Please review the Disclaimer Page & Explanation & user risk agreement before executing any scripts or utilising the code provided on this site.
Main menu contains scripts, disclaimers and documentation. Plus as a bonus, the code for embedded a copy text button into Google sites.
⚠️ Important Safety Warnings (Read Before Proceeding)
Back Up Your Data: If you are concerned about your files, always back up your data before making changes to system firmware.
I have used this script without any concerns on we over 100 laptops or PCs, but you need to weigh up any risks before proceeding.
BitLocker Precaution: If BitLocker encryption is enabled on your PC, you must disable it temporarily or, at the very least, ensure you have your 48-digit BitLocker Recovery Key on hand before updating your BIOS. A recovery key is a 48-digit numerical password used to unlock your Windows device if the system detects an unauthorized security change. (Note: Older PCs are unlikely to have BitLocker enabled, but it is always best to check).
Disclaimer: Use this code at your own risk. The notes below were generated by AI, so please review them carefully. Feel free to run the code through ChatGPT, Gemini, or any other AI tool to independently verify its integrity before executing it. You can also personalize the script by injecting specific details about your current PC or computer fleet.
Step 1: Check Your BIOS Ensure you have updated your system BIOS, or are confident that you already have the latest manufacturer driver installed, before running this script.
Step 2: Open PowerShell as Administrator Open the Windows Start Menu, search for PowerShell, right-click it, and select Run as administrator (elevated privileges).
Step 3: Copy the Code Use the blue "Copy" button on the right side of the code block below to copy the script to your clipboard.
Step 4: Paste and Run Right-click inside your open PowerShell window to paste the code, then press ENTER to execute the script.
If you are using any of these scripts with a fleet of PCs and on production PCs. Please take the time to verify the code, make any adjustments that might be tailored to your needs. It will be obvious that I was working primarily with HP laptops and desktops, however the corefunctions shoud be the same.
There is no harm in running this script, if your Certs have already been updated, it will just output that information.
This automation utility streamlines the manual multi-step process required to apply the modern Windows UEFI CA 2023 certificate and DBX update baseline. Because modifying firmware variables and temporary boot configurations impacts full-disk encryption, the wizard executes according to strict platform safety stages.
1. Context Assessment & Self-Elevation
Upon execution, the script verifies the runtime token security context. Interfacing with low-level hardware abstractions requires high integrity tokens. If the execution environment lacks these permissions, the utility requests elevation via the User Account Control (UAC) subsystem using the RunAs verb.
2. Environment Audit (Step 1)
The script queries the physical Non-Volatile RAM (NVRAM) and the local serving configurations:
Get-SecureBootUEFI db: Directly checks if the physical motherboard firmware recognizes the modern Windows UEFI CA 2023 certificate hash.
WindowsUEFICA2023Capable Registry Key: Identifies the current staging phase of the operating system (Phase 0, Phase 1, or Phase 2). If both the firmware key and Phase 2 status are confirmed, the script terminates early to avoid redundant operations.
3. Cryptographic Guardrail Management (Step 3)
Modifying the Secure Boot state or updating the DBX database changes the platform boot configuration. When full-disk encryption is active, these firmware-level changes normally trigger a BitLocker recovery event upon the next boot because the system detects a potential tampering attempt.
Remediation: The script automatically queries Get-BitLockerVolume. If protection is enabled, it invokes Suspend-BitLocker with a -RebootCount 2 restriction. This temporarily clears the decryption constraints for the next two reboots, allowing the hardware modifications to settle without locking the operator out of the volume.
4. Kernel Flags & Servicing Triggers (Steps 4 & 5)
To force Windows to attempt a firmware update during the hardware initialization phase, specific staging variables must exist in the Windows registry:
Registry Staging: The script writes 22852 (hexadecimal 0x5944) to the AvailableUpdates DWORD under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot. This indicates to the servicing stack that the asset is prepared for deployment.
Task Firing: It immediately triggers the native scheduled task (\Microsoft\Windows\PI\Secure-Boot-Update), forcing the operating system to parse the update files and prepare them for the physical motherboard write sequence during the next boot phase.
To ensure users understand the lifecycle of this utility, you can display the following execution sequence on your page:
Extraction: Download and extract the .zip package entirely to a local folder.
Initial Run: Execute the script with administrative privileges. Confirm the deployment matrix to suspend the protector and stage the registry keys.
First Reboot: Allow the system to restart. During this phase, the motherboard registers the new certificate configuration.
Verification Run: Once back in the OS, execute the script a second time. The script will analyze the new baseline and guide you through the final reboots needed to advance the operating system to full compliance (Phase 2).