Hello,
Could we get specific and precise requirements on the expected Secure Boot variables' states for each of the 4 steps of the revocation (adding CA 2023, replacing Boot Manager, revoking PCA 2011, updating SVN)?
For each of these steps, is the scheduled task expecting any specific state such as:
- Secure Boot variable update date (datetime of when the variable was initialised, e.g. with: Set-SecureBootUEFI -Time ...)
- Secure Boot variable content: what is the minimum set of certificates/hashes required to start the 4-step update? Are there any more needed than MS KEK 2011 in KEK, MS Production PCA 2011 in DB and up-to-date hashes in DBX?
- Secure Boot variable content GUID: is there a hidden requirement for Microsoft certificates and DBX hashes to be under EFI signature lists with GUID 77fa9abd-0359-4d32-bd60-28f4e78f784b?
- SVN verification: When applying step 4, are there any other system changes than boot manager identifiers being added to the DBX? For example 01612B139DD5598843AB1C185C3CB2EB92000007000000000000000000000000 to ensure bootmgfw.efi with version 7.0.
I have seen strange behaviors of the DBX not being reachable anymore through GetFirmwareEnvironmentVariableA when MS certificates were not added with the previously mentioned GUID for example. I'd like to know if any requirements on the system are checked through the scheduled task but not documented online.
Thank you
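As an added example (not part of the question above, and not Microsoft's tooling), the following parser walks a Secure Boot variable payload as a sequence of EFI_SIGNATURE_LIST structures and reports, per entry, the signature type, the SignatureOwner GUID and the data. It lets an administrator check two of the points raised: whether every Microsoft entry in DB/DBX actually sits under the 77fa9abd-0359-4d32-bd60-28f4e78f784b owner GUID, and whether a given DBX hash (here the SVN entry quoted in the question) is present. The DBX blob below is constructed inline for the example; the assumption is that on a real system the bytes would be exported with, for instance, `(Get-SecureBootUEFI -Name dbx).Bytes` and saved to a file.

```python
import struct
import uuid

# Signature type GUIDs as defined in the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# SignatureOwner GUID Microsoft uses for its entries (quoted in the question).
MS_OWNER_GUID = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")
# Constructed placeholder owner for an entry that is NOT under the Microsoft GUID.
OTHER_OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-00000000beef")
# The DBX SVN-style entry quoted in the question (32-byte SHA256 field).
SVN_HASH_FROM_POST = bytes.fromhex(
    "01612B139DD5598843AB1C185C3CB2EB92000007000000000000000000000000")

ESL_HEADER_SIZE = 28  # SignatureType(16) + ListSize(4) + HeaderSize(4) + SignatureSize(4)


def parse_signature_lists(blob):
    """Parse consecutive EFI_SIGNATURE_LIST structures into a flat entry list.

    Each entry is {"type": GUID, "owner": GUID, "data": bytes}. Malformed
    sizes raise ValueError rather than silently skipping data, because a
    truncated or inconsistent DBX is exactly what an auditor wants to notice.
    """
    entries = []
    off = 0
    while off < len(blob):
        if len(blob) - off < ESL_HEADER_SIZE:
            raise ValueError("truncated EFI_SIGNATURE_LIST header at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < ESL_HEADER_SIZE + hdr_size or off + list_size > len(blob):
            raise ValueError("bad SignatureListSize %d at offset %d" % (list_size, off))
        if sig_size <= 16:  # SignatureOwner alone is 16 bytes; data must follow
            raise ValueError("bad SignatureSize %d at offset %d" % (sig_size, off))
        body = blob[off + ESL_HEADER_SIZE + hdr_size: off + list_size]
        if len(body) % sig_size != 0:
            raise ValueError("signature array not a multiple of SignatureSize at %d" % off)
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            entries.append({"type": sig_type, "owner": owner, "data": body[i + 16:i + sig_size]})
        off += list_size
    return entries


def build_signature_list(sig_type, owner, datas):
    """Build one EFI_SIGNATURE_LIST (no SignatureHeader); used to construct the sample."""
    sig_size = 16 + len(datas[0])
    body = b"".join(owner.bytes_le + d for d in datas)
    header = sig_type.bytes_le + struct.pack("<III", ESL_HEADER_SIZE + len(body), 0, sig_size)
    return header + body


def has_hash(entries, digest):
    """True if a SHA256-type entry with exactly this 32-byte field exists."""
    return any(e["type"] == EFI_CERT_SHA256_GUID and e["data"] == digest for e in entries)


def audit(entries, expected_owner=MS_OWNER_GUID):
    """Summarise owner GUID usage so mismatches against the expected owner stand out."""
    return {
        "total": len(entries),
        "sha256": sum(1 for e in entries if e["type"] == EFI_CERT_SHA256_GUID),
        "x509": sum(1 for e in entries if e["type"] == EFI_CERT_X509_GUID),
        "foreign_owner_entries": sum(1 for e in entries if e["owner"] != expected_owner),
    }


# Constructed sample DBX: one Microsoft-owned SHA256 list holding the SVN entry
# from the question, one SHA256 list under a different owner, and one X509 list
# with placeholder (not real certificate) bytes under the Microsoft owner.
SAMPLE_DBX = (
    build_signature_list(EFI_CERT_SHA256_GUID, MS_OWNER_GUID, [SVN_HASH_FROM_POST])
    + build_signature_list(EFI_CERT_SHA256_GUID, OTHER_OWNER_GUID, [b"\x11" * 32])
    + build_signature_list(EFI_CERT_X509_GUID, MS_OWNER_GUID, [b"\x30\x03\x02\x01\x01"])
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DBX
    parsed = parse_signature_lists(data)
    for e in parsed:
        print(e["type"], e["owner"], e["data"].hex()[:32])
    print(audit(parsed))
    print("SVN entry present:", has_hash(parsed, SVN_HASH_FROM_POST))
```

Run it with a path to an exported variable file to audit a real DB or DBX, or without arguments to see the constructed sample; a non-zero `foreign_owner_entries` count on DB flags exactly the owner-GUID situation the question describes.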