cjee21/Check-UEFISecureBootVariables

PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables as well as scripts for other Secure Boot related items.

Important

The DBX checking in Check UEFI PK, KEK, DB and DBX is UEFI architecture dependent. The script attempts to detect the installed Windows architecture and assumes that the UEFI architecture matches (this should be the case on officially supported systems[*]). If this is not the case or the detection fails, the DBX check results will be invalid.

Warning

Disabling Secure Boot should be avoided. If Windows is booted while Secure Boot is turned off, all the Secure Boot and UEFI-related configurations are reset[*]. This may include the deletion of the UEFI variables for LSA protection[*], SkuSiPolicy.p7b[*] and SBAT[*], requiring them to be set or updated again.

Before using

Obtain a copy of the contents of this repository from https://github.com/cjee21/Check-UEFISecureBootVariables/archive/refs/heads/main.zip and extract all contents from the ZIP file.

Alternatively, using Git, clone this repository with the following command:

git clone https://github.com/cjee21/Check-UEFISecureBootVariables.git

If using Git, the cloned copy can be updated by running the following commands while in the Check-UEFISecureBootVariables folder.

git fetch
git reset --hard origin/main

Checking the KEK, DB and DBX variables

Right-click Check UEFI PK, KEK, DB and DBX.cmd and Run as administrator.

Example output:

[Screenshot]

Re-applying the Secure Boot DBX updates

If the Secure Boot variables were accidentally reset to default in the UEFI/BIOS settings, for example, it is possible to make Windows re-apply the DBX updates that Windows had previously applied. Right-click Apply DBX update.cmd and Run as administrator. Wait for a while. The DBX updates should be applied after that.

Deploying all the 2023 certificates as well as updating to the 2023 CA signed Boot Manager

Note

There should be no need to do this manually as Windows Update will automatically do it from January 2026 onwards. Many manufacturers have also included the 2023 certs in the latest UEFI updates, and Windows will install the 2023 CA signed Boot Manager if a 2023 cert is present in the DB.

Right-click Apply 2023 KEK, DB and bootmgfw update.cmd and Run as administrator. Wait for a while. The Windows UEFI CA 2023 cert and Microsoft Corporation KEK 2K CA 2023 cert will be applied to the DB and KEK respectively. The Microsoft Option ROM UEFI CA 2023 and Microsoft UEFI CA 2023 certs will also be applied to the DB if the Microsoft Corporation UEFI CA 2011 cert is present there. It may be necessary to restart Windows and run Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" to complete the Boot Manager update.

Revoking Windows Production PCA 2011 as well as updating the DBX, SVN and SBAT

Right-click Apply revocations.cmd and Run as administrator. Wait for a while. The DBX should be updated and the Windows Production PCA 2011 cert added to it. The latest SVN will be written to the DBX as well. The SBAT will be written to the 605DAB50-E046-4300-ABB6-3DD810DD8B23:SbatLevel UEFI variable when Windows is restarted. SbatLevel is a Boot Services variable that cannot be checked from within Windows.

Important

Make sure you know what you are doing before attempting this. It may cause some things to be no longer bootable on your system.

Registry bits for applying Secure Boot updates

The bits in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates DWORD control which updates are to be applied by Windows. The updates are applied with Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update", which normally also runs automatically every 12 hours.

The following are the possible bit values that are currently known.

Bit      Usage
0x0002   Apply DBX updates.
0x0004   Apply the Microsoft Corporation KEK 2K CA 2023 to the KEK.
0x0020   Apply Microsoft-signed revocation policy (SkuSiPolicy.p7b).
0x0040   Apply the Windows UEFI CA 2023 to the DB.
0x0080   Apply the Windows Production PCA 2011 to the DBX.
0x0100   Apply the boot manager, signed by the Windows UEFI CA 2023, to the boot partition.
0x0200   Apply Secure Version Number (SVN) update to the firmware.
0x0400   Apply Secure Boot Advanced Targeting (SBAT) update to the firmware.
0x0800   Apply the Microsoft Option ROM UEFI CA 2023 to the DB.
0x1000   Apply the Microsoft UEFI CA 2023 to the DB.
0x4000   Modifies the behavior of the 0x0800 and 0x1000 bits so that the Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 are only applied if the DB already has the Microsoft Corporation UEFI CA 2011.

Important

Please carefully read and understand How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932, Secure Boot Certificate updates: Guidance for IT professionals and organizations, as well as Registry key updates for Secure Boot: Windows devices with IT-managed updates before attempting to manually modify the registry to apply updates. It is also recommended to read the other resources listed above these in the references section.

Viewing Secure Boot DB and DBX variable update events

Double-click Show Secure Boot update events.cmd to display all the Secure Boot DB and DBX variable update events. Refer to KB5016061 for details on interpreting the events.

Viewing Windows Secure Boot state

To view the current Windows Secure Boot state, right-click Check Windows state.cmd and Run as administrator. The output will be similar to the following:

Checking for Administrator permission...
Running as administrator - continuing execution...
Windows version: 25H2 (Build 26200.7462)

UEFISecureBootEnabled    : 1
AvailableUpdates         : 0x0000
UEFICA2023Status         : NotStarted
WindowsUEFICA2023Capable : Windows UEFI CA 2023 cert is in DB, system is starting from 2023 signed boot manager
bootmgfw version         : 10.0.26100.30227 (WinBuild.160101.0800)
bootmgfw signature CA    : Windows UEFI CA 2023
bootmgfw SVN             : 7.0
bootmgr version          : 10.0.26100.30227 (WinBuild.160101.0800)
bootmgr signature CA     : Microsoft Windows Production PCA 2011
bootmgr SVN              : 7.0
memtest version          : 10.0.26100.1 (WinBuild.160101.0800)
memtest signature CA     : Microsoft Windows Production PCA 2011
Press any key to continue . . .

Viewing all the UEFI Secure Boot variables

To display all the UEFI Secure Boot variables in readable format, right-click Show UEFI PK, KEK, DB and DBX.cmd and Run as administrator. All certificates in the PK, KEK and DB variables as well as all hashes in the DBX variable will be displayed.
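The following PowerShell is an added example and not one of the repository's scripts. It decodes the AvailableUpdates bits from the table in the registry section above and then parses the EFI_SIGNATURE_LIST chain that Get-SecureBootUEFI returns for KEK, DB and DBX, so the updates Windows has pending can be compared with the certificates and hashes that are actually present. The GUIDs are the standard EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID; it is read-only and needs an elevated session on a UEFI Windows system.

```powershell
# Added example (not part of cjee21's scripts): decode AvailableUpdates and list
# what is really in KEK/DB/DBX. Read-only; run elevated on a UEFI Windows system.
$X509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$Sha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID
$UpdateBits = [ordered]@{
    0x0002 = 'DBX update';        0x0004 = 'Microsoft Corporation KEK 2K CA 2023 -> KEK'
    0x0020 = 'SkuSiPolicy.p7b';   0x0040 = 'Windows UEFI CA 2023 -> DB'
    0x0080 = 'Windows Production PCA 2011 -> DBX'; 0x0100 = '2023-signed boot manager'
    0x0200 = 'SVN update';        0x0400 = 'SBAT update'
    0x0800 = 'Microsoft Option ROM UEFI CA 2023 -> DB'; 0x1000 = 'Microsoft UEFI CA 2023 -> DB'
    0x4000 = 'Apply 0x0800/0x1000 only if Microsoft Corporation UEFI CA 2011 is in DB'
}
function Get-EfiSignatureEntries {
    # Walk the EFI_SIGNATURE_LIST chain returned by Get-SecureBootUEFI.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid][byte[]]$Bytes[$offset..($offset + 15)]   # SignatureType
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16 -or $offset + $listSize -gt $Bytes.Length) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }
        $pos = $offset + 28 + $headerSize
        while ($pos + $sigSize -le $offset + $listSize) {
            # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID followed by SignatureData
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $X509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Value = $cert.Subject; NotAfter = $cert.NotAfter }
            } elseif ($type -eq $Sha256Guid) {
                [pscustomobject]@{ Kind = 'SHA256'; Value = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}
$avail = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
'AvailableUpdates = 0x{0:X4}' -f [int]$avail
foreach ($bit in $UpdateBits.Keys) { if ($avail -band $bit) { '  pending 0x{0:X4}: {1}' -f $bit, $UpdateBits[$bit] } }
$db  = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes)
$kek = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name KEK).Bytes)
$dbx = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name dbx).Bytes)
'Windows UEFI CA 2023 in DB:               {0}' -f [bool]($db.Value  -match 'Windows UEFI CA 2023')
'Microsoft Corporation UEFI CA 2011 in DB: {0}' -f [bool]($db.Value  -match 'Microsoft Corporation UEFI CA 2011')
'KEK 2K CA 2023 in KEK:                    {0}' -f [bool]($kek.Value -match 'Microsoft Corporation KEK 2K CA 2023')
'Windows Production PCA 2011 in DBX:       {0}' -f [bool]($dbx.Value -match 'Windows Production PCA 2011')
'SHA-256 hashes in DBX:                    {0}' -f @($dbx | Where-Object Kind -eq 'SHA256').Count
```

A pending 0x0040 bit together with "Windows UEFI CA 2023 in DB: True" means the scheduled task has already applied that part but the bit has not yet been cleared, which is worth knowing before touching the DWORD by hand.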

Checking EFI files

Check EFI file info.cmd can be used to check and display various information about EFI and EXE files. A file path can be passed to it via the CLI, a file can be dropped on it, or a path may be provided when prompted. It can be used to check bootable media, for example. Various information will be displayed as in the example below:

Path to EFI file: D:\efi\boot\bootx64.efi

FilePath         : D:\efi\boot\bootx64.efi
Machine          : x64
Subsystem        : EFI Application
SubsystemVersion : 1.0

File Information:
OriginalFilename  : bootmgr.exe
FileDescription   : Boot Manager
ProductName       : Microsoft® Windows® Operating System
Comments          :
CompanyName       : Microsoft Corporation
FileName          : D:\efi\boot\bootx64.efi
FileVersion       : 10.0.26100.30227 (WinBuild.160101.0800)
ProductVersion    : 10.0.26100.30227
IsDebug           : False
IsPatched         : False
IsPreRelease      : False
IsPrivateBuild    : False
IsSpecialBuild    : False
Language          : English (United States)
LegalCopyright    : © Microsoft Corporation. All rights reserved.
LegalTrademarks   :
PrivateBuild      :
SpecialBuild      :
FileVersionRaw    : 10.0.26100.30227
ProductVersionRaw : 10.0.26100.30227

Signature Certificate:
Subject      : CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer       : CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Thumbprint   : FACDE3D80E99AFCC15E08AC5A69BD22785287F79
FriendlyName :
NotBefore    : 20/6/2025 2:11:43 AM
NotAfter     : 18/6/2026 2:11:43 AM
Extensions   : {System.Security.Cryptography.Oid, System.Security.Cryptography.Oid, System.Security.Cryptography.Oid,
                System.Security.Cryptography.Oid...}

BOOTMGRSECURITYVERSIONNUMBER: 7.0
Press any key to continue . . .
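As an added illustration of where the Machine, Subsystem and signature fields in the output above come from (this is not the repository's Check EFI file info.cmd), the following PowerShell reads the COFF and optional headers of a PE file and uses Get-AuthenticodeSignature for the signer; the Path value at the end is an assumed input.

```powershell
# Added example, not the repository's own script: derive Machine, Subsystem and the
# signing CA of an EFI/EXE file from its PE header and Authenticode signature.
$Machines   = @{ 0x014c = 'x86'; 0x8664 = 'x64'; 0x01c4 = 'ARM'; 0xaa64 = 'ARM64' }
$Subsystems = @{ 2 = 'Windows GUI'; 3 = 'Windows CUI'; 10 = 'EFI Application'
                 11 = 'EFI Boot Service Driver'; 12 = 'EFI Runtime Driver' }

function Get-EfiFileInfo {
    param([Parameter(Mandatory)][string]$Path)   # assumed input: path to an .efi or .exe
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 64 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { throw "$Path is not an MZ/PE file" }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)                        # e_lfanew -> "PE\0\0"
    if ($peOff -lt 0 -or $peOff + 96 -gt $b.Length -or [BitConverter]::ToUInt32($b, $peOff) -ne 0x00004550) {
        throw "$Path has no valid PE signature"
    }
    $machine = [BitConverter]::ToUInt16($b, $peOff + 4)               # COFF header: Machine
    $opt     = $peOff + 24                                            # optional header start
    $magic   = [BitConverter]::ToUInt16($b, $opt)                     # 0x10b = PE32, 0x20b = PE32+
    # Major/MinorSubsystemVersion (offsets 48/50) and Subsystem (68) are at the same
    # optional-header offsets in both PE32 and PE32+.
    $subVer  = '{0}.{1}' -f [BitConverter]::ToUInt16($b, $opt + 48), [BitConverter]::ToUInt16($b, $opt + 50)
    $subsys  = [int][BitConverter]::ToUInt16($b, $opt + 68)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $ver = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    [pscustomobject]@{
        FilePath         = $Path
        Format           = if ($magic -eq 0x20b) { 'PE32+' } else { 'PE32' }
        Machine          = if ($Machines.ContainsKey([int]$machine)) { $Machines[[int]$machine] } else { '0x{0:X4}' -f $machine }
        Subsystem        = if ($Subsystems.ContainsKey($subsys)) { $Subsystems[$subsys] } else { $subsys }
        SubsystemVersion = $subVer
        FileVersion      = $ver.FileVersion
        SignatureStatus  = $sig.Status                                # Valid, NotSigned, HashMismatch, ...
        SignerSubject    = $sig.SignerCertificate.Subject
        SignerIssuer     = $sig.SignerCertificate.Issuer              # the "signature CA", e.g. Windows UEFI CA 2023
        SignerNotAfter   = $sig.SignerCertificate.NotAfter
    }
}

Get-EfiFileInfo -Path 'D:\efi\boot\bootx64.efi' | Format-List
```

A boot manager whose SignerIssuer is still Microsoft Windows Production PCA 2011 will stop booting once that CA has been added to the DBX, which is what the revocation step above does.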

References
