----------------------- PS C:\> # ================== MOUNT ESP ================== PS C:\> mountvol S: /S PS C:\> PS C:\> # ================== SECURE BOOT STATUS ================== PS C:\> try { >> Confirm-SecureBootUEFI >> } catch { >> Write-Host "Unable to query Secure Boot state" >> } True PS C:\> PS C:\> # ================== STATE MACHINE (AvailableUpdates) ================== PS C:\> $sb = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" PS C:\> $sb.AvailableUpdates 0 PS C:\> PS C:\> # ================== SERVICING STATE ================== PS C:\> $svc = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" PS C:\> $svc | Select-Object UEFICA2023Status, WindowsUEFICA2023Capable, ConfidenceLevel UEFICA2023Status WindowsUEFICA2023Capable ConfidenceLevel ---------------- ------------------------ --------------- Updated 2 No Data Observed - Action Required PS C:\> PS C:\> # ================== BOOT MANAGER (ESP - REAL BOOT) ================== PS C:\> $espSig = Get-AuthenticodeSignature "S:\EFI\Microsoft\Boot\bootmgfw.efi" PS C:\> $espSig | Format-List SignerCertificate : [Subject] CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Issuer] CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Serial Number] 330000059B7ABC51A19E71241800000000059B [Not Before] 4/16/2026 8:09:15 PM [Not After] 10/17/2026 8:09:15 PM [Thumbprint] DC91E564D5BC1E3A8E02D6A8508682ABEA8A2443 TimeStamperCertificate : [Subject] CN=Microsoft Time-Stamp Service, OU=nShield TSS ESN:A935-03E0-D947, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Issuer] CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Serial Number] 3300000227D5C083C3B12E572D000100000227 [Not Before] 2/19/2026 7:40:04 PM [Not After] 5/17/2027 8:40:04 PM [Thumbprint] 231F3AAD84FC0ED060DC903300EB1E7894888C2A Status : Valid StatusMessage : Signature verified. Path : S:\EFI\Microsoft\Boot\bootmgfw.efi SignatureType : Catalog IsOSBinary : True PS C:\> PS C:\> # ================== BOOT MANAGER (WINDOWS COPY) ================== PS C:\> $winSig = Get-AuthenticodeSignature "$env:SystemRoot\Boot\EFI\bootmgfw.efi" PS C:\> $winSig | Format-List SignerCertificate : [Subject] CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Issuer] CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Serial Number] 330000059B7ABC51A19E71241800000000059B [Not Before] 4/16/2026 8:09:15 PM [Not After] 10/17/2026 8:09:15 PM [Thumbprint] DC91E564D5BC1E3A8E02D6A8508682ABEA8A2443 TimeStamperCertificate : [Subject] CN=Microsoft Time-Stamp Service, OU=nShield TSS ESN:A935-03E0-D947, OU=Microsoft America Operations, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Issuer] CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US [Serial Number] 3300000227D5C083C3B12E572D000100000227 [Not Before] 2/19/2026 7:40:04 PM [Not After] 5/17/2027 8:40:04 PM [Thumbprint] 231F3AAD84FC0ED060DC903300EB1E7894888C2A Status : Valid StatusMessage : Signature verified. Path : C:\WINDOWS\Boot\EFI\bootmgfw.efi SignatureType : Catalog IsOSBinary : True PS C:\> PS C:\> # ================== HASH COMPARISON ================== PS C:\> Get-FileHash "S:\EFI\Microsoft\Boot\bootmgfw.efi","$env:SystemRoot\Boot\EFI\bootmgfw.efi" | >> Select-Object Path, Hash Path Hash ---- ---- S:\EFI\Microsoft\Boot\bootmgfw.efi 200D1E3A6A0DE342A5091654C0E62A434E38D467ADD78057B60A1FDBFC8EF101 C:\WINDOWS\Boot\EFI\bootmgfw.efi 456DE3C04EA6A39B03964181E23A725E9A27A1097D79D02355CBA0A061BD96C1 PS C:\> PS C:\> # ================== SCHEDULED TASK STATUS ================== PS C:\> Get-ScheduledTaskInfo -TaskName "Secure-Boot-Update" -TaskPath "\Microsoft\Windows\PI\" | >> Select-Object LastRunTime, LastTaskResult LastRunTime LastTaskResult ----------- -------------- 6/26/2026 6:49:43 PM 0 PS C:\> PS C:\> # ================== BOOT UPDATE EVENTS (1799 / 1797) ================== PS C:\> $bootEvents = Get-WinEvent -FilterHashtable @{LogName='System'; Id=1799,1797} -ErrorAction SilentlyContinue PS C:\> PS C:\> if ($bootEvents) { >> $bootEvents | Sort-Object TimeCreated | Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap >> } else { >> Write-Host "NO EVENTS FOUND -> Boot Manager update step (0x0100) was NOT executed" >> } NO EVENTS FOUND -> Boot Manager update step (0x0100) was NOT executed PS C:\> PS C:\> # ================== FULL SECURE BOOT PIPELINE EVENTS ================== PS C:\> Get-WinEvent -FilterHashtable @{ >> LogName = 'System' >> Id = 1032,1033,1034,1036,1037,1042,1043,1044,1045, >> 1795,1796,1797,1798,1799,1800, >> 1801,1802,1803,1804,1805,1806,1807,1808 >> } -ErrorAction SilentlyContinue | >> Sort-Object TimeCreated | >> Format-Table TimeCreated, Id, LevelDisplayName, Message -AutoSize -Wrap TimeCreated Id LevelDisplayName Message ----------- -- ---------------- ------- 5/29/2026 12:45:48 PM 1042 Error You cannot uninstall language en-US because the language is the system installed UI language. 5/29/2026 12:45:52 PM 1801 Error Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.14.0;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: a5db44dd58d82343b1e6575efce12d0c32f5ca51c6cb14d3445ed34dfcfd972e BucketConfidenceLevel: Under Observation - More Data Needed UpdateType: For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 5/29/2026 12:45:53 PM 1034 Information Secure Boot Dbx update applied successfully 5/29/2026 12:55:57 PM 1801 Error Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.14.0;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: a5db44dd58d82343b1e6575efce12d0c32f5ca51c6cb14d3445ed34dfcfd972e BucketConfidenceLevel: Under Observation - More Data Needed UpdateType: For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/11/2026 12:52:34 PM 1801 Error Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/16/2026 12:02:10 AM 1801 Error Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/16/2026 12:02:10 AM 1034 Information Secure Boot Dbx update applied successfully 6/16/2026 11:43:11 AM 1801 Error Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/16/2026 12:16:22 PM 1044 Information Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully 6/16/2026 12:30:16 PM 1808 Information This device has updated Secure Boot CA/keys. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023) For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/16/2026 2:19:38 PM 1808 Information This device has updated Secure Boot CA/keys. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023) For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/22/2026 11:18:49 AM 1808 Information This device has updated Secure Boot CA/keys. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023) For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/26/2026 6:37:40 PM 1808 Information This device has updated Secure Boot CA/keys. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023) For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. 6/26/2026 6:45:44 PM 1808 Information This device has updated Secure Boot CA/keys. This device signature information is included here. DeviceAttributes: FirmwareManufacturer:Dell Inc.;FirmwareVersion:1.15.1;OEMManufacturerName:Dell Inc.;OEMModelSKU:0CFF;OSArchitecture:amd64; BucketId: 0ac8e4d8b8d74cc9180f783d2e6a58f4399ef5825b72d665c8078695e09ac51e BucketConfidenceLevel: No Data Observed - Action Required UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023) For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018. PS C:\> -----------------------