PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items.
Important
The DBX checking in Check UEFI PK, KEK, DB and DBX is made for x64 and arm64 systems. If you are using an x86 or arm system, replace the *.bin files with ones for your system architecture and edit their filenames in the PowerShell script (Check UEFI PK, KEK, DB and DBX.ps1) accordingly. The *.bin files for the various architectures can be obtained from github.com/microsoft/secureboot_objects.
Obtain a copy of the contents of this repository from https://github.com/cjee21/Check-UEFISecureBootVariables/archive/refs/heads/main.zip and extract all contents from the ZIP file.
Alternatively, using Git, clone this repository with the following command:
```
git clone https://github.com/cjee21/Check-UEFISecureBootVariables.git
```
If using Git, the cloned copy can be updated by running the following commands while in the Check-UEFISecureBootVariables folder.
```
git fetch
git reset --hard origin/main
```
Right-click Check UEFI PK, KEK, DB and DBX.cmd and select Run as administrator.
Example output:
If the Secure Boot variables were accidentally reset to default in the UEFI/BIOS settings, for example, Windows can be made to re-apply the DBX updates it had previously applied. Right-click Apply DBX update.cmd and select Run as administrator. Wait for a while; the DBX updates should then be applied.
Right-click Apply DBX update.cmd and select Run as administrator. Wait for a while. The Windows UEFI CA 2023 cert and the Microsoft Corporation KEK 2K CA 2023 cert will be applied to the DB and KEK respectively. The Microsoft Option ROM UEFI CA 2023 and Microsoft UEFI CA 2023 certs will also be applied to the DB if the Microsoft Corporation UEFI CA 2011 cert is present there. It may be necessary to restart Windows and run Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" to complete the Boot Manager update.
Right-click Apply revocations.cmd and select Run as administrator. Wait for a while. The DBX should be updated and the Windows Production PCA 2011 cert added to it. The latest SVN will be written to the DBX as well. The SBAT will be written to the 605DAB50-E046-4300-ABB6-3DD810DD8B23:SbatLevel UEFI variable when Windows is restarted. SbatLevel is a Boot Services variable that cannot be checked from within Windows.
Important
Make sure you know what you are doing before attempting this. It may leave some things on your system no longer bootable.
The bits in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates DWORD control which updates Windows will apply. The updates are applied by Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update", which normally also runs automatically every 12 hours.
The following are the possible bit values that are currently known.
| Bit | Usage |
|---|---|
| 0x0002 | Apply DBX updates. |
| 0x0004 | Apply the Microsoft Corporation KEK 2K CA 2023 to the KEK. |
| 0x0020 | Apply Microsoft-signed revocation policy (SkuSiPolicy.p7b). |
| 0x0040 | Apply the Windows UEFI CA 2023 to the DB. |
| 0x0080 | Apply the Windows Production PCA 2011 to the DBX. |
| 0x0100 | Apply the boot manager, signed by the Windows UEFI CA 2023, to the boot partition. |
| 0x0200 | Apply Secure Version Number (SVN) update to the firmware. |
| 0x0400 | Apply Secure Boot Advanced Targeting (SBAT) update to the firmware. |
| 0x0800 | Apply the Microsoft Option ROM UEFI CA 2023 to the DB. |
| 0x1000 | Apply the Microsoft UEFI CA 2023 to the DB. |
| 0x4000 | Modifies the behavior of the 0x0800 and 0x1000 bits so that the Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 are only applied if the DB already contains the Microsoft Corporation UEFI CA 2011. |
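The following PowerShell is an added example and not part of this repository. It reads the AvailableUpdates DWORD from the registry path given above, decodes it against the bit table, warns about any bits the table does not list, and flags a 0x4000 that has no 0x0800 or 0x1000 to modify. The function name Get-AvailableUpdatesDecoded is my own; the script only reads the registry.

```powershell
# Added example, not part of this repository: decode the AvailableUpdates DWORD
# into the bit meanings listed in the table above. Read-only: nothing is written.
$AvailableUpdateBits = [ordered]@{
    0x0002 = 'Apply DBX updates'
    0x0004 = 'Apply Microsoft Corporation KEK 2K CA 2023 to KEK'
    0x0020 = 'Apply Microsoft-signed revocation policy (SkuSiPolicy.p7b)'
    0x0040 = 'Apply Windows UEFI CA 2023 to DB'
    0x0080 = 'Apply Windows Production PCA 2011 to DBX'
    0x0100 = 'Apply boot manager signed by Windows UEFI CA 2023 to boot partition'
    0x0200 = 'Apply Secure Version Number (SVN) update to firmware'
    0x0400 = 'Apply Secure Boot Advanced Targeting (SBAT) update to firmware'
    0x0800 = 'Apply Microsoft Option ROM UEFI CA 2023 to DB'
    0x1000 = 'Apply Microsoft UEFI CA 2023 to DB'
    0x4000 = 'Only apply 0x0800/0x1000 if Microsoft Corporation UEFI CA 2011 is in DB'
}

function Get-AvailableUpdatesDecoded {
    param(
        # Defaults to the live registry value (needs an elevated session);
        # pass -Value to decode an arbitrary number instead.
        [uint32]$Value = [uint32](Get-ItemPropertyValue `
            -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -Name 'AvailableUpdates')
    )
    $known = 0
    foreach ($bit in $AvailableUpdateBits.Keys) {
        $known = $known -bor $bit
        [pscustomobject]@{
            Bit     = ('0x{0:X4}' -f $bit)
            Set     = (($Value -band $bit) -ne 0)
            Meaning = $AvailableUpdateBits[$bit]
        }
    }
    # Anything outside the documented mask deserves a second look before the task runs.
    $unknown = $Value -band (-bnot $known)
    if ($unknown) { Write-Warning ('Unrecognised bits set: 0x{0:X4}' -f $unknown) }
    # 0x4000 only changes how 0x0800 and 0x1000 behave; on its own it does nothing.
    if (($Value -band 0x4000) -and -not ($Value -band 0x1800)) {
        Write-Warning '0x4000 is set but neither 0x0800 nor 0x1000 is, so it has nothing to modify'
    }
}

Get-AvailableUpdatesDecoded | Format-Table -AutoSize
```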
Important
Please carefully read and understand How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932, Secure Boot Certificate updates: Guidance for IT professionals and organizations, and Registry key updates for Secure Boot: Windows devices with IT-managed updates before attempting to manually modify the registry to apply updates. It is also recommended to read the other resources listed before these in the references section.
Double-click Show Secure Boot update events.cmd to display all the Secure Boot DB and DBX variable update events. Refer to KB5016061 for details on interpreting the events.
To view the current Windows Secure Boot state, right-click Check Windows state.cmd and select Run as administrator. The output will be similar to the following:
```
Checking for Administrator permission...
Running as administrator - continuing execution...
Windows version: 25H2 (Build 26200.7462)
UEFISecureBootEnabled : 1
AvailableUpdates : 0x0000
UEFICA2023Status : NotStarted
WindowsUEFICA2023Capable : Windows UEFI CA 2023 cert is in DB, system is starting from 2023 signed boot manager
bootmgfw version : 10.0.26100.30227 (WinBuild.160101.0800)
bootmgfw signature CA : Windows UEFI CA 2023
bootmgfw SVN : 7.0
bootmgr version : 10.0.26100.30227 (WinBuild.160101.0800)
bootmgr signature CA : Microsoft Windows Production PCA 2011
bootmgr SVN : 7.0
memtest version : 10.0.26100.1 (WinBuild.160101.0800)
memtest signature CA : Microsoft Windows Production PCA 2011
Press any key to continue . . .
```
To display all the UEFI Secure Boot variables in readable form, right-click Show UEFI PK, KEK, DB and DBX.cmd and select Run as administrator. All certificates in the PK, KEK and DB variables, as well as all hashes in the DBX variable, will be displayed.
Check EFI file info.cmd can be used to check and display various information about EFI and EXE files. A file path can be passed to it via the CLI, a file can be dropped on it, or a path may be provided when prompted. It can be used to check bootable media, for example. Various information will be displayed as in the example below:
```
Path to EFI file: D:\efi\boot\bootx64.efi
FilePath : D:\efi\boot\bootx64.efi
Machine : x64
Subsystem : EFI Application
SubsystemVersion : 1.0
File Information:
OriginalFilename : bootmgr.exe
FileDescription : Boot Manager
ProductName : Microsoft® Windows® Operating System
Comments :
CompanyName : Microsoft Corporation
FileName : D:\efi\boot\bootx64.efi
FileVersion : 10.0.26100.30227 (WinBuild.160101.0800)
ProductVersion : 10.0.26100.30227
IsDebug : False
IsPatched : False
IsPreRelease : False
IsPrivateBuild : False
IsSpecialBuild : False
Language : English (United States)
LegalCopyright : © Microsoft Corporation. All rights reserved.
LegalTrademarks :
PrivateBuild :
SpecialBuild :
FileVersionRaw : 10.0.26100.30227
ProductVersionRaw : 10.0.26100.30227
Signature Certificate:
Subject : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer : CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Thumbprint : FACDE3D80E99AFCC15E08AC5A69BD22785287F79
FriendlyName :
NotBefore : 20/6/2025 2:11:43 AM
NotAfter : 18/6/2026 2:11:43 AM
Extensions : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid...}
BOOTMGRSECURITYVERSIONNUMBER: 7.0
Press any key to continue . . .
```
- Windows Secure Boot Key Creation and Management Guidance
- Get-SecureBootUEFI
- Microsoft guidance for applying Secure Boot DBX update (KB4575994)
- KB5016061: Secure Boot DB and DBX variable update events
- KB5036210: Deploying Windows UEFI CA 2023 certificate to Secure Boot Allowed Signature Database (DB)
- How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
- Windows Secure Boot certificate expiration and CA updates
- Secure Boot Certificate updates: Guidance for IT professionals and organizations
- Registry key updates for Secure Boot: Windows devices with IT-managed updates
- Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates
- Windows will apply a Secure Boot Advanced Targeting (SBAT) update to block vulnerable Linux boot loaders
- Check-Dbx.ps1
- Get-UEFIDatabaseSignatures.ps1
- Only the latest DBX update is needed (1)
- Only the latest DBX update is needed (2)
- UEFI Revocation List File
- Microsoft - Secure Boot Objects
- Evolving the Secure Boot Ecosystem
- Update the dbx database to add back the same dbx entries as the cumulative update applied