Viewing the Secure Boot High Confidence Database with PowerShell

A couple of days ago Microsoft published a new article in their New Secure Boot certificates documentation called A Closer Look at the High Confidence Database. According to Microsoft,

The High Confidence Database reflects Microsoft’s assessment of which device and firmware configurations are ready to receive Secure Boot certificate updates based on observed servicing and reliability signals.

Without going in to too much detail, if the device bucket Microsoft has assigned to a device is in the High Confidence database, they have received enough servicing data from devices in that bucket to be confident it will successfully receive the Secure Boot certificate updates.

In the Secure Boot registry, there is a BucketHash value and a ConfidenceLevel value under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing:

Microsoft list the various confidence classifications in their documentation:

However, to date, in my own environment I have only ever seen two of these classifications appear on any of our devices: Under Observation – More Data Needed, and No Data Observed – Action Required. Even these classifications seem inconsistent, for example some devices are showing either of these two classifications yet actually, they’ve already installed the new certs and the boot manager has been updated! I haven’t yet seen any device assigned the High Confidence classification in the registry.

Since Microsoft published more data on the High Confidence database, I decided to have a peek at it and see if any of our devices are actually in this database.

There are two ‘copies’ of the database – one in GitHub which supposedly will be updated twice a month with the security and preview LCUs, and the other on the local client in the %SystemRoot%\System32\SecureBootUpdates folder. The former is for IT teams and OEMs, while the latter is used by the servicing process. It should be pointed out that the published version of the database is not a database in the true sense, just a bunch of entries in CSV or json files.

The client-side version just contains the bucket hashes, grouped into json files by vendor, along with some metadata files. This version actually contains hashes for devices in either the High Confidence or Under Observation classifications.

The GitHub version contains 16 CSV files, each of which contains considerably more data on each bucket, including device info and firmware versions, which is useful if you want to know what device configuration each bucket represents.

Since we have no devices yet reporting a High Confidence classification (even though we do have devices that have updated), I put together the following PowerShell script that will read all the bucket hashes in the local copy of the database and check whether the hash of the device it’s running on is in the database. It does require PowerShell 7 due to the way the json files are created and the lack of any ‘AsHashTable’ parameter in the ConvertFrom-Json cmdlet in PowerShell 5. I should add the disclaimer that the local copy of the database is intended to be used by the Secure Boot certificate servicing and not for general parsing by an IT admin, even though we’re doing exactly that 🙂

	############################################################################################################################
	## PowerShell script to determine the Secure Boot certificate update confidence level of a device based on the local copy ##
	## of the High Confidence database provided by Microsoft. ##
	############################################################################################################################

	#Requires -RunAsAdministrator
	#Requires -Version 7

	# Check that the BucketConfidenceData CAB file exists in the specified directory
	$confidenceCab = Get-ChildItem –Path $env:SystemRoot\System32\SecureBootUpdates –Filter *.cab –ErrorAction SilentlyContinue
	if ($confidenceCab.count -gt 1)
	{
	$cabFile = $confidenceCab \| Sort-Object LastWriteTime –Descending \| Select-Object –First 1 \| Select-Object –ExpandProperty FullName
	}
	elseif ($confidenceCab.count -eq 1)
	{
	$cabFile = $confidenceCab.FullName
	}
	else
	{
	Write-Warning "No BucketConfidenceData CAB file found in the specified directory."
	exit
	}

	# Expand the CAB file to a temporary directory
	try
	{
	if (Test-Path –Path $env:TEMP\ConfidenceData)
	{
	Remove-Item –Path $env:TEMP\ConfidenceData –Recurse –Force
	}
	# Create the temporary directory
	$null = New-Item –Path $env:TEMP\ConfidenceData –ItemType Directory
	# Expand the CAB file
	$null = expand.exe -F:* $cabFile $env:TEMP\ConfidenceData 2>&1
	}
	catch
	{
	throw "Failed to expand the CAB file. Error: $_"
	}

	# Get json file list from the extracted CAB file
	$allJsonFiles = Get-ChildItem –Path $env:TEMP\ConfidenceData –Filter .json –Recurse –ErrorAction SilentlyContinue \| where-object { $_.Name -notlike "BucketConfidence.json" }
	if ($allJsonFiles.count -eq 0)
	{
	Write-Warning "No JSON files found in the extracted CAB file."
	Remove-Item $env:TEMP\ConfidenceData –Recurse –Force –ErrorAction SilentlyContinue
	exit
	}

	# Get the database metadata from the BucketConfidenceMetadata.json file
	$metadataFilePath = Join-Path –Path $env:TEMP\ConfidenceData –ChildPath "BucketConfidenceMetadata.json"
	if (Test-Path –Path $metadataFilePath)
	{
	$metadataContent = Get-Content –Path $metadataFilePath –Raw \| ConvertFrom-Json –AsHashtable
	#$knownOEMs = $metadataContent.KnownOEMs
	$header = $metadataContent.Header
	$timestamp = $header.Timestamp.ToString("yyyy-MMM-dd")
	$version = $header.Version
	}
	else
	{
	Write-Warning "BucketConfidenceMetadata.json file not found in the extracted CAB file."
	}

