Using PowerShell, this is how we're detecting if the devices have updated their Secure Boot certificates. Is this valid code? Is there better code we should be using?

# Detect if 2023 KEK certificate is installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'

# Detect if 2023 DB (Windows) certificate is installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

# Detect if 2023 DB (Third Party) certificates are installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Option ROM UEFI CA 2023'

# Detect if boot files are signed by 2023 certificate

$efiPartition = Get-Partition | Where-Object {$_.GptType -eq "{C12A7328-F81F-11D2-BA4B-00A0C93EC93B}"}

Add-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath "S:"

$efiBootmgfw = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

$efiBootmgfw.Import("S:\EFI\Microsoft\Boot\bootmgfw.efi", $null, 'DefaultKeySet')

($efiBootmgfw | ? {$_.Subject -eq 'CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US'}) -ne $null

Remove-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath "S:"