Boot Environment Audit

Summary

This script audits a Windows device's boot environment and security posture, then stores the results in a custom table for reporting and compliance tracking. It checks:

  • Secure Boot Status: Verifies Secure Boot is enabled and that the Windows UEFI CA 2023 security certificate is properly installed—essential for preventing unauthorized firmware modifications.
  • Boot Configuration: Detects unauthorized boot loaders or network boot options that could indicate security misconfigurations.
  • Windows Recovery Environment: Confirms WinRE is available for emergency repairs.
  • Firmware Readiness: Compares your device's BIOS version against manufacturer minimums to ensure it supports modern security standards.
  • Available Driver Updates: Counts pending driver updates from your device manufacturer (Dell, HP, Lenovo, or other vendors).
  • Cumulative Updates: Identifies the latest installed Windows security patch and verifies your device has the November 2025 cumulative update or newer (required for CA 2023 Secure Boot certificate support).
  • Telemetry Configuration: Determines if Windows diagnostic data collection is enabled or disabled.
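
The Secure Boot, CA 2023 certificate, and WinRE checks listed above can be reproduced by hand with built-in Windows tooling. The following is an added example, not the documented script's own code; the function name `Get-BootPostureSample` is hypothetical, and it assumes an elevated session and an English display language for the `reagentc` output.

```powershell
# Added example; Get-BootPostureSample is a hypothetical name, not part of the documented script.
# Run from an elevated PowerShell session on the device being audited.
function Get-BootPostureSample {
    [CmdletBinding()]
    param()

    $notes      = [System.Collections.Generic.List[string]]::new()
    $secureBoot = $null   # stays $null when the state cannot be read
    $ca2023     = $null
    $winRE      = $null

    try {
        # $true / $false on UEFI firmware; throws on legacy BIOS or without elevation.
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $notes.Add("Secure Boot state unavailable: $($_.Exception.Message)")
    }

    try {
        # The db variable is the allowed-signature database. The certificate's
        # subject name is stored in it as ASCII text, so a string match suffices.
        $db     = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $ca2023 = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
    } catch {
        $notes.Add("Secure Boot db unreadable: $($_.Exception.Message)")
    }

    # reagentc output is localized; this pattern assumes an English display language.
    $reagent = (& reagentc.exe /info 2>&1 | Out-String)
    if ($reagent -match 'Windows RE status:\s+(\w+)') {
        $winRE = ($Matches[1] -eq 'Enabled')
    } else {
        $notes.Add('Could not parse reagentc /info output.')
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $secureBoot
        Ca2023InDb        = $ca2023
        WinREEnabled      = $winRE
        Notes             = $notes -join '; '
    }
}

Get-BootPostureSample | Format-List
```

A `$null` in any field means the value could not be determined and should be treated as a finding to investigate, not as a pass.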

Dependencies

Sample Run

First Run

Run the script with the SetEnvironment parameter set to 1 after import to create the custom table pvl_boot_environment_details.

Image1

Regular Execution

Image2

User Parameters

| Name | Example | Required | Description |
| --- | --- | --- | --- |
| SetEnvironment | 1 | First Run Only | If set to 1, it will create the custom table pvl_boot_environment_details. |

Global Variables

| Name | Example | Required | Description |
| --- | --- | --- | --- |
| Debug | False, True | False | When True, enables informational logging; when False (default), informational logs are suppressed to avoid adding entries to the h_scripts table. Set to True to assist with troubleshooting. |

Output

Changelog

2026-05-06

  • Initial version of the document