10-23-2025 08:37 AM - last edited 2 weeks ago
Hi everyone,
https://support.microsoft.com/topic/1db237d8-9f3b-4218-9515-3e0a32729685
- Secure Boot Windows UEFI CA 2023 Updater | Download : Link
Check/Update Process :
Check Windows UEFI CA 2023 Update Status/Capable : Right click on "Check.cmd" > Run as administrator
Windows UEFI CA 2023 Update Status :
NotStarted – The update has not yet run.
InProgress – The update is actively in progress.
Updated – The update has completed successfully.
Windows UEFI CA 2023 Update Capable :
0x0 – Windows UEFI CA 2023 certificate is not in the DB (or key does not exist).
0x1 – Windows UEFI CA 2023 certificate is in the DB.
0x2 – Windows UEFI CA 2023 certificate is in the DB and the system is starting from the 2023 signed boot manager.
Update Windows UEFI CA 2023 :
- Right click on "1-Setup.cmd" > Run as administrator > Close the command prompt window
- Right click on "2-Update.cmd" > Run as administrator > Close the command prompt window
- Right click on "Check.cmd" > Run as administrator > Check that Windows UEFI CA 2023 Update Status is InProgress > Close the command prompt window > Wait 5 minutes then restart your PC
- Right click on "Check.cmd" > Run as administrator > Check that Windows UEFI CA 2023 Update Status is InProgress > Close the command prompt window > Wait 5 minutes then restart your PC
- Right click on "Check.cmd" > Run as administrator :- If the Windows UEFI CA 2023 Update Status is still InProgress : Right click on "2-Update.cmd" > Run as administrator > Close the command prompt window > Wait 5 minutes then restart your PC (redo as much as necessary)
- If the Windows UEFI CA 2023 Update Status is Updated and the Windows UEFI CA 2023 Update Capable is 0x2 : Right click on "3-Cleanup.cmd" > Run as administrator > Close the command prompt window > Done.
OS requirements : Windows 10 build 19044.6456/19045.6456 or more recent | Windows 11 build 26100.6899/26200.6899 or more recent.
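As an added example that is not part of the updater package or of this post: an independent PowerShell check that reports the same two values Check.cmd describes above, and then parses the current UEFI db variable so you can see which certificate authorities the firmware actually trusts right now. It assumes the status and capable values are stored under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing as UEFICA2023Status and UEFICA2023Capable (the location Microsoft documents for them; the KB linked above is the reference), and it looks for the 2011 CA under its real name, Microsoft Windows Production PCA 2011. Run it from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not the updater's Check.cmd and not written by the thread's authors.
# Reports the two values the first post describes, then confirms them against the live
# UEFI db variable. ASSUMPTION: the values live under the Servicing key below as
# UEFICA2023Status / UEFICA2023Capable (Microsoft's documented location).

$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$X509Guid     = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

# Meanings exactly as listed in the first post.
$StatusText = @{
    NotStarted = 'The update has not yet run.'
    InProgress = 'The update is actively in progress.'
    Updated    = 'The update has completed successfully.'
}
$CapableText = @{
    0 = 'Windows UEFI CA 2023 certificate is not in the DB (or key does not exist).'
    1 = 'Windows UEFI CA 2023 certificate is in the DB.'
    2 = 'Windows UEFI CA 2023 certificate is in the DB and the system is starting from the 2023 signed boot manager.'
}

function Get-Ca2023ServicingState {
    $p = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Status  = if ($p.UEFICA2023Status) { [string]$p.UEFICA2023Status } else { 'NotStarted' }
        Capable = if ($null -ne $p.UEFICA2023Capable) { [int]$p.UEFICA2023Capable } else { 0 }
    }
}

# Walk the EFI_SIGNATURE_LIST array stored in a Secure Boot variable and return the
# subject of every X.509 certificate in it. Hash-type lists (most of dbx) are skipped.
function Get-UefiCertificateSubjects {
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name = 'db')
    $bytes = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID, SignatureListSize,
        # SignatureHeaderSize, SignatureSize (all UINT32, little-endian).
        $type       = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }  # malformed list: stop
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $sigPos = $pos + 28 + $headerSize
            $end    = $pos + $listSize
            while ($sigPos + $sigSize -le $end) {
                # Each signature = 16-byte SignatureOwner GUID followed by the DER certificate.
                $der  = [byte[]]$bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $cert.Subject
                $sigPos += $sigSize
            }
        }
        $pos += $listSize
    }
}

function Show-Ca2023Report {
    $state = Get-Ca2023ServicingState
    'Windows UEFI CA 2023 Update Status  : {0} - {1}' -f $state.Status, $StatusText[$state.Status]
    'Windows UEFI CA 2023 Update Capable : 0x{0:X} - {1}' -f $state.Capable, $CapableText[$state.Capable]

    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { }
    if (-not $secureBootOn) { Write-Warning 'Secure Boot is off or unsupported; the db contents are not being enforced.' }

    # Current value of db (what the firmware enforces), not the firmware's default.
    $subjects = @(Get-UefiCertificateSubjects -Name db)
    ''
    'X.509 certificates in the current UEFI db:'
    $subjects | ForEach-Object { "  $_" }

    $has2023 = [bool]($subjects -match 'Windows UEFI CA 2023')
    $has2011 = [bool]($subjects -match 'Microsoft Windows Production PCA 2011')  # the CA the thread calls CA2011
    ''
    'Windows UEFI CA 2023 present in db        : {0}' -f $has2023
    'Windows Production PCA 2011 present in db : {0}' -f $has2011
    if ($has2023 -and $state.Capable -eq 0) {
        Write-Warning 'db already holds the 2023 CA but Capable is 0x0: the status values have not been refreshed yet.'
    }
}

Show-Ca2023Report
```

The db parser is the part Check.cmd does not show you: Capable = 0x1 or 0x2 tells you the 2023 CA was added, while the subject list tells you what else is still trusted alongside it, which is what the later posts in this thread are about.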
12-07-2025 01:20 PM
I fixed it. I didn't restart my PC for the changes to update.
12-09-2025 04:04 AM
I also wondered if a reboot was needed. I thought the main purpose of a reboot was to trigger that scheduled task to do its task. As it seems, it was not necessary if you called the task yourself a couple of times (maybe once). Nice to know. Thanks. You solved the issue.
12-14-2025 05:03 AM
Run the scripts in order (1-Setup → 2-Update → Check → 3-Cleanup) as admin, repeating updates and restarts until Check.cmd shows Updated and Capable = 0x2. Requires Windows 10 ≥19044.6456 or Windows 11 ≥26100.6899.
a month ago - last edited a month ago
It does not stop there, I am afraid. After this it is advisable to download the zip file at this location: https://github.com/cjee21/Check-UEFISecureBootVariables/tree/main (under Code), unpack it and run (CMD as admin) "Check UEFI PK, KEK, DB and DBX.cmd". If the result shows red crosses in the Default sections, ignore them. The Current values are those that are important. They should contain all green checkmarks.
If not, run the program for the section where you see red crosses:
In PK, KEK, DB or bootmgfw: "Apply 2023 KEK, DB and bootmgfw update.cmd"
In DBX: "Apply DBX update.cmd"
And run "Check UEFI PK, KEK, DB and DBX.cmd" again.
In case the last 3 lines (version numbers) show None, then run the following commands with PowerShell as admin:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
If there are all green checkmarks inside the Default sections of PK, KEK and DB, you're OK.
If the DBX says "Successful..", you're OK.
If the versions on the last three lines say 7.0, 3.0, 3.0, then with the above (OK) results and these results you are finished.
(It is possible that the first line says 5.0 instead of 7.0; that means you are not on the latest build of Windows. When you are, it will say 7.0 as well.)
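An added example, written for this thread and not taken from the post above or from any Microsoft tool: a PowerShell script that does what the two commands in the post do (re-arm AvailableUpdates with 0x200 and start the \Microsoft\Windows\PI\Secure-Boot-Update task) and then watches the task, the status value and the TPM-WMI event log instead of guessing when to reboot. It assumes UEFICA2023Status under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing is the value Check.cmd reports. It differs from the post's `reg add ... /d 0x200 /f` in one respect: it ORs the 0x200 bit in rather than overwriting the DWORD, so any other pending bits the servicing stack had already set are kept.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Re-arms the Secure Boot servicing task the way the
# post describes and then polls the outcome. ASSUMPTION: UEFICA2023Status under the
# Servicing key is the value Check.cmd reports; bits of AvailableUpdates other than
# 0x200 are not interpreted here and are left as they were.

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = "$SecureBootKey\Servicing"
$TaskPath      = '\Microsoft\Windows\PI\'
$TaskName      = 'Secure-Boot-Update'

function Get-AvailableUpdates {
    $v = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    if ($null -eq $v) { 0 } else { [int]$v }
}

function Get-Ca2023Status {
    $s = (Get-ItemProperty -Path $ServicingKey -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    if ($s) { [string]$s } else { 'NotStarted' }
}

function Invoke-SecureBootServicing {
    param([int]$TimeoutSeconds = 300)

    $before = Get-AvailableUpdates
    'AvailableUpdates before : 0x{0:X}' -f $before
    if (($before -band 0x200) -eq 0) {
        # Equivalent of the post's 'reg add ... /d 0x200 /f', except the bit is OR-ed in
        # so that other pending bits already set by the servicing stack are preserved.
        Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Type DWord -Value ($before -bor 0x200)
    }

    # Same as the post's Start-ScheduledTask line, then watch it run.
    Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 10
        $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
        $info = $task | Get-ScheduledTaskInfo
        '{0:HH:mm:ss} task={1} lastResult=0x{2:X} status={3} AvailableUpdates=0x{4:X}' -f `
            (Get-Date), $task.State, $info.LastTaskResult, (Get-Ca2023Status), (Get-AvailableUpdates)
    } while ($task.State -eq 'Running' -and (Get-Date) -lt $deadline)

    # The servicing stack reports progress and failures under the TPM-WMI provider, the
    # same source as the errors mentioned in this thread. Show what it wrote just now.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; StartTime = (Get-Date).AddMinutes(-15)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } |
        Format-Table -Wrap | Out-String

    if ((Get-Ca2023Status) -eq 'InProgress' -or ((Get-AvailableUpdates) -band 0x200)) {
        'Status is still InProgress or 0x200 is still pending: restart the PC and check again, as the first post describes.'
    }
}

Invoke-SecureBootServicing
```

Running it a few minutes after the task finished, and again after the reboot, gives you the same picture the posts above obtained by alternating Check.cmd and restarts, with the event log entries beside it.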
a month ago
Then you are doing it wrong. But in the last 25H2 version MS made it permanent. But OK.
a month ago
No, I am not "doing it wrong". It's a real check of whether Windows is fully compliant in the case of CA2023. This previous case should not have had to be seen if MS had not made a mistake (TPM-WMI errors kept appearing in the system log files since 6899). The CA2023 is fixed, but there is more... This last info is additional. Normally this would be arranged by MS and their update process. If you start this script, it shows you what is still not correct and will fix that. In the future MS will replace all signed files towards CA2023. As of now this is not the case. It is still pointing towards CA2011. This work is extra, which MS will do in 2026. Look at forums. Some users in forums want to fix this also. (We are doing the work for them.) Everybody that is not using Secure Boot can forget all this information.
4 weeks ago
I need help! I deleted the secure boot task (c:\windows\system32\tasks\PI) and I need the file or the XML to import at Scheduled Tasks.
4 weeks ago
@thiagobr99 wrote: I need help! I deleted the secure boot task (c:\windows\system32\tasks\PI) and I need the file or the XML to import at Scheduled Tasks.
Not very smart to delete that task, but here you go. This is the content of the XML file of that task in plain text. Just copy it into Notepad, save it as an XML file and import it at the right location (PI). (Runs at startup and every 12 hours.)
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.6" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Source>Microsoft Corporation</Source>
    <Date>2012-02-07T16:39:20</Date>
    <Author>Microsoft Corporation</Author>
    <Description>This task updates the Secure Boot variables.</Description>
    <URI>\Microsoft\Windows\PI\Secure-Boot-Update</URI>
    <SecurityDescriptor>O:BAG:BAD:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <BootTrigger>
      <Repetition>
        <Interval>PT12H</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <Enabled>true</Enabled>
      <Delay>PT5M</Delay>
    </BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="LocalSystem">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="LocalSystem">
    <ComHandler>
      <ClassId>{5014B7C8-934E-4262-9816-887FA745A6C4}</ClassId>
      <Data>SBServicing</Data>
    </ComHandler>
  </Actions>
</Task>
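An added example that is not part of the post above: a PowerShell way of doing the "import it at the right location" step, which re-registers the task from the XML posted above and reads back what Task Scheduler now holds. It assumes the XML was saved to C:\Temp\Secure-Boot-Update.xml (a placeholder path; adjust it to wherever you saved the file). Before registering, it checks that the definition really is the Microsoft PI task as posted (the right URI, running as LocalSystem, invoking the SBServicing COM handler) so a stray or edited file cannot be registered under that name by mistake. Run from an elevated PowerShell.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread: re-register \Microsoft\Windows\PI\Secure-Boot-Update
# from the XML posted above and verify the result. ASSUMPTION: the XML was saved to the
# placeholder path below.

$XmlPath  = 'C:\Temp\Secure-Boot-Update.xml'   # placeholder: where you saved the posted XML
$TaskPath = '\Microsoft\Windows\PI\'
$TaskName = 'Secure-Boot-Update'

function Restore-SecureBootUpdateTask {
    param([string]$Path = $XmlPath)

    # The definition is handed to Task Scheduler as a string, so the encoding Notepad saved
    # the file with does not have to match the UTF-16 declared in the XML prolog.
    $xml = Get-Content -Path $Path -Raw
    $doc = [xml]$xml

    # Refuse anything that is not the posted Microsoft PI task: correct URI, runs as
    # LocalSystem (S-1-5-18), and the action is the SBServicing COM handler.
    if ($doc.Task.RegistrationInfo.URI -ne "$TaskPath$TaskName") {
        throw "Unexpected task URI: $($doc.Task.RegistrationInfo.URI)"
    }
    if ($doc.Task.Principals.Principal.UserId -ne 'S-1-5-18') { throw 'Task does not run as LocalSystem' }
    if ($doc.Task.Actions.ComHandler.Data -ne 'SBServicing') { throw 'Task action is not the SBServicing handler' }

    # -Force replaces a half-recreated task of the same name; the path puts it back under PI.
    Register-ScheduledTask -Xml $xml -TaskPath $TaskPath -TaskName $TaskName -Force | Out-Null

    # Read back what was registered and show the properties that matter from the XML.
    $task    = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    $trigger = $task.Triggers[0]
    [pscustomobject]@{
        URI         = $task.URI
        State       = $task.State
        RunsAs      = $task.Principal.UserId
        TriggerType = $trigger.CimClass.CimClassName   # expect MSFT_TaskBootTrigger
        BootDelay   = $trigger.Delay                   # expect PT5M, as in the XML
        Repeat      = $trigger.Repetition.Interval     # expect PT12H, as in the XML
        ActionClsid = $task.Actions[0].ClassId
        ActionData  = $task.Actions[0].Data
    }
}

Restore-SecureBootUpdateTask
```

After this, Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" from the earlier post works again, and the boot trigger with its 12-hour repetition is what keeps the Secure Boot variables serviced without manual runs.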
4 weeks ago
For now, the script works and has not triggered back anymore with the new BIOS. I have done this for around 300 users since the deployment, and the last 2 Windows 25H2 installs came updated, so no fix was needed. I made a screenshot, and in the corner is today's date and time.
4 weeks ago
Be aware: if you install Win11 25H2, 26200.XXXX, CA2023 is already incorporated. But if you are using Win11 24H2 26100.XXXX, that's not always the case. The variables you show only say that the system is updated and has the CA2023 certificate incorporated. But it does not tell you anything about the validity of the PK, KEK, DB and DBX and the SVN version status. (Only the current UEFI values are important, not the default UEFI values!)
To get the complete overview, run the "Check UEFI PK, KEK, DB and DBX.cmd" script I mentioned earlier; you get the complete overview of everything that has to do with the CA2023 certificate in one go. Red = not OK, Green = OK. The DBX is important. The database underneath says when a certain certificate was rightly revoked at a certain date. With your values you will see that inside the current UEFI value of the DB the CA2023 certificate is marked green. But there are also other certificates that have to be checked. That script will show you the status of everything about all the certificates Windows is using. It's advisable to run that script once in order to confirm that everything is OK.