You downloaded the ZIP file from post #1? Includes the PS scripts and the matching batch files for them.

If your shell is PS instead of CMD, you need to add a ".\" in front of the filename.
 

sorry - there is clearly a gap in my knowledge - I got your package 14 june 2026 - unless you updated it just now adding a new .bat file and the date is still saying the 14th - I'm out of my depth - I have no idea how to run what is written (by you) in post #2411
 
