cjee21 · jcoester · Jun 7, 2026 · Jun 7, 2026 · Jun 7, 2026 · Jun 7, 2026
diff --git a/dbx_bin/arm_DBXUpdate_2025-02-25.bin → dbx_bin/DBXUpdate_v1.4.0_2025-02-25_arm.bin b/dbx_bin/arm_DBXUpdate_2025-02-25.bin → dbx_bin/DBXUpdate_v1.4.0_2025-02-25_arm.bin
diff --git a/dbx_bin/arm64_DBXUpdate_2025-02-25.bin → ...bin/DBXUpdate_v1.4.0_2025-02-25_arm64.bin b/dbx_bin/arm64_DBXUpdate_2025-02-25.bin → ...bin/DBXUpdate_v1.4.0_2025-02-25_arm64.bin
diff --git a/dbx_bin/x64_DBXUpdate_2025-10-14.bin → ...bin/DBXUpdate_v1.6.0_2025-10-14_amd64.bin b/dbx_bin/x64_DBXUpdate_2025-10-14.bin → ...bin/DBXUpdate_v1.6.0_2025-10-14_amd64.bin
diff --git a/dbx_bin/x86_DBXUpdate_2025-10-14.bin → dbx_bin/DBXUpdate_v1.6.0_2025-10-14_x86.bin b/dbx_bin/x86_DBXUpdate_2025-10-14.bin → dbx_bin/DBXUpdate_v1.6.0_2025-10-14_x86.bin
diff --git a/dbx_bin/x64_DBXUpdate_2023-03-14.bin b/dbx_bin/x64_DBXUpdate_2023-03-14.bin
diff --git a/dbx_bin/x64_DBXUpdate_2023-05-09.bin b/dbx_bin/x64_DBXUpdate_2023-05-09.bin
diff --git a/dbx_bin/x64_DBXUpdate_2025-01-14.bin b/dbx_bin/x64_DBXUpdate_2025-01-14.bin
diff --git a/dbx_bin/x64_DBXUpdate_2025-06-11.bin b/dbx_bin/x64_DBXUpdate_2025-06-11.bin
diff --git a/ps/Check UEFI PK, KEK, DB and DBX.ps1 b/ps/Check UEFI PK, KEK, DB and DBX.ps1
@@ -17,30 +17,35 @@ if (-not ((Test-Path -Path "$PSScriptRoot\Check-Dbx-Simplified.ps1" -PathType Le
     Break
 }
 
+do {
 # Print computer info
 Import-Module $PSScriptRoot\Get-SystemOverview.psm1 -Force
 Show-DeviceOverview
 Write-Host
 
 # Check architecture
-$IsArm = $false
-$Is64bit = $true
-try {
-    $cpuArch = (Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop).Architecture
-    # 0 = x86, 9 = x64, 5 = ARM, 12 = ARM64
-    if ($cpuArch -eq 5 -or $cpuArch -eq 12) {
-        $IsArm = $true
-    }
-    # Windows and UEFI bit-ness should always match on officially supported installs
-    # since UEFI doesn't support cross-platform boot as of https://learn.microsoft.com/en-us/windows/deployment/windows-deployment-scenarios-and-tools#windows-support-for-uefi
-    $Is64bit = [Environment]::Is64BitOperatingSystem
-} catch {
+$arch = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing\DeviceAttributes").OSArchitecture
+
+# Previous architecture check as fallback
+if (-not $arch) {
     $IsArm = $false
     $Is64bit = $true
-    Write-Warning "Unable to determine system architecture, proceeding with defaults (x64).`n"
-    $cpuArch = 9 # default x64
-}
-$arch = if ($Is64bit -and $cpuArch -eq 9) { # CPU arch x64
+    try {
+        $cpuArch = (Get-CimInstance -ClassName Win32_Processor -ErrorAction Stop).Architecture
+        # 0 = x86, 9 = x64, 5 = ARM, 12 = ARM64
+        if ($cpuArch -eq 5 -or $cpuArch -eq 12) {
+            $IsArm = $true
+        }
+        # Windows and UEFI bit-ness should always match on officially supported installs
+        # since UEFI doesn't support cross-platform boot as of https://learn.microsoft.com/en-us/windows/deployment/windows-deployment-scenarios-and-tools#windows-support-for-uefi
+        $Is64bit = [Environment]::Is64BitOperatingSystem
+    } catch {
+        $IsArm = $false
+        $Is64bit = $true
+        Write-Warning "Unable to determine system architecture, proceeding with defaults (x64).`n"
+        $cpuArch = 9 # default x64
+    }
+    $arch = if ($Is64bit -and $cpuArch -eq 9) { # CPU arch x64
         "amd64"
     } elseif ($Is64bit -and $cpuArch -eq 12) { # CPU arch ARM64
         "arm64"
@@ -51,8 +56,7 @@ $arch = if ($Is64bit -and $cpuArch -eq 9) { # CPU arch x64
     } else { # any other unsupported CPU architecture
         "unsupported"
     }
-
-Write-Host "Detected $(Resolve-ArchName($arch)) UEFI architecture. Ensure that this is correct for valid DBX results.`n"
+}
 
