Created
March 13, 2026 20:19
PowerShell script to determine the Secure Boot certificate update confidence level of a device based on the local copy of the High Confidence database provided by Microsoft.
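############################################################################################################################
## PowerShell script to determine the Secure Boot certificate update confidence level of a device based on the local copy ##
## of the High Confidence database provided by Microsoft.                                                                 ##
############################################################################################################################
#Requires -RunAsAdministrator
#Requires -Version 7

# Locate the BucketConfidenceData CAB file. When more than one CAB is present, the most recently written one is used.
# NOTE(review): the CAB is read from %SystemRoot%\System32\SecureBootUpdates, which is normally not writable by standard
# users; if this path is ever made configurable, validate the CAB's Authenticode signature (Get-AuthenticodeSignature)
# before trusting its contents.
$confidenceCab = @(Get-ChildItem -Path "$env:SystemRoot\System32\SecureBootUpdates" -Filter *.cab -ErrorAction SilentlyContinue)
if ($confidenceCab.Count -eq 0)
{
    Write-Warning "No BucketConfidenceData CAB file found in the specified directory."
    exit
}
$cabFile = $confidenceCab |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 1 -ExpandProperty FullName

# Use a unique, per-run working directory rather than a fixed name under %TEMP%, so a stale or foreign directory with a
# predictable name is never deleted or parsed by this script.
$workDir = Join-Path -Path $env:TEMP -ChildPath "ConfidenceData_$([guid]::NewGuid().ToString('N'))"

# Accumulated bucket hashes from every OEM entry across all data files.
$highConfidenceBuckets = [System.Collections.Generic.List[object]]::new()
$underObservationBuckets = [System.Collections.Generic.List[object]]::new()

# Database metadata; left $null when BucketConfidenceMetadata.json is absent or has no Header.
$timestamp = $null
$version = $null

try
{
    # Expand the CAB file into the working directory
    try
    {
        $null = New-Item -Path $workDir -ItemType Directory -ErrorAction Stop
        # expand.exe is a native command: a non-zero exit code does not raise a terminating error on its own,
        # so the exit code has to be checked explicitly or a failed extraction would go unnoticed.
        $expandOutput = & expand.exe -F:* $cabFile $workDir 2>&1
        if ($LASTEXITCODE -ne 0)
        {
            throw "expand.exe returned exit code $LASTEXITCODE. Output: $($expandOutput -join ' ')"
        }
    }
    catch
    {
        throw "Failed to expand the CAB file. Error: $_"
    }

    # Data files only; BucketConfidenceMetadata.json is read separately below
    $allJsonFiles = @(Get-ChildItem -Path $workDir -Filter *.json -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -notlike "BucketConfidence*.json" })
    if ($allJsonFiles.Count -eq 0)
    {
        Write-Warning "No JSON files found in the extracted CAB file."
        exit
    }

    # Get the database metadata from the BucketConfidenceMetadata.json file
    $metadataFilePath = Join-Path -Path $workDir -ChildPath "BucketConfidenceMetadata.json"
    if (Test-Path -Path $metadataFilePath)
    {
        $metadataContent = Get-Content -Path $metadataFilePath -Raw | ConvertFrom-Json -AsHashtable
        #$knownOEMs = $metadataContent.KnownOEMs
        $header = $metadataContent.Header
        if ($null -ne $header)
        {
            $timestamp = $header.Timestamp.ToString("yyyy-MMM-dd")
            $version = $header.Version
        }
    }
    else
    {
        Write-Warning "BucketConfidenceMetadata.json file not found in the extracted CAB file."
    }

    # Extract the confidence data: each file holds OEMEntries keyed by OEM, each with optional bucket lists per level
    foreach ($file in $allJsonFiles)
    {
        try
        {
            $confidenceData = Get-Content -Path $file.FullName -Raw | ConvertFrom-Json -AsHashtable
            foreach ($OEM in @($confidenceData.OEMEntries.Keys))
            {
                $deviceConfidenceData = $confidenceData.OEMEntries["$OEM"]
                if (-not $deviceConfidenceData)
                {
                    continue
                }
                # @() guards against a single-element value being handed to AddRange as a scalar
                if ($null -ne $deviceConfidenceData["High Confidence"])
                {
                    $highConfidenceBuckets.AddRange(@($deviceConfidenceData["High Confidence"]))
                }
                if ($null -ne $deviceConfidenceData["Under Observation - More Data Needed"])
                {
                    $underObservationBuckets.AddRange(@($deviceConfidenceData["Under Observation - More Data Needed"]))
                }
            }
        }
        catch
        {
            Write-Error "Failed to read or parse the confidence data from file $($file.Name). Error: $_"
            Exit
        }
    }
}
finally
{
    # Runs on every exit path (normal completion, throw, and exit), so the extracted files never linger in %TEMP%
    if (Test-Path -Path $workDir)
    {
        Remove-Item -Path $workDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Get the BucketHash and ConfidenceLevel values from the registry for this device (one read for both values)
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$servicing = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
$bucketHash = $servicing.BucketHash
$confidenceLevel = $servicing.ConfidenceLevel

# Explicit $null so the output object always carries both membership fields, even when the hash is unavailable
$DeviceInHighConfidenceDatabase = $null
$DeviceInUnderObservationDatabase = $null
if ($bucketHash)
{
    $DeviceInHighConfidenceDatabase = $highConfidenceBuckets -contains $bucketHash
    $DeviceInUnderObservationDatabase = $underObservationBuckets -contains $bucketHash
}
else
{
    Write-Warning "BucketHash registry value not found. Unable to determine the device's bucket."
}

[PSCustomObject]@{
    Hostname                   = [System.Net.Dns]::GetHostName()
    BucketHash                 = $bucketHash
    RegistryConfidenceLevel    = $confidenceLevel
    InHighConfidenceDatabase   = $DeviceInHighConfidenceDatabase
    InUnderObservationDatabase = $DeviceInUnderObservationDatabase
    DatabaseTimestamp          = $timestamp
    DatabaseVersion            = $version
}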