{"id":705,"date":"2026-03-13T10:48:09","date_gmt":"2026-03-13T07:48:09","guid":{"rendered":"https:\/\/www.notsayfam.com\/?p=705"},"modified":"2026-04-22T08:48:03","modified_gmt":"2026-04-22T05:48:03","slug":"%f0%9f%9a%a8-sistem-yoneticileri-icin-son-cagri-secure-boot-2023-sertifika-rotasyonu","status":"publish","type":"post","link":"https:\/\/www.notsayfam.com\/?p=705","title":{"rendered":"\ud83d\udea8 Sistem Y\u00f6neticileri \u0130\u00e7in Son \u00c7a\u011fr\u0131: Secure Boot 2023 Sertifika G\u00fcncelleme \u0130\u015flemleri"},"content":{"rendered":"\n

Microsoft’un 10 y\u0131ll\u0131k Secure Boot sertifikalar\u0131 Haziran 2026<\/strong>‘dan itibaren emekli olmaya ba\u015fl\u0131yor. E\u011fer sunucular\u0131n\u0131zda manuel tetikleme yapmad\u0131ysan\u0131z, “Enforcement Phase” (Zorunlu Uygulama) a\u015famas\u0131nda boot sorunlar\u0131 ya\u015faman\u0131z an meselesi.<\/p>\n\n\n\n

A\u015fa\u011f\u0131daki rehber ile mevcut durumunuzu sorgulayabilir ve gerekli bir i\u015flem varsa a\u015fa\u011f\u0131daki y\u00f6ntemler ile aksiyon alabilirsiniz.<\/p>\n\n\n\n

\ud83d\udd0d 1. Ad\u0131m: Durum Analizi (Durumu G\u00f6steren Script)<\/h3>\n\n\n\n

Bu PowerShell beti\u011fi; sistemin modunu, Secure Boot durumunu ve sertifikalar\u0131n g\u00fcncelli\u011fini kontrol ederek size net bir “Aksiyon Gerekli mi?” raporu sunar:<\/p>\n\n\n\n

PowerShell scripti y\u00f6netici olarak \u00e7al\u0131\u015ft\u0131rman\u0131z gerekiyor. <\/p>\n\n\n\n

