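# Check-UEFIBootCertificate
#
# Script to check the Secure Boot signature databases for the certificates
# needed to boot Windows after October 2026.
#
# Reads the PK, KEK, DB and DBX variables and decodes their EFI_SIGNATURE_LISTs.
# Checks for "Microsoft Corporation KEK 2K CA 2023" in KEK.
# Checks for "Windows UEFI CA 2023" in DB.
# PK and DBX are decoded and returned in the result object but not evaluated.
#
# The result object is written to the pipeline; the exit code is a bitmask (TotalStatus):
#   4  - KEK does not contain "Microsoft Corporation KEK 2K CA 2023"
#   8  - KEK is empty or could not be read
#   16 - DB does not contain "Windows UEFI CA 2023"
#   32 - DB is empty or could not be read
#Requires -RunAsAdministrator
[CmdletBinding()]
param ()

Set-PSDebug -Strict

function Convertfrom-UEFIBLOB {
    <#
    .SYNOPSIS
        Decodes a raw Secure Boot variable (PK/KEK/DB/DBX) into one object per signature entry.
    .DESCRIPTION
        The blob is a sequence of EFI_SIGNATURE_LIST structures:
          0  SignatureType       EFI_GUID (16 bytes)
          16 SignatureListSize   UINT32   (whole list, header included)
          20 SignatureHeaderSize UINT32   (bytes of SignatureHeader before the entries)
          24 SignatureSize       UINT32   (bytes per EFI_SIGNATURE_DATA entry, owner GUID included)
          28 SignatureHeader[SignatureHeaderSize], then the entries
        Each entry is SignatureOwner EFI_GUID (16 bytes) followed by SignatureData.
        Sizes are validated against the blob length before use, because this data
        comes from firmware and a malformed list must not hang or crash the check.
    .PARAMETER blob
        Raw bytes as returned by (Get-SecureBootUEFI -Name <var>).Bytes.
    .OUTPUTS
        PSCustomObject per entry with Owner (GUID), Subject, Cert, Sign (hex digest), Type (list GUID).
        X509 entries populate Subject/Cert; SHA256 entries populate Sign.
        Other list types produce a warning and no object. An empty or $null blob produces no output.
    #>
    Param (
        [byte[]]$blob
    )

    $headerSize = 28   # fixed part of EFI_SIGNATURE_LIST
    $ownerSize  = 16   # SignatureOwner EFI_GUID at the start of each entry
    $sha256Guid = [guid]"c1c41626-504c-4092-aca9-41f936934328"   # EFI_CERT_SHA256_GUID
    $x509Guid   = [guid]"a5c059a1-94e4-4aa7-87b5-ab155c2bf072"   # EFI_CERT_X509_GUID

    if ($null -eq $blob -or $blob.Length -eq 0) {
        Write-Verbose "Blob is empty; nothing to decode"
        return
    }

    $blobpointer = 0
    $count = 0
    while ($blobpointer -lt $blob.Length) {
        $count++
        Write-Verbose "Processing sign List $count at offset $blobpointer"

        # The fixed header must fit before any field is read from it.
        if ($blobpointer + $headerSize -gt $blob.Length) {
            Write-Warning "Truncated sign list $count at offset $blobpointer (header does not fit); stopping"
            break
        }
        [Guid]$guid = [Byte[]]$blob[$blobpointer..($blobpointer + 15)]
        $signListSize   = [BitConverter]::ToUInt32($blob, $blobpointer + 16)
        $signHeaderSize = [BitConverter]::ToUInt32($blob, $blobpointer + 20)
        $signSize       = [BitConverter]::ToUInt32($blob, $blobpointer + 24)

        # A zero or undersized SignatureListSize would never advance the pointer
        # (infinite loop); an oversized one would read past the blob.
        if ($signListSize -lt $headerSize -or $blobpointer + $signListSize -gt $blob.Length) {
            Write-Warning "sign list $count has invalid SignatureListSize $signListSize at offset $blobpointer; stopping"
            break
        }
        # SignatureHeader must fit inside the list, and every entry must hold at least
        # the owner GUID plus some data (SignatureSize 0 would divide by zero).
        if ($headerSize + $signHeaderSize -gt $signListSize -or $signSize -le $ownerSize) {
            Write-Warning "sign list $count has invalid SignatureHeaderSize $signHeaderSize / SignatureSize $signSize; skipping list"
            $blobpointer = [int]($blobpointer + $signListSize)
            continue
        }

        $entriesBytes = $signListSize - $headerSize - $signHeaderSize
        $signCount = [math]::Floor($entriesBytes / $signSize)
        $sigoffset = [int]($blobpointer + $headerSize + $signHeaderSize)
        for ($i = 1; $i -le $signCount; $i++) {
            Write-Verbose " sign $($i):"
            $dataStart = $sigoffset + $ownerSize
            $dataEnd   = [int]($sigoffset + $signSize - 1)   # last byte of THIS entry, not of the next
            $entry = [PSCustomObject][ordered] @{
                Owner   = [Guid][Byte[]]$blob[$sigoffset..($sigoffset + $ownerSize - 1)]
                Subject = $null
                Cert    = $null
                Sign    = $null
                Type    = $guid
            }
            if ($guid -eq $sha256Guid) {
                # SignatureData is the raw digest (32 bytes for SHA256); render as upper-case hex.
                $entry.Sign = ([Byte[]]$blob[$dataStart..$dataEnd] | ForEach-Object { $_.ToString('X2') }) -join ''
                $entry
            }
            elseif ($guid -eq $x509Guid) {
                # SignatureData is one DER-encoded certificate.
                $certBytes = [Byte[]]$blob[$dataStart..$dataEnd]
                try {
                    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $certBytes)
                    $entry.Subject = $cert.Subject
                    $entry.Cert = $cert
                }
                catch {
                    # Keep the entry (owner/type are still useful) but flag the undecodable payload.
                    Write-Warning "Unable to parse X509 certificate in sign list $count entry $i : $($_.Exception.Message)"
                }
                $entry
            }
            else {
                Write-Warning "Unable to decode EFI sign type: $guid"
            }
            $sigoffset = [int]($sigoffset + $signSize)
        }
        $blobpointer = [int]($blobpointer + $signListSize)
    }
    Write-Verbose "Finished processing $count sign lists"
}

function Read-SecureBootVariable {
    <#
    .SYNOPSIS
        Reads one Secure Boot variable and returns its raw bytes, or $null if it cannot be read.
    .PARAMETER Name
        Variable name passed to Get-SecureBootUEFI (PK, KEK, DB, DBX).
    .NOTES
        Get-SecureBootUEFI fails when Secure Boot is unsupported or the variable is absent;
        returning $null lets the caller report "empty or could not be read" instead of aborting.
    #>
    Param (
        [string]$Name
    )
    try {
        return (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    }
    catch {
        Write-Warning "Could not read Secure Boot variable '$Name': $($_.Exception.Message)"
        return $null
    }
}

Write-Host "Check-UEFIBootCertificate:Start"

# Subject strings (as rendered by X509Certificate2.Subject) of the 2023 CAs.
# NOTE: a Subject match identifies the certificate by name only; comparing the
# Thumbprint against Microsoft's published value would be a stronger check.
$kekCaSubject = "CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US"
$dbCaSubject  = "CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US"

$result = [pscustomobject] @{
    PK          = $null
    KEK         = $null
    KEKStatus   = $null
    DB          = $null
    DBStatus    = $null
    DBX         = $null
    TotalStatus = [Int16]0
}

Write-Host "Reading Platform Key (PK)"
$result.PK = Convertfrom-UEFIBLOB -blob (Read-SecureBootVariable -Name PK)

Write-Host "Reading Key Exchange Key (KEK)"
$result.KEK = Convertfrom-UEFIBLOB -blob (Read-SecureBootVariable -Name KEK)
Write-Host "Checking KEK for Microsoft Corporation KEK 2K CA 2023"
if ($null -ne $result.KEK) {
    # -match on the Subject array yields the matching elements; non-empty means present.
    if ($result.KEK.Subject -match [regex]::Escape($kekCaSubject)) {
        Write-Host "Microsoft Corporation KEK 2K CA 2023 is present in KEK" -ForegroundColor Green
        $result.KEKStatus = "OK"
    }
    else {
        Write-Host "Microsoft Corporation KEK 2K CA 2023 is not present in KEK" -ForegroundColor Red
        $result.KEKStatus = "MISSING"
        $result.TotalStatus += 4
    }
}
else {
    Write-Host "KEK is empty or could not be read" -ForegroundColor Red
    $result.KEKStatus = "Empty"
    $result.TotalStatus += 8
}

Write-Host "Reading sign Database (DB)"
$result.DB = Convertfrom-UEFIBLOB -blob (Read-SecureBootVariable -Name DB)
if ($null -ne $result.DB) {
    if ($result.DB.Subject -match [regex]::Escape($dbCaSubject)) {
        Write-Host "Windows UEFI CA 2023 is present in DB" -ForegroundColor Green
        $result.DBStatus = "OK"
    }
    else {
        Write-Host "Windows UEFI CA 2023 is not present in DB" -ForegroundColor Red
        $result.DBStatus = "MISSING"
        $result.TotalStatus += 16
    }
}
else {
    Write-Host "DB is empty or could not be read" -ForegroundColor Red
    $result.DBStatus = "Empty"
    $result.TotalStatus += 32
}

Write-Host "Reading Forbidden sign Database (DBX)"
$result.DBX = Convertfrom-UEFIBLOB -blob (Read-SecureBootVariable -Name DBX)

# Emit the full result object so a caller can capture the decoded databases.
$result
Write-Host "Check-UEFIBootCertificate:End Exit code: $($result.TotalStatus)"
exit $result.TotalStatus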