tis-verif-secureboot-uefi-ca-2023

Silent install package for tis-verif-secureboot-uefi-ca-2023

13-2

Description:

The tis-verif-secureboot-uefi-ca-2023 package forces the Secure Boot update to Windows UEFI CA 2023, verifies that the UEFI boot loader actually uses this certificate, and reports a detailed status in the WAPT audit.

Goals:

  • Force the Secure Boot update via the AvailableUpdates registry value and the Windows scheduled task.
  • Check the actual Secure Boot state on the machine.
  • Verify that the EFI bootloader in use is signed with the 2023 certificate.
  • Report the resulting state in the WAPT audit (verif-secureboot-uefi-ca-2023).

Result:

The detailed result will be available in the “Audit data” tab. Here is an example:

{
  "SecureBootUEFI": true,
  "SignerName": "Microsoft Windows",
  "SingerFingerPrint": "xxxxx",
  "ConfidenceLevel": "Under Observation - More Data Needed",
  "UEFICA2023Error": "0",
  "AvailableUpdates": "0",
  "UEFICA2023Status": "InProgress",
  "WindowsUEFICA2023Capable": "2",
  "CA_2023_in_SecureBootUEFI_DB": true
}

  • package: tis-verif-secureboot-uefi-ca-2023
  • name: tis-verif-secureboot-uefi-ca-2023
  • version: 13-2
  • maintainer: Simon Fonteneau, Kevin Cherel
  • licence: ©
  • target_os: windows
  • architecture: all
  • signature_date:
  • size: 8.68 Ko

package           : tis-verif-secureboot-uefi-ca-2023
version           : 13-2
architecture      : all
section           : base
priority          : optional
name              : tis-verif-secureboot-uefi-ca-2023
categories        : 
maintainer        : Simon Fonteneau, Kevin Cherel
description       : Ce script permet de contrôler que le démarrage sécurisé est activé et que le certificat Windows UEFI CA 2023 est bien présent dans la base UEFI.
depends           : 
conflicts         : 
maturity          : PROD
locale            : 
target_os         : windows
min_wapt_version  : 
sources           : 
installed_size    : 
impacted_process  : 
description_fr    : 
description_pl    : Ten skrypt sprawdza, czy funkcja Secure Boot jest włączona oraz czy certyfikat Windows UEFI CA 2023 jest obecny w bazie UEFI.
description_de    : Dieses Skript überprüft, ob Secure Boot aktiviert ist und ob das Zertifikat Windows UEFI CA 2023 in der UEFI-Datenbank vorhanden ist.
description_es    : Este script verifica que Secure Boot esté habilitado y que el certificado Windows UEFI CA 2023 esté presente en la base de datos UEFI.
description_pt    : Este script verifica se o Secure Boot está ativado e se o certificado Windows UEFI CA 2023 está presente na base de dados UEFI.
description_it    : Questo script verifica che Secure Boot sia abilitato e che il certificato Windows UEFI CA 2023 sia presente nel database UEFI.
description_nl    : Dit script controleert of Secure Boot is ingeschakeld en of het certificaat Windows UEFI CA 2023 aanwezig is in de UEFI-database.
description_ru    : Этот скрипт проверяет, включена ли функция Secure Boot и присутствует ли сертификат Windows UEFI CA 2023 в базе данных UEFI.
audit_schedule    : 
editor            : 
keywords          : 
licence           : ©
homepage          : 
package_uuid      : 395ed891-34c8-4001-9b0e-3d63b5d0d59b
valid_from        : 
valid_until       : 
forced_install_on : 
changelog         : 
min_os_version    : 
max_os_version    : 
icon_sha256sum    : 03c0491e556f63f98f6ca32ec6beb1894fac54fb804d53e6086e4a26c0ac7491
signer            : Tranquil IT
signer_fingerprint: 8c5127a75392be9cc9afd0dbae1222a673072c308c14d88ab246e23832e8c6bb
signature_date    : 2026-03-05T12:05:21.000000
signed_attributes : package,version,architecture,section,priority,name,categories,maintainer,description,depends,conflicts,maturity,locale,target_os,min_wapt_version,sources,installed_size,impacted_process,description_fr,description_pl,description_de,description_es,description_pt,description_it,description_nl,description_ru,audit_schedule,editor,keywords,licence,homepage,package_uuid,valid_from,valid_until,forced_install_on,changelog,min_os_version,max_os_version,icon_sha256sum,signer,signer_fingerprint,signature_date,signed_attributes
signature         : ytwSxRAG2pQQ+V1wePLR/uodjwl463GuwboWD/Cd/wvq3ziuTpkIe7ijVVB9d7hjm838XtecZAS2KP9NBKMrdryohEr40xPmRCMfJEIezhythegRTA6wPRLwPyxv+gmCI2yB+LrI4aPx1GTCIBW1TcoMt1m3jFdmWhS3swKKnWZfd+m3FjN2MO5GJDiqbEVCiK/Hij9Y0OlocCAxQDhTqQTYprvLczG4G8eZMXPWqDxj0Z70aVIXXM4IkoGzQaGJ2caSW2cuuHxEMrKTOwWn+IdrXG8Iq6FzsCTssi9Yh7n85PHVCrr+0GE9qMTNWux+zUE76y3tWb0inz7g7EGYUA==

# -*- coding: utf-8 -*-
from setuphelpers import *
import os
import ctypes
import waptlicences
from ctypes import wintypes

# Volume enumeration and mount-point APIs: the EFI System Partition normally has
# no drive letter, so it is reached through its \\?\Volume{GUID}\ path.
kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)

FindFirstVolumeW = kernel32.FindFirstVolumeW
FindFirstVolumeW.argtypes = [wintypes.LPWSTR, wintypes.DWORD]
FindFirstVolumeW.restype = wintypes.HANDLE

FindNextVolumeW = kernel32.FindNextVolumeW
FindNextVolumeW.argtypes = [wintypes.HANDLE, wintypes.LPWSTR, wintypes.DWORD]
FindNextVolumeW.restype = wintypes.BOOL

FindVolumeClose = kernel32.FindVolumeClose
FindVolumeClose.argtypes = [wintypes.HANDLE]
FindVolumeClose.restype = wintypes.BOOL

GetVolumeInformationW = kernel32.GetVolumeInformationW
GetVolumeInformationW.argtypes = [
    wintypes.LPCWSTR,  # lpRootPathName
    wintypes.LPWSTR, wintypes.DWORD,  # lpVolumeNameBuffer, nVolumeNameSize
    ctypes.POINTER(wintypes.DWORD),   # lpVolumeSerialNumber
    ctypes.POINTER(wintypes.DWORD),   # lpMaximumComponentLength
    ctypes.POINTER(wintypes.DWORD),   # lpFileSystemFlags
    wintypes.LPWSTR, wintypes.DWORD,  # lpFileSystemNameBuffer, nFileSystemNameSize
]
GetVolumeInformationW.restype = wintypes.BOOL

SetVolumeMountPointW = kernel32.SetVolumeMountPointW
SetVolumeMountPointW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR]  # mountPoint, volumeName
SetVolumeMountPointW.restype = wintypes.BOOL

DeleteVolumeMountPointW = kernel32.DeleteVolumeMountPointW
DeleteVolumeMountPointW.argtypes = [wintypes.LPCWSTR]  # mountPoint
DeleteVolumeMountPointW.restype = wintypes.BOOL

INVALID_HANDLE_VALUE = wintypes.HANDLE(-1).value

SECUREBOOT_KEY = r"SYSTEM\CurrentControlSet\Control\SecureBoot"
SERVICING_KEY = SECUREBOOT_KEY + r"\Servicing"
AUDIT_NAME = "verif-secureboot-uefi-ca-2023"


def install():
    # AvailableUpdates = 64 (0x40) asks the Secure-Boot-Update scheduled task to
    # add the Windows UEFI CA 2023 certificate to the Secure Boot DB; running the
    # task applies it now instead of waiting for its next scheduled run.
    registry_set(HKEY_LOCAL_MACHINE, SECUREBOOT_KEY, 'AvailableUpdates', 64)
    run_task(r'\Microsoft\Windows\PI\Secure-Boot-Update')


def audit():
    result = {}

    # Confirm-SecureBootUEFI throws on machines without UEFI Secure Boot support.
    try:
        result['SecureBootUEFI'] = run_powershell('Confirm-SecureBootUEFI')
    except Exception:
        result['SecureBootUEFI'] = False

    # Status values maintained by the Secure-Boot-Update task.
    list_key = ["UEFICA2023Status", "WindowsUEFICA2023Capable", "UEFICA2023Error", "ConfidenceLevel"]
    for u in list_key:
        result[u] = registry_readstring(HKEY_LOCAL_MACHINE, SERVICING_KEY, u)
    result["AvailableUpdates"] = registry_readstring(HKEY_LOCAL_MACHINE, SECUREBOOT_KEY, "AvailableUpdates")

    # The ESP is a FAT32 volume: mount every FAT32 volume on a temporary folder and
    # stop at the first one that carries the boot loader.
    mount_dir = r"C:\_esp_mount"
    candidates = [vol for vol in iter_volumes() if (get_fs_type(vol) or "").upper() == "FAT32"]

    name_sign = ""
    finger_sing = ""
    for vol in candidates:
        mounted = False
        try:
            mount_volume_to_dir(vol, mount_dir)
            mounted = True
            p1 = os.path.join(mount_dir, "EFI", "Boot", "bootx64.efi")
            # Volumes without a boot loader (other FAT32 disks, USB keys) are skipped
            # instead of aborting the whole audit.
            if os.path.isfile(p1):
                name_sign, finger_sing = waptlicences.check_msi_signature(p1)
                break
        except Exception as e:
            print("Unable to inspect volume %s: %s" % (vol, e))
        finally:
            # Only unmount what was actually mounted so a mount failure is not masked
            # by a second error from DeleteVolumeMountPointW.
            if mounted:
                unmount_dir(mount_dir)
            if os.path.isdir(mount_dir) and not os.listdir(mount_dir):
                os.rmdir(mount_dir)

    result['SignerName'] = name_sign
    result['SingerFingerPrint'] = finger_sing  # key name as stored in existing audit data

    # Substring search for the CA name over the raw bytes of the db variable.
    try:
        result['CA_2023_in_SecureBootUEFI_DB'] = run_powershell(r"[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'")
    except Exception:
        result['CA_2023_in_SecureBootUEFI_DB'] = False

    WAPT.write_audit_data_if_changed(AUDIT_NAME, AUDIT_NAME, result)

    capable = result["WindowsUEFICA2023Capable"]
    if capable == '2':
        print("The certificate is present and the PC is already booting with the new 2023-signed boot manager.")
        return "OK"
    elif capable == '1':
        print("The certificate is present in the Secure Boot database.")
        return "WARNING"
    else:
        print("The registry key is missing or incorrect.")
        return "ERROR"


def _raise_last_error(msg):
    err = ctypes.get_last_error()
    raise OSError(err, "%s (WinError=%s)" % (msg, err))


def iter_volumes():
    """Yield every volume GUID path (\\\\?\\Volume{GUID}\\) known to the system."""
    buf = ctypes.create_unicode_buffer(1024)
    h = FindFirstVolumeW(buf, len(buf))
    # ctypes returns None for a NULL HANDLE and an unsigned int for INVALID_HANDLE_VALUE.
    if h in (None, 0, INVALID_HANDLE_VALUE):
        _raise_last_error("FindFirstVolumeW failed")

    try:
        while True:
            yield buf.value
            if not FindNextVolumeW(h, buf, len(buf)):
                break  # ERROR_NO_MORE_FILES ends the enumeration
    finally:
        FindVolumeClose(h)


def get_fs_type(volume_guid_path):
    """Return the file system name of a volume ("NTFS", "FAT32", ...) or None."""
    fs_buf = ctypes.create_unicode_buffer(64)
    name_buf = ctypes.create_unicode_buffer(256)
    serial = wintypes.DWORD()
    max_comp = wintypes.DWORD()
    flags = wintypes.DWORD()

    ok = GetVolumeInformationW(
        volume_guid_path,
        name_buf, len(name_buf),
        ctypes.byref(serial),
        ctypes.byref(max_comp),
        ctypes.byref(flags),
        fs_buf, len(fs_buf),
    )
    if not ok:
        return None  # unformatted or unreadable volume
    return fs_buf.value


def _mount_point(mount_dir):
    # SetVolumeMountPointW / DeleteVolumeMountPointW require a trailing backslash.
    return mount_dir if mount_dir.endswith("\\") else mount_dir + "\\"


def mount_volume_to_dir(volume_guid_path, mount_dir):
    """Expose a volume under an empty NTFS folder (no drive letter needed)."""
    mp = _mount_point(mount_dir)
    os.makedirs(mp, exist_ok=True)
    if not SetVolumeMountPointW(mp, volume_guid_path):
        _raise_last_error("SetVolumeMountPointW failed for %s" % volume_guid_path)


def unmount_dir(mount_dir):
    mp = _mount_point(mount_dir)
    if not DeleteVolumeMountPointW(mp):
        _raise_last_error("DeleteVolumeMountPointW failed for %s" % mount_dir)
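The audit's CA_2023_in_SecureBootUEFI_DB check is a substring match over the raw bytes of the db variable, so any entry whose bytes happen to spell the name (a SHA-256 hash entry, a stray blob) also matches. The example below is added here and is not part of the package: it parses the chain of EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI db returns and only reports X.509 entries, running on constructed sample bytes (the placeholder DER blob and the owner GUID are sample values, not a real certificate or db).

```python
import hashlib
import struct
import uuid

# Signature type GUIDs from the UEFI specification
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# EFI_SIGNATURE_LIST header: SignatureType, SignatureListSize, SignatureHeaderSize, SignatureSize
_HDR = struct.Struct("<16sIII")


def parse_signature_lists(db):
    """Yield (signature type, owner GUID, signature data) for every entry in a
    Secure Boot variable made of chained EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + _HDR.size <= len(db):
        type_raw, list_size, hdr_size, sig_size = _HDR.unpack_from(db, off)
        if sig_size <= 16 or list_size < _HDR.size + hdr_size or off + list_size > len(db):
            raise ValueError("corrupt EFI_SIGNATURE_LIST at offset %d" % off)
        sig_type = uuid.UUID(bytes_le=type_raw)
        pos, end = off + _HDR.size + hdr_size, off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=db[pos:pos + 16])  # EFI_SIGNATURE_DATA.SignatureOwner
            yield sig_type, owner, db[pos + 16:pos + sig_size]
            pos += sig_size
        off = end


def x509_entries_matching(db, subject_fragment):
    """Return (owner GUID, SHA-256 of the DER) for X.509 entries whose DER contains
    the ASCII subject fragment; hash entries are never considered."""
    needle = subject_fragment.encode("ascii")
    return [(str(owner), hashlib.sha256(data).hexdigest())
            for sig_type, owner, data in parse_signature_lists(db)
            if sig_type == EFI_CERT_X509_GUID and needle in data]


def build_list(sig_type, owner, entries):
    """Assemble one EFI_SIGNATURE_LIST (no signature header) from equal-sized entries."""
    sig_size = 16 + len(entries[0])
    body = b"".join(owner.bytes_le + e for e in entries)
    return _HDR.pack(sig_type.bytes_le, _HDR.size + len(body), 0, sig_size) + body


# Constructed sample data, not a real db: a SHA-256 hash entry whose bytes happen to
# spell the CA name, and a placeholder DER blob standing in for the 2023 certificate.
OWNER = uuid.UUID("77fa9abd-0359-4d32-bd60-28f4e78f784b")  # sample owner GUID
HASH_LIST = build_list(EFI_CERT_SHA256_GUID, OWNER, [b"Windows UEFI CA 2023".ljust(32, b"\0")])
FAKE_DER = b"\x30\x82\x01\x00" + b"Windows UEFI CA 2023" + b"\x00" * 40
DB_WITHOUT_CA = HASH_LIST  # raw substring search says "present", parser says no
DB_WITH_CA = HASH_LIST + build_list(EFI_CERT_X509_GUID, OWNER, [FAKE_DER])
```

On a real machine, pass the bytes of `(Get-SecureBootUEFI db).bytes` to `x509_entries_matching`; the SHA-256 returned for each matching DER certificate can then be compared with the certificate's published fingerprint instead of trusting a name match alone.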

23c2932a05f8f36f1e887858e8d33f723853ca93a6d75f98d00328f9669d76f6 : WAPT/README.md
40635cdc05ef6c9b30134b4e7b891b7b0057eb29c26352714d104a68bc2de3d9 : WAPT/README_fr.md
38d056ab130f7bf7c481c12636a4e9959de36561d3dfcbe54c6e3571bc0c1dc3 : WAPT/certificate.crt
1c0ecc35bc0628795e57a5f0d22c80973a2bdd421ae17fd82d35c63371b04c44 : WAPT/control
03c0491e556f63f98f6ca32ec6beb1894fac54fb804d53e6086e4a26c0ac7491 : WAPT/icon.png
375857428450cb12e5241778e18d2008f53b9aca1c1c07232538ccdc59658f7d : luti.json
5e26f8b3e8fc2185c07dcc50f1b38662d2dc3e0b6fb58eabf244fc5b44d0c4ea : setup.py