Checking for updated TPM Secure Boot Certificates


Mike Leone

May 14, 2026, 2:40:25 PM
to NTPowershell Mailing List
I'm curious as to how everyone is checking on the status of updated TPM Secure Boot Certificates. I came across this new PowerShell cmdlet (run as administrator):

> get-help  Confirm-SecureBootUEFI

NAME
    Confirm-SecureBootUEFI

SYNOPSIS
    Confirms that Secure Boot is enabled by checking the Secure Boot status on the local computer.


SYNTAX
    Confirm-SecureBootUEFI [<CommonParameters>]


DESCRIPTION
    The Confirm-SecureBootUEFI cmdlet confirms that Secure Boot is enabled by checking the Secure Boot status on a UEFI computer.

    If the computer supports Secure Boot and Secure Boot is enabled, this cmdlet returns $True.

    If the computer supports Secure Boot and Secure Boot is disabled, this cmdlet returns $False.

--------------------------

Great!  And on my privileged VM, it does show TRUE, so I do have them on that Win 11 VM.
And I see the green tick on "Secure Boot" in "Device Security" on my VM.

So I decided to write this PowerShell script (we don't use Intune). This is just a snippet; there's more checking to see if the computer can be contacted, etc.

$AllMemberServers = Get-ADComputer -Filter * -SearchBase "OU=Priv_VMs,OU=Privileged_Accounts,OU=ISM,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov" -Properties Name |
    Sort-Object -Property Name |
    Select-Object -ExpandProperty Name

ForEach ($MemberServer in $AllMemberServers) {
    $Check_for_TPM_certificates = $FALSE
    IF (Test-Connection -ComputerName $MemberServer -Count 1 -Quiet) {
        Invoke-Command -ComputerName $MemberServer -ScriptBlock {
            $Check_for_TPM_certificates = Confirm-SecureBootUEFI
        }
    }
    # (rest of the loop body not included in the post)
}

But the result ( $Check_for_TPM_certificates )  seems to come back FALSE, even on ones that show TRUE if I log directly onto the host and run the same Powershell command ... 

Perhaps because the command must be run as ADMIN? 

What am I missing here? The script should show TRUE when it runs on my priv VM, but even there this script shows FALSE, even though the command (Confirm-SecureBootUEFI) shows TRUE if I just run the command in an elevated PowerShell session.




--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

Wright, John M

May 14, 2026, 2:43:02 PM
to ntpowe...@googlegroups.com

This is what I used:

Install-Module -Name UEFIv2
Import-Module -Name UEFIv2
(Get-UEFISecureBootCerts db).signature

--

John Wright

IT Support Specialist

1800 Old Bluegrass Avenue, Louisville, KY 40215

502.708.9953

Please submit IT requests to Hazelwoo...@bluegrass.org

24 Hour Helpline 1.800.928.8000

  

CONFIDENTIALITY NOTICE: This message contains confidential information and is intended only for the individual(s) addressed in the message. If you are not the named addressee, you should not disseminate, distribute, or copy this e-mail. If you are not the intended recipient, you are notified that disclosing, distributing, or copying this e-mail is strictly prohibited.

 

From: ntpowe...@googlegroups.com <ntpowe...@googlegroups.com> On Behalf Of Mike Leone
Sent: Thursday, May 14, 2026 2:40 PM
To: NTPowershell Mailing List <ntpowe...@googlegroups.com>
Subject: [ntpowershell] Checking for updated TPM Secure Boot Certificates

 

--
You received this message because you are subscribed to the Google Groups "ntpowershell" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntpowershell...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/ntpowershell/CAHBr%2B%2BhAVotJnVTqzENV48GYX1TDXWwEmq59VwUSfi9uiS8YTA%40mail.gmail.com.

Mike Leone

May 14, 2026, 3:26:18 PM
to ntpowe...@googlegroups.com
On Thu, May 14, 2026 at 2:43 PM Wright, John M <John....@newvista.org> wrote:

This is what I used:

Install-Module -Name UEFIv2
Import-Module -Name UEFIv2
(Get-UEFISecureBootCerts db).signature


You did all that remotely? And you had this module in a location available to all hosts, so it could be installed and imported?

 

Wright, John M

May 14, 2026, 3:48:38 PM
to ntpowe...@googlegroups.com

I didn’t do it remotely.  I’m not sure why it would make a difference.  Can’t you connect with Remote Management?

 

The module is in the PowerShell Gallery.

Mike Leone

May 14, 2026, 4:17:52 PM
to NTPowershell Mailing List


On Thu, May 14, 2026, 3:48 PM Wright, John M <John....@newvista.org> wrote:

I didn’t do it remotely.  I’m not sure why it would make a difference.  Can’t you connect with Remote Management?


I want to run a script and check everything, there are many machines. That command only executes locally, apparently.

 

The module is in Powershell Gallery.


We don't allow the servers access to the Internet, so the Gallery is out. I do keep a local repository; I could publish the module to it, then install the module as you do, on each, that way, in the script block. After registering the local repository, of course.

I'll look into it, thanks.

Wright, John M

May 14, 2026, 4:20:59 PM
to ntpowe...@googlegroups.com

For the remote query of numerous machines, you can wrap it like this:

Foreach ($c in $computers)
{
    Invoke-command -computername $c -scriptblock { foo }
}

Wright, John M

May 14, 2026, 4:21:38 PM
to ntpowe...@googlegroups.com

Well, and you’ll have to add some lines to pull down the module and install it, etc., of course.

 


Mike Leone

May 14, 2026, 4:26:12 PM
to ntpowe...@googlegroups.com
On Thu, May 14, 2026 at 4:21 PM Wright, John M <John....@newvista.org> wrote:

For the remote query of numerous machines, you can wrap it like this:

Foreach ($c in $computers)
{
    Invoke-command -computername $c -scriptblock { foo }
}


This is what I am doing. LOL ... see my original message. That is what is not working. Always shows false, even when I run the command locally and get a TRUE.

Mike Leone

May 14, 2026, 4:30:36 PM
to ntpowe...@googlegroups.com
On Thu, May 14, 2026 at 4:21 PM Wright, John M <John....@newvista.org> wrote:

Well, and you’ll have to add some lines to pull down the module and install it, etc., of course.


I know ...

I have this, in my personal profile:

# Connect to local repository, so that we can load modules, in case they are not installed locally
$LocalRepoLocation  = "\\DC1FIL020\netadmin\PHA_PS_Internal_Repository"
$LocalRepoName      = "PHA Internal PSRepository"
$NuGetLocation      = "\\DC1FIL020\netadmin\PHA_PS_Internal_Repository\nuget"
$LocalNuGetLocation = "C:\Program Files\PackageManagement\ProviderAssemblies"
# $ModuleName = "PSWindowsUpdate"

Write-Host -ForegroundColor Green "Checking PHA Internal PSRepository registered .." -NoNewLine
# Match on the repository name rather than the whole object's string form
IF ((Get-PSRepository | Where-Object { $_.Name -match "Internal" }) -eq $null) {
    Write-Host -ForegroundColor Green "---- Internal Repository not present"
    Write-Host -ForegroundColor Green "Copying, then Installing PackageProvider"
    # Copy the NuGet package provider files from the network share to the local machine
    $FileExists = Test-Path $LocalNuGetLocation
    IF ($FileExists -NE $True) {
        Write-Host -ForegroundColor Green "Copying over the NuGet files"
        Copy-Item -Path $NuGetLocation -Recurse -Destination $LocalNuGetLocation -Container
    }
    Import-PackageProvider -Name NuGet -RequiredVersion 2.855.208
    Write-Host -ForegroundColor Green "Registering PSRepository"
    Register-PSRepository -Name $LocalRepoName -SourceLocation $LocalRepoLocation -InstallationPolicy Trusted
} ELSE {
    Write-Host -ForegroundColor Green "Internal PHA PSRepository already installed and configured"
}

I'd have to do something similar in the script block, and I may need to update my NuGet version; I haven't used this local repository for a while, but I did copy these packages to that repository:

PS P:\temp> Find-Module -Repository "PHA Internal PSRepository"

Version              Name                                Repository           Description
-------              ----                                ----------           -----------
4.2.6                NTFSSecurity                        PHA Internal PSRe... Windows PowerShell Module for managing file and folder security on NTFS volumes
3.0.1                Posh-SSH                            PHA Internal PSRe... Provide SSH and SCP functionality for executing commands against remote hosts.
2.1.1.2              PSWindowsUpdate                     PHA Internal PSRe... This module contain cmdlets to manage Windows Update Client.
3.0.0                UEFIv2                              PHA Internal PSRe... Module for interacting with UEFI from PowerShell

 

Wright, John M

May 15, 2026, 7:26:03 AM
to ntpowe...@googlegroups.com

Sorry, I missed that because it was further down.  But I see the problem.

 

$Check_for_TPM_certificates is set to $FALSE.  Therefore if Confirm-SecureBootUEFI returns true, your comparison (=) amounts to this.

$FALSE = $TRUE

Which is false.  That's the reason for the discrepancy.

   $Check_for_TPM_certificates = $FALSE
    IF (Test-Connection -ComputerName $MemberServer -Count 1 -Quiet) {
        Invoke-Command -ComputerName $MemberServer -ScriptBlock {
             $Check_for_TPM_certificates = Confirm-SecureBootUEFI

 


Wright, John M

May 15, 2026, 7:34:52 AM
to ntpowe...@googlegroups.com

Doh!  Too early and not enough coffee.  It's not a comparison.  That would be -eq.

Okay, fine.  Let me try running this and see what I get.

 


Wright, John M

May 15, 2026, 7:43:23 AM
to ntpowe...@googlegroups.com

All right.  Try this.  It sets the value of the variable by setting it by the output of invoke-command rather than trying to set it within the script block.

 

For me, this returns True.  😊

$script:Check_for_TPM_certificates = $FALSE
IF (Test-Connection -ComputerName $Computer -Count 1 -Quiet) {
    $script:Check_for_TPM_certificates = Invoke-Command -ComputerName $Computer -ScriptBlock { Confirm-SecureBootUEFI }
}

$Check_for_TPM_certificates

Mike Leone

May 15, 2026, 9:24:37 AM
to ntpowe...@googlegroups.com
On Fri, May 15, 2026 at 7:43 AM Wright, John M <John....@newvista.org> wrote:

All right.  Try this.  It sets the value of the variable by setting it by the output of invoke-command rather than trying to set it within the script block.

 

For me, this returns True.  😊

$script:Check_for_TPM_certificates = $FALSE
IF (Test-Connection -ComputerName $Computer -Count 1 -Quiet) {
    $script:Check_for_TPM_certificates = Invoke-Command -ComputerName $Computer -ScriptBlock { Confirm-SecureBootUEFI }
}

$Check_for_TPM_certificates



Now I get TRUE on all of them. I will have to double-check, but that looks more right. I need to save the status, to later make and mail a report, but that seems to be the right track.

Thanks!
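Added example, not code from the thread and not John's or Mike's script: a version of the check that keeps each host's result as an object, for the report Mike mentions, built on the capture-the-output fix above. It assumes WinRM access to the hosts and resolvable names, and it uses Get-SecureBootUEFI from the same built-in SecureBoot module as Confirm-SecureBootUEFI, so no Gallery module is needed. Because Confirm-SecureBootUEFI only reports whether Secure Boot is enabled (as its help text earlier in the thread says), the example additionally searches the db variable for the subject string 'Windows UEFI CA 2023', the name of Microsoft's 2023 UEFI CA; treating that string as the marker of the updated certificate is this example's assumption.

```powershell
# Added example, not code from the thread. Assumes WinRM access to each host,
# that the names resolve, and that the updated Microsoft signing CA can be
# recognised by the subject string 'Windows UEFI CA 2023' inside the db variable.
function Get-SecureBootReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    # The remote side must *emit* what it finds; an assignment inside this
    # block lives in the remote session and never reaches the caller.
    $remoteCheck = {
        $enabled = $false
        $has2023 = $false
        $err     = $null
        try {
            # Only tells us Secure Boot is on. It errors on a machine without
            # UEFI Secure Boot, which the catch records instead of reporting $false.
            $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
            # Built-in SecureBoot module: read the allowed-signers database (db)
            # and look for the 2023 CA's subject name in the raw certificate bytes.
            $dbBytes = (Get-SecureBootUEFI -Name db -ErrorAction Stop).Bytes
            $has2023 = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
        } catch {
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            SecureBootEnabled = $enabled
            Has2023CA         = $has2023
            Error             = $err
        }
    }

    foreach ($c in $ComputerName) {
        $row = [ordered]@{
            ComputerName      = $c
            Reachable         = $false
            SecureBootEnabled = $null
            Has2023CA         = $null
            Error             = $null
        }
        if (Test-Connection -ComputerName $c -Count 1 -Quiet) {
            $row.Reachable = $true
            try {
                # The block's output is the only thing that comes back.
                $r = Invoke-Command -ComputerName $c -ScriptBlock $remoteCheck -ErrorAction Stop
                $row.SecureBootEnabled = $r.SecureBootEnabled
                $row.Has2023CA         = $r.Has2023CA
                $row.Error             = $r.Error
            } catch {
                # WinRM, authentication or other connection failure
                $row.Error = $_.Exception.Message
            }
        } else {
            $row.Error = 'No ping reply'
        }
        [pscustomobject]$row
    }
}

# Usage with the $AllMemberServers list from the original post; the CSV path
# is a placeholder. Keep the objects, then build the report from them.
$report = Get-SecureBootReport -ComputerName $AllMemberServers
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.SecureBootEnabled -or -not $_.Has2023CA } |
    Export-Csv -Path '.\SecureBootReport.csv' -NoTypeInformation
```

Nothing is assigned across the session boundary: the remote block emits one object and the caller stores it. Hosts that fail the ping, fail to connect over WinRM, or error inside the block stay in the report with the error text rather than being silently recorded as FALSE, which is the distinction a compliance report needs.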

 

Mike Leone

May 15, 2026, 10:47:17 AM
to ntpowe...@googlegroups.com
Oh, and BTW ... THANKS! for pointing me to this:

$script:Check_for_TPM_certificates = Invoke-Command -ComputerName $MemberServer -ScriptBlock { Confirm-SecureBootUEFI }

I never set variables that way ($script: ....). I didn't even know you could use the "script" parameter like that. Learn something new from this list every day!

Thanks!

Michael B. Smith

May 15, 2026, 10:52:51 AM
to ntpowe...@googlegroups.com

In a PowerShell session enter “help about_scopes”. There are several.
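Added example, not from the thread, showing the scope rules that about_scopes documents as they apply to the script above. Invoke-Command without -ComputerName runs the block locally in a child scope, which is enough to show the behaviour: a plain assignment inside the block creates a child-scope variable and leaves the caller's untouched, which is why the first script always saw $FALSE; the fix works because it captures the block's output. The $script: modifier reaches the caller's variable only when the block runs in the same session; with -ComputerName the block runs on the remote computer and only its output comes back.

```powershell
# Added example, not code from the thread: the three outcomes of setting a
# variable from inside a script block. Invoke-Command without -ComputerName
# runs the block locally in a child scope, which is enough to show the rule.
$script:Status = 'unset'

function Test-ScopeBehavior {
    # 1. Plain assignment inside the block creates a new variable in the
    #    child scope; the caller's $Status keeps its value.
    $Status = 'before'
    Invoke-Command -ScriptBlock { $Status = 'set inside block' }
    $afterPlain = $Status

    # 2. Capturing the block's output is what carries a value back, locally
    #    and across -ComputerName alike (this is what the fix in the thread does).
    $Status = Invoke-Command -ScriptBlock { 'set from output' }
    $afterOutput = $Status

    # 3. The $script: modifier reaches the script-level variable from inside
    #    the block, but only because the block runs in this same session; on a
    #    remote computer it would set a variable in the remote session instead.
    Invoke-Command -ScriptBlock { $script:Status = 'set via script scope' }
    $afterScript = $script:Status

    [pscustomobject]@{
        PlainAssignment = $afterPlain
        CapturedOutput  = $afterOutput
        ScriptScope     = $afterScript
    }
}

Test-ScopeBehavior
```

Run it as a .ps1 file so that $script: refers to the file's scope; at an interactive prompt the script scope is the global scope, and the result is the same.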
