PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables.
Important
The DBX checking in this script is made for x64 and arm64 systems. If you are using an x86 or arm system, it is necessary to replace the *.bin files with ones for your system architecture and edit their filenames in the PowerShell script (Check UEFI PK, KEK, DB and DBX.ps1) accordingly. The *.bin files for various architectures can be obtained from github.com/microsoft/secureboot_objects.
Obtain a copy of the contents of this repository from https://github.com/cjee21/Check-UEFISecureBootVariables/archive/refs/heads/main.zip and extract all contents from the ZIP file.
Alternatively, using Git, clone this repository with the following command:
```
git clone https://github.com/cjee21/Check-UEFISecureBootVariables.git
```
Right-click Check UEFI PK, KEK, DB and DBX.cmd and Run as administrator.
Example output:
If the Secure Boot variables were reset to default (for example, accidentally in the UEFI/BIOS settings), it is possible to make Windows re-apply the DBX updates that it had previously applied. Double-click Apply DBX update (restart required).reg and add the changes to the registry, then restart Windows and wait for a while. The DBX updates should be applied after that.
Note
Using the .reg file will reset all other changes made to the registry bits. See Registry bits for applying Secure Boot updates below.
The Windows February 13, 2024 cumulative update includes the ability to apply the Windows UEFI CA 2023 certificate to the UEFI Secure Boot Allowed Signature Database (DB). To do so, double-click Apply DB update (restart required).reg and add the changes to the registry, then restart Windows and wait for a while. The DB updates should be applied after that. For more information, refer to KB5036210 and Evolving the Secure Boot Ecosystem.
Note
Using the .reg file will reset all other changes made to the registry bits. See Registry bits for applying Secure Boot updates below.
The bits in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates DWORD control which updates Windows will apply. The updates are usually applied upon restart, or by running Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"; this scheduled task also runs automatically every 12 hours.
The following are the possible bit values that are currently known.
| Bit | Usage |
|---|---|
| 0x0002 | Apply DBX updates. |
| 0x0004 | Apply the Microsoft Corporation KEK 2K CA 2023 to the KEK. |
| 0x0020 | Apply Microsoft-signed revocation policy (SkuSiPolicy.p7b). |
| 0x0040 | Apply the Windows UEFI CA 2023 to the DB. |
| 0x0080 | Apply the Windows Production PCA 2011 to the DBX. |
| 0x0100 | Apply the boot manager, signed by the Windows UEFI CA 2023, to the boot partition. |
| 0x0200 | Apply Secure Version Number (SVN) update to the firmware. |
| 0x0400 | Apply Secure Boot Advanced Targeting (SBAT) update to the firmware. |
| 0x0800 | Apply the Microsoft Option ROM UEFI CA 2023 to the DB. |
| 0x1000 | Apply the Microsoft UEFI CA 2023 to the DB. |
| 0x4000 | This bit modifies the behavior of the 0x0800 and 0x1000 bits to only apply the Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 if the DB already has the Microsoft Corporation UEFI CA 2011. |
Important
Please carefully read and understand How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932, Secure Boot Certificate updates: Guidance for IT professionals and organizations as well as Registry key updates for Secure Boot: Windows devices with IT-managed updates before attempting to manually modify the registry to apply updates. It is also recommended to read the other resources listed above these in the references section.
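As an added example (not one of this repository's scripts), the following PowerShell reads the AvailableUpdates DWORD and decodes it against the bit table above. It is read-only and sets no bits; bits not listed in the table are reported as unknown.

```powershell
# Added example, not part of this repository: decode the AvailableUpdates DWORD
# using the bit values from the table above. Read-only; it does not modify the registry.
$AvailableUpdateBits = @(
    @{ Bit = 0x0002; Usage = 'Apply DBX updates' }
    @{ Bit = 0x0004; Usage = 'Apply Microsoft Corporation KEK 2K CA 2023 to the KEK' }
    @{ Bit = 0x0020; Usage = 'Apply Microsoft-signed revocation policy (SkuSiPolicy.p7b)' }
    @{ Bit = 0x0040; Usage = 'Apply Windows UEFI CA 2023 to the DB' }
    @{ Bit = 0x0080; Usage = 'Apply Windows Production PCA 2011 to the DBX' }
    @{ Bit = 0x0100; Usage = 'Apply boot manager signed by Windows UEFI CA 2023 to the boot partition' }
    @{ Bit = 0x0200; Usage = 'Apply Secure Version Number (SVN) update to the firmware' }
    @{ Bit = 0x0400; Usage = 'Apply Secure Boot Advanced Targeting (SBAT) update to the firmware' }
    @{ Bit = 0x0800; Usage = 'Apply Microsoft Option ROM UEFI CA 2023 to the DB' }
    @{ Bit = 0x1000; Usage = 'Apply Microsoft UEFI CA 2023 to the DB' }
    @{ Bit = 0x4000; Usage = 'Apply 0x0800/0x1000 CAs only if Microsoft Corporation UEFI CA 2011 is already in the DB' }
)

function ConvertFrom-AvailableUpdates {
    param([Parameter(Mandatory)][int64]$Value)
    $known = 0
    foreach ($b in $AvailableUpdateBits) {
        $known = $known -bor $b.Bit
        if (($Value -band $b.Bit) -ne 0) {
            [pscustomobject]@{ Bit = ('0x{0:X4}' -f $b.Bit); Usage = $b.Usage }
        }
    }
    # Any bits set that the table above does not list
    $unknown = $Value -bxor ($Value -band $known)
    if ($unknown -ne 0) {
        [pscustomobject]@{ Bit = ('0x{0:X4}' -f $unknown); Usage = 'Unknown bit(s), not in the table' }
    }
}

function Get-AvailableUpdates {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $item = Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [int64]0 }   # value absent: nothing scheduled
    # REG_DWORD is returned as Int32; mask so the value is treated as unsigned
    return [int64]($item.AvailableUpdates -band 0xFFFFFFFF)
}

$value = Get-AvailableUpdates
'AvailableUpdates : 0x{0:X4}' -f $value
ConvertFrom-AvailableUpdates -Value $value | Format-Table -AutoSize
```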
Double-click Show Secure Boot update events.cmd to display all the Secure Boot DB and DBX variable update events. Refer to KB5016061 for details on interpreting the events.
To view the current Windows Secure Boot state, right-click Check Windows state.cmd and Run as administrator. The output will be similar to the following:
```
Checking for Administrator permission...
Running as administrator - continuing execution...
Windows version: 25H2 (Build 26200.7171)
UEFISecureBootEnabled : 1
AvailableUpdates : 0x0000
UEFICA2023Status : NotStarted
WindowsUEFICA2023Capable : Windows UEFI CA 2023 cert is in DB, system is starting from 2023 signed boot manager
bootmgfw signature CA : Windows UEFI CA 2023
Press any key to continue . . .
```
To display all the UEFI Secure Boot variables in readable format, right-click Show UEFI PK, KEK, DB and DBX.cmd and Run as administrator. All certificates in the PK, KEK and DB variables as well as all hashes in the DBX variable will be displayed.
- Windows Secure Boot Key Creation and Management Guidance
- Get-SecureBootUEFI
- Microsoft guidance for applying Secure Boot DBX update (KB4575994)
- KB5016061: Secure Boot DB and DBX variable update events
- KB5036210: Deploying Windows UEFI CA 2023 certificate to Secure Boot Allowed Signature Database (DB)
- How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
- Windows Secure Boot certificate expiration and CA updates
- Secure Boot Certificate updates: Guidance for IT professionals and organizations
- Registry key updates for Secure Boot: Windows devices with IT-managed updates
- Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates
- Windows will apply a Secure Boot Advanced Targeting (SBAT) update to block vulnerable Linux boot loaders
- Check-Dbx.ps1
- Get-UEFIDatabaseSignatures.ps1
- Only the latest DBX update is needed (1)
- Only the latest DBX update is needed (2)
- UEFI Revocation List File
- Microsoft - Secure Boot Objects
- Evolving the Secure Boot Ecosystem
- Update the dbx database to add back the same dbx entries as the cumulative update applied
