Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


boot to BIOS, secure boot off, expert key mode on,
delete all PK keys
select KEK, delete all KEK keys
what idiot writes "delete all keys" when he actually means delete the selected keys!!!!
left expert on, reboot to Windows
ran update-UEFI.bat
Basically there's two different approaches to manual updates:

1. Manually enrolling KEK CA 2023 (by itself). Most Dells have a BIOS quirk where they cannot accept the DER-encoded cert file and only expect an ESL file (raw bytes exported from the UEFI variable). That's how a lot of Dells are implemented. Other vendors, and some other Dell models don't have this restriction.

Normally if you tell me you have a certain model Dell, I expect it wants the ESL file which we cannot provide. ESL files (for the KEK) must be signed by the PK's key holder (or Dell). Dell doesn't want to support this PC, so this option is useless.

2. Barring manual KEK key enrollment, we wipe out all the keys so we can replace them with a new set. Technically you could just delete the PK at a bare minimum, but my instructions are to delete all the keys so we don't end up with some weird UEFI variables glitch (it's happened before on other PCs).

We don't need to perform both options for all cases. You try the first option, and if it fails we move to the second. But we already know the first option never works on specific Dells. Sorry if that whole thing sounds confusing.

Anyway, you're done on adding CA 2023 certs. Revocation has not happened, and you can wait for Windows to revoke CA 2011 later this year, or follow the commands to finish it now.


thanks very much - it's happy - do I need to leave expert key mode on or off - now complete, will it behave off?

You keep Expert (or Custom) Mode enabled, because you have chosen not to use the factory certs (which don't support the new KEK).
I have a Dell 2017 XPS-15 model 9560 with the latest bios (1.21.0 from 2021). I was having problems with deleting all keys part. I finally got it to work with going to custom mode and then rebooting and going into bios again and then deleting the keys. It wouldn't work without the reboot between the steps.
I have heard that story too. Sometimes you have to reboot once or twice (or reset and get back into the BIOS screens).
Each BIOS can have its weird quirks. There are some BIOSes where you can only make changes if Secure Boot is always on. 🤷‍♂️

I think it depends on which generation of BIOS was shipped with your Dell. Dell's FAQ lists at least five different screen layouts. If you're a fan of TV sci-fi, there are 5 different Cylons :think:
...said the joker to the thief...
But it sounds like you're technical enough to edit the script and experiment on one or two systems.
Technical enough to be able to make assumptions but experienced enough to ask in case I'm making a big mistake! I've also seen the BitLocker information from Microsoft and I think a lot must be down to the vendor's implementation. Different motherboards, different TPM, different firmware. You can't write scripts for the smoothest scenario only and I have several manufacturers and models from each to update. Incidentally a large amount updated on their own between the 11th June and today. Maybe MS are getting more confident (or aggressive) changing systems to "High Confidence" as a number were models that showed the "Require more information" entry 8 days ago.
Technical enough to be able to make assumptions but experienced enough to ask in case I'm making a big mistake! I've also seen the BitLocker information from Microsoft and I think a lot must be down to the vendor's implementation. Different motherboards, different TPM, different firmware. You can't write scripts for the smoothest scenario only and I have several manufacturers and models from each to update.
That's the nobody wants to perform the actual QA, except for the poor IT admin who is stuck supporting these boxes in real life.

Incidentally a large amount updated on their own between the 11th June and today. Maybe MS are getting more confident (or aggressive) changing systems to “High Confidence” as a number were models that showed the “Require more information” entry 8 days ago.
In the June 2026 Secure Boot AMA, they said this update would re-assign most PCs from "More Data Needed" to "High Confidence", which would unblock a large wave of stragglers. For everyone else, you're kinda screwed because they admitted there might not be enough telemetry data to know.

Honestly, MS probably knew the true eligibility months ago. You can detect from the UEFI's KEKdefaults whether OEM support was already added, or cross-check the PK's thumbprint against their list of submitted KEK files to reasonably know if you have any chance for success.
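The KEKdefaults / PK thumbprint check garlin describes above, and the ESL layout from approach 1 earlier in the thread, as an added example that is not part of garlin's scripts or any post in this thread: it walks the EFI_SIGNATURE_LIST array in a Secure Boot variable, lists the X.509 certs it holds with their thumbprints, and reports whether the Microsoft KEK CA 2023 is present. It assumes an elevated PowerShell session and that Get-SecureBootUEFI accepts the KEKDefault variable name on the firmware in question (it throws on variables the firmware does not expose).

```powershell
# Added example, not garlin's code. Parses EFI_SIGNATURE_LIST structures:
#   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
#   | SignatureHeader | N x EFI_SIGNATURE_DATA (SignatureOwner GUID (16) + DER cert)
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EslCertificates {
    param([byte[]]$Bytes)
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type    = [guid][byte[]]$Bytes[$pos..($pos + 15)]
        $listLen = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        $hdrLen  = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigLen  = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        # Stop on a malformed list rather than reading past the buffer
        if ($listLen -lt 28 -or $sigLen -le 16 -or $pos + $listLen -gt $Bytes.Length) { break }
        $entry = $pos + 28 + $hdrLen
        while ($entry + $sigLen -le $pos + $listLen) {
            if ($type -eq $X509Guid) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER-encoded certificate
                $der = [byte[]]$Bytes[($entry + 16)..($entry + $sigLen - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
            }
            $entry += $sigLen
        }
        $pos += $listLen
    }
}

# Assumption: 'KEKDefault' is accepted by Get-SecureBootUEFI on this firmware.
foreach ($name in 'PK', 'KEK', 'KEKDefault') {
    try   { $bytes = (Get-SecureBootUEFI -Name $name).Bytes }
    catch { Write-Warning "$name not readable: $_"; continue }
    $certs = @(Get-EslCertificates -Bytes $bytes)
    foreach ($c in $certs) {
        '{0,-10} {1}  {2}' -f $name, $c.Thumbprint, $c.Subject
    }
    $has2023 = [bool]($certs | Where-Object Subject -like '*KEK 2K CA 2023*')
    '{0,-10} contains Microsoft KEK CA 2023: {1}' -f $name, $has2023
}
```

The PK line gives the thumbprint to compare against the OEM's submitted PK list; a KEKDefault that already carries the 2023 KEK is the sign that the vendor shipped support in firmware.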
@garlin Hi Garlin thanks again for the help yesterday. I wanted to give some input - after running the Update script with -Revoke it said follow README_UEFI.txt for instructions. I then went on a wild goose chase trying to install the certs in BIOS but ended up only needing to turn secure boot back on since the certs were already installed (unless there's something I don't remember). Am I missing something? If not just an area that could use some improvement. Also I've done this on several computers so far and in Part A here UEFICA2023Status shows 'in progress' not 'updating.' Thanks.