Tag: SecureBoot

Simplified Fix Secure Boot Script for Easy VM Updates

I recently created 3 version of a FixSecureBoot script — a lightweight alternative inspired by the excellent work of haz-ard-9, the author of FixSecureBootBulk.ps1. Their script is powerful and absolutely the right choice if you rely on BitLocker or need a fully automated, safety‑first workflow.

However, at roughly 3,000 lines of code, the original script is understandably complex. It includes many checks and safeguards, which are great for production environments but made it harder for me to fully understand what was happening under the hood. I wanted something simpler, easier to read, and tailored to my own workflow.

So I took the time to study the original script, copied only the parts I needed, and built a much more compact version that gives me exactly the result I want — which show the verification step that every thing is correct updated.

What My Script Does

Here’s the full sequence of actions my simplified script performs:

1.Shuts down the VM
2.Creates a snapshot
3.Enables UEFI Setup Mode
4.Clears VMRAM (for older VMs)
5.Upgrades virtual hardware if the VM is below version 21 (vSphere 8)
6.Starts the VM and waits for VMware Tools
7.Checks that the guest OS is fully online
8.Downloads the required certificates (only once)
9.Uploads the two certificates to the VM if not exist
10.Installs the new boot certificates
11.Shuts down the VM and clears Setup Mode
12.Boots the VM and sets AvailableUpdates to 0x5944 (certs ready for install)
13.Reboots until AvailableUpdates becomes 0x4100 (may require multiple reboots)
14.Reboots and runs Secure-Boot-Update again
15.Reboots and runs Secure-Boot-Update again, then checks for Event ID 1808 (if found, everything is good)

I’ve tested this workflow successfully on:

 Windows 11 (23H2, 24H2, 25H2)
 Windows Server 2016, 2019, 2022, and 2025

Downloads
** link the links for downloading the original files from Microsoft Github page.

WindowsOEMDevicesPK.der
microsoft corporation kek 2k ca 2023.der

Rename microsoft corporation kek 2k ca 2023.der to kek2023.der

.

Current Limitation: Packer Integration

CLEAN PACKER BUILD IS NOT SAFE!! AFTER THE BUILD YOU NEED TO RUN FIX SECURE BOOT!!

I don’t yet have a complete fix for integrating this into a full Packer build. For now, I simply pre‑stage the certificates:

Build file:

provisioner “file” {

source = “./setup/SecurebootCert/”

destination = “C:/Windows/Temp”

}

I have build three versions:

Fix_Secure_Boot_Manual.ps1
Fix_Secure_Boot_Single.ps1
Fix_Secure_Boot_Multi.ps1

If you want a script that’s easier to read, easier to modify, and still gets the job done (as long as you’re not using BitLocker), this simplified version might be exactly what you need.

Let me know if you want me to share the script itself or write a follow‑up post about how it works internally.
.

.

Template Check if al ready Updated

If VM check if al ready updated

.

Run Script full from Template
.

Pages: Page 1, Page 2
Translate »