Solved garlin's PowerShell scripts for updating Secure Boot CA 2023


Celery:​

Yes, there are more ways to solve it.
But you don't have to write it to me, I'm technically proficient, write it to iFX_Legacy :-)
 

OK, garlin, I will try as you advise and report the results.
Thank you very much for your help,
fernando

Use O&O 10 Shutup Secure Boot Status tab to verify your 2023 Secure Boot certificates were installed and you're good to go.
 

@Celery, you have Rufus to simplify all of that.

But not everyone's using the "CA 2023" option, or realizing the key point: if the boot manager changes after a Monthly Update (like in June 2026), then you need to run MCT or UUP dump to get a newer image which matches the last time the boot manager (and SVN) changed.

Technically you could just copy the bare minimum files, but if there are security changes for Windows, you should get all of them.
 

@iFX_Legacy
Since my post in which I gave you detailed advice was deleted, I'll simplify it again.
The solution to your problem with SVN 7 is the current installation media with June Windows 11 25H2 26200.8655 or 26200.8737, because June Windows 11 has efi files with SVN 9.
= bootmgfw_EX.efi must be SVN 9 (install.wim/boot.wim)
 
> Use O&O 10 Shutup Secure Boot Status tab to verify your 2023 Secure Boot certificates were installed and you're good to go.

O&O doesn't inform you about SVN, after the CA 2023 certs have been installed.
If you like the product so much, why don't you make a feedback suggestion to add this feature?

A PC can be updated to CA 2023, and yet fail the SVN test because of a mismatch over boot manager versions.

Users won't begin to experience issues with SVN until the CA 2011 revocation has been done. Which not everyone has elected to revoke, since MS hasn't made it mandatory yet.
 

> O&O doesn't inform you about SVN, after the CA 2023 certs have been installed.
> If you like the product so much, why don't you make a feedback suggestion to add this feature?
>
> A PC can be updated to CA 2023, and yet fail the SVN test because of a mismatch over boot manager versions.
>
> Users won't begin to experience issues with SVN until the CA 2011 revocation has been done. Which not everyone has elected to revoke, since MS hasn't made it mandatory yet.

SVN isn't exposed to the end user. Microsoft is going to revoke the old certificates eventually and for the moment, while I have the 2023 installed, they haven't been activated yet.

There are reasons SVN isn't visible:

Why Microsoft hides SVN

Three reasons:

A. Prevent rollback tampering

If users could see or modify SVN, attackers could too.

B. OEM variability

Different firmware vendors implement SVN differently.

C. Avoid support nightmares

Imagine millions of users asking why their SVN is “wrong.”

Microsoft avoids this by hiding it.
 

Windows Security doesn't display it. Run this command as Admin:
Code:
C:\Windows\System32>powershell Get-SecureBootSVN

FirmwareSVN      : 9.0
BootManagerSVN   : 9.0
StagedSVN        : 9.0
ComplianceStatus : Compliant (Boot Manager SVN meets staged SVN)
BootManagerPath  : \\.\HarddiskVolume1\EFI\Microsoft\Boot\bootmgfw.efi

FirmwareSVN <-- UEFI's current value
BootManagerSVN <-- boot manager's current value
StagedSVN <-- latest possible value from \Windows\System32\SecureBootUpdates\DBXUpdateSVN.bin, if you haven't applied revocation or recent Secure Boot updates

To check the boot file on a USB device:
Code:
C:\Windows\System32>powershell Get-SecureBootSVN -BootManagerPath D:\EFI\Boot\bootx64.efi

FirmwareSVN      : 9.0
BootManagerSVN   : 9.0
StagedSVN        : 9.0
ComplianceStatus : Compliant (Boot Manager SVN meets staged SVN)
BootManagerPath  : D:\EFI\Boot\bootx64.efi
 

> @iFX_Legacy
> Since my post in which I gave you detailed advice was deleted, I'll simplify it again.
> The solution to your problem with SVN 7 is the current installation media with June Windows 11 25H2 26200.8655 or 26200.8737, because June Windows 11 has efi files with SVN 9.
> = bootmgfw_EX.efi must be SVN 9 (install.wim/boot.wim)

I saw the post before I went to bed and noticed it was gone today. I'm assuming because it was linking to an unofficial site for ISO images?

I'm a little wary about scripts and using unknown downloads. Your overall diagnosis makes sense though.

Rufus simplifies all those other operations, unless there's a reason I shouldn't use that... can I manually add the latest cumulative update to the last official Microsoft ISO and then just use Rufus?

I searched Google but it seems some of the articles referencing how to manually do this are a bit out of date... can you guide me through that?

Thank you again for your help.
 

> @Celery, you have Rufus to simplify all of that.
>
> But not everyone's using the "CA 2023" option, or realizing the key point: if the boot manager changes after a Monthly Update (like in June 2026), then you need to run MCT or UUP dump to get a newer image which matches the last time the boot manager (and SVN) changed.
>
> Technically you could just copy the bare minimum files, but if there are security changes for Windows, you should get all of them.

Thank you so much...this makes sense.

So does this mean that using the Rufus check box for CA 2023 incorporates the certs but doesn't fix the SVN issue?

How does one do this? I'm assuming this is the same solution as Monika mentioned? Injecting the latest cumulative update into Microsoft ISO? I haven't used MCT or UUP dump before.
 

> Thank you so much...this makes sense.
>
> So does this mean that using the Rufus check box for CA 2023 incorporates the certs but doesn't fix the SVN issue?
>
> How does one do this? I'm assuming this is the same solution as Monika mentioned? Injecting the latest cumulative update into Microsoft ISO? I haven't used MCT or UUP dump before.

I would still use Rufus for everything except 2023 certs, simpler than command line or registry fixes.
Then use Garlin's check with -bootmedia and -noskip so it checks all install images.
Then use Garlin's update with -bootmedia.
And rerun check with -bootmedia and -noskip to see if they all got fixed.

I would try this first...

I would test it myself, but no time to do all this today or this weekend... ;-)
 
> Thank you so much...this makes sense.
>
> So does this mean that using the Rufus check box for CA 2023 incorporates the certs but doesn't fix the SVN issue?
>
> How does one do this? I'm assuming this is the same solution as Monika mentioned? Injecting the latest cumulative update into Microsoft ISO? I haven't used MCT or UUP dump before.

There are two separate problems to solve:

1. The install image has a specific build number, usually representing the last Monthly Update that was integrated into the image. Some users take a base image, and manually apply the updates. Other users use MCT to get the latest monthly image, or have UUP dump create one. When you pick a specific build from UUP dump, it's applying a specific set of update files.

Rule of thumb is to use the latest build possible (unless you're concerned about recent bugs in the latest builds, and want to pick one or two builds behind for stability reasons).

Each install image will have some version of the boot manager and its matching SVN.

2. The install media needs a boot file which both passes the Secure Boot cert checks and, if the SVN is invoked, also has a boot file SVN equal to or higher than the UEFI's SVN. If you use a tool like Rufus to write a different (newer) ISO to USB, it pulls from whatever current version you have available.

3. Because SVN represents a minimally allowed version, you can create an up-to-date USB which has SVN 9.0 files and boot it on another system whose BIOS hasn't been updated to SVN 9.0. Say it's stuck on UEFI SVN 7.0. 9 > 7.

What you can't do is build an SVN 7.0 USB, and boot that off a PC that has SVN 9.0 in the UEFI.
 

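The SVN rule from the post above, applied to captured `Get-SecureBootSVN` text output, as an added example that is not part of the thread or of garlin's scripts. It assumes the text layout shown earlier on this page; the function names and the second sample record are made up for illustration, and the rule only bites on PCs where SVN is being enforced.

```python
import re

# Constructed sample. Block 1 is the USB check quoted in the thread; block 2 is
# a made-up older stick (SVN 7.0) whose ComplianceStatus line is left out
# because the thread never shows that text.
SAMPLE = r"""
FirmwareSVN      : 9.0
BootManagerSVN   : 9.0
StagedSVN        : 9.0
ComplianceStatus : Compliant (Boot Manager SVN meets staged SVN)
BootManagerPath  : D:\EFI\Boot\bootx64.efi

FirmwareSVN      : 9.0
BootManagerSVN   : 7.0
StagedSVN        : 9.0
BootManagerPath  : E:\EFI\Boot\bootx64.efi
"""

def parse_records(text):
    """One dict per blank-line-separated 'Name : Value' block."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            # Split on the first colon only, so drive letters in paths survive.
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records

def svn(value):
    """'9.0' -> (9, 0); tuples compare numerically, unlike the raw strings."""
    major, _, minor = value.strip().partition(".")
    return (int(major), int(minor or 0))

def boots_on(record, target_firmware_svn):
    """Boot file SVN must be equal to or higher than the target UEFI's SVN."""
    return svn(record["BootManagerSVN"]) >= svn(target_firmware_svn)

def check_media(text, target_firmware_svn):
    """Map each BootManagerPath to True (passes the SVN check) or False."""
    return {r["BootManagerPath"]: boots_on(r, target_firmware_svn)
            for r in parse_records(text)}

if __name__ == "__main__":
    for fw in ("7.0", "9.0"):
        print("target UEFI SVN", fw, check_media(SAMPLE, fw))
```

Comparing the values as tuples rather than strings matters once an SVN reaches two digits, since the string "10.0" sorts below "9.0".
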
> ...it pulls from whatever current version you have available...

So if it's built on a computer that has all latest boot loaders, therefore signed with 2023 CA and also SVN 9.0 compliant, the resulting ISO will have the correct boot loaders, correct?

But would a tool like Rufus or Ventoy also make sure the files that the installation will copy on the computer on which Windows is being installed are also with the latest boot loader?

That's why I suggested noskip, update bootmedia, check again still with noskip
 
