Detect-SecureBootCA2023SCCM.ps1

<#PSScriptInfo
.VERSION 1.0.0
.GUID 7f2b1f8c-9b66-4c8f-8e4a-12d4b9f0c3a1
.AUTHOR Mert Efe Kanlikilic
.COMPANYNAME mertefekanlikilic.com
.COPYRIGHT (c) 2026 Mert Efe Kanlikilic. All rights reserved.
.TAGS SecureBoot Windows11 SCCM ConfigMgr ConfigurationManager ComplianceBaseline SecureBootCertificate UEFI
.LICENSEURI https://github.com/kanlikilicmertefe
.PROJECTURI https://mertefekanlikilic.com
.ICONURI
.EXTERNALMODULEDEPENDENCIES
.REQUIREDSCRIPTS
.EXTERNALSCRIPTDEPENDENCIES
.RELEASENOTES
Initial release for SCCM / Configuration Manager Configuration Item discovery.
#>


<#
.SYNOPSIS
    Detects Secure Boot CA 2023 servicing state for SCCM / Configuration Manager Compliance Baselines.
 
.DESCRIPTION
    This discovery script evaluates the Secure Boot CA 2023 certificate update status on Windows 11 devices.
    It reads UEFI servicing registry values and returns a single string output suitable for SCCM CI rules.
 
    Possible return values:
        Compliant
        PendingRemediation
        PendingRestart
        ManualReview
        NotApplicable
 
    Recommended SCCM CI configuration:
        Setting type : Script
        Data type : String
        Rule : Equals "Compliant"
    With this rule every other return value, including NotApplicable, is evaluated as non-compliant.
 
.NOTES
    Author : Mert Efe Kanlikilic
    Website : https://mertefekanlikilic.com
    Run as : SYSTEM
    Host : 64-bit Windows PowerShell
 
    This script intentionally outputs only one value.
    Do not add logging or additional Write-Output statements when using it in SCCM.
#>


# --- Script starts here ---

# Registry location populated by Windows Secure Boot servicing. This script only reads it.
$ServicingKey = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing"

function Get-SecureBootCA2023State {
    <#
    .SYNOPSIS
        Evaluates the Secure Boot CA 2023 servicing state and returns exactly one
        of: Compliant, PendingRemediation, PendingRestart, ManualReview, NotApplicable.
    .OUTPUTS
        System.String
    #>

    # Devices where UEFI Secure Boot cannot be confirmed are out of scope. The cmdlet
    # failing (for example on legacy BIOS, or when it is not available to the host)
    # is treated the same as Secure Boot being disabled.
    try {
        $uefiSecureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    }
    catch {
        return "NotApplicable"
    }
    if (-not $uefiSecureBoot) {
        return "NotApplicable"
    }

    # The servicing key is written once the CA 2023 update has been staged; if it
    # cannot be read, remediation has not yet run on this device.
    try {
        $props   = Get-ItemProperty -Path $ServicingKey -ErrorAction Stop
        $state   = [string]$props.UEFICA2023Status
        $capable = [int]$props.WindowsUEFICA2023Capable
    }
    catch {
        return "PendingRemediation"
    }

    # Both the status string and the capability flag must agree before the device
    # is reported as Compliant (string comparison is case-insensitive, as in -eq).
    if ($state -eq "Updated") {
        if ($capable -eq 2) {
            return "Compliant"
        }
        return "ManualReview"
    }
    if ($state -eq "InProgress") {
        return "PendingRestart"
    }
    if ($state -eq "NotStarted") {
        return "PendingRemediation"
    }

    # Empty or unrecognised status values are never reported as Compliant.
    return "ManualReview"
}

# Exactly one output line: SCCM compares it against the CI rule (Equals "Compliant").
Write-Output (Get-SecureBootCA2023State)