How to check if your Secure Boot certs are updated. (three methods)

Ghot · Nov 24, 2025

Method One

Download cjee21's files, attached to the bottom of this post.

1. Save the file to your desktop.
2. Extract the contents to your desktop.
3. Open: Check-UEFISecureBootVariables-main
4. Right click: Check UEFI PK, KEK, DB and DBX.cmd ...and choose: Run as administrator.

Your results should look something like this...

5. If you don't get the same results, starting with the: Secure Boot status: Enabled line, and down,
then post a screenshot of your results at the end of this topic.

Include info like: computer specs and whether or not your hardware was compatible with Windows 11.

cjee21's files...

Ghot · Nov 24, 2025

Method Two...

1. Download the script at the bottom of this post.
2. Extract the Check-SecureBootCerts.ps1 script and place it on your desktop.
3. Go to: C:\Users\your account name\Desktop and right click Desktop and choose: Open in Terminal
4. In the powershell window that pops up, type the following...

5. Set-ExecutionPolicy unrestricted <------ So the script can run.

Then...

6. .\Check-SecureBootCerts.ps1 and hit the ENTER key.

You should get a result similar to this...

Then...

7. Set-ExecutionPolicy restricted <------ To return to the more secure state.

Here is the script... credit to @garlin

Ghot · Nov 24, 2025

Method Three...

1. Download SecureBoot-CA-2023-Updates.zip at the bottom of the first post in the following topic...

Finding the UEFI's DBX SVN number using PowerShell

As part of the upcoming Secure Boot CA 2023 updates, you will not be able to roll back to an older Windows Boot Manager (without first disabling Secure Boot). To block older versions of the Boot Manager, a Secure Version Number (SVN) will be written to the UEFI's DBX variable. Any Boot Manager...

www.elevenforum.com

Credit to @garlin

2. Open the ZIP file and place Check_UEFI-CA2023.ps1 on your desktop.
3. Go to: C:\Users\your account name\Desktop and right click Desktop and choose: Open in Terminal
4. In the powershell window that pops up, type the following...

5. Set-ExecutionPolicy unrestricted <------ So the script can run.

Then...

6. .\Check_UEFI-CA2023.ps1 and hit the ENTER key.

You should get a result similar to this...

Then...

7. Set-ExecutionPolicy restricted <------ To return to the more secure state.

NOTE: See the link just above for explanation and usage of the other scripts in the download.

===========================================================================
===========================================================================

How to UPDATE your Secure Boot certs...

Secure boot update HowTo

i have put this together as i had problems updating 2 desktops and 3 laptops. which have now all had their Secure Boot Certs updated to the new 2023 secure boot cert also the other post about this were getting very long and confusing. this is in two parts. part A and part B. edit by me. please...

www.elevenforum.com

Credit to @XxXxX for the How to Update topic.

--------------------------------------------------------------------------------------------------------------------------------

How to do the SVN Update...

Open Terminal (Admin), and run the following two commands, one at a time.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Credit to @hader for this.

--------------------------------------------------------------------------------------------------------------------------------

More Information...

Act now: Secure Boot certificates expire in June 2026

UPDATE: https://www.elevenforum.com/t/updating-microsoft-secure-boot-keys-before-expiration-in-june-2026.22477/ Windows IT Pro Blog: Prepare for the first global large-scale certificate update to Secure Boot. The Microsoft certificates used in Secure Boot are the basis of trust for operating...

www.elevenforum.com

Frequently asked questions about the Secure Boot update process - Microsoft Support

support.microsoft.com

fg2001gf11F · Nov 24, 2025

Ghot said:
Here is the topic about how to UPDATE your Secure Boot certs...

Secure boot update HowTo

i have put this together as i had problems updating 2 desktops and 3 laptops. which have now all had their Secure Boot Certs updated to the new 2023 secure boot cert also the other post about this were getting very long and confusing. this is in two parts. part A and part B. edit by me. please...

www.elevenforum.com

Credit to @XxXxX for the How to Update topic.

Done all that, still shows BootManager [ ] is BANNED.

