windows-powershell-docs
Unexpected behavior of Set-SecureBootUEFI with the -ContentFilePath parameter
I'm using the following commands to add a new key to my Secure Boot db:
$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -ContentFilePath .\FormattedContent.bin -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
Set-SecureBootUEFI -ContentFilePath .\FormattedContent.bin -SignedFilePath GeneratedFileToSign.bin.p7
The first two commands succeed but Set-SecureBootUEFI unexpectedly produces the following prompt:
Supply values for the following parameters:
Name:
Shouldn't it be able to obtain the name from FormattedContent.bin? This behavior isn't described anywhere in the documentation and is contrary to the behavior shown in example 2 where the command succeeds without any further prompt.
I entered db, and then it prompted:
Time:
Again this should have been obtained from FormattedContent.bin, and the behavior isn't documented anywhere.
When I repeated everything in the same session with a slight modification, Set-SecureBootUEFI succeeded immediately as expected:
$CurrentTime=Get-Date -Format "yyyy-MM-ddTHH:mm:ssZ";$ObjectFromFormat=Format-SecureBootUEFI -Name db -SignatureOwner 12345678-1234-1234-1234-123456789abc -FormatWithCert -Certificate .\dbKey.cer -SignableFilePath GeneratedFileToSign.bin -Time $CurrentTime -AppendWrite
.\signtool.exe sign /fd sha256 /p7 .\ /p7co 1.2.840.113549.1.7.1 /p7ce DetachedSignedData /a /f PrivateKey.pfx /p thePassword GeneratedFileToSign.bin
$ObjectFromFormat | Set-SecureBootUEFI -SignedFilePath GeneratedFileToSign.bin.p7
The only difference between the two sets of commands is that the first outputs the formatted data to a file which is then supplied as a parameter to Set-SecureBootUEFI while the second outputs the formatted data to a PowerShell object which is then piped to Set-SecureBootUEFI. Functionally both are identical and it is puzzling why they have different behavior.
Document Details
⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: a83acc83-8bbf-c983-57bc-6a025330ae5d
- Version Independent ID: a732c541-8e27-4068-0d0c-2c0f17f0a334
- Content: Set-SecureBootUEFI (SecureBoot)
- Content Source: docset/winserver2022-ps/secureboot/Set-SecureBootUEFI.md
- Product: w10
- Technology: windows
- GitHub Login: @JasonGerend
- Microsoft Alias: jgerend
@e0i I believe this is also a doc issue because the 1st set of commands above corresponds to example 2 in the doc, but the actual behaviour of Set-SecureBootUEFI is different from what's shown in the example.
This repository is for PowerShell core documentation. You seem to be looking for support, which we can't provide here.
I suggest you try posting your issue with context in one of the available community support forums.