Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Hello,

Running an old Dell XPS 8700. Right now, it's Windows 10, but will be upgrading eventually to Windows 11 for compatibility with my main computer. Had some real problems when Microsoft released the Secure Boot update task back in early December (froze the system on every boot until I did a fresh install). Then, when it started running every 11 hours, the system files kept getting shredded. I finally disabled the task and started looking at your PowerShell scripts. No joy with these, I'm afraid. I get a partial update, but not KEK or PK. I had a couple of questions.
1) I have disabled the Microsoft task. When I run the Update_UEFI-CA2023.ps1 script, it just hangs -- actually the system freezes and I have to do a hard shutdown. I'm pretty sure this is for a different reason (see question #2), but I wanted to double-check that your script would not have issues with the Microsoft Secure Boot task being disabled in Task Scheduler.

2) The freeze/hang issue has been documented in other forums as being caused by the old NVIDIA graphics cards that these systems came with. Apparently, they are 'signed' with 2011 certificates. I still have to remove the card and test your script again, but wondered if you had any thoughts on this?

Other than that, I agree with the others who have posted. While I have not been able to update, your script has not shredded the system files in the way that the Microsoft task has. And while my system did 'freeze', there was no damage to the system files upon restart after the hard shutdown.

Again, any thoughts on the above would be appreciated.
 

Attachment: Check_UEFI-CA2023-Script.webp (58.6 KB)

System: Windows 11, PC/Desktop, Dell XPS 8700
1) I have disabled the Microsoft task. When I run the Update_UEFI-CA2023.ps1 script, it just hangs -- actually the system freezes and I have to do a hard shutdown. I'm pretty sure this is for a different reason (see question #2), but I wanted to double-check that your script would not have issues with the Microsoft Secure Boot task being disabled in Task Scheduler.
For applying the certs and updating the boot manager, my script doesn't need the Secure Boot task. But for enabling the SBAT and UEFI lock on SkuSiPolicy, it calls the task, since those are reserved security operations that only the task can do.

2) The freeze/hang issue has been documented in other forums as being caused by the old NVIDIA graphics cards that these systems came with. Apparently, they are 'signed' with 2011 certificates. I still have to remove the card and test your script again, but wondered if you had any thoughts on this?
You're probably hitting the very serious bug with your GPU having an older signed ROM, and it's not authorized once CA 2011 is banned. This is a known issue in the NVIDIA community; you will find lots of threads on this exact problem.

There's no real good answer, except to hope someone has figured out how to hack your GPU's ROM to re-sign it. Or you will have to swap out the GPU (unless you're stuck with integrated graphics). It's one of those problems where nobody thought about this possibility 15 years ago.

Everyone was thinking about the motherboard's security, and not considering it for GPUs. If you can't find a workaround from the NVIDIA forums, you're screwed and need to leave Secure Boot disabled. It's not ideal, but you have to balance which is more important to you, running this PC or having less system protection.
 

System: Windows 7
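An added check that is not garlin's script and not code from this thread: before re-running any update, it is worth seeing exactly which Microsoft CAs are currently in PK, KEK, db and dbx, since "partial update, but not KEK or PK" and "2011-signed GPU ROM no longer trusted" are both visible there. The script below reads the four Secure Boot variables with the built-in Get-SecureBootUEFI cmdlet, walks the UEFI EFI_SIGNATURE_LIST layout by hand, and reports which 2011 and 2023 certificates are present. The certificate common names and the two registry values under SecureBoot\Servicing (UEFICA2023Status, AvailableUpdates) are taken from Microsoft's CA 2023 update guidance and are assumptions on my part; if a name or value is different on your build, the raw subject listing at the end still shows what the firmware actually holds.

```powershell
# Added example (not garlin's script): inventory PK/KEK/db/dbx and report the Microsoft
# 2011 vs 2023 CAs present, plus Windows' own servicing state. Run elevated on a UEFI system.
#Requires -RunAsAdministrator

$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

# Walk the EFI_SIGNATURE_LIST array in a Secure Boot variable and emit one record per
# EFI_SIGNATURE_DATA entry (X.509 subject, or hex of a SHA-256 hash for dbx entries).
function Parse-SignatureDatabase {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # Header: SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
        $sigType    = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # A truncated or corrupt list must stop the walk rather than loop or read past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            Write-Warning "Malformed EFI_SIGNATURE_LIST at offset $offset; stopping."
            break
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # Each entry: SignatureOwner GUID (16) followed by SignatureSize-16 bytes of payload.
            $owner = [guid]::new([byte[]]($Bytes[$pos..($pos + 15)]))
            $data  = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            if ($sigType -eq $EFI_CERT_X509_GUID) {
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $type  = 'X509'; $value = $cert.Subject
            } elseif ($sigType -eq $EFI_CERT_SHA256_GUID) {
                $type  = 'SHA256'; $value = ([BitConverter]::ToString($data) -replace '-', '').ToLower()
            } else {
                $type  = 'Other'; $value = "<$($data.Length) bytes, type $sigType>"
            }
            [pscustomobject]@{ Type = $type; Owner = $owner; Value = $value }
            $pos += $sigSize
        }
        $offset = $end
    }
}

# Common names Microsoft publishes for the 2011 and 2023 generations (assumed spelling; see raw list).
$KnownCAs = @(
    'Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023',
    'Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
    'Microsoft Corporation UEFI CA 2011', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023'
)

function Get-SecureBootCAReport {
    try { $enforced = Confirm-SecureBootUEFI } catch { $enforced = $null }   # throws on legacy BIOS
    $entries = foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        $var = Get-SecureBootUEFI -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $var) { continue }
        Parse-SignatureDatabase -Bytes $var.Bytes |
            ForEach-Object { $_ | Add-Member -NotePropertyName Variable -NotePropertyValue $name -PassThru }
    }
    # Where each known CA sits. A 2011 UEFI CA that is gone from db (or present in dbx) is the
    # state in which an option ROM signed only under that CA, e.g. an old GPU's GOP driver, is refused.
    $summary = foreach ($ca in $KnownCAs) {
        $hits = $entries | Where-Object { $_.Type -eq 'X509' -and $_.Value -like "*CN=$ca*" }
        [pscustomobject]@{
            Certificate = $ca
            InKEK = [bool]($hits | Where-Object Variable -eq 'KEK')
            InDb  = [bool]($hits | Where-Object Variable -eq 'db')
            InDbx = [bool]($hits | Where-Object Variable -eq 'dbx')
        }
    }
    # Windows' view of the rollout; value names assumed from Microsoft's guidance, absent on older builds.
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnforced = $enforced
        PKSubjects         = @($entries | Where-Object { $_.Variable -eq 'PK' } | ForEach-Object Value)
        DbxHashCount       = @($entries | Where-Object { $_.Variable -eq 'dbx' -and $_.Type -eq 'SHA256' }).Count
        UEFICA2023Status   = $svc.UEFICA2023Status
        AvailableUpdates   = $(if ($null -ne $svc.AvailableUpdates) { '0x{0:X}' -f $svc.AvailableUpdates } else { $null })
        Certificates       = $summary
        Entries            = $entries
    }
}

$r = Get-SecureBootCAReport
$r | Format-List SecureBootEnforced, PKSubjects, DbxHashCount, UEFICA2023Status, AvailableUpdates
$r.Certificates | Format-Table -AutoSize
# Raw X.509 subjects per variable, so nothing is hidden by the assumed names above.
$r.Entries | Where-Object Type -eq 'X509' | Format-Table Variable, Value -AutoSize
```

On a machine where only db has been updated, the table shows the 2023 entries with InDb true and KEK 2K CA 2023 with InKEK false, which is the "partial" state described in the first post. For the GPU question, the row for Microsoft Corporation UEFI CA 2011 is the one to watch: as long as it is InDb and not InDbx, a 2011-signed option ROM is still accepted by firmware that honours db.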
Thanks for the quick response. Good to know about the SBAT and "UEFI lock". As it turns out, I can run quite comfortably on the Intel i7's graphics, so I'll be trying to maintain Secure Boot, but remove the graphics card. After I've done that, I'll give your script a go again with the Microsoft task enabled.

Now that I am retired, I hate to throw out stuff that still works, when I have time to keep it humming. I plan to turn the XPS into my 'graphics' machine for creating genealogical pictures and watching my old movies. So, ultimately, it needn't be internet secure, and I can consider going back to the legacy boot instead of UEFI if need be; or consider spending the money on a supported graphics card.

It's all good. Thanks again.
 