 # Check for Secure Boot status
 Write-Host "Secure Boot status: " -NoNewLine
@@ -94,7 +98,7 @@ try {
 
 Write-Host ""
 Write-Host $bold'Default UEFI PK'$reset
-if ($IsArm) {
+if ($arch -match '^arm') {
     Write-Warning "Some ARM-based Windows devices can't retrieve default UEFI variables."
 }
 try {
@@ -184,7 +188,7 @@ Show-UEFICertOthers -SecureBootUEFIVar kek -KnownCerts $KEKCerts
 
 Write-Host ""
 Write-Host $bold'Default UEFI KEK'$reset
-if ($IsArm) {
+if ($arch -match '^arm') {
     Write-Warning "Some ARM-based Windows devices can't retrieve default UEFI variables."
 }
 $KEKCerts | ForEach-Object {
@@ -209,7 +213,7 @@ Show-UEFICertOthers -SecureBootUEFIVar db -KnownCerts $DBCerts
 
 Write-Host ""
 Write-Host $bold'Default UEFI DB'$reset
-if ($IsArm) {
+if ($arch -match '^arm') {
     Write-Warning "Some ARM-based Windows devices can't retrieve default UEFI variables."
 }
 $DBCerts  | ForEach-Object {
@@ -227,7 +231,7 @@ try {
     Break # No need to continue with remaining DBX-related checks of script if failed to obtain DBX data
 }
 
-$colWidth = 27
+$colWidth = 20
 function Show-CheckDBX {
     param(
         [Parameter(Mandatory)][string]$Label,
@@ -244,24 +248,42 @@ function Show-CheckDBX {
     }
 }
 
-# select the proper bin file for the DBX Update.
-# files are copied from https://github.com/microsoft/secureboot_objects/tree/main/PostSignedObjects/DBX
-if ($arch -eq "amd64") {
-  # Show-CheckDBX "2023-03-14         " "$PSScriptRoot\..\dbx_bin\x64_DBXUpdate_2023-03-14.bin"
-  # Show-CheckDBX "2023-05-09         " "$PSScriptRoot\..\dbx_bin\x64_DBXUpdate_2023-05-09.bin"
-  # Show-CheckDBX "2025-01-14 (v1.3.1)" "$PSScriptRoot\..\dbx_bin\x64_DBXUpdate_2025-01-14.bin"
-  # Show-CheckDBX "2025-06-11 (v1.5.1)" "$PSScriptRoot\..\dbx_bin\x64_DBXUpdate_2025-06-11.bin"
-    Show-CheckDBX "2025-10-14 (v1.6.0) [$($arch.ToUpper())]" "$PSScriptRoot\..\dbx_bin\x64_DBXUpdate_2025-10-14.bin"
-} elseif ($arch -eq "arm64") {
-    Show-CheckDBX "2025-02-25 (v1.4.0) [$($arch.ToUpper())]" "$PSScriptRoot\..\dbx_bin\arm64_DBXUpdate_2025-02-25.bin"
-} elseif ($arch -eq "x86") {
-    Show-CheckDBX "2025-10-14 (v1.6.0) [$($arch.ToUpper())]" "$PSScriptRoot\..\dbx_bin\x86_DBXUpdate_2025-10-14.bin"
-} elseif ($arch -eq "arm") {
-    Show-CheckDBX "2025-02-25 (v1.4.0) [$($arch.ToUpper())]" "$PSScriptRoot\..\dbx_bin\arm_DBXUpdate_2025-02-25.bin"
+# Read metadata (Date, Version, Arch) from bin file name
+function Get-DbxMetadata {
+    param([string]$name)
+
+    if ($name -notmatch '^DBXUpdate_([^_]+)_(\d{4}-\d{2}-\d{2})_([^.]+)\.bin$') { return $null }
+
+    return [pscustomobject]@{
+        Version = $matches[1]
+        Date    = [datetime]::ParseExact($matches[2], "yyyy-MM-dd", $null)
+        Arch    = $matches[3]
+        Name    = $name
+    }
+}
+
+# Published DBX bin for arch
+$dbxFolder = "$PSScriptRoot\..\dbx_bin"
+$publishedDBX = Get-ChildItem $dbxFolder -Filter "DBXUpdate_*.bin" |
+    ForEach-Object { Get-DbxMetadata $_.Name } |
+    Where-Object { $_ -ne $null -and $_.Arch -eq $arch } | 
+    Sort-Object Date -Descending | 
+    Select-Object -First 1
+if (-not $publishedDBX) { throw "No published DBX file found for architecture: $arch" }
+
+# Staged DBX bin
+$stagedPath = "C:\Windows\System32\SecureBootUpdates\dbxupdate.bin"
+$stagedDate = if (Test-Path $stagedPath) { (Get-Item $stagedPath).LastWriteTime } else { $null }
+
+# Check DBX against latest DBX revocations
+if ($stagedDate -and ($stagedDate -ge $publishedDBX.Date)) {
+    Show-CheckDBX ("Staged ({0})" -f $stagedDate.ToString('dd MMM yyyy')) $stagedPath
 } else {
-    Write-Warning "[$($arch.ToUpper())] architecture."
+    $label = "{0} ({1})" -f `
+        $publishedDBX.Version,
+        $publishedDBX.Date.ToString('dd MMM yyyy')
+    Show-CheckDBX $label "$dbxFolder\$($publishedDBX.Name)"
 }
-Show-CheckDBX "Current Windows staged" "C:\Windows\System32\SecureBootUpdates\dbxupdate.bin"
 
