Getting error when attempting to execute the command to check the Secure Boot certificate


johnpd

I attempted to check the state of the secure boot certificate on a system I work on using the PS command "[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'". However, on this system I received an error indicating that "Get-SecureBootUEFI variable is currently undefined". This makes no sense. I have two identical systems which have had the certificate updated with the April 2nd Tuesday updates. I am wondering if there is an underlying issue with the system and that it might be a good idea to do a repair installation on it. Any thoughts?

JohnD
 

Run this in PowerShell under Admin: Confirm-SecureBootUEFI


The status is also available by running msinfo32 in CMD

Your command didn't return anything on either of my Windows 11 computers with the latest releases applied.
 
A repair install won't fix the problem; your UEFI variables may be corrupted. The best thing to do is reset to factory defaults, and allow Windows to try again.

1. Enter the BIOS menu, disable Secure Boot mode if it was enabled.
2. Select the UEFI option to reset to factory keys (just the UEFI menu, not reset the whole BIOS).
3. Restart Windows.
4. Wait a day, for the Secure Boot update task to detect you don't have the KEK CA 2023 certificate and re-install it again.
5. Once you see the message that it reinstalled KEK, re-enable Secure Boot.

Occasionally writing to the UEFI variables can be glitchy with some BIOSes. You didn't state your PC's model.
 

OK I found that two systems had Secure Boot turned off. Don’t know why. I turned it on on both computers. The newer one had the upgraded certificate and it now displays the status as updated. The other one does not have the updated certificate yet. I will check for a few days to see if it gets picked up.

Thanks for your help.
JohnD
 

Some BIOSes can be weird in that you can't read the Secure Boot certs when it's disabled. Other PCs don't care, and will always allow you to read them. It's probably a vendor thing on older PCs.
 

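Added example, not part of any post in this thread: a PowerShell check that combines the two commands mentioned above (Confirm-SecureBootUEFI and Get-SecureBootUEFI) and reports an unreadable variable instead of stopping on the "variable is currently undefined" error. The function name Test-SecureBootCertName is made up for this example; it uses the same ASCII text match as the one-liner in the first post, and needs an elevated PowerShell prompt.

```powershell
# Added example: report Secure Boot state and which 2023 certificates are
# visible in the KEK and db variables. Test-SecureBootCertName is a
# hypothetical helper name, not a built-in cmdlet.
function Test-SecureBootCertName {
    param(
        [Parameter(Mandatory)][string]$Variable,   # UEFI variable: 'KEK' or 'db'
        [Parameter(Mandatory)][string]$CertName    # certificate name text to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    }
    catch {
        # Reached when the firmware does not expose the variable, for example
        # the "variable is currently undefined" error described in the thread.
        return "unreadable ($($_.Exception.Message))"
    }
    # Same test as the one-liner in the first post: search for the name as
    # ASCII text inside the raw signature list.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match [regex]::Escape($CertName)) { 'present' } else { 'missing' }
}

# Step 1: is Secure Boot on? On some systems the variables below cannot be
# read while it is off, so report this first.
try {
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    "Secure Boot enabled: $enabled"
}
catch {
    "Secure Boot state could not be read: $($_.Exception.Message)"
}

# Step 2: look for each 2023 certificate in the variable that should hold it.
$checks = @(
    @{ Variable = 'KEK'; CertName = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  CertName = 'Windows UEFI CA 2023' },
    @{ Variable = 'db';  CertName = 'Microsoft UEFI CA 2023' },
    @{ Variable = 'db';  CertName = 'Microsoft Option ROM UEFI CA 2023' }
)
foreach ($c in $checks) {
    $result = Test-SecureBootCertName @c
    '{0,-4} {1,-40} {2}' -f $c.Variable, $c.CertName, $result
}
```

A result of "unreadable" together with "Secure Boot enabled: False" matches the situation described in the posts above, where the certificates could only be read after Secure Boot was turned on.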
My Lenovo laptop has everything installed, but is still showing as using the old certificate. I know it is there, but it is not being picked up in Device Security. What can I run? I have rebooted several times. Here is the information:

Data from the Check-UEFI.bat:
Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
(NONE)

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Reg Info
----------

Secure_Boot_Reg_Settings.webp
 

You have most of the CA 2023 certs, except for the Option ROM (which by its name, is optional and may be needed for certain graphics cards if they have signed firmware).

If you run "Update-UEFI.bat", it will copy the Option ROM for you. This should get you a green check mark in Windows Security Center after rebooting.

Make sure you have the latest versions of the scripts from the ZIP file in post #1 of this thread:

Windows Security Center requires a restart to have any Secure Boot changes be reflected in the score.
 
