Repository files navigation

PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables.

Right-clickCheck UEFI KEK, DB and DBX.cmd andRun as administrator.

Example output:

If the Secure Boot variables were accidentally reset to default in the UEFI/BIOS settings for example, it is possible to make Windows re-apply the DBX updates that Windows had previously applied. Double-clickApply DBX update (restart required).reg and add the changes to the registry then restart Windows and wait for awhile. The DBX updates should be applied after that.

Windows February 13, 2024 cumulative update includes the ability to apply the Windows UEFI CA 2023 certificate to UEFI Secure Boot Allowed Signature Database (DB). To do so, double-clickApply DB update (restart required).reg and add the changes to the registry then restart Windows and wait for awhile. The DB updates should be applied after that. For more information, refer toKB5036210 andEvolving the Secure Boot Ecosystem.

Double-clickShow Secure Boot update events.cmd to display all the Secure Boot DB and DBX variable update events. Refer toKB5016061 for details on interpreting the events.

To display all the UEFI Secure Boot variables in readable format, right-clickShow UEFI PK, KEK, DB and DBX.cmd andRun as administrator. All certificates in the PK, KEK and DB variables as well as all hashes in the DBX variable will be displayed.

• Windows Secure Boot Key Creation and Management Guidance
• Get-SecureBootUEFI
• Microsoft guidance for applying Secure Boot DBX update (KB4575994)
• KB5016061: Secure Boot DB and DBX variable update events
• KB5036210: Deploying Windows UEFI CA 2023 certificate to Secure Boot Allowed Signature Database (DB)
• Check-Dbx.ps1
• Get-UEFIDatabaseSignatures.ps1
• Only the latest DBX update is needed (1)
• Only the latest DBX update is needed (2)
• UEFI Revocation List File
• Microsoft - Secure Boot Objects
• Evolving the Secure Boot Ecosystem
• Update the dbx database to add back the same dbx entries as the cumulative update applied