Event details
Using PowerShell, this is how we're detecting if the devices have updated their Secure Boot certificates. Is this valid code? Is there better code we should be using?
# Run elevated: Get-SecureBootUEFI and the partition cmdlets need administrator rights, and Get-SecureBootUEFI throws on a legacy-BIOS (non-UEFI) machine.
# The DER-encoded certificates carry the subject CN as a PrintableString, so an ASCII decode of the raw variable bytes can be searched for the CA names; -match returns $true/$false.
# Detect if 2023 KEK certificate is installed
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
# Read the db variable once and reuse it for the three db checks
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
# Detect if 2023 DB (Windows) certificate is installed
$db -match 'Windows UEFI CA 2023'
# Detect if 2023 DB (Third Party) certificates are installed
$db -match 'Microsoft UEFI CA 2023'
$db -match 'Microsoft Option ROM UEFI CA 2023'
# Detect if boot files are signed by 2023 certificate
# Select the EFI System Partition by its GPT type GUID; the original assumed a single ESP, so take the first one if a multi-disk machine has several
$efiPartition = Get-Partition | Where-Object { $_.GptType -eq '{C12A7328-F81F-11D2-BA4B-00A0C93EC93B}' } | Select-Object -First 1
# S: must be a free drive letter; the mount is removed in finally even if the import fails
Add-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath 'S:'
try {
    # Import every certificate embedded in the Authenticode signature of bootmgfw.efi (leaf and CA)
    $efiBootmgfw = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $efiBootmgfw.Import('S:\EFI\Microsoft\Boot\bootmgfw.efi', $null, 'DefaultKeySet')
    # $true when the 2023 Windows UEFI CA is present in the signing chain
    $null -ne ($efiBootmgfw | Where-Object { $_.Subject -eq 'CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US' })
}
finally {
    Remove-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath 'S:'
}
Hi Bryant_Kintner, Our sample script for this task is published at Sample Secure Boot Inventory Data Collection script - Microsoft Support. We recommend using this as an example to use or start from, being careful to test and validate in your environment (and with the caveats listed in the script's NOTES section). Be sure to sign the script with your own signing cert as well.
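As an added example (not code from the original post and not Microsoft's sample script), the check below parses the Secure Boot variables structurally instead of ASCII-grepping them: it walks the EFI_SIGNATURE_LIST chain in KEK and db, decodes each X.509 entry, and reports which of the four 2023 CAs named above are present, whether bootmgfw.efi carries the 2023 Windows UEFI CA in its signature, and the earliest db certificate expiry. It assumes an elevated session on a UEFI machine with Secure Boot, that S: is a free drive letter, and the CA common names from the post; the function names are my own.

```powershell
# EFI_CERT_X509_GUID: signature-list type for DER X.509 certificates (UEFI spec)
$EFI_CERT_X509_GUID = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootVariableCertificate {
    # Walk the EFI_SIGNATURE_LIST chain in a Secure Boot variable and emit each X.509 entry.
    # Per list: SignatureType GUID(16) | SignatureListSize u32 | SignatureHeaderSize u32 |
    # SignatureSize u32 | header[SignatureHeaderSize] | N x (SignatureOwner GUID(16) + DER cert)
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        $listEnd    = $offset + $listSize
        if ($listSize -lt 28 -or $listEnd -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset"
        }
        if ($sigType -eq $EFI_CERT_X509_GUID -and $sigSize -gt 16) {
            for ($p = $offset + 28 + $headerSize; $p + $sigSize -le $listEnd; $p += $sigSize) {
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Owner      = [guid]::new([byte[]]$bytes[$p..($p + 15)])
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        # Hash lists (EFI_CERT_SHA256 entries in dbx) and other types are skipped, not parsed
        $offset = $listEnd
    }
}

function Get-BootManagerSignerSubject {
    # Mount the EFI System Partition, collect every certificate embedded in the Authenticode
    # signature of bootmgfw.efi, and return their subjects. The mount is removed in finally.
    param([string]$DriveLetter = 'S:')   # assumption: S: is unused on this machine
    $esp = Get-Partition |
        Where-Object { $_.GptType -eq '{C12A7328-F81F-11D2-BA4B-00A0C93EC93B}' } |
        Select-Object -First 1
    if (-not $esp) { throw 'No EFI System Partition found (legacy BIOS / MBR disk?)' }
    Add-PartitionAccessPath -DiskNumber $esp.DiskNumber -PartitionNumber $esp.PartitionNumber -AccessPath $DriveLetter
    try {
        $certs = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        $certs.Import("$DriveLetter\EFI\Microsoft\Boot\bootmgfw.efi", $null, 'DefaultKeySet')
        $certs | ForEach-Object { $_.Subject }
    }
    finally {
        Remove-PartitionAccessPath -DiskNumber $esp.DiskNumber -PartitionNumber $esp.PartitionNumber -AccessPath $DriveLetter
    }
}

function Get-SecureBoot2023Status {
    # One object per device summarising the rollout; pipe to Export-Csv for inventory
    $kek = Get-SecureBootVariableCertificate -Name KEK
    $db  = Get-SecureBootVariableCertificate -Name db
    $bootSubjects = Get-BootManagerSignerSubject
    # Match on the CN only so the comparison does not depend on the rest of the DN
    $has = { param($set, $cn) [bool]($set | Where-Object { $_.Subject -like "CN=$cn,*" }) }
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        SecureBootEnabled   = Confirm-SecureBootUEFI
        KEK_2023            = & $has $kek 'Microsoft Corporation KEK 2K CA 2023'
        DB_Windows_2023     = & $has $db  'Windows UEFI CA 2023'
        DB_ThirdParty_2023  = & $has $db  'Microsoft UEFI CA 2023'
        DB_OptionROM_2023   = & $has $db  'Microsoft Option ROM UEFI CA 2023'
        # The 2011-era Windows CA should still be present until it is revoked via dbx
        DB_Windows_2011     = & $has $db  'Microsoft Windows Production PCA 2011'
        BootMgr_Signed_2023 = [bool]($bootSubjects | Where-Object { $_ -like 'CN=Windows UEFI CA 2023,*' })
        # Earliest expiry in db: the 2011 CAs expire in 2026, which is what drives this rollout
        EarliestDbExpiry    = ($db | Sort-Object NotAfter | Select-Object -First 1).NotAfter
    }
}

Get-SecureBoot2023Status | Format-List
```

Parsing the signature lists rather than searching the raw bytes means a CA is only reported when a real X.509 entry with that subject exists, and it also exposes the SignatureOwner GUID and NotAfter date for each entry, which the ASCII-match approach cannot give you. The status object is designed to be collected per device and compared across the fleet.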