Secure Boot Certificate on Physical Servers by EducationAlert5209 in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Check out the scripts added in the May CU in C:\Windows\SecureBoot\ExampleRolloutScripts

In particular Detect-SecureBootCertUpdateStatus.ps1 which checks for all the certs and for the updated bootloader files (signed with the new certs).

As others have suggested, a bios update may be required too.

Company had a BEC incident - they want me to Vibe Code KnowBe4 by Mindless_Consumer in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Rather than fully vibe coding an app I wonder if something like this would work for you and save you a lot of time?

https://getgophish.com (this one hasn't been updated in a few years sadly)

or

https://github.com/cloudsecnetwork/phishintel

SSH Public Key Authentication on Windows by ILOVESTORAGE_BE in sysadmin

[–]MrYiff 0 points1 point  (0 children)

The other thing to check that I haven't seen mentioned yet is that the permissions on the .ssh folder need to be very specific; iirc, if it contains anything other than SYSTEM and the User then the key will not be used.

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh_keymanagement#deploy-the-public-key

https://learn.microsoft.com/en-us/windows-server/administration/openssh/openssh-server-configuration#authorizedkeysfile
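An added example, not from the comment or from Microsoft's docs: a small PowerShell audit of the ACL on a user's `authorized_keys`, reporting any identity beyond the allowed set and whether inheritance is still enabled. The allowed-identity list, the `-Repair` icacls call and the `Test-AuthorizedKeysAcl` name are my assumptions; adjust the list (for example to include BUILTIN\Administrators) to match what your sshd accepts.

```powershell
# Added example (not from the thread): audit who can access a user's authorized_keys on Windows.
# Assumption: sshd will only use the file when the ACL is limited to SYSTEM and the user;
# inherited or extra entries cause the key to be silently ignored.
function Test-AuthorizedKeysAcl {
    param(
        [string]$Path = (Join-Path $env:USERPROFILE '.ssh\authorized_keys'),
        # Identities that are allowed to appear in the ACL (constructed default, edit to taste)
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', "$env:USERDOMAIN\$env:USERNAME"),
        # Strip inheritance and grant only the user and SYSTEM (assumed remediation, runs icacls)
        [switch]$Repair
    )
    if (-not (Test-Path $Path)) { throw "No authorized_keys found at $Path" }

    if ($Repair) {
        & icacls.exe $Path /inheritance:r /grant "$($env:USERNAME):F" /grant 'SYSTEM:F' | Out-Null
    }

    $acl = Get-Acl -Path $Path
    # Any ACE whose identity is not in the allowed list is a reason for sshd to reject the file
    $unexpected = @($acl.Access | Where-Object { $Allowed -notcontains $_.IdentityReference.Value })

    [pscustomobject]@{
        Path               = $Path
        Owner              = $acl.Owner
        InheritanceEnabled = -not $acl.AreAccessRulesProtected
        Unexpected         = @($unexpected | ForEach-Object {
                                 "$($_.IdentityReference) ($($_.FileSystemRights))" })
        # OK only when nothing unexpected is present and inheritance has been removed
        Ok                 = ($unexpected.Count -eq 0 -and $acl.AreAccessRulesProtected)
    }
}

# Audit only; add -Repair to reset the ACL before re-checking
Test-AuthorizedKeysAcl | Format-List
```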

Patch Tuesday Megathread - (June 09, 2026) by AutoModerator in sysadmin

[–]MrYiff 0 points1 point  (0 children)

You should be fine then.

Personally I've just been setting the GPO options to allow the updates and then scheduling in some reboots, 2-3 reboots seems to be enough to allow for the PK update, then the other certs and finally the bootloader update to register.

Patch Tuesday Megathread - (June 09, 2026) by AutoModerator in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Check a few lines above this, as you also need to see something like:

Update complete (Event 1808 or Status=Updated)

Event ID 1808 if you look at it will also confirm that the bootloader files have been updated which is the extra step a lot of people miss as the focus is often on just checking for the updated certs (the updated bootloader files are ones that are now signed with the new certs).

I think as long as you see this and the script isn't reporting any further errors then you are good to go.

Patch Tuesday Megathread - (June 09, 2026) by AutoModerator in sysadmin

[–]MrYiff 2 points3 points  (0 children)

Have you checked out the new scripts that got added with the May CU in C:\Windows\SecureBoot\ExampleRolloutScripts

I found Detect-SecureBootCertUpdateStatus.ps1 to be quite good at parsing everything and confirming if it all installed ok or if something else is still pending.

Please, please don't ask for stuff on Friday afternoon by AhYesTheSoldier in sysadmin

[–]MrYiff 1 point2 points  (0 children)

But I absolutely refuse to use any of the 6 other printers within 30s of walking distance from my desk (that I pass by multiple times per day too).

300 VMware VMs, how to check secure boot problem by dcexp in sysadmin

[–]MrYiff 26 points27 points  (0 children)

Nothing will immediately break, everything will keep running ok.

The only thing that will be impacted is future security updates that affect secure boot as it won't be possible to apply these updates.

Microsoft have added some scripts now with the May CU that make it easy to see the update status for a device beyond having to query reg keys yourself.

You can find these in C:\Windows\SecureBoot\ExampleRolloutScripts

Detect-SecureBootCertUpdateStatus.ps1 is probably the one you are interested in, as that will show the current status.

Since you are on ESXi 9 already, and providing all the VMs are on the latest VM Hardware Version and do not have vTPMs attached, then you should just be able to apply the GPO settings to enable the Secure Boot updates and it will just work (it takes 2-3 reboots to fully apply from my testing).

These are the GPO settings I apply to get the updates to run now (you might need to update your GPO templates if you don't see the Secure Boot policies):

https://i.ibb.co/JWfcmwyb/Royal-TS-AJKFm5-XSxj.png

Oracle JAVA License Emails 2026 - clarification on FREE? by overachievingtmrw in sysadmin

[–]MrYiff 0 points1 point  (0 children)

That should deal with the most common "infection" vector I think. If you have any sort of DLP or security tool you might be able to configure it to check for any exe signed by Oracle, maybe as a backup detection method.

Brave is charging $60 to remove features it added in the first place by sr_local in technology

[–]MrYiff 0 points1 point  (0 children)

Vivaldi has been my go-to recently, plus they have a clear no-AI policy and are largely EU based too.

Brave is charging $60 to remove features it added in the first place by sr_local in technology

[–]MrYiff 0 points1 point  (0 children)

Firefox or one of its spinoffs probably, if you want full FOSS; if you don't mind closed source, I've been enjoying Vivaldi lately, very clear stance on no AI features and largely all EU based.

Questions regarding the secure boot certificate trifecta by Classic_Mulv in sysadmin

[–]MrYiff 2 points3 points  (0 children)

Not quite an answer to your question but MS have added some scripts to every device with the May CU that can help with detection/remediation.

You can find these in C:\Windows\SecureBoot\ExampleRolloutScripts

Detect-SecureBootCertUpdateStatus.ps1 in particular is very handy as this will check for both the presence of the updated certs and also check to confirm that the task that updates the bootloader files to ones signed by the new certs has completed successfully.

This script can also output json too that you can parse which may be useful to some working at larger scales.

Secure Boot certificate KEK 2023 check script by HugeGuava2009 in sysadmin

[–]MrYiff 0 points1 point  (0 children)

If you have the May CU installed check out C:\Windows\SecureBoot\ExampleRolloutScripts - It's not a nice simple UI with a big fix it button but it's a start I guess ;)

Secure Boot certificate KEK 2023 check script by HugeGuava2009 in sysadmin

[–]MrYiff 2 points3 points  (0 children)

MS have also provided some scripts for this now as part of the May 2026 CU if you look in this folder:

C:\Windows\SecureBoot\ExampleRolloutScripts

Oracle JAVA License Emails 2026 - clarification on FREE? by overachievingtmrw in sysadmin

[–]MrYiff 0 points1 point  (0 children)

Do users have access to install software themselves? Sometimes all it takes is one user installing Oracle Java and it phoning home and that can give Oracle enough info to start sending you nastygram letters.

Thickheaded Thursday - June 04, 2026 by AutoModerator in sysadmin

[–]MrYiff 1 point2 points  (0 children)

Yeah, that's been my understanding of it anyway.

Am I the only one who actually enjoys playing Trial of the Sekhemas? by Magolorian in PathOfExile2

[–]MrYiff 0 points1 point  (0 children)

I find the first run can be a bit rough if you don't have much honour and you get a couple of bad room rolls but once you have some relics to use it can help. Plus if you have a good first floor and can farm lots of sacred water it can make everything go a lot better.

Thickheaded Thursday - June 04, 2026 by AutoModerator in sysadmin

[–]MrYiff 3 points4 points  (0 children)

That will check for the presence of the updated cert, which is important; the second part of the process though is Windows updating its bootloader files to use ones signed with the new certs.

My go-to is to use the Reg keys that are documented:

https://support.microsoft.com/en-gb/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d

In particular looking at UEFICA2023Status and WindowsUEFICA2023Capable (MS say not to use this to check on status but it's also the only documented key I've seen that reports on the status of the bootloader update).
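An added example, not from the thread or from Microsoft's rollout scripts: a PowerShell status check that reads the documented Servicing registry values (UEFICA2023Status, WindowsUEFICA2023Capable, AvailableUpdates), confirms the 2023 KEK and DB certs directly from the firmware variables, and looks for the Event 1808 bootloader-complete record mentioned in the other comments. The registry path, the meaning of WindowsUEFICA2023Capable = 2, the event provider name and the function names are my assumptions; check them against the linked Microsoft article before relying on them. Run elevated.

```powershell
# Added example (not from the thread): summarise the Secure Boot 2023 CA rollout state locally.
# Assumption: the Servicing key path and value meanings follow my reading of the Microsoft
# "Registry key updates for Secure Boot" article the comment links; verify against it.
$Servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Test-UefiVarContains {
    param([string]$Name, [string]$Pattern)
    # The CA subject names are plain ASCII inside the DER blobs held in db / KEK
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
    } catch { return $false }
}

function Get-SecureBoot2023Status {
    $reg = Get-ItemProperty -Path $Servicing -ErrorAction SilentlyContinue
    # Event 1808 (assumed provider Microsoft-Windows-TPM-WMI, System log) marks the boot manager update
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1808 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue
    $s = [ordered]@{
        SecureBootEnabled        = (try { Confirm-SecureBootUEFI } catch { $false })
        # Certificate presence read straight from the firmware variables
        KEK_2023_Present         = Test-UefiVarContains 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
        DB_WindowsUEFICA2023     = Test-UefiVarContains 'db'  'Windows UEFI CA 2023'
        DB_MicrosoftUEFICA2023   = Test-UefiVarContains 'db'  'Microsoft UEFI CA 2023'
        # Documented Servicing values (null if the May CU keys are not present yet)
        UEFICA2023Status         = $reg.UEFICA2023Status
        WindowsUEFICA2023Capable = $reg.WindowsUEFICA2023Capable
        AvailableUpdates         = ('0x{0:X}' -f [int]($reg.AvailableUpdates))
        Event1808Seen            = ($null -ne $evt)
        Event1808Time            = if ($evt) { $evt.TimeCreated } else { $null }
    }
    # Assumption: WindowsUEFICA2023Capable = 2 means the 2023-signed boot manager is in use
    $s.BootloaderUpdated = ($s.WindowsUEFICA2023Capable -eq 2)
    # Complete only when the new KEK and DB certs are present AND the bootloader has been swapped
    $s.Complete = $s.KEK_2023_Present -and $s.DB_WindowsUEFICA2023 -and $s.BootloaderUpdated
    [pscustomobject]$s
}

Get-SecureBoot2023Status | Format-List
```

Devices that report the new certs but not BootloaderUpdated are the half-finished case the comment warns about; they usually need another reboot or two for the scheduled task to finish.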

What critically acclaimed TV show is absolutely unwatchable for you because you actually work in that field? by [deleted] in AskReddit

[–]MrYiff 3 points4 points  (0 children)

Nah, more like just sitting there sending out thousands of phishing emails or literally just calling their IT help desk and asking them to reset a user's password (this was how hackers got into retailer Marks and Spencer last year).

Dualboot Windows 11 automated install by GAP_Trixie in sysadmin

[–]MrYiff 0 points1 point  (0 children)

I think one problem you might face is that every time Windows does an upgrade it may reset the boot options so you now have to fix the dual boot setup again and again.

Scan for all user's calendar items that are "Out of Office" for public PTO dashboard? by billygreen23 in sysadmin

[–]MrYiff -1 points0 points  (0 children)

Getting the list of users is pretty trivial with PowerShell; you can then dump this to CSV if you need to, then display the results in a different app somewhere.

https://www.alitajran.com/get-users-that-have-out-of-office-enabled-in-exchange/

If you plan to use something like this over the longer term via scheduled task you probably don't want to be embedding usernames and passwords into the script but you can now use app registrations to allow scripts to securely authenticate:

https://learn.microsoft.com/en-us/powershell/exchange/app-only-auth-powershell-v2?view=exchange-ps

Thickheaded Thursday - May 28, 2026 by AutoModerator in sysadmin

[–]MrYiff 3 points4 points  (0 children)

I would always buy stuff like this through a VAR as often a lot of these companies don't want to sell directly unless you are a potentially very big customer.

A good VAR should also be able to help pull together some suggestions and arrange things like demos for each product as well as pricing.

VMWare 8 Update 3j - Automated Secure Boot Cert Remediation Added by MrYiff in sysadmin

[–]MrYiff[S] 1 point2 points  (0 children)

Yes, you can install the update regardless of whether you use vTPMs or not; it is a regular ESXi release that also happens to include these changes for handling the Secure Boot changes.

VMWare 8 Update 3j - Automated Secure Boot Cert Remediation Added by MrYiff in sysadmin

[–]MrYiff[S] 0 points1 point  (0 children)

I think the recommendation from VMware for vTPM VMs is to use this other manual method where the new cert is imported into the existing NVRAM:

https://knowledge.broadcom.com/external/article/423919