 Import-Module -Force "$PSScriptRoot\Get-SVNfromDBX.psm1"
 
@@ -278,25 +300,25 @@ $dbx_svns = @($dbx_list | Where-Object { $_.SignatureType -eq 'EFI_CERT_SHA256_G
 $dbx_hashes -= $dbx_svns
 
 $components = [ordered]@{
-    BootMgr = @{ Name="Windows BootMgr SVN"; JSON=$svn_bootmgr_latest }
-    CDBoot  = @{ Name="Windows CDBoot SVN"; JSON=$svn_cdboot_latest }
-    WDSMgFw = @{ Name="Windows WDSMgFw SVN"; JSON=$svn_wdsmgfw_latest }
+    BootMgr = @{ Name="FirmwareSVN BootMgr"; JSON=$svn_bootmgr_latest }
+    CDBoot  = @{ Name="FirmwareSVN CDBoot"; JSON=$svn_cdboot_latest }
+    WDSMgFw = @{ Name="FirmwareSVN WDSMgFw"; JSON=$svn_wdsmgfw_latest }
 }
 
-$svn_list = Get-SVNfromDBX $dbx_list
+$svn_firmware = Get-SVNfromDBX $dbx_list
 $StagedSVNbytes = [IO.File]::ReadAllBytes('C:\Windows\System32\SecureBootUpdates\DBXUpdateSVN.bin')
 $svn_staged = Get-SVNfromDBX (Get-UEFIDatabaseSignatures -BytesIn $StagedSVNbytes)
 
 foreach ($key in $components.Keys) {
     Write-Host -NoNewline "$($components[$key].Name.PadRight($colWidth)) : "
 
-    if (-not $svn_list.$key) {
+    if (-not $svn_firmware.$key) {
         Write-Host "Not applied" -ForegroundColor Red
         continue
     }
 
     $json       = $components[$key].JSON
-    $current    = $svn_list.$key.Version
+    $current    = $svn_firmware.$key.Version
     $staged     = $svn_staged.$key.Version
 
     $target = if ($json -ge $staged) { $json } else { $staged }
@@ -307,3 +329,8 @@ foreach ($key in $components.Keys) {
 }
 
 Write-Host ("Statistics".PadRight($colWidth) + " : $dbx_size Bytes, $dbx_hashes SHA256 hashes, $dbx_certs X.509 certs, $dbx_svns SVNs")
+
+Write-Host
+Read-Host "Press ENTER to refresh"
+
+} while ($true)
diff --git a/ps/Check-Dbx-Simplified.ps1 b/ps/Check-Dbx-Simplified.ps1
@@ -3,11 +3,11 @@
 
  $patchfile  = $args[0]
 
- if ($patchfile -eq  $null) {
+ if ($null -eq $patchfile) {
    Write-Host "Patchfile not specified!`n"
    Break
  }
- $patchfile = (gci -literalpath $patchfile).FullName
+ $patchfile = (Get-ChildItem -literalpath $patchfile).FullName
 
  Import-Module -Force "$PSScriptRoot\Get-UEFIDatabaseSignatures.psm1"
 
@@ -48,8 +48,6 @@
         Write-Information "!!! NOT FOUND`n$RequiredSig`n!!!`n"
         $failures++
     }
-    $i = $successes + $failures
-    Write-Progress -Activity 'Checking if all patches applied' -Status "Checking element $i of $requiredCount" -PercentComplete ($i/$requiredCount *100)
  }
 
  if ($failures -ne 0) {