# update_sb_certs.ps1
# Triggers the Microsoft Secure Boot update task (AvailableUpdates=0x5944)
# Logs to %TEMP%\SecureBootUpdate.log
# Intended to run under SYSTEM via management tooling.

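# Log location: %TEMP% of the account the script runs as (SYSTEM when launched
# by management tooling). $env:TEMP is an expression and must stay unquoted
# (or double-quoted): inside single quotes it is a literal string, so the
# script would create a relative directory under whatever the current
# working directory happens to be instead of using %TEMP%.
$LogDir  = $env:TEMP
$LogFile = Join-Path $LogDir 'SecureBootUpdate.log'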

# Process exit codes -- the only outcome signal the calling management tool
# receives, so each terminal path in the script ends in one of these.
$EXIT_OK              = 0   # trigger issued, or update already reported as applied
$EXIT_GENERIC_FAILURE = 1   # unhandled error, or UEFI/Secure Boot state undeterminable
$EXIT_NOT_UEFI        = 3   # system not booted in UEFI mode
$EXIT_SECUREBOOT_OFF  = 4   # UEFI, but Secure Boot not enabled/active
$EXIT_TASK_MISSING    = 5   # Secure-Boot-Update scheduled task not present

function Write-Log {
    <#
    .SYNOPSIS
        Appends one timestamped, level-tagged line to the script-scoped $LogFile.
    .PARAMETER Message
        Text to record. Mandatory and must be non-empty (an empty string fails
        parameter binding).
    .PARAMETER Level
        INFO (default), WARN or ERROR; anything else is rejected by ValidateSet.
    .NOTES
        Output format: "yyyy-MM-dd HH:mm:ss.fff [LEVEL] message", UTF-8.
        Relies on $LogFile being defined at script scope and its directory
        already existing; Add-Content creates the file itself if needed.
    #>
    param(
        [Parameter(Mandatory)][string]$Message,
        [ValidateSet('INFO','WARN','ERROR')][string]$Level = 'INFO'
    )
    $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss.fff'
    $line  = '{0} [{1}] {2}' -f $stamp, $Level, $Message
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
}

function Get-SecureBootState {
    <#
    .SYNOPSIS
        Determines whether the machine booted via UEFI and whether Secure Boot is on.
    .OUTPUTS
        [pscustomobject] with IsUefi, SecureBootEnabled, Source, Error.
        IsUefi / SecureBootEnabled are $true/$false when known and $null when
        neither probe could answer; Source names the probe that answered.
    .NOTES
        Probe order:
          1. Confirm-SecureBootUEFI. A "not supported" style failure is taken
             to mean a non-UEFI boot (IsUefi = $false).
          2. Any other failure falls back to the UEFISecureBootEnabled value
             under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State.
          3. If that also fails the result is 'Unknown' with both flags $null.
        Error always carries the first cmdlet's message once it has failed,
        even when the registry fallback succeeds.
    #>
    $state = [ordered]@{
        IsUefi            = $null
        SecureBootEnabled = $null
        Source            = 'Unknown'
        Error             = $null
    }

    try {
        $probe = Confirm-SecureBootUEFI
        $state.IsUefi            = $true
        $state.SecureBootEnabled = [bool]$probe
        $state.Source            = 'Confirm-SecureBootUEFI'
        return [pscustomobject]$state
    } catch {
        $reason = $_.Exception.Message
        $state.Error = $reason

        # The cmdlet refusing to run at all is treated as "not a UEFI boot".
        if ($reason -match 'not supported|cmdlet is not supported|requires UEFI') {
            $state.IsUefi            = $false
            $state.SecureBootEnabled = $false
            $state.Source            = 'Confirm-SecureBootUEFI (not supported)'
            return [pscustomobject]$state
        }

        # Secondary source: the kernel-maintained Secure Boot state key.
        try {
            $stateKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State'
            $props    = Get-ItemProperty -Path $stateKey -Name UEFISecureBootEnabled -ErrorAction Stop
            $state.IsUefi            = $true
            $state.SecureBootEnabled = ($props.UEFISecureBootEnabled -eq 1)
            $state.Source            = 'Registry UEFISecureBootEnabled'
        } catch {
            # Both probes failed: keep the 'Unknown' defaults (flags $null).
        }
        return [pscustomobject]$state
    }
}

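# ---------------------------------------------------------------------------
# Main flow: gate on UEFI + Secure Boot, arm AvailableUpdates, start the
# servicing task. Every path ends in an explicit `exit` because the process
# exit code is the only signal the calling management tool receives.
# `exit` inside `try` is not intercepted by the `catch` below.
# ---------------------------------------------------------------------------
try {
    # Write-Log only appends to the file; the directory has to exist first.
    if (-not (Test-Path $LogDir)) {
        New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
    }

    Write-Log "Starting Secure Boot 2023 certificate/boot manager update trigger (AvailableUpdates=0x5944)."

    # --- Preconditions: refuse to arm the update on a machine that cannot apply it.
    $sbState = Get-SecureBootState
    Write-Log ("SB Check Source: {0}" -f $sbState.Source)
    if ($sbState.Error) { Write-Log ("SB Check Note: {0}" -f $sbState.Error) 'WARN' }

    if ($sbState.IsUefi -eq $false) {
        Write-Log "System does not appear to be booted in UEFI mode. Cannot proceed." 'ERROR'
        exit $EXIT_NOT_UEFI
    }
    if ($sbState.SecureBootEnabled -eq $false) {
        Write-Log "Secure Boot is not enabled/active. Cannot proceed." 'ERROR'
        exit $EXIT_SECUREBOOT_OFF
    }
    # $null is neither -eq $true nor -eq $false, so an undeterminable state
    # slips past the two checks above and is caught here as a hard failure.
    if (($null -eq $sbState.IsUefi) -or ($null -eq $sbState.SecureBootEnabled)) {
        Write-Log "Unable to reliably determine UEFI/Secure Boot state. Failing to avoid false success." 'ERROR'
        exit $EXIT_GENERIC_FAILURE
    }

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    if (-not (Test-Path $regPath)) { throw "Registry path not found: $regPath" }

    # Short-circuit: the servicing task reports its progress under ...\Servicing.
    # "Updated" with no error (absent or 0) means there is nothing left to trigger.
    $svcPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $svcPath) {
        $svc = Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue
        if ($svc.UEFICA2023Status -eq 'Updated' -and (($null -eq $svc.UEFICA2023Error) -or ($svc.UEFICA2023Error -eq 0))) {
            Write-Log "UEFICA2023Status is already Updated; nothing to do."
            exit $EXIT_OK
        }
    }

    # The task is addressed by TaskPath + TaskName (not by a bare name).
    $taskPath = '\Microsoft\Windows\PI\'
    $taskName = 'Secure-Boot-Update'

    # Resolve the task BEFORE writing the registry so a missing task does not
    # leave a half-armed AvailableUpdates value behind.
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if (-not $task) {
        Write-Log "Scheduled task not found: $taskPath$taskName" 'ERROR'
        exit $EXIT_TASK_MISSING
    }

    # Arm the update. 0x5944 is the AvailableUpdates bitmask this script is
    # built around (see file header). -Force overwrites any existing value, so
    # read it back and fail loudly if the write did not land as expected.
    $desired = 0x5944
    New-ItemProperty -Path $regPath -Name 'AvailableUpdates' -PropertyType DWord -Value $desired -Force | Out-Null
    $actual = (Get-ItemProperty -Path $regPath -Name 'AvailableUpdates' -ErrorAction Stop).AvailableUpdates
    if ($actual -ne $desired) {
        throw ("AvailableUpdates read-back mismatch: expected 0x{0:X}, got 0x{1:X}" -f $desired, $actual)
    }
    Write-Log ("Set AvailableUpdates to 0x{0:X}" -f $actual)

    # Trigger the scheduled task.
    Write-Log "Starting scheduled task: $taskPath$taskName"
    Start-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction Stop
    Write-Log "Scheduled task started."

    # Snapshot status. Start-ScheduledTask does not wait for the task to run,
    # so these values are expected to reflect the state BEFORE this run; they
    # are recorded for later correlation, not as proof of success.
    if (Test-Path $svcPath) {
        $svc = Get-ItemProperty -Path $svcPath -ErrorAction SilentlyContinue
        if ($null -ne $svc.UEFICA2023Status) { Write-Log "UEFICA2023Status: $($svc.UEFICA2023Status)" }
        if ($null -ne $svc.UEFICA2023Error)  { Write-Log "UEFICA2023Error: $($svc.UEFICA2023Error)" }
        if ($null -ne $svc.WindowsUEFICA2023Capable) { Write-Log "WindowsUEFICA2023Capable: $($svc.WindowsUEFICA2023Capable)" }
    }

    Write-Log "Completed trigger run. Reboot may be required; task may need to run again post-reboot."
    exit $EXIT_OK
}
catch {
    $failure = $_
    # Logging can itself be the thing that failed (e.g. $LogDir not writable),
    # and Write-Log's [Mandatory] parameter rejects an empty string, so the log
    # calls are guarded: a second error here must not hide the exit code.
    try {
        Write-Log $failure.Exception.Message 'ERROR'
        if ($failure.ScriptStackTrace) { Write-Log $failure.ScriptStackTrace 'ERROR' }
    } catch {
        # Nothing further to do; fall through to stderr and the exit code.
    }
    # Also surface the reason on stderr so a caller capturing output sees it
    # even when the log file could not be written.
    [Console]::Error.WriteLine("ERROR: $($failure.Exception.Message)")
    exit $EXIT_GENERIC_FAILURE
}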