3 Different systems.

Ghot · Nov 24, 2025

fg2001gf11F said:
still shows BootManager [ ] is BANNED.

It may just mean that Disk 2 and Disk 3 are NOT bootable.
Are they External Disks? Or maybe they are not set as bootable in the BIOS?
Or maybe they are non-bootable partitions?

I don't know the answers to this.
Thanks to a lack of reliable information, we're ALL new at this. ^^

hdmi · Nov 24, 2025

GitHub - cjee21/Check-UEFISecureBootVariables: PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items.

PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items. - cjee21/Check-UEFISecureBootVariables

github.com

Scott · Nov 24, 2025

I like the script from @garlin
Double clikable and puts a UEFI_report.txt file on your desktop.

Did you manually update your Secure Boot Keys ?

Not sure why my output looks different to everyone else's after running @Sheikh's script. Especially where it's referenced as EFI not UEFI So EFI preceded UEFI. I get it. I get that I am also probably out of luck. PS C:\Users\XXXXX> powershell -nop -ep bypass -f...

www.elevenforum.com

Ghot · Nov 24, 2025

Scott said:
I like the script...

Same results as the check in post #1.

hdmi · Nov 25, 2025

Ghot said:
I can't figure out how to get that one to run.
If I use the .cmd version I just get errors. I rt clicked and chose: Run as Admin. No joy.
Same with the .ps1 version.

I got the .ps1 version to run, but the PS window closes so fast I can't read it.

What errors? This is what I got:

Here is an explanation of how to interpret the output of this script: Clarification Regarding the Script Output · Issue #8 · cjee21/Check-UEFISecureBootVariables

fg2001gf11F · Nov 25, 2025

What about this one on the bootable USB?
The remote server returned an error: (404) Not Found

garlin · Nov 25, 2025

That's because abbodi1406's entire GitHub got banned (last week).

Replace:

Code:

            Invoke-WebRequest -UseBasicParsing -Uri 'https://github.com/abbodi1406/BatUtil/raw/refs/heads/master/uup-converter-wimlib/bin/7z.exe' -OutFile $7Z_exe
            Invoke-WebRequest -UseBasicParsing -Uri 'https://github.com/abbodi1406/BatUtil/raw/refs/heads/master/uup-converter-wimlib/bin/7z.dll' -OutFile $7Z_dll

With:

Code:

            Invoke-WebRequest -UseBasicParsing -Uri 'https://github.com/ollm/7zip-bin-full/raw/refs/heads/main/win/x64/7z.exe' -OutFile $7Z_exe
            Invoke-WebRequest -UseBasicParsing -Uri 'https://github.com/ollm/7zip-bin-full/raw/refs/heads/main/win/x64/7z.dll' -OutFile $7Z_dll

The problem is the script needs a copy of 7z.exe (not 7zr.exe) to list a WIM file's contents. 7z.exe isn't available as a standalone executable, you're required to run the installer to extract it. abbodi's archived version was trustful because everyone uses the same files when they run the UUP dump scripts.

I had to dig around for someone else's copy of 7z.exe (also hosted on GitHub). No, you can't use the UUP dump's archive since it's provided as a .7z file, and their build script downloads 7zr.exe to extract it, before you can the 7z.exe inside the archive.

Quandary · Nov 25, 2025

Quick help needed. Seems like I had locked down my system, and not sure how to enable this.

suatcini54 · Nov 25, 2025

You must use the file in command prompt as admin

powershell -nop -ep bypass -f Path-to-the-script\Check_EFIBootFile.ps1

such as %userprofile%\Desktop\Check_EFIBootfile.ps1 if the file is on your desktop

Hope this helps

badrobot · Nov 25, 2025

I am assuming the update is only required for older builds? I just re-built my PC (AM5) a few weeks ago which means my motherboard already include the updated 2023 Secure Boot certificates in the UEFI firmware?

suatcini54 · Nov 25, 2025

badrobot said:
I am assuming the update is only required for older builds? I just re-built my PC (AM5) a few weeks ago which means my motherboard already include the updated 2023 Secure Boot certificates in the UEFI firmware?

