{"id":9615,"date":"2026-05-08T00:09:25","date_gmt":"2026-05-08T00:09:25","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=9615"},"modified":"2026-05-08T03:59:32","modified_gmt":"2026-05-08T03:59:32","slug":"secure-boot","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/secure-boot","title":{"rendered":"Secure Boot"},"content":{"rendered":"\n<p>Kick off the Secure Boot servicing task manually, then confirm that the Windows UEFI CA 2023 certificate has actually landed in the firmware db variable (both from an elevated PowerShell session):<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">Start-ScheduledTask -TaskName \"\\Microsoft\\Windows\\PI\\Secure-Boot-Update\"\n\n[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'<\/code><\/pre>\n\n\n\n<p>I found that in the BIOS of those laptops under &#8220;Security\\Secure Boot&#8221; the &#8220;Platform Mode&#8221; was &#8220;Setup Mode&#8221; and the &#8220;Secure Boot Mode&#8221; was &#8220;Custom Mode&#8221;. After I hit &#8220;Restore Factory Keys&#8221; it changed to &#8220;User Mode&#8221; (for Platform Mode) and &#8220;Standard Mode&#8221; (for Secure Boot Mode). Then the Secure Boot Certificates 2026 updated without any problems.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">&lt;#\n.SYNOPSIS\n    PowerShell script to detect the status of the UEFI 2023 CA certificate update process for SecureBoot on Windows devices and output the status for reporting in Microsoft Endpoint Manager\/Intune Proactive Remediations.\n.DESCRIPTION\n    This PowerShell script is deployed as a detection script using Remediations in Microsoft Endpoint Manager\/Intune.\n.LINK\n    https:\/\/support.microsoft.com\/en-us\/topic\/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#bkmk_how_keys_work_together\n    https:\/\/docs.microsoft.com\/en-us\/mem\/analytics\/proactive-remediations\n.NOTES\n    Version:        1.2\n    Creation Date:  2026-01-28\n    Last Updated:   2026-02-10\n    Author:         Harris Bowman\n    Repository:     https:\/\/github.com\/harris-bowman\/RemediationScripts\n    Requires 
Local Admin Privileges: Yes\n#&gt;\n\n$path = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\Servicing'\n$log = \"\"\n\n#Check the Servicing key exists before reading it: Get-Item on a missing path returns nothing and the GetValue() calls below would then fail with a null-method error instead of a clean exit code.\nif (!(Test-Path $Path)) {\n    Write-Host \"SecureBoot Servicing registry not present.\"\n    exit 1\n}\n\n$keyItem = Get-Item -Path $Path\n$UEFICA2023StatusVal = $keyItem.GetValue('UEFICA2023Status', $null)\n$UEFICA2023ErrorVal = $keyItem.GetValue('UEFICA2023Error', $null)\n\n$value = Get-ItemPropertyValue -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\' -Name 'AvailableUpdates' -ErrorAction SilentlyContinue\nif ($null -eq $value) {\n    $log += \"AvailableUpdates is not set. \"\n} else {\n    $AUKeyHex = ('0x{0:X}' -f $value)\n    $log += \"AvailableUpdates=$AUKeyHex. \"\n}\n\nif ($null -eq $UEFICA2023StatusVal) {\n    Write-Host \"UEFICA2023Status key not present. \"\n    exit 1\n} else {\n    \n    if ($UEFICA2023StatusVal -eq \"NotStarted\") {\n        $log += \"The update has not yet run. \"\n    } elseif ($UEFICA2023StatusVal -eq \"InProgress\") {\n        $log += \"The update is actively in progress. \"\n    } elseif (($UEFICA2023StatusVal -eq \"Updated\") -and (([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'))) {\n        #Registry says Updated and the firmware db really contains the 2023 CA: done.\n        $log += \"The update has completed successfully! \"\n        Write-Host $log\n        exit 0\n    } elseif ($UEFICA2023StatusVal -eq \"Updated\") {\n        #Registry bookkeeping says Updated but the firmware disagrees; fall through to the error checks with that recorded.\n        $log += \"UEFICA2023Status is Updated but the Windows UEFI CA 2023 certificate was not found in the firmware db. \"\n    }\n\n    if ($null -eq $UEFICA2023ErrorVal) {\n        $log += \"UEFICA2023Error value not present. \"\n        Write-Host $log\n        exit 1\n    } elseif ($UEFICA2023ErrorVal -ne 0) {\n        $errCode = $UEFICA2023ErrorVal\n        $valHex = ('0x{0:X}' -f $errCode)\n        $errCodeEvent = (Get-ItemProperty -Path $path -Name 'UEFICA2023ErrorEvent' -ErrorAction SilentlyContinue).UEFICA2023ErrorEvent\n        #Hex form of the event code (not of the error code a second time).\n        $valHexEvent = ('0x{0:X}' -f $errCodeEvent)\n        $log += \"Error: $errCode (Hex: $valHex.) - ErrorEvent: $errCodeEvent (Hex: $valHexEvent.) \"\n        Write-Host $log\n        exit 1\n    } else {\n        Write-Host $log\n        exit 1\n    }\n\n}<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">&lt;#\n.SYNOPSIS\n    PowerShell script to apply the settings and trigger the UEFI 2023 CA certificate update process for SecureBoot on Windows devices.\n.DESCRIPTION\n    This PowerShell script is deployed as a remediation script using Remediations in Microsoft Endpoint Manager\/Intune. It will set the following, and Exit 0 if all are completed successfully:\n    - The SecureBoot registry path is created if it doesn't exist.\n    - The HighConfidenceOptOut value is set to 0\n    - The MicrosoftUpdateManagedOptIn value is set to 1.\n    - The AvailableUpdates value:\n        -If it doesn't exist, set to 0x5944.\n        -If it exists and is set to 0, set to 0x5944.\n        -If it exists and is set to 0x400, the update is stuck at the boot manager stage without\n         the CA 2023 cert having been written to the DB first. 
Reset to 0x5944 to restart the\n         full sequence.\n        -If it exists and is not set to 0 or 0x400, leave it alone as this suggests the update\n         is already in progress or has completed, and we don't want to interfere with that.\n\n    The Detection script to pair with this is: https:\/\/github.com\/harris-bowman\/RemediationScripts\/blob\/main\/Detect_SecureBootRegKeys.ps1\n.LINK\n    https:\/\/support.microsoft.com\/en-us\/topic\/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#bkmk_how_keys_work_together\n    https:\/\/docs.microsoft.com\/en-us\/mem\/analytics\/proactive-remediations\n.NOTES\n    Version:        1.4\n    Creation Date:  2026-01-28\n    Last Updated:   2026-05-08\n    Author:         Harris Bowman (modified by PA)\n    Repository:     https:\/\/github.com\/harris-bowman\/RemediationScripts\n    Requires Local Admin Privileges: Yes\n\n    Changelog:\n        1.4 - Added handling for AvailableUpdates = 0x400 (stuck at boot manager stage).\n              Devices in this state have skipped the cert-into-DB step and will loop on\n              Event ID 1796 (0x800700c1) indefinitely. Reset to 0x5944 to restart the\n              full cert + boot manager sequence.\n#&gt;\n\n$Path  = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\'\n$log = \"\"\n$value = $null\n\n#Safeguard if certificates are already installed:\nif ((Get-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\Servicing' -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status -eq \"Updated\" -and (([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'))) {\n    Write-Host \"SecureBoot updates already installed successfully. No remediation needed.\"\n    exit 0\n}\n\n#Check the registry key SecureBoot exists.\nif (!(Test-Path $Path)) {\n    New-Item -Path $Path -Force\n    $log += \"SecureBoot registry path created. 
\"\n}\n$keyItem = Get-Item -Path $Path\n\n$value = $keyItem.GetValue('HighConfidenceOptOut', $null)\nif ($null -eq $value) {\n    #If HighConfidenceOptOut doesn't exist, create it and set to 0.\n    New-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -PropertyType DWord -Value 0 -Force\n} elseif ($value -ne 0) {\n    #If HighConfidenceOptOut exists but is not set to 0, set it to 0.\n    Set-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -Value 0 -Force\n    $log += \"Configured HighConfidenceOptOut to 0. \"\n}   \n\n$value = $keyItem.GetValue('MicrosoftUpdateManagedOptIn', $null)\nif ($null -eq $value) {\n    #If MicrosoftUpdateManagedOptIn doesn't exist, create it and set to 1.\n    New-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -PropertyType DWord -Value 1 -Force\n} elseif ($value -ne 1) {\n    #If MicrosoftUpdateManagedOptIn exists but is not set to 1, set it to 1.\n    Set-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -Value 1 -Force\n    $log += \"Configured MicrosoftUpdateManagedOptIn to 1. \"\n}   \n\n$val = $keyItem.GetValue('AvailableUpdates', $null)\nif ($null -eq $val) {\n    #If AvailableUpdates doesn't exist, create it and set to 0x5944.\n    New-ItemProperty -Path $Path -Name 'AvailableUpdates' -PropertyType DWord -Value 0x5944 -Force\n    $log += \"Configured AvailableUpdates to 0x5944 (key didn't exist.). \"\n    #Start the Scheduled Task to kick off the update process.\n    Start-ScheduledTask -TaskName \"\\Microsoft\\Windows\\PI\\Secure-Boot-Update\" -ErrorAction SilentlyContinue\n    $log += \"Attempted to start Scheduled Task. \"\n} elseif (0 -eq $val) {\n    #If AvailableUpdates exists but is set to 0, set it to 0x5944.\n    Set-ItemProperty -Path $Path -Name 'AvailableUpdates' -Value 0x5944 -Force\n    $log += \"Configured AvailableUpdates to 0x5944 (was 0). 
\"\n    #Start the Scheduled Task to kick off the update process.\n    Start-ScheduledTask -TaskName \"\\Microsoft\\Windows\\PI\\Secure-Boot-Update\" -ErrorAction SilentlyContinue\n    $log += \"Attempted to start Scheduled Task. \"\n} elseif (0x400 -eq $val) {\n    #If AvailableUpdates is 0x400, the device is stuck at the boot manager update stage without\n    #the Windows UEFI CA 2023 cert having been written to the Secure Boot DB first.\n    #This causes a recurring Event ID 1796 (0x800700c1) on every boot.\n    #Reset to 0x5944 to restart the full cert + boot manager sequence from the beginning.\n    Set-ItemProperty -Path $Path -Name 'AvailableUpdates' -Value 0x5944 -Force\n    $log += \"Configured AvailableUpdates to 0x5944 (was stuck at 0x400 - boot manager stage without cert). \"\n    #Start the Scheduled Task to kick off the update process.\n    Start-ScheduledTask -TaskName \"\\Microsoft\\Windows\\PI\\Secure-Boot-Update\" -ErrorAction SilentlyContinue\n    $log += \"Attempted to start Scheduled Task. \"\n} else {\n    #If AvailableUpdates exists and is not 0 or 0x400, leave it alone as this suggests\n    #the update is already in progress or has completed, and we don't want to interfere with that.\n    $valHex = ('0x{0:X}' -f $val)\n    $log += \"AvailableUpdates present but set to $valHex, Leaving alone. \"\n}\n\n$log = \"SecureBoot registry keys configured successfully: \" + $log\nWrite-Host $log\nexit 0<\/code><\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code class=\"\">&lt;#\n.SYNOPSIS\n    PowerShell script to detect the settings needed to trigger the UEFI 2023 CA certificate update process for SecureBoot on Windows devices.\n.DESCRIPTION\n    This PowerShell script is deployed as a detection script using Remediations in Microsoft Endpoint Manager\/Intune. 
It will Exit 1 (Remediation Needed) if any of the following are true:\n    - The SecureBoot registry path doesn't exist.\n    - The HighConfidenceOptOut value is not set to 0.\n    - The MicrosoftUpdateManagedOptIn value is not set to 1.\n    - The AvailableUpdates value doesn't exist, is set to 0, or is set to 0x400 (stuck at\n      boot manager stage without the CA 2023 cert having been written to the DB first).\n\n    The Remediation script to pair with this is: https:\/\/github.com\/harris-bowman\/RemediationScripts\/blob\/main\/Remediate_SecureBootRegKeys.ps1\n.LINK\n    https:\/\/support.microsoft.com\/en-us\/topic\/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#bkmk_how_keys_work_together\n    https:\/\/docs.microsoft.com\/en-us\/mem\/analytics\/proactive-remediations\n.NOTES\n    Version:        1.3\n    Creation Date:  2026-01-28\n    Last Updated:   2026-05-08\n    Author:         Harris Bowman (modified by PA)\n    Repository:     https:\/\/github.com\/harris-bowman\/RemediationScripts\n    Requires Local Admin Privileges: Yes\n\n    Changelog:\n        1.3 - Added detection for AvailableUpdates = 0x400 (stuck at boot manager stage).\n              Devices in this state loop on Event ID 1796 (0x800700c1) indefinitely and\n              require remediation to reset to 0x5944.\n#>\n\n$Path = 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\'\n$log = \"\"\n$fail = $false\n\n#Safeguard if certificates are already installed.\nif ((Get-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\Servicing' -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status -eq \"Updated\" -and (([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'))) {\n    Write-Host \"SecureBoot updates already installed successfully. 
No remediation needed.\"\n    exit 0\n}\n\n#Check the registry key SecureBoot exists.\nif (!(Test-Path $Path)) {\n    $log += \"SecureBoot registry path not found. \"\n    $fail = $true\n}\n\n#Check if HighConfidenceOptOut is not set to 0.\nif ((Get-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -ErrorAction SilentlyContinue).HighConfidenceOptOut -ne 0) {\n    $log += \"HighConfidenceOptOut is not set to 0. \"\n    $fail = $true\n}\n\n#Check if MicrosoftUpdateManagedOptIn is not set to 1.\nif ((Get-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn -ne 1) {\n    $log += \"MicrosoftUpdateManagedOptIn is not set to 1. \"\n    $fail = $true\n}\n\n#Check if AvailableUpdates doesn't exist, is set to 0, or is stuck at 0x400.\n$value = Get-ItemPropertyValue -Path $Path -Name 'AvailableUpdates' -ErrorAction SilentlyContinue\nif ($null -eq $value) {\n    $log += \"AvailableUpdates is not set. \"\n    $fail = $true\n} elseif ($value -eq 0) {\n    $log += \"AvailableUpdates is set to 0. \"\n    $fail = $true\n} elseif ($value -eq 0x400) {\n    $log += \"AvailableUpdates is stuck at 0x400 (boot manager stage without cert in DB). \"\n    $fail = $true\n}\n\n#If any of the above checks have set $fail to true: Remediation is needed, we Write-Host $log to send the report back to Intune Remediations and Exit 1.\n#If not, we Write-Host the current key values to send the report back to Intune Remediations and Exit 0.\nif ($fail) {\n    $log = \"Remediation Needed: \" + $log\n    Write-Host $log\n    exit 1\n} else {\n    $hkOO = (Get-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -ErrorAction SilentlyContinue).HighConfidenceOptOut\n    $mkMUI = (Get-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn\n    $auKey = (Get-ItemProperty -Path $Path -Name 'AvailableUpdates' -ErrorAction SilentlyContinue).AvailableUpdates\n    $auKeyvalHex = ('0x{0:X}' -f $auKey)\n    Write-Host \"All SecureBoot registry keys are correctly configured: HighConfidenceOptOut: $hkOO MicrosoftUpdateManagedOptIn: $mkMUI AvailableUpdates: $auKeyvalHex\"\n    exit 0\n}<\/code><\/pre>\n\n\n\n<p>The long-term fix seems to be disabling this cert:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><a class=\"w-fit\" href=\"https:\/\/cf.preview.redd.it\/bitlocker-recovery-prompt-on-every-reboot-after-uefi-ca-v0-jkj9rlltu3vg1.png?width=546&amp;format=png&amp;auto=webp&amp;s=706a228ccd5797d63274906e4e8a96c50c173c5b\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" src=\"https:\/\/cf.preview.redd.it\/bitlocker-recovery-prompt-on-every-reboot-after-uefi-ca-v0-jkj9rlltu3vg1.png?width=546&amp;format=png&amp;auto=webp&amp;s=706a228ccd5797d63274906e4e8a96c50c173c5b\" alt=\"Comment Image\"\/><\/a><\/figure>\n\n\n\n<p><a href=\"https:\/\/blog.mindcore.dk\/2026\/04\/secure-boot-certificate-update-intune\/\">Secure Boot Certificate Update &#8211; Making It Happen with Intune Remediations &#8211; Mindcore Techblog<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Start-ScheduledTask -TaskName 
&#8220;\\Microsoft\\Windows\\PI\\Secure-Boot-Update&#8221; [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match &#8216;Windows UEFI CA 2023&#8217; I found that in the BIOS of those laptops under &#8220;Security\\Secure Boot&#8221; the &#8220;Platform Mode&#8221; was &#8220;Setup [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-9615","post","type-post","status-publish","format-standard","hentry","category-research"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9615","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=9615"}],"version-history":[{"count":8,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9615\/revisions"}],"predecessor-version":[{"id":9626,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/9615\/revisions\/9626"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=9615"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=9615"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=9615"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
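The `-match 'Windows UEFI CA 2023'` check used at the top of the post and in the safeguard lines of the three Intune scripts works because the certificate's CN is stored as ASCII bytes inside the DER-encoded certificate, but it is a substring search over the whole db variable: it does not tell you which certificate matched, whether it is the CA or something else that merely contains the text, or when it expires. The following is an added example, not code from the post or from the harris-bowman RemediationScripts repository. It parses the db and KEK variables returned by `Get-SecureBootUEFI` as UEFI EFI_SIGNATURE_LIST structures and decodes each X.509 entry, so the question the detection scripts ask is answered from parsed certificate subjects, and it handles the legacy-BIOS case where `Get-SecureBootUEFI` throws and the scripts above would die on `GetString($null)`. Assumptions: an elevated PowerShell session on a UEFI system with Secure Boot; the two GUID constants are the UEFI-specification signature-type GUIDs; the function and property names are mine; the CA names other than 'Windows UEFI CA 2023' (Microsoft Windows Production PCA 2011, Microsoft Corporation KEK CA 2011, Microsoft Corporation KEK 2K CA 2023) are taken from Microsoft's Secure Boot certificate guidance and should be confirmed against the support article the scripts link before you rely on them.

```powershell
# Added example for this page (not from the post or the harris-bowman RemediationScripts repo).
# Parses the Secure Boot db and KEK variables into their EFI_SIGNATURE_LIST entries and decodes
# the X.509 certificates they carry, so "is the 2023 CA in the db?" is answered from a parsed
# certificate subject instead of an ASCII substring match over the raw variable bytes.
# Assumptions: elevated PowerShell on a UEFI system with Secure Boot; the two GUIDs are the
# UEFI-specification values of EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID; names are mine.

$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-SecureBootSignatureEntries {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('PK', 'KEK', 'db', 'dbx')]
        [string]$Variable
    )
    # Get-SecureBootUEFI throws on legacy BIOS or firmware without Secure Boot support; the
    # page's scripts would then hit GetString($null) and die, so turn it into a clear error here.
    try {
        $bytes = [byte[]](Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        throw "Cannot read Secure Boot variable '$Variable': $($_.Exception.Message)"
    }

    # The variable is a sequence of EFI_SIGNATURE_LIST structures (UEFI spec, little-endian):
    #   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
    #   | SignatureHeader[SignatureHeaderSize] | EFI_SIGNATURE_DATA[] (SignatureOwner GUID (16) + payload)
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        $listEnd  = $offset + $listSize
        # Refuse to parse past the end of a truncated or corrupt variable.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $listEnd -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in '$Variable' at offset $offset"
        }
        if ($sigType -eq $EfiCertX509Guid)       { $type = 'X509' }
        elseif ($sigType -eq $EfiCertSha256Guid) { $type = 'SHA256' }
        else                                     { $type = $sigType.ToString() }

        for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $listEnd; $p += $sigSize) {
            $payload = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
            $entry = [pscustomobject]@{
                Variable   = $Variable
                Type       = $type
                Owner      = [guid]::new([byte[]]$bytes[$p..($p + 15)])
                Subject    = $null
                Issuer     = $null
                NotAfter   = $null
                Thumbprint = $null
                Hash       = $null
            }
            if ($type -eq 'X509') {
                # DER-encoded certificate: decode it rather than string-searching its bytes.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($payload)
                $entry.Subject    = $cert.Subject
                $entry.Issuer     = $cert.Issuer
                $entry.NotAfter   = $cert.NotAfter
                $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq 'SHA256') {
                # dbx entries are mostly raw SHA-256 hashes of revoked binaries.
                $entry.Hash = [BitConverter]::ToString($payload).Replace('-', '').ToLowerInvariant()
            }
            $entry
        }
        $offset = $listEnd
    }
}

function Test-SecureBoot2023Ca {
    # Firmware-side view of what the registry-based detection scripts report. The CA names other
    # than 'Windows UEFI CA 2023' come from Microsoft's Secure Boot certificate guidance; confirm
    # them against the support article linked by the scripts before relying on them.
    $db  = @(Get-SecureBootSignatureEntries -Variable db)
    $kek = @(Get-SecureBootSignatureEntries -Variable KEK)
    [pscustomobject]@{
        DbHasWindowsUefiCa2023        = [bool]($db  | Where-Object { $_.Subject -match 'CN=Windows UEFI CA 2023' })
        DbHasWindowsProductionPca2011 = [bool]($db  | Where-Object { $_.Subject -match 'CN=Microsoft Windows Production PCA 2011' })
        KekHasMicrosoftKek2023        = [bool]($kek | Where-Object { $_.Subject -match 'CN=Microsoft Corporation KEK 2K CA 2023' })
        KekHasMicrosoftKek2011        = [bool]($kek | Where-Object { $_.Subject -match 'CN=Microsoft Corporation KEK CA 2011' })
        DbCertificates                = @($db | Where-Object Type -eq 'X509' | Select-Object Subject, NotAfter, Thumbprint)
    }
}

# Usage: every certificate in db with its expiry, then the summary the detection logic needs.
Get-SecureBootSignatureEntries -Variable db | Where-Object Type -eq 'X509' | Format-Table Subject, NotAfter, Thumbprint -AutoSize
Test-SecureBoot2023Ca | Format-List
```

Two points worth keeping in mind when pairing this with the scripts above. `UEFICA2023Status` under the Servicing key is Windows' own bookkeeping of the update, while the db variable is what the firmware will actually enforce at boot; the first detection script's `Updated` branch already checks both, and a parsed listing makes a mismatch (registry says done, firmware does not have the certificate) immediately visible rather than a silent fall-through to the error checks. And on a device with no UEFI Secure Boot support, `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` both throw; if you deploy a detection script to a mixed fleet, wrap that call in `try`/`catch` as above so the device reports a readable reason instead of a script error.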