My suggestion is to think about this in terms of how Microsoft is phasing the ecosystem forward:
- First, ensure supported Secure Boot devices establish trust to the 2023 certificates and the 2023-signed boot manager
- Next, move published media to consistently boot using the 2023-signed boot manager
- Then, add the PCA 2011 certificate to the DBX
Each of these stages takes time to roll out broadly. Enterprises can choose to move faster, based on their own readiness and risk posture.
From an SVN perspective, this becomes more relevant once devices are fully operating in the 2023 trust chain.
The new pattern is that when a security fix is made in the 2023-signed boot manager, the SVN is incremented in the boot manager, and a corresponding DBX update with that same SVN is published. Applying that DBX update in firmware enforces a minimum allowed SVN and helps protect against rollback to vulnerable boot manager versions.
That protection only works if all bootable media in the environment is updated to use a boot manager at or above the enforced SVN. Otherwise, older media may fail to boot, even though the device itself will continue to boot normally with an updated boot manager.
Customers who want to validate their current state can use the built-in Get-SecureBootSVN PowerShell cmdlet, which reports FirmwareSVN, BootManagerSVN, and StagedSVN along with a ComplianceStatus. This is useful for checking alignment once an organization begins managing SVN-based protections.
So, while SVN consistency checks are valuable, they are best viewed as a validation step after establishing the 2023 baseline, which is the current priority of the guidance and sample scripts.
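As an added example (not part of the reply above or of Microsoft's sample scripts), the following PowerShell checks which of the three rollout stages a device has reached, using only the built-in SecureBoot module and Get-AuthenticodeSignature. It assumes the EFI System Partition has been mounted at the drive letter passed in (for example with `mountvol S: /S` in an elevated shell) and that the boot manager lives at the usual `EFI\Microsoft\Boot\bootmgfw.efi`; both are assumptions, not facts taken from the reply. The substring match on the raw DB/DBX bytes works because the certificate subject names are stored as ASCII in the DER-encoded certificates inside the EFI_SIGNATURE_LIST. Stage 2 in the reply is about published media, which a device-local check cannot see; here it is approximated by the signer of the boot manager the device itself boots from, and the same Get-AuthenticodeSignature call can be pointed at the `bootmgfw.efi` on any install or recovery media to cover that part.

```powershell
# Added example, not code from the original post or from Microsoft's scripts.
# Reports how far a device has progressed through the three Secure Boot rollout
# stages: (1) DB trusts the 2023 CA, (2) the boot manager is 2023-signed,
# (3) the PCA 2011 CA is in DBX.
# Assumption: the ESP is mounted at $EspDrive (e.g. `mountvol S: /S`, elevated).
function Get-SecureBootRolloutStage {
    [CmdletBinding()]
    param(
        [string]$EspDrive = 'S:'
    )

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; let that surface.
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this device; nothing to evaluate.'
    }

    # db/dbx are EFI_SIGNATURE_LISTs containing DER certificates. Subject CNs
    # are ASCII PrintableStrings, so a substring match on the bytes is enough
    # to tell whether a given CA is present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    $trusts2023  = $db  -match 'Windows UEFI CA 2023'
    $revokes2011 = $dbx -match 'Microsoft Windows Production PCA 2011'

    # Which CA signed the boot manager this device actually boots from.
    $bootMgr = Join-Path $EspDrive 'EFI\Microsoft\Boot\bootmgfw.efi'
    $signer  = $null
    if (Test-Path $bootMgr) {
        $signer = (Get-AuthenticodeSignature -FilePath $bootMgr).SignerCertificate.Subject
    }
    $bootMgr2023 = [bool]($signer -and ($signer -match 'Windows UEFI CA 2023'))

    # Map the three facts onto the staged rollout: a higher stage only counts
    # if the earlier ones are also in place.
    $stage = if ($trusts2023 -and $bootMgr2023 -and $revokes2011) { 3 }
             elseif ($trusts2023 -and $bootMgr2023)               { 2 }
             elseif ($trusts2023)                                 { 1 }
             else                                                 { 0 }

    # The dangerous combination: the 2011 CA revoked while the device's own
    # boot manager is still signed only by it. Firmware will refuse to load
    # that binary on the next boot.
    $warning = $null
    if ($revokes2011 -and -not $bootMgr2023) {
        $warning = 'PCA 2011 is in DBX but bootmgfw.efi is not 2023-signed; this device will not boot after restart.'
    }

    [pscustomobject]@{
        Db_TrustsWindowsUefiCa2023 = $trusts2023
        Dbx_RevokesPca2011         = $revokes2011
        BootManagerSigner          = $signer
        BootManagerSignedBy2023CA  = $bootMgr2023
        RolloutStage               = $stage
        Warning                    = $warning
    }
}

# Usage: run from an elevated PowerShell after mounting the ESP.
Get-SecureBootRolloutStage -EspDrive 'S:'
```

A device at RolloutStage 1 has only established trust in the 2023 certificates; at stage 2 it boots from a 2023-signed boot manager and is where the reply says SVN enforcement starts to matter; at stage 3 the old PCA 2011 chain is revoked, so any media that has not been moved to the 2023-signed boot manager will no longer start on that device.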