You should first check if your install media has the Windows UEFI CA 2023 certificate.

Then you should check if you have the 2023 certificates in your motherboard firmware.

Then it is up to you to revoke the CA 2011 certificates, which means critical certs are placed in UEFI DBX certs section.

badrobot · Nov 25, 2025

suatcini54 said:
Windows UEFI CA 2023 certificate

suatcini54 said:
You should first check if your install media has the Windows UEFI CA 2023 certificate.

View attachment 154243

Then you should check if you have the 2023 certificates in your motherboard firmware.

Then it is up to you to revoke the CA 2011 certificates, which means critical certs are placed in UEFI DBX certs section.

View attachment 154245

The Windows install media doesn’t carry the Secure Boot CA, it only carries signed bootloaders that match the trusted keys in UEFI.
It is not part of the Windows installation meda, it resides in the UEFI firmware of the motherboard.
So if the UEFI doesn’t trust the bootloader signature, Windows won’t boot. Windows update will take care of the bootloader signature update.

garlin · Nov 25, 2025

badrobot said:
The Windows install media doesn’t carry the Secure Boot CA, it only carries signed bootloaders that match the trusted keys in UEFI.
It is not part of the Windows installation meda, it resides in the UEFI firmware of the motherboard.
So if the UEFI doesn’t trust the bootloader signature, Windows won’t boot. Windows update will take care of the bootloader signature update.

This is wrong. Since April 2024, C:\Windows\System32\SecureBootUpdates contains copies of the new cert's (except for the KEK, which is supposed to be provided by the motherboard vendor).

W11 24H2 and 25H2 ISO's already have the correct files. They've been quietly hiding for a while, because MS was afraid of forcing an early migration.

The instructions which have you change the AvailableUpdates flags, and run the scheduled task (or just wait a long time) are supposed to install the signed CA files from the SecureBootUpdates folder. Most of the time it should work, unless your vendor is behind on providing a new KEK.

Some vendors are still plugging away, ASUS recently checked in more KEK updates to the MS Secure Boot Objects repo this month.

badrobot · Nov 25, 2025

garlin said:
This is wrong. Since April 2024, C:\Windows\System32\SecureBootUpdates contains copies of the new cert's (except for the KEK, which is supposed to be provided by the motherboard vendor).

W11 24H2 and 25H2 ISO's already have the correct files. They've been quietly hiding for a while, because MS was afraid of forcing an early migration.

The instructions which have you change the AvailableUpdates flags, and run the scheduled task (or just wait a long time) are supposed to install the signed CA files from the SecureBootUpdates folder. Most of the time it should work, unless your vendor is behind on providing a new KEK.

Some vendors are still plugging away, ASUS recently checked in more KEK updates to the MS Secure Boot Objects repo this month.

Yeah, you are talking about certs only for bootloaders. The root certs are in UEFI firmware which need to match for Windows to boot up.

Quandary · Nov 25, 2025

suatcini54 said:
You must use the file in command prompt as admin

powershell -nop -ep bypass -f Path-to-the-script\Check_EFIBootFile.ps1

such as %userprofile%\Desktop\Check_EFIBootfile.ps1 if the file is on your desktop

Hope this helps

Thanks, that worked. I had previously tried it as admin, but without the parameters you provided.

wabbit · Nov 25, 2025

Here is what I have on my system 1. in which the CA 2023 cert is already on the system. No manual updates were done. I used the BoScript batch file posted earlier on this thread.

Notice the last line on the usb drive which says process was aborted. Wonder why this could be?

How to check if your Secure Boot certs are updated. (three methods)

Well-known member

Attachments

My Computers

Well-known member

Attachments

My Computers

Well-known member

How to UPDATE your Secure Boot certs...​

How to do the SVN Update...​

More Information...​

My Computers

Well-known member

My Computer

Well-known member

My Computers

Jack of all trades – master of none

My Computers

Well-known member

Attachments

My Computers

Well-known member

My Computers

Jack of all trades – master of none

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

How to UPDATE your Secure Boot certs...

How to do the SVN Update...

More Information...