	# Extract the confidence data
	$highConfidenceBuckets = [System.Collections.Generic.List[object]]::new()
	$underObservationBuckets = [System.Collections.Generic.List[object]]::new()
	foreach ($file in $allJsonFiles)
	{
	try
	{
	$confidenceData = Get-Content –Path $file.FullName –Raw \| ConvertFrom-Json –AsHashtable
	$OEMEntries = $confidencedata.OEMEntries.Keys
	foreach ($OEM in $OEMEntries)
	{
	$deviceConfidenceData = $confidencedata.OEMEntries["$OEM"]
	if ($deviceConfidenceData)
	{
	if ($null -ne $confidencedata.OEMEntries["$OEM"]["High Confidence"])
	{
	$highConfidenceBuckets.AddRange($confidencedata.OEMEntries["$OEM"]["High Confidence"])
	}
	if ($null -ne $confidencedata.OEMEntries["$OEM"]["Under Observation – More Data Needed"])
	{
	$underObservationBuckets.AddRange($confidencedata.OEMEntries["$OEM"]["Under Observation – More Data Needed"])
	}
	}
	}
	}
	catch
	{
	Write-Error "Failed to read or parse the confidence data from file $($file.Name). Error: $_"
	Remove-Item $env:TEMP\ConfidenceData –Recurse –Force –ErrorAction SilentlyContinue
	Exit
	}
	}

	# Get the BucketHash and ConfidenceLevel values from the registry for this device
	$bucketHash = Get-ItemProperty –Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing –Name BucketHash –ErrorAction SilentlyContinue \| Select –ExpandProperty BucketHash
	$confidenceLevel = Get-ItemProperty –Path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing –Name ConfidenceLevel –ErrorAction SilentlyContinue \| Select –ExpandProperty ConfidenceLevel

	if ($bucketHash)
	{
	$DeviceInHighConfidenceDatabase = $highConfidenceBuckets -contains $bucketHash
	$DeviceInUnderObservationDatabase = $underObservationBuckets -contains $bucketHash
	}
	else
	{
	Write-Warning "BucketHash registry value not found. Unable to determine the device's bucket."
	}

	# Cleanup
	Remove-Item $env:TEMP\ConfidenceData –Recurse –Force –ErrorAction SilentlyContinue

	[PSCustomObject]@{
	Hostname = [System.Net.Dns]::GetHostName()
	BucketHash = $bucketHash
	RegistryConfidenceLevel = $confidenceLevel
	InHighConfidenceDatabase = $DeviceInHighConfidenceDatabase
	InUnderObservationDatabase = $DeviceInUnderObservationDatabase
	DatabaseTimestamp = $timestamp
	DatabaseVersion = $version
	}

view raw Get-SecureBootHighConfidenceDatabase.ps1 hosted with ❤ by GitHub

The script will populate two variables, $highConfidenceBuckets and $underObservationBuckets and check whether the device is in either one.

In my case, my Windows 365 Cloud PC is not high confidence, but under observation. Which is interesting, since it has already installed the new certs and updated the boot manager!

I also uploaded all the High Confidence and Under Observation bucket hashes into our SQL inventory database and ran a check on the bucket hashes of all our devices, and sure enough, not one single device has a High Confidence classification! The vast majority were, however, in the Under Observation list. Hmmm.

Ok, so since the timestamp on the local copy of the HC database is January 25th, I decided to also check against the High Confidence database published in GitHub, which is more recent. Probably Microsoft doesn’t want us doing this with PowerShell, but hey-ho 🙂 The following script downloads all the CSV files from GitHub and extracts all the bucket hashes into the $allBucketHashes variable (all 1.5 million of them!)

	############################################################################################################
	## Downloads the secure boot high confidence database from GitHub and uploads into our Inventory database ##
	############################################################################################################

	$highConfidenceDirectory = "C:\Temp\HighConfidenceBuckets"
	# Create the directory if it doesn't exist
	if (-not (Test-Path –Path $highConfidenceDirectory))
	{
	$null = New-Item –ItemType Directory –Path $highConfidenceDirectory
	}

	$ProgressPreference = 'SilentlyContinue'
	1..16 \| foreach {
	$Url = "https://github.com/microsoft/secureboot_objects/raw/refs/heads/main/HighConfidenceBuckets/HighConfidenceBuckets_part$_.csv"
	$FileName = "HighConfidenceBuckets_part$_.csv"
	Write-Host "Downloading $FileName"
	try
	{
	Invoke-WebRequest –Uri $URL –OutFile "$highConfidenceDirectory\$FileName" –ErrorAction Stop
	}
	catch
	{
	Write-Host "Failed to download $FileName`: $_" –ForegroundColor Red
	}
	}

	$downloadedFiles = Get-ChildItem –Path $highConfidenceDirectory –Filter "HighConfidenceBuckets_part*.csv"
	$allBucketHashes = [System.Collections.Generic.List[object]]::new()
	foreach ($file in $downloadedFiles)
	{
	Write-Host "Processing $($file.Name)"
	try
	{
	$csvRows = Import-CSV –Path $file.FullName
	$allBucketHashes.AddRange($csvRows.BA_BucketId)
	}
	catch
	{
	Write-Host "Failed to process $($file.Name)`: $_" –ForegroundColor Red
	}
	}

	Write-Host "Total bucket hashes collected: $($allBucketHashes.Count)" –ForegroundColor Green

	Remove-Item –Path $highConfidenceDirectory –Recurse –Force –ErrorAction SilentlyContinue

view raw Get-SecureBootHighConfidenceDatabaseGitHub.ps1 hosted with ❤ by GitHub

I took these hashes and also uploaded those to our inventory database, and guess what? I got 1 single match in the High Confidence database out of all our nearly 8,000 managed devices! Which actually sucked on two levels:

Just one, I mean really?!
Turns out, that device didn’t even have Secure Boot enabled anyway!

I was kind of hoping to get a list of devices that are High Confidence that I could go ahead and install the new certs on ahead of Microsoft’s LCU servicing, but alas not! Still, at least we have some insights into what the High Confidence database actually looks like and how to read it.

Share this:

Published by Trevor Jones