PowerShell scripts to check the UEFI KEK, DB and DBX Secure Boot variables.
Important
The DBX checking in this script is made for x64 systems. If you are using an x86, arm or arm64 system, it is necessary to replace the *.bin files with ones for your system architecture and edit their filenames in the PowerShell script (Check UEFI KEK, DB and DBX.ps1) accordingly. The *.bin files for various architectures can be obtained from uefi.org/revocationlistfile.
Right-click Check UEFI KEK, DB and DBX.cmd and Run as administrator.
Example output (without text formatting/colour):
Checking for Administrator permission...
Running as administrator — continuing execution...
14 February 2024
Manufacturer: System manufacturer
Model: System model
BIOS: American Megatrends International, LLC., 2.0, 2.0, ALASKA - 1
Windows version: 23H2 (Build 22631.3155)
Current UEFI KEK
√ Microsoft Corporation KEK CA 2011
X Microsoft Corporation KEK 2K CA 2023
Default UEFI KEK
√ Microsoft Corporation KEK CA 2011
X Microsoft Corporation KEK 2K CA 2023
Current UEFI DB
√ Microsoft Windows Production PCA 2011
√ Microsoft Corporation UEFI CA 2011
√ Windows UEFI CA 2023
X Microsoft UEFI CA 2023
Default UEFI DB
√ Microsoft Windows Production PCA 2011
√ Microsoft Corporation UEFI CA 2011
X Windows UEFI CA 2023
X Microsoft UEFI CA 2023
Current UEFI DBX (only the latest one is needed to be secure)
2023-03-14: SUCCESS: 220 successes detected
2023-05-09: FAIL: 151 failures, 220 successes detected
Press any key to continue . . .Note
This script only checks for known Microsoft certificates in the KEK and DB and will not show any other certificates even if they are present. To view all certificates that are present, see Viewing all the UEFI Secure Boot variables below.
If the Secure Boot variables were accidentally reset to default in the UEFI/BIOS settings for example, it is possible to make Windows re-apply the DBX updates that Windows had previously applied. Double-click Apply DBX update (restart required).reg and add the changes to the registry then restart Windows and wait for awhile. The DBX updates should be applied after that.
Windows February 13, 2024 cumulative update includes the ability to apply the Windows UEFI CA 2023 certificate to UEFI Secure Boot Allowed Signature Database (DB). To do so, double-click Apply DB update (restart required).reg and add the changes to the registry then restart Windows and wait for awhile. The DB updates should be applied after that. For more information, refer to KB5036210 and Evolving the Secure Boot Ecosystem.
Double-click Show Secure Boot update events.cmd to display all the Secure Boot DB and DBX variable update events. Refer to KB5016061 for details on interpreting the events.
To display all the UEFI Secure Boot variables in readable format, right-click Show UEFI PK, KEK, DB and DBX.cmd and Run as administrator. All certificates in the PK, KEK and DB variables as well as all hashes in the DBX variable will be displayed.
- Windows Secure Boot Key Creation and Management Guidance
- Get-SecureBootUEFI
- Microsoft guidance for applying Secure Boot DBX update (KB4575994)
- KB5016061: Secure Boot DB and DBX variable update events
- KB5036210: Deploying Windows UEFI CA 2023 certificate to Secure Boot Allowed Signature Database (DB)
- Check-Dbx.ps1
- Get-UEFIDatabaseSignatures.ps1
- Only the latest DBX update is needed (1)
- Only the latest DBX update is needed (2)
- UEFI Revocation List File
- Evolving the Secure Boot Ecosystem
- Update the dbx database to add back the same dbx entries as the cumulative update applied