Event details
MicrosoftIf you have the latest updates on a device with Secure Boot enabled, you can see the history by running the following PowerShell command as an Administrator:
Get-SecureBootUEFI -Name dbx -Decoded
There are dates included.
Thank you. On the T5610, that appears to amount to 483 entries since 2018.
Since that is the dbx, that would be only the fixes of the kind I will not be receiving without an updated KEK.
Is there any way to get a number for the other type of fixes? These would be the fixes you described as "PCA2023(Windows UEFI CA 2023) - signs Windows boot loader updates - mainly security fixes."
Just wanted to follow up as I apply the custom keys to more machines.
We're a mostly Dell facility, and the Dell's seem to have no issue with Windows recognizing/utilizing the custom keys (and applying them thru Dell's own BIOS/UEFI, rather than a 3rd party utility). With the recent update, Secure Boot is even showing as cert-updated on the Dell machines within the Windows Security application. This is true going all the way back to the oldest machine I've tried (a Dell 9020).
We have a few HP's (z840 model), and the updates partially worked on them, but since they seem to be getting more flaky with age anyway, and we have so few of them, we've decided to retire them and replace with Dell 7810's.
Long story short, if you have Dell machines, you're probably in good shape if you can get your own custom keys made.
But I think I can reiterate - I think it would be really easy for MS to offer "custom" keys for people who wish to use them. They wouldn't have to offer any warranty, of course - "use at your own risk" - but it would save the lowly admin like me quite a few headaches.
Ok, I'll dig into a few of the dbx fixes and see if I can tell how big of a security risk they are in our environment. Thanks.
- Arden_White
Sorry, I don't know an easy way to find this.