-----------------------
PS C:\> # ================== MOUNT ESP ==================
PS C:\> mountvol S: /S
PS C:\>
PS C:\> # ================== SECURE BOOT STATUS ==================
PS C:\> try {
>>     Confirm-SecureBootUEFI
>> } catch {
>>     Write-Host "Unable to query Secure Boot state"
>> }
True
PS C:\>
PS C:\> # ================== VERIFY 2023 CERTIFICATES ==================
PS C:\> # Confirms firmware has required CA/KEK entries
PS C:\>
PS C:\> [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'KEK 2K CA 2023'
True
PS C:\> [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
True
PS C:\> [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'
True
PS C:\> [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Option ROM UEFI CA 2023'
True
PS C:\>
PS C:\> # ================== CURRENT STATE ==================
PS C:\> $sb = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
PS C:\> $sb.AvailableUpdates
0
PS C:\>
PS C:\> $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing"
PS C:\> $svc | Select-Object UEFICA2023Status, WindowsUEFICA2023Capable, ConfidenceLevel

UEFICA2023Status WindowsUEFICA2023Capable ConfidenceLevel
---------------- ------------------------ ---------------
Updated                                 2 No Data Observed - Action Required

PS C:\>
PS C:\> # ================== FORCE BOOT MANAGER STEP ==================
PS C:\> reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot" /v AvailableUpdates /t REG_DWORD /d 0x0100 /f
The operation completed successfully.
PS C:\>
PS C:\> # ================== RUN SECURE BOOT UPDATE TASK ==================
PS C:\> schtasks /run /tn "\Microsoft\Windows\PI\Secure-Boot-Update"
SUCCESS: Attempted to run the scheduled task "\Microsoft\Windows\PI\Secure-Boot-Update".
PS C:\>
PS C:\> # ================== WAIT ==================
PS C:\> Start-Sleep -Seconds 5
PS C:\>
PS C:\> # ================== TASK STATUS ==================
PS C:\> Get-ScheduledTaskInfo -TaskName "Secure-Boot-Update" -TaskPath "\Microsoft\Windows\PI\" | Select-Object LastRunTime, LastTaskResult

LastRunTime          LastTaskResult
-----------          --------------
6/26/2026 6:45:43 PM              0

PS C:\>
PS C:\> # ================== BOOT STEP EVENTS ==================
PS C:\> Get-WinEvent -FilterHashtable @{
>>     LogName='System'
>>     Id=1799,1797
>> } -ErrorAction SilentlyContinue |
>> Sort-Object TimeCreated |
>> Select-Object TimeCreated, Id, Message
PS C:\>
PS C:\> # ================== BOOT MANAGER (ESP - REAL BOOT) ==================
PS C:\> Get-AuthenticodeSignature "S:\EFI\Microsoft\Boot\bootmgfw.efi" | Format-List

SignerCertificate      : [Subject]
                           CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           330000059B7ABC51A19E71241800000000059B

                         [Not Before]
                           4/16/2026 8:09:15 PM

                         [Not After]
                           10/17/2026 8:09:15 PM

                         [Thumbprint]
                           DC91E564D5BC1E3A8E02D6A8508682ABEA8A2443

TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=nShield TSS ESN:A935-03E0-D947, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           3300000227D5C083C3B12E572D000100000227

                         [Not Before]
                           2/19/2026 7:40:04 PM

                         [Not After]
                           5/17/2027 8:40:04 PM

                         [Thumbprint]
                           231F3AAD84FC0ED060DC903300EB1E7894888C2A

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : S:\EFI\Microsoft\Boot\bootmgfw.efi
SignatureType          : Catalog
IsOSBinary             : True

PS C:\> # ================== BOOT MANAGER (WINDOWS COPY) ==================
PS C:\> Get-AuthenticodeSignature "$env:SystemRoot\Boot\EFI\bootmgfw.efi" | Format-List

SignerCertificate      : [Subject]
                           CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           330000059B7ABC51A19E71241800000000059B

                         [Not Before]
                           4/16/2026 8:09:15 PM

                         [Not After]
                           10/17/2026 8:09:15 PM

                         [Thumbprint]
                           DC91E564D5BC1E3A8E02D6A8508682ABEA8A2443

TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=nShield TSS ESN:A935-03E0-D947, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           3300000227D5C083C3B12E572D000100000227

                         [Not Before]
                           2/19/2026 7:40:04 PM

                         [Not After]
                           5/17/2027 8:40:04 PM

                         [Thumbprint]
                           231F3AAD84FC0ED060DC903300EB1E7894888C2A

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : C:\WINDOWS\Boot\EFI\bootmgfw.efi
SignatureType          : Catalog
IsOSBinary             : True

PS C:\>
PS C:\> # ================== HASH COMPARISON ==================
PS C:\> Get-FileHash "S:\EFI\Microsoft\Boot\bootmgfw.efi","$env:SystemRoot\Boot\EFI\bootmgfw.efi" | Select-Object Path, Hash

Path                               Hash
----                               ----
S:\EFI\Microsoft\Boot\bootmgfw.efi 200D1E3A6A0DE342A5091654C0E62A434E38D467ADD78057B60A1FDBFC8EF101
C:\WINDOWS\Boot\EFI\bootmgfw.efi   456DE3C04EA6A39B03964181E23A725E9A27A1097D79D02355CBA0A061BD96C1

PS C:\>
PS C:\> # ================== BITLOCKER STATE ==================
PS C:\> C:\Windows\System32\manage-bde.exe -status C:
BitLocker Drive Encryption: Configuration Tool version 10.0.26100
Copyright (C) 2013 Microsoft Corporation. All rights reserved.

Volume C: []
[OS Volume]

    Size:                 237.45 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found

PS C:\>
PS C:\> # ================== RESTART ==================
PS C:\> Restart-Computer
-----------------------