<#
***************************************************************************************************
Script Name : Secure Boot Certificate Update
Created by  : Deepak Kumar
Email       :
Date        : 09/10/2025
***************************************************************************************************
Purpose:
    Append the 2023 Microsoft Secure Boot CA certificates (MicCorKEKCA2023.crt,
    MicCorOpRomUEFICA2023.crt, MicCorUEFICA2023.crt and MicWinUEFICA2023.crt) to the system
    firmware's KEK and db. These certificates must be present in firmware BEFORE the BIOS is
    updated to a release that carries (and is signed under) the new 2023 CAs.
    This script is intended for Dell 16G servers.

Important notes before running this script:
  1. All required files (the four .crt files and the four platform-signed *.p7 payloads) must be
     in one folder; the script prompts for that folder path.
  2. The script is not yet signed, so the execution policy must allow it. Prefer a process-scoped
     policy that expires with the session instead of weakening the machine-wide policy:
         Set-ExecutionPolicy RemoteSigned -Scope Process
     (run Unblock-File on the script first if it was downloaded). The earlier instruction
     "Set-ExecutionPolicy Unrestricted -Scope LocalMachine" leaves the whole machine permissive
     and would have to be reverted once this script is signed.
  3. The user must have administrative rights (UEFI variable writes require elevation).
  4. BitLocker must be disabled or suspended on the target machine: changing KEK/db alters the
     Secure Boot state BitLocker typically binds to, which would otherwise trigger recovery.
  5. The system must be restarted once the certificate update succeeds, before the BIOS update.
#>
# All required certificates should be available at this path.
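# Folder holding the certificates and signed payloads; the operator is prompted for it below.
[string]$SecureBootCertPath = "*"

# New Secure Boot certificate files (Microsoft-published CA certificates).
[string]$MicCorKEKCA2023       = "MicCorKEKCA2023.crt"
[string]$MicCorOpRomUEFICA2023 = "MicCorOpRomUEFICA2023.crt"
[string]$MicCorUEFICA2023      = "MicCorUEFICA2023.crt"
[string]$MicWinUEFICA2023      = "MicWinUEFICA2023.crt"

# Platform-specific signed payloads (*.p7). Firmware accepts an append to KEK/db only when the
# payload carries a valid signature chained to PK/KEK, so these files are the actual authorization
# for the write. Adjust the names here if the vendor ships them under different file names.
[string]$PlatKEKCA2023SignBin             = "16G_Kek2023_signed.bin.p7"
[string]$PlatMicCorOpRomUEFICA2023SignBin = "16G_OpRom2023_signed.bin.p7"
[string]$PlatCorUEFICA2023SignBin         = "16G_MicUEFICA2023_signed.bin.p7"
[string]$PlatMicWinUEFICA2023SignBin      = "16G_Win2023_signed.bin.p7"

# Optional integrity pin: certificate file name -> expected thumbprint (hex, no separators),
# taken from Microsoft's published values. Left empty, each certificate's subject and thumbprint
# is only logged for the operator to check; when populated, a mismatch aborts before anything is
# written to firmware.
[hashtable]$ExpectedThumbprints = @{}

# Signature owner GUID and timestamp used when the *.p7 payloads were produced. The timestamp is
# part of the signed data of a time-based authenticated variable write, so it must stay exactly
# as used by the signer (presumably the platform vendor) -- do not "refresh" it.
[string]$SignatureOwner = "77fa9abd-0359-4d32-bd60-28f4e78f784b"
[string]$SignatureTime  = "2025-05-16T13:30:00Z"

# Log file, resolved to an absolute path BEFORE Set-Location: a bare relative name would
# silently switch to a second log file inside the certificate folder once the location changes.
[string]$SecureBootCertUpdateLog = Join-Path -Path (Get-Location).Path -ChildPath "SecureBootUpdateLog.txt"

# Clear the global error array so errors reported below belong to this run only.
$Error.Clear()

function Write-Log {
    <#
    .SYNOPSIS
        Appends a timestamped line to the update log; the timestamp is taken at call time,
        so each entry reflects when it actually happened.
    .PARAMETER Message
        Text to log.
    .PARAMETER ToConsole
        Also show the message on the console. Write-Host is used deliberately: Write-Output
        inside a function would be captured as part of that function's return value.
    .PARAMETER BlankLineBefore
        Emit an empty line before the entry (used for run start/finish markers).
    #>
    param(
        [Parameter(Mandatory = $true)][string]$Message,
        [switch]$ToConsole,
        [switch]$BlankLineBefore
    )
    $stamp  = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    $prefix = if ($BlankLineBefore) { "`n" } else { "" }
    Add-Content -Path $SecureBootCertUpdateLog -Value "$prefix[$stamp] $Message"
    if ($ToConsole) { Write-Host $Message }
}

function Test-CertificateFile {
    <#
    .SYNOPSIS
        Parses a .crt file, logs its subject and thumbprint, and enforces $ExpectedThumbprints
        when a pin for that file name is configured.
    .PARAMETER Path
        Path (relative to the current location) of the certificate file.
    .OUTPUTS
        $true when the file is a readable X.509 certificate and matches its pin (if any);
        $false otherwise (the reason is already logged).
    #>
    param([Parameter(Mandatory = $true)][string]$Path)
    $name = Split-Path -Leaf $Path
    try {
        $full = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
    } catch {
        Write-Log -ToConsole "SecureBoot update failed. '$name' is not a readable X.509 certificate: $($_.Exception.Message)"
        return $false
    }
    Write-Log "Certificate '$name': Subject='$($cert.Subject)' Thumbprint=$($cert.Thumbprint)"
    if ($ExpectedThumbprints.ContainsKey($name)) {
        $expected = $ExpectedThumbprints[$name]
        if ($cert.Thumbprint -ne $expected) {
            Write-Log -ToConsole "SecureBoot update failed. Thumbprint of '$name' ($($cert.Thumbprint)) does not match the expected value ($expected)."
            return $false
        }
        Write-Log "Certificate '$name' thumbprint matches the configured pin."
    }
    return $true
}

function Update-SecureBootDatabase {
    <#
    .SYNOPSIS
        Appends one certificate to a Secure Boot database (KEK or DB) using a pre-signed payload.
    .DESCRIPTION
        Format-SecureBootUEFI builds the append content and the "to sign" image for the
        certificate; Set-SecureBootUEFI then submits the content together with the
        platform-signed *.p7 payload. The firmware verifies that signature before accepting the
        append, so this script never handles a private key. Both cmdlets run with
        -ErrorAction Stop so that a failed write is guaranteed to reach the catch block instead
        of being logged as a success. Temporary files are removed on every exit path.
    .PARAMETER Name
        Target variable: KEK or DB.
    .PARAMETER CertificateFile
        The .crt file to append.
    .PARAMETER SignedFile
        Platform-signed *.p7 payload matching this certificate and $SignatureTime.
    .PARAMETER TempPrefix
        Prefix of the temporary <prefix>_unsigned.bin / <prefix>_ToSign.bin files.
    .PARAMETER Description
        Human-readable name used in log messages.
    .OUTPUTS
        $true on success, $false on failure (already logged).
    #>
    param(
        [Parameter(Mandatory = $true)][ValidateSet('KEK', 'DB')][string]$Name,
        [Parameter(Mandatory = $true)][string]$CertificateFile,
        [Parameter(Mandatory = $true)][string]$SignedFile,
        [Parameter(Mandatory = $true)][string]$TempPrefix,
        [Parameter(Mandatory = $true)][string]$Description
    )
    $unsigned = ".\${TempPrefix}_unsigned.bin"
    $toSign   = ".\${TempPrefix}_ToSign.bin"
    try {
        $formatted = Format-SecureBootUEFI -Name $Name -SignatureOwner $SignatureOwner -Time $SignatureTime `
            -CertificateFilePath $CertificateFile -FormatWithCert -AppendWrite `
            -ContentFilePath $unsigned -SignableFilePath $toSign -ErrorAction Stop
        # Discard any pipeline output so the function's only return value is the status below.
        $null = ($formatted | Set-SecureBootUEFI -ContentFilePath $unsigned -SignedFilePath $SignedFile -AppendWrite -ErrorAction Stop)
        Write-Log "SecureBoot $Description update completed successfully."
        return $true
    } catch {
        # $_ is the ErrorRecord; "$Error[0]" inside a string would expand the whole array.
        Write-Log -ToConsole "$($_.Exception.Message) SecureBoot $Description update failed."
        return $false
    } finally {
        Remove-Item -LiteralPath $toSign, $unsigned -Force -ErrorAction SilentlyContinue
    }
}

Write-Log -BlankLineBefore "Starting SecureBoot Certificate Update...."

# 1. Administrative rights -- checked first, since both the BitLocker query and the UEFI variable
#    writes below require elevation.
$IsAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $IsAdmin) {
    Write-Log -ToConsole "User does NOT have administrative rights."
    return
}
Write-Log "User has administrative rights."

# 2. Secure Boot cmdlets must be present; without them there is nothing to write with.
if (@(Get-Command Format-SecureBootUEFI, Set-SecureBootUEFI -ErrorAction SilentlyContinue).Count -lt 2) {
    Write-Log -ToConsole "SecureBoot update failed. Format-SecureBootUEFI/Set-SecureBootUEFI are not available on this system."
    return
}

# 3. BitLocker must not protect any volume. Fail closed: if the state cannot be determined the
#    update is aborted rather than risking a recovery prompt on the next boot.
if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    try {
        $EncryptedVolumes = @(Get-BitLockerVolume -ErrorAction Stop |
            Where-Object { $_.ProtectionStatus -eq 'On' -or $_.ProtectionStatus -eq 1 } |
            ForEach-Object { $_.MountPoint })
    } catch {
        Write-Log -ToConsole "SecureBoot update failed. BitLocker state could not be determined: $($_.Exception.Message)"
        return
    }
    if ($EncryptedVolumes.Count -gt 0) {
        Write-Log -ToConsole "BitLocker is enabled on the following volumes: $($EncryptedVolumes -join ', '). Disable BitLocker before updating the secure boot certificates."
        return
    }
    Write-Log "BitLocker is not enabled on any volume."
} else {
    # No BitLocker cmdlets: the feature is not installed, so no volume can be protected here.
    Write-Log "BitLocker cmdlets not available; BitLocker feature is not installed."
}

# 4. Folder with the certificates and signed payloads. -LiteralPath so characters such as
#    '[' in the typed path are not treated as wildcards; -PathType Container so a file path is
#    rejected here rather than failing at Set-Location.
$SecureBootCertPath = Read-Host "Enter the folder path which contains the new secure Boot certificate"
if (-not (Test-Path -LiteralPath $SecureBootCertPath -PathType Container)) {
    Write-Log -ToConsole "SecureBoot update failed. '$SecureBootCertPath' does not exist."
    return
}
Set-Location -LiteralPath $SecureBootCertPath
Write-Log "current location is changed to $(Get-Location)"

# Order matters and is preserved from the vendor procedure: KEK first, then the three db entries.
$Updates = @(
    @{ Name = 'KEK'; Cert = $MicCorKEKCA2023;       Signed = $PlatKEKCA2023SignBin;             Prefix = 'Kek2023';   Description = 'KEK' },
    @{ Name = 'DB';  Cert = $MicCorOpRomUEFICA2023; Signed = $PlatMicCorOpRomUEFICA2023SignBin; Prefix = 'OpRom2023'; Description = 'Microsoft Option Rom certificate' },
    @{ Name = 'DB';  Cert = $MicCorUEFICA2023;      Signed = $PlatCorUEFICA2023SignBin;         Prefix = 'Cor2023';   Description = 'Microsoft UEFI CA 2023 certificate' },
    @{ Name = 'DB';  Cert = $MicWinUEFICA2023;      Signed = $PlatMicWinUEFICA2023SignBin;      Prefix = 'Win2023';   Description = 'Windows UEFI CA 2023 certificate' }
)

#####################################################################################
# 5. Validate EVERY input before touching firmware, so a missing or bad file cannot
#    leave KEK/db half-updated.
#####################################################################################
foreach ($u in $Updates) {
    if ((-not (Test-Path -LiteralPath $u.Cert)) -or (-not (Test-Path -LiteralPath $u.Signed))) {
        Write-Log -ToConsole "SecureBoot update failed. File '$($u.Cert)' or '$($u.Signed)' does not exist in folder '$SecureBootCertPath'."
        return
    }
    if (-not (Test-CertificateFile -Path $u.Cert)) { return }
}

#####################################################################################
# 6. Append each certificate; stop at the first failure (later entries depend on the
#    earlier ones having been accepted).
#####################################################################################
foreach ($u in $Updates) {
    $ok = Update-SecureBootDatabase -Name $u.Name -CertificateFile $u.Cert -SignedFile $u.Signed `
        -TempPrefix $u.Prefix -Description $u.Description
    if ($ok -ne $true) { return }
}

Write-Output "Please Restart the system to make the update active."
Write-Host "System MUST be restarted before updating the new BIOS" -ForegroundColor Red
Write-Log -BlankLineBefore "Please Restart the system to make the update active.System MUST be restarted before updaing the new BIOS."
Write-Log -BlankLineBefore "SecureBoot Cerificate Update Finished."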