
Get-SecureBootSVN can report the wrong FirmwareSVN value #27058

@garlin-cant-code

Description



Steps to reproduce

KB5077241 (Feb 2026 Preview) introduced the Get-SecureBootSVN cmdlet, but it can return two different answers for the FirmwareSVN, depending on which Windows BootMgr SVN appears last in the UEFI's Secure Boot DBX variable.

For example, the DBX update files from \Windows\System32\SecureBootUpdates are intended to be deployed in this order:

  1. DBXUpdate2024.bin - This file contains both the Production CA 2011 cert for revocation, and Windows BootMgr SVN 2.0
  2. DBXUpdateSVN.bin - This file updates the Windows BootMgr SVN number to 7.0

(Get-SecureBootSVN).FirmwareSVN will return 7.0 in this order. If you apply DBXUpdateSVN.bin and DBXUpdate2024.bin in the reverse order, the cmdlet returns 2.0 instead!

Isn't Windows boot manager supposed to check for the highest available SVN number found in the DBX variable, and not the last SVN found? Otherwise I can easily break Secure Boot's anti-rollback by appending a lower SVN (i.e. SVN 0.0) to the DBX after all other Windows updates have been applied.

Please confirm with the Windows Secure Boot team that PS is incorrectly reporting this value, as it's causing confusion with users. Same behavior on PS 5.1.

SVN_Order.zip

Expected behavior

PS C:\Users\GARLIN\Downloads> .\SVN_Order.ps1
BootMgr SVN 2.0
CDMgr SVN 2.0
WDS SVN 2.0
BootMgr SVN 7.0
CDMgr SVN 3.0
WDS SVN 3.0

FirmwareSVN : 7.0

Actual behavior

BootMgr SVN 7.0
CDMgr SVN 3.0
WDS SVN 3.0
BootMgr SVN 2.0
CDMgr SVN 2.0
WDS SVN 2.0

FirmwareSVN : 2.0


Environment data

Name                           Value
----                           -----
PSVersion                      7.5.5
PSEdition                      Core
GitCommitId                    7.5.5
OS                             Microsoft Windows 10.0.26200
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

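The two selection rules the report contrasts ("last SVN entry wins" versus "highest SVN entry wins") can be modelled without touching a real DBX. The PowerShell below is an added example and is not code from the issue, from the SVN_Order.ps1 attachment, or from Windows; it treats the DBX as an ordered list of per-component SVN entries (an assumption: the real byte encoding of SVN entries inside the DBX is not reproduced), takes the component names and values from the script output above, and shows how each rule answers for the documented order, the reverse order, and an appended lower SVN.

```powershell
# Added example, not part of the issue or of the Windows Secure Boot code.
# Assumption: the DBX is modelled as an ordered list of SVN entries, one
# object per component per update file, in the order the files were applied.
# The on-disk EFI_SIGNATURE_LIST encoding of SVN entries is not reproduced.

function New-SvnEntry([string] $Component, [string] $SVN) {
    # Versions are passed as strings ('2.0'), not numbers, so '2.0' survives as-is.
    [pscustomobject]@{ Component = $Component; SVN = $SVN }
}

function Get-SvnSummary {
    param(
        # Ordered SVN entries in the order they were appended to the DBX.
        [Parameter(Mandatory)]
        [pscustomobject[]] $DbxSvnEntries
    )
    foreach ($group in ($DbxSvnEntries | Group-Object -Property Component)) {
        $versions = @($group.Group | ForEach-Object { [version] $_.SVN })
        [pscustomobject]@{
            Component  = $group.Name
            LastSVN    = $versions[-1]                              # "last entry wins" (what the report observes)
            HighestSVN = @($versions | Sort-Object -Descending)[0]  # "highest entry wins" (what anti-rollback needs)
        }
    }
}

function Test-SvnRollback {
    param([Parameter(Mandatory)] [pscustomobject[]] $DbxSvnEntries)
    # Components for which a last-wins reader would report an SVN below the
    # highest one present, i.e. where an appended lower entry would "roll back".
    Get-SvnSummary -DbxSvnEntries $DbxSvnEntries |
        Where-Object { $_.LastSVN -lt $_.HighestSVN }
}

# Constructed stand-ins for the entries each update file carries, using the
# values printed by the script in the issue (not parsed from the real .bin files).
$DbxUpdate2024 = @(
    (New-SvnEntry BootMgr '2.0'), (New-SvnEntry CDMgr '2.0'), (New-SvnEntry WDS '2.0')
)
$DbxUpdateSVN = @(
    (New-SvnEntry BootMgr '7.0'), (New-SvnEntry CDMgr '3.0'), (New-SvnEntry WDS '3.0')
)

$scenarios = [ordered]@{
    'Documented order (2024 then SVN)' = $DbxUpdate2024 + $DbxUpdateSVN
    'Reverse order (SVN then 2024)'    = $DbxUpdateSVN + $DbxUpdate2024
    'Rollback attempt: append BootMgr 0.0 last' =
        $DbxUpdate2024 + $DbxUpdateSVN + @(New-SvnEntry BootMgr '0.0')
}

foreach ($name in $scenarios.Keys) {
    Write-Host "== $name =="
    Get-SvnSummary -DbxSvnEntries $scenarios[$name] | Format-Table -AutoSize | Out-Host
    $rolledBack = @(Test-SvnRollback -DbxSvnEntries $scenarios[$name])
    if ($rolledBack.Count -gt 0) {
        Write-Host "Last-wins reader under-reports SVN for: $($rolledBack.Component -join ', ')"
    }
}
```

In the documented order both rules agree (BootMgr 7.0). In the reverse order the last-wins column drops to 2.0 while the highest-wins column stays at 7.0, which is the discrepancy the report describes; the third scenario shows why last-wins is the wrong rule for anti-rollback, since a single appended 0.0 entry pulls the reported BootMgr SVN down to 0.0.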

Labels: Needs-Triage (The issue is new and needs to be triaged by a work group.)