$Firmware = Get-ComputerInfo -Property \"BiosFirmwareType\"\n\nif ($Firmware.BiosFirmwareType -ne \"Uefi\") {\n    Write-Host \"[!] Sistem Legacy BIOS. G\u00fcvenli \u00f6ny\u00fckleme kullan\u0131lm\u0131yor, i\u015fleme gerek yok.\" -ForegroundColor Yellow\n} else {\n    if (-not (Confirm-SecureBootUEFI)) {\n        Write-Host \"[!] Sistem UEFI ama Secure Boot KAPALI. Gelecekte a\u00e7\u0131lacaksa m\u00fcdahale gerekir.\" -ForegroundColor Gray\n    } else {\n        # Sertifika ve Reg Kontrolleri\n        $dbBytes = (Get-SecureBootUEFI db -ErrorAction SilentlyContinue).bytes\n        $kekBytes = (Get-SecureBootUEFI KEK -ErrorAction SilentlyContinue).bytes\n\n        $dbMatch = $false\n        $kekMatch = $false\n\n        # Byte dizisi bo\u015f gelmezse e\u015fle\u015fme kontrol\u00fc yap (Hatalar\u0131 \u00f6nlemek i\u00e7in)\n        if ($dbBytes) { $dbMatch = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023' }\n        if ($kekBytes) { $kekMatch = [System.Text.Encoding]::ASCII.GetString($kekBytes) -match 'Microsoft Corporation KEK 2K CA 2023' }\n        \n        $regPath = \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\Servicing\"\n        $regStatus = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).UEFICA2023Status\n        $regCapable = (Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable\n\n        # --- B\u0130LG\u0130LEND\u0130RME \u00d6ZET\u0130 ---\n        Write-Host \"`n--- Sistem Durum \u00d6zeti ---\" -ForegroundColor Cyan\n        \n        if ($dbMatch) { Write-Host \"DB      : $dbMatch -> Windows g\u00fcncellemeyi y\u00fcklemi\u015f demektir.\" }\n        else { Write-Host \"DB      : $dbMatch\" }\n        \n        if ($kekMatch) { Write-Host \"KEK     : $kekMatch -> BIOS deste\u011fi mevcut.\" }\n        else { Write-Host \"KEK     : $kekMatch\" }\n\n        Write-Host \"Status  : $regStatus\"\n        Write-Host \"Capable : $regCapable\"\n        Write-Host \"--------------------------`n\" -ForegroundColor Cyan\n\n        # YEN\u0130 MANTIKSAL KONTROLLER\n        \n        # 1. Durum: Capable 2 ise (Zaten G\u00fcncel)\n        if ($regCapable -eq 2) {\n            Write-Host \"[\u2713] Sistem TAMAMEN G\u00dcNCEL. Herhangi bir i\u015flem yapman\u0131za gerek yok.\" -ForegroundColor Green\n        }\n        # 2. Durum: DB true, KEK true ve Status InProgress ise\n        elseif ($dbMatch -and $kekMatch -and $regStatus -eq 'InProgress') {\n            Write-Host \"[i] L\u00fctfen birka\u00e7 dakika bekleyip tekrar kontrol edin.\" -ForegroundColor Yellow\n        }\n        # 3. Durum: Capable 1 ancak Status NotStarted ise (Windows Update Patch'i eksik)\n        elseif ($regCapable -eq 1 -and $regStatus -eq 'NotStarted') {\n            Write-Host \"[X] \u0130\u015fletim sistemine patch y\u00fckledi\u011finize emin olunuz!\" -ForegroundColor Red\n            Write-Host \"    Update yap\u0131lmayan sunucularda task'\u0131 \u00e7al\u0131\u015ft\u0131rsak da olmuyor.\" -ForegroundColor Red\n        }\n        # 4. Durum: DB false ise\n        elseif (-not $dbMatch) {\n            Write-Host \"[X] \u0130\u015fletim sistemi g\u00fcncel de\u011fil. A\u015fa\u011f\u0131daki komutlar\u0131 \u00e7al\u0131\u015ft\u0131r\u0131n:\" -ForegroundColor Red\n            Write-Host \"`n    reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot \/v AvailableUpdates \/t REG_DWORD \/d 0x5944 \/f\" -ForegroundColor Cyan\n            Write-Host \"`n    Start-ScheduledTask -TaskName `\"\\Microsoft\\Windows\\PI\\Secure-Boot-Update`\"\" -ForegroundColor Cyan\n            Write-Host \"\" \n        }\n        # 5. Durum: DB true ancak KEK false ise\n        elseif ($dbMatch -and -not $kekMatch) {\n            Write-Host \"[X] BIOS UEFI g\u00fcncel de\u011fil.\" -ForegroundColor Red\n            Write-Host \"    Sanal makine (VM) ise kapat\u0131p nvram dosyas\u0131n\u0131 silerek deneyebilirsiniz.\" -ForegroundColor Yellow\n        }\n        # 6. Durum: Capable 1 ancak Status InProgress de\u011filse (NotStarted durumu yukar\u0131da elendi\u011fi i\u00e7in buraya d\u00fc\u015fmez)\n        elseif ($regCapable -eq 1 -and $regStatus -ne 'InProgress') {\n            Write-Host \"[!] L\u00fctfen registry de\u011ferlerini girip sonra start \u00e7al\u0131\u015ft\u0131r\u0131n\u0131z.\" -ForegroundColor Yellow\n            Write-Host \"`n    reg add HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Secureboot \/v AvailableUpdates \/t REG_DWORD \/d 0x5944 \/f\" -ForegroundColor Cyan\n            Write-Host \"`n    Start-ScheduledTask -TaskName `\"\\Microsoft\\Windows\\PI\\Secure-Boot-Update`\"\" -ForegroundColor Cyan\n            Write-Host \"\"\n        }\n        # 7. Durum: Di\u011fer ara durumlar\n        else {\n            Write-Host \"[i] G\u00fcncelleme s\u00fcreci arka planda devam ediyor olabilir veya yeniden ba\u015flatma bekleniyor.\" -ForegroundColor Magenta\n        }\n    }\n}\n\n\n\n\n<\/code><\/pre>\n\n\n\n
\n\n\n\n
\ud83d\udcc5 Neden \u015eimdi? Kritik Sertifika Takvimi<\/h3>\n\n\n\n
S\u00fcresi Dolan Sertifika<\/strong><\/td>Son Kullanma<\/strong><\/td>Yeni Sertifika (2023)<\/strong><\/td>Konum<\/strong><\/td>Ama\u00e7<\/strong><\/td><\/tr><\/thead>
Microsoft KEK CA 2011<\/td>Haziran 2026<\/strong><\/td>Microsoft KEK 2K CA 2023<\/td>KEK<\/td>DB ve DBX imzalar\u0131n\u0131 do\u011frular.<\/td><\/tr>
MS Windows PCA 2011<\/td>Ekim 2026<\/strong><\/td>Windows UEFI CA 2023<\/td>DB<\/td>Windows Bootloader imzalar.<\/td><\/tr>
Microsoft UEFI CA 2011<\/td>Haziran 2026<\/strong><\/td>Microsoft UEFI CA 2023<\/td>DB<\/td>3. parti bootloader & EFI app.<\/td><\/tr>
Microsoft UEFI CA 2011<\/td>Haziran 2026<\/strong><\/td>MS Option ROM UEFI 2023<\/td>DB<\/td>3. parti Option ROM imzalar.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n
\n\n\n\n
\ud83d\udee0\ufe0f 2. Ad\u0131m: Uygulama ve H\u0131zland\u0131rma<\/h3>\n\n\n\n
E\u011fer sisteminiz g\u00fcncel de\u011filse, a\u015fa\u011f\u0131daki ad\u0131mlar\u0131 s\u0131ras\u0131yla uygulay\u0131n:<\/p>\n\n\n\n
Birinci y\u00f6ntem olarak a\u015fa\u011f\u0131daki registry de\u011ferini girerek 2 kez reboot edebilirsiniz.<\/p>\n\n\n\n
Set-ItemProperty -Path \"HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\" -Name \"AvailableUpdates\" -Value 0x1 -Type DWord<\/code><\/pre>\n\n\n\n
Di\u011fer y\u00f6ntem olarak 1 reboot ile yapmak i\u00e7in a\u015fa\u011f\u0131daki i\u015flemler izlenebilir.<\/p>\n\n\n\n
    \n
  1. Registry ile de\u011fi\u015fikli\u011fe zorlamak:<\/strong>\n