Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


The verbose mode is triggered by adding "-Verbose" to the end of whatever you used to run the check script in the first place.

Either:
.\Check_UEFI-CA2023.ps1 -Verbose
.\Check-UEFI.bat -Verbose

Both the GitHub and post #1 version of the ZIP file should have the full set of both .ps1 and .bat scripts.
Thanks, got it to run on the old laptop, which turns out to be an Acer (not Asus).

The overriding problem is I don't see the KEK CA 2023 applied (which is the most important cert in this migration). Without the KEK CA 2023 in place, having a CA 2023 boot manager is untrusted.

Can you run the check script using -Verbose added to the command line?

Factory Default UEFI PK Cert
----------------------------
(NONE)

UEFI PK Cert
------------
Acer
Manual update of [KEK CA 2023] is REQUIRED.

Factory Default UEFI KEK Certs
------------------------------
(NONE)

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Acer

Factory Default UEFI DB Certs
-----------------------------
(NONE)

Need to try on the Dell tomorrow (it's in a different location) and will report back - thanks for your tools and help.
 

For your Acer, you might want to repeat what you have done before -- but with Secure Boot enabled. Some BIOS'es are reportedly weird and they want Secure Boot enabled if you're playing around with their certs. I don't know if that makes a difference on your model.
 

First of all, I hope everyone here on the forum is doing well, and I imagine you are all moving forward with the opportunity to update your 2023 certificates.

I want to express my gratitude to this forum, especially to Garlin, Kepler, TheVisitor, and the rest...I have been reading Garlin's thread so I could update my own PCs, and you all have helped me tremendously—especially Garlin's scripts. Thank you, Garlin, for your help to the community. I will keep reading this thread to continue enriching myself with such valuable help.
 

The overriding problem is I don't see the KEK CA 2023 applied (which is the most important cert in this migration). Without the KEK CA 2023 in place, having a CA 2023 boot manager is untrusted.

Can you run the check script using -Verbose added to the command line?

so a bit late - but the verbose script on that dell

Windows 10 22H2 (19045.7417)

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
Dell Inc. Inspiron 3668
Version: 1.18.0
Date: 2021-10-05

Factory Default UEFI PK Cert
----------------------------
Dell Inc. UEFI Platform Key

UEFI PK Cert
------------
Dell Inc. UEFI Platform Key
Manual update of [KEK CA 2023] is REQUIRED.

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
Microsoft Windows PCA 2010
EFI_CERT_SHA256_GUID Signatures: 13

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 13

UEFI Variables
--------------
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
Boot File [Windows UEFI CA 2023] is UNTRUSTED
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


REQUIRED ACTION
===============

Run the command:
Update_UEFI-CA2023.ps1 -Revoke

Finish the UEFI steps to manually add the [KEK CA 2023] cert, if the script provided instructions.

PS C:\WINDOWS\system32>

I believe I did the revoke bit (but it was instant the other day ???), and trying to manually add I found these

Browse the system drive's EFI partition
- Enter the <EFI> folder
- Enter the <Certs> sub-folder

Find the file "Microsoft Corporation KEK 2K CA 2023.der". Add this certificate.
If you encounter an error, try the file "Microsoft Corporation KEK 2K CA 2023.crt".
But it didn't like either format.

Got tied up and used time investigating why my mother's kitchen floor heating was on flat out when it's already 27C ambient outside - this will have to be tomorrow now. Look forward to being told what I did wrong
:-)
 

Some Dells have a BIOS that doesn't accept certificate files in the .der or .crt format. They want the .auth format, which we don't support because that assumes you own a Platform Key and can sign the file (and we're not Dell).

For this model, your final option is to find the option to Delete All Keys. This puts the PC into Setup Mode, where a new set of replacement certs can be installed. The new certs are provided by MS as the "Windows OEM Devices" certs, where MS provides a ready-to-go replacement.

1. Delete All Keys
2. Confirm Secure Boot is disabled.
3. Restart Windows. Run the update script, which should recognize the UEFI is in Setup Mode.
 

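For anyone who wants to confirm what the firmware actually did after Delete All Keys, here is an added example that is not garlin's check script and not part of the ZIP: it reads the Secure Boot variables directly from PowerShell, reports whether the firmware is in Setup Mode (no PK enrolled), and lists the X.509 subjects in PK/KEK/db together with the SHA-256 hash count in dbx, which is the same information the verbose check output prints. It assumes an elevated Windows PowerShell 5.1 or later on a UEFI machine; the EFI_SIGNATURE_LIST layout and the two signature-type GUIDs come from the UEFI specification, and the final KEK-vs-db warning is a simplified version of the condition behind the check script's "Manual update of [KEK CA 2023] is REQUIRED" line.

```powershell
# Added example for this thread (not garlin's check script): read the Secure Boot
# variables directly and show Setup Mode plus the certs enrolled in PK/KEK/db/dbx.
#Requires -RunAsAdministrator

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType)
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-EfiSignatureDatabase {
    # Walks the array of EFI_SIGNATURE_LIST structures stored in one Secure Boot variable.
    # Returns the X.509 subject names found and the number of SHA-256 hash entries.
    param([Parameter(Mandatory)][ValidateSet('PK','KEK','db','dbx')][string]$Name)

    try   { $bytes = (Get-SecureBootUEFI -Name $Name).Bytes }
    catch { return [pscustomobject]@{ Variable=$Name; Present=$false; Certs=@(); Sha256Count=0 } }

    $certs  = New-Object System.Collections.Generic.List[string]
    $hashes = 0
    $pos    = 0
    while ($pos + 28 -le $bytes.Length) {
        # Header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        # Stop on a malformed list rather than reading past the buffer
        if ($listSize -lt 28 -or $sigSize -le 16 -or $pos + $listSize -gt $bytes.Length) { break }

        $dataStart = $pos + 28 + $headerSize
        $dataEnd   = $pos + $listSize
        for ($s = $dataStart; $s + $sigSize -le $dataEnd; $s += $sigSize) {
            # Each entry: SignatureOwner GUID(16) followed by the DER cert or the SHA-256 hash
            $data = [byte[]]$bytes[($s + 16)..($s + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $certs.Add($cert.GetNameInfo('SimpleName', $false))
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $hashes++
            }
        }
        $pos += $listSize
    }
    [pscustomobject]@{ Variable=$Name; Present=$true; Certs=$certs.ToArray(); Sha256Count=$hashes }
}

function Get-SecureBootMode {
    # SetupMode byte = 1 means no PK is enrolled, so the firmware accepts new PK/KEK/db/dbx
    # without an authenticated (.auth) update. That is the state Delete All Keys should produce.
    $setup = (Get-SecureBootUEFI -Name SetupMode).Bytes[0] -eq 1
    $sb    = try { Confirm-SecureBootUEFI } catch { $false }
    [pscustomobject]@{ SetupMode = $setup; SecureBootEnabled = $sb }
}

$mode = Get-SecureBootMode
$pk   = Read-EfiSignatureDatabase -Name PK
$kek  = Read-EfiSignatureDatabase -Name KEK
$db   = Read-EfiSignatureDatabase -Name db
$dbx  = Read-EfiSignatureDatabase -Name dbx

"Setup Mode: $($mode.SetupMode)   Secure Boot enabled: $($mode.SecureBootEnabled)"
"PK : " + $(if ($pk.Present) { $pk.Certs -join '; ' } else { '(NONE)' })
"KEK: " + ($kek.Certs -join '; ')
"db : " + ($db.Certs  -join '; ')
"dbx: {0} cert(s), {1} EFI_CERT_SHA256_GUID signature(s)" -f $dbx.Certs.Count, $dbx.Sha256Count

# Simplified form of the condition behind "Manual update of [KEK CA 2023] is REQUIRED":
# a 2023 db entry with no 2023 KEK to keep maintaining it.
$kek2023 = $kek.Certs | Where-Object { $_ -like '*KEK 2K CA 2023*' }
$db2023  = $db.Certs  | Where-Object { $_ -like 'Windows UEFI CA 2023*' }
if ($db2023 -and -not $kek2023) {
    "WARNING: Windows UEFI CA 2023 is in db but no KEK CA 2023 is enrolled."
}
```

Run it once before Delete All Keys and once after: the "after" run should show Setup Mode True and PK (NONE), and a run after the update script plus a restart should show the Windows OEM Devices PK with the KEK 2K CA 2023 listed under KEK.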
@garlin Hi Garlin, I booted into BIOS, disabled secure boot, then enabled custom mode, then cleared the keys, however when I boot back into Windows the Update_UEFI-CA2023 script run with -Revoke still says Please try Setup Mode. Did I miss something?
Thanks!
 

Can you copy the output from:
Check-UEFI.bat -Verbose
 

@garlin Thx here 'tis:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell A rock-solid marvel

Windows 10 22H2 (19045.7417)

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
Dell Inc. OptiPlex 7050
Version: 1.27.0
Date: 2023-09-17

Factory Default UEFI PK Cert
----------------------------
Dell Inc. Platform Key

UEFI PK Cert
------------
Dell Inc. Platform Key
[KEK CA 2023] Update is available from Dell or Microsoft.

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
Dell Inc. Key Exchange Key

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Dell Inc. Key Exchange Key

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Dell Inc. UEFI DB

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Dell Inc. UEFI DB

Factory Default UEFI DBX Certs
------------------------------
Microsoft Windows PCA 2010
EFI_CERT_SHA256_GUID Signatures: 77

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 77

UEFI Variables
--------------
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 0
[Windows UEFI CA 2023] not in UEFI DB.


REQUIRED ACTION
===============

OPTION 1: DO NOTHING AND WAIT. Windows will apply the UEFI updates (PC has supported BIOS).

OPTION 2: To install [UEFI CA 2023] certs WITHOUT REVOKING the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5844 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"


OPTION 3: To install [UEFI CA 2023] certs and REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5ac6 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
 

Your Dell PK (Platform Key) didn't actually get deleted. Which means the Delete All Keys step didn't work. Try again.

1. Make sure you switch from Standard Mode to Custom Mode.
2. Delete All Keys
 

@garlin Oops I reset the keys instead of deleting them. I successfully got it into setup mode. I then ran Update_UEFI-CA2023 /Revoke and it succeeded and said follow README_UEFI instructions for installing PK Cert from BIOS. However when I tried I got error replacing key make sure key is properly formatted with signature list and initialization headers. And in addition there was no updates folder in the efi folder for the Microsoft Corporation KEK 2K CA 2023.der file. Can we do anything or is this computer not fixable? Thanks again!
 

Reset implies you want to restore the factory defaults. We cannot add the KEK while the factory PK is installed. Therefore we need to Delete All Keys, so our new certs can be installed.

When you run the check script, do you finally see a KEK CA 2023 listed?
 

@garlin I deleted the keys before trying the previously mentioned steps, sorry I didn't clarify that. Here's the check script output:

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 9.0

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


STATUS REPORT
-------------
Registry: "UEFICA2023Status" = Updated

SUCCESS: UPDATES ARE FINISHED.
UEFI CA 2023 certs are present, PCA 2011 cert is revoked.
 

Hi. Apologies if this has already been asked. Does BitLocker need to be disabled for 3 reboots? I've found that our workstations appear usable after 1 reboot after running the update script. Is that baked in protection in case of the update taking place at the same time as other windows updates?
 

Hi. Apologies if this has already been asked. Does BitLocker need to be disabled for 3 reboots? I've found that our workstations appear usable after 1 reboot after running the update script. Is that baked in protection in case of the update taking place at the same time as other windows updates?

I've followed this thread from inception, never seen any mention of having to reboot 3 times for BitLocker. I do have to ask, where did you get that advice from?
 

I've followed this thread from inception, never seen any mention of having to reboot 3 times for BitLocker. I do have to ask, where did you get that advice from?
In the Update_UEFI-CA2023.ps1 script, the script checks whether Bitlocker is running and if it is using Device Guard. If both are enabled then it suspends BitLocker for two reboots (reboot count set to 3). Device guard is running on our workstations so that might be where our workflows differ. The first restart after running the script leaves BitLocker suspended until Windows is restarted twice more. All the certificate updating work on the models I have been testing seems to be done after the first restart so the other 2 for this model may not be required. I was just seeking clarification or if there are situations where re-enabling BitLocker after a check of the certs and a single reboot may result in issues. My aim is to keep the BitLocker protection disabled for the minimum amount of time as these are shared workstations.
 

When I first wrote the update script (Nov 2025), I found this guidance from KB5012170: Security update for Secure Boot DBX:

Issue:
If BitLocker Group Policy Configure TPM platform validation profile for native UEFI firmware configurations is enabled and PCR7 is selected by policy, it may result in the update failing to install.

Next step:
To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions.
To work around this issue, do one of the following before you deploy this update:
  • On a device that does not have Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 1 restart cycle:

    Manage-bde -Protectors -Disable C: -RebootCount 1

    Then, deploy the update and restart the device to resume the BitLocker protection.

  • On a device that has Credential Guard enabled, run the following command from an Administrator command prompt to suspend BitLocker for 2 restart cycles:

    Manage-bde -Protectors -Disable C: -RebootCount 3

    Then, deploy the update and restart the device to resume the BitLocker protection.


At the time (and still today), I find it hard to decipher the MS docs on how to properly diagnose some of the advanced policy settings.

So I just got paranoid and threw in the 3 reboot count. Thinking it's better not to unexpectedly lock the user out of the system because they weren't ready to provide a BitLocker PIN or recovery file on USB. Now it could be we (or your setup) really doesn't need to be suspended for that many cycles.

My focus is on the core Secure Boot changes, so I frankly never tested the exact settings outlined in the KB.

But it sounds like you're technical enough to edit the script and experiment on one or two systems. I presume you know or already have the recovery keys available on a USB, in case Windows asks for the BitLocker credentials after a restart. The script could be changed to look for the exact policy condition listed in the KB, but I'd rather be safe than sorry if my logic is wrong.
 

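As an added illustration of the KB guidance quoted above (this is not the logic inside Update_UEFI-CA2023.ps1, just an example written for this thread), the snippet below picks the reboot count from whether Credential Guard is actually running, refuses to act unless a recovery-password protector exists, and only then suspends BitLocker on the system drive. It assumes an elevated PowerShell with the BitLocker module on Windows 10/11; the -WhatIf switch shows the decision without suspending anything. The PCR7 policy check the KB mentions is left to msinfo32, as the KB itself says.

```powershell
# Added example for this thread (not garlin's script): choose the BitLocker suspension
# length the way KB5012170 describes, verify a recovery protector exists, then suspend.
#Requires -RunAsAdministrator

function Test-CredentialGuardRunning {
    # Win32_DeviceGuard.SecurityServicesRunning lists 1 when Credential Guard is running
    # (2 is HVCI). Hosts without the DeviceGuard namespace are treated as "not running".
    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName Win32_DeviceGuard -ErrorAction Stop
        return [bool]($dg.SecurityServicesRunning -contains 1)
    } catch {
        return $false
    }
}

function Suspend-BitLockerForSecureBootUpdate {
    # Suspends BitLocker on $MountPoint for 1 reboot (no Credential Guard) or 3 reboots
    # (Credential Guard running), matching the two KB5012170 commands. Refuses to act if
    # no recovery-password protector is present, so a recovery prompt after the PCR7
    # change is survivable.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [switch]$WhatIf   # report the decision without suspending
    )

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    if ($vol.ProtectionStatus -ne 'On') {
        return [pscustomobject]@{ MountPoint = $MountPoint; Action = 'none'
                                  Reason = "BitLocker protection is $($vol.ProtectionStatus)" }
    }

    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        return [pscustomobject]@{ MountPoint = $MountPoint; Action = 'refused'
                                  Reason = 'no RecoveryPassword protector; back one up first' }
    }

    $cgRunning = Test-CredentialGuardRunning
    $count     = if ($cgRunning) { 3 } else { 1 }

    if (-not $WhatIf) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $count | Out-Null
    }
    [pscustomobject]@{ MountPoint = $MountPoint
                       Action = $(if ($WhatIf) { 'would suspend' } else { 'suspended' })
                       CredentialGuard = $cgRunning; RebootCount = $count }
}

# Example run: show the decision first, then apply it.
Suspend-BitLockerForSecureBootUpdate -WhatIf | Format-List
# Suspend-BitLockerForSecureBootUpdate | Format-List
# Once the check script reports success, Resume-BitLocker -MountPoint $env:SystemDrive
# ends the suspension without waiting for the remaining reboots.
```

The Resume-BitLocker line at the end is the answer to the "minimum amount of time" concern above: the reboot count is only an upper bound, and protection can be turned back on as soon as the certs have been verified.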
Your Dell PK (Platform Key) didn't actually get deleted. Which means the Delete All Keys step didn't work. Try again.

1. Make sure you switch from Standard Mode to Custom Mode.
2. Delete All Keys


Thanks for tolerating my attempts... tried to do as asked, it didn't work - circles

try again

boot to BIOS, Secure Boot off, expert key mode on,
delete all PK keys
select KEK, delete all KEK keys
what idiot writes "delete all keys" when he actually means delete the selected keys!!!!
left expert on, reboot to Windows
ran update-UEFI.bat

got

Downloading "edk2-x64-secureboot-binaries.zip" from GitHub.
Successfully wrote "Default3PDb.bin" to UEFI db.
Successfully wrote "DefaultDbx.bin" to UEFI dbx.
Successfully wrote "DefaultKek.bin" to UEFI KEK.
Successfully wrote "DefaultPk.bin" to UEFI PK.

REQUIRED ACTION
---------------
Please follow the README_UEFI.TXT instructions, for installing the PK cert from BIOS.

Restart Windows, for UEFI updates to take effect.

PS C:\WINDOWS\system32>

Rebooted into BIOS, Secure Boot still off, expert key mode still on, went to add KEK certs from the EFI folder and had 3 this round, with another file ending .crt this time

try to load
Microsoft Corporation KEK 2K CA 2023.kek
wrong format

try to load
Microsoft Corporation KEK 2K CA 2023.der
wrong format

third time lucky ? nope !

try to load
Microsoft Corporation KEK 2K CA 2023.crt
wrong format

gave up

reboot to windows ran check-UEFI.bat

got

SUCCESS: NO UPDATES ARE REQUIRED.

PS C:\WINDOWS\system32>

confused ??????????????

re ran with verbose

got

Windows 10 22H2 (19045.7417)

Secure Boot: OFF
Virtualization Based Security: OFF
BitLocker on (C:) OFF

BIOS Firmware
-------------
Dell Inc. Inspiron 3668
Version: 1.18.0
Date: 2021-10-05

Factory Default UEFI PK Cert
----------------------------
Dell Inc. UEFI Platform Key

UEFI PK Cert
------------
Windows OEM Devices PK

Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

Factory Default UEFI DBX Certs
------------------------------
Microsoft Windows PCA 2010
EFI_CERT_SHA256_GUID Signatures: 13

UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 431

UEFI Variables
--------------
SBAT (Linux only): sbat,1,2024010900 / shim,4 / grub,3 / grub.debian,4

EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.


REQUIRED ACTION
===============
To REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

PS C:\WINDOWS\system32>

Ahh, this is likely where I was just before above (but didn't see that status)

REQUIRED ACTION
===============
To REVOKE the [PCA 2011] cert, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x282 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

PS C:\WINDOWS\system32>

As I ran revoke and lost the lot in this earlier bit of fun
ran

PS C:\WINDOWS\system32> Update_UEFI-CA2023.ps1 -Revoke

Successfully appended "dbxupdate.bin" to UEFI DBX.
Successfully appended "DBXUpdate2024.bin" to UEFI DBX.
Successfully appended "DBXUpdateSVN.bin" (SVN 7.0) to UEFI DBX.
Deployed SkuSiPolicy.p7b (for VBS).

REQUIRED ACTION
---------------
Restart Windows, for UEFI updates to take effect.
Still need to turn off expert mode and enable Secure Boot - but I don't get how adding nothing worked re the KEK certs
 
