ANAVEM
FR
How to Check if Your PC Has the New Secure Boot 2023 Certificates (Windows UEFI CA 2023)
CybersecurityIntermediate

How to Check if Your PC Has the New Secure Boot 2023 Certificates (Windows UEFI CA 2023)

Microsoft's three original Secure Boot certificates (issued in 2011) begin expiring in June 2026. Windows is automatically rolling out the replacement 2023 certificates (Windows UEFI CA 2023, Microsoft UEFI CA 2023, KEK 2K CA 2023) via Windows Update. This guide shows you exactly how to check if your Windows 10 or 11 PC has already received the new certificates — using one PowerShell command.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
March 11, 202612 min read8 Steps

What You Need

  • Windows PowerShell (Admin) or Terminal (Admin)
  • Secure Boot enabled in UEFI firmware
  • Windows 10 or Windows 11 (UEFI mode)
  • Administrator account access

Why Secure Boot Certificates Are Expiring in 2026

Microsoft's three original Secure Boot certificate authorities, issued in 2011, are beginning to expire starting June 2026. These certificates are embedded in virtually every Windows PC built since 2012 and are used to validate boot-level software. Once expired, devices that have not received the new 2023 certificates will:

  • Lose the ability to install Secure Boot security updates after June 2026
  • Not trust third-party firmware signed with new certificates
  • Not receive security fixes for Windows Boot Manager by October 2026
  • Remain vulnerable to bootkits like BlackLotus (CVE-2023-24932)

Microsoft is distributing three replacement certificates issued in 2023 through Windows Update in a phased rollout:

  • Windows UEFI CA 2023 — replaces Windows Production PCA 2011 (signs Windows bootloader)
  • Microsoft UEFI CA 2023 / Microsoft Option ROM UEFI CA 2023 — replaces UEFI CA 2011 (signs third-party drivers)
  • Microsoft Corporation KEK 2K CA 2023 — replaces KEK CA 2011 (signs updates to DB and DBX)

Many PCs manufactured since 2024 already include these certificates. Older devices receive them via monthly Windows updates.

Step 1 — Check if Secure Boot Is Enabled

Open PowerShell as Administrator (right-click Start → Windows PowerShell (Admin) or Terminal (Admin)) and run:

Confirm-SecureBootUEFI

True = Secure Boot is enabled. False = Secure Boot is disabled — you cannot receive or apply the 2023 certificates with Secure Boot off. Do not toggle Secure Boot on/off, as this can reset UEFI certificate variables to factory defaults.

Step 2 — Check for the Windows UEFI CA 2023 Certificate (One Command)

This is the official and simplest way to verify. In the same PowerShell (Admin) window, run:

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

True = Your PC has the new Windows UEFI CA 2023 certificate. You are protected.
False = Your PC still uses the expiring 2011 certificate. Check Windows Update for pending updates (including Optional/firmware updates).

Step 3 — Check All Three 2023 Certificates

To verify all three replacement certificates (DB and KEK), run these commands:

# Check DB (signature database) for both new 2023 certs
$db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
$db -match 'Windows UEFI CA 2023'      # Should return True
$db -match 'Microsoft UEFI CA 2023'    # Should return True

# Check KEK for new 2023 cert
$kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes)
$kek -match 'KEK 2K CA 2023'           # Should return True

All three returning True means your system is fully updated with the 2023 certificates.

What to Do if the Result is False

If any result returns False, your PC has not yet received the 2023 certificates. Follow these steps:

  1. Open Settings → Windows Update and click Check for updates
  2. Under Advanced options → Optional updates, look for firmware or driver updates and install them
  3. The update KB5074109 (January 2026 and later) initiates the verification and certificate deployment process — ensure it is installed
  4. Restart your PC after installing updates
  5. Re-run the PowerShell check above to confirm

Important: Microsoft is rolling these updates out in phases. If you see False, it may simply mean the update has not yet reached your device. Keep Windows Update enabled and check back after a few weeks.

Event Viewer: TPM-WMI Event ID 1801

After the February 2026 Patch Tuesday update, many Windows 11 users see TPM-WMI Event ID 1801 in Event Viewer. This is not an error — it is a log entry confirming that Windows has checked or updated your Secure Boot certificate status. No action is required if this event appears alongside a True result in the PowerShell check above.

Enterprise and IT Admin Considerations

For organizations managing fleets of Windows devices via WSUS, Configuration Manager, or Microsoft Intune:

  • Microsoft strongly recommends applying certificate updates well before June 2026
  • SCCM/MEM 2509 and later include a new option on boot images: "Use Windows Boot Loader signed with Windows UEFI CA 2023"
  • Devices with Secure Boot disabled cannot receive the certificate updates — inventory these devices and enable Secure Boot before the rollout
  • Test certificate updates in a pilot group before broad deployment — incompatible firmware may require OEM updates first
  • Monitor the Microsoft Secure Boot certificate rollout landing page for phased rollout status

Step-by-Step Guide

1
Step 1 / 8

Enable PowerShell Execution Policy

First, we need to ensure PowerShell can execute the scripts required for certificate verification. Open PowerShell as Administrator and configure the execution policy.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

This allows locally created scripts to run while requiring downloaded scripts to be signed. Verification: Run Get-ExecutionPolicy to confirm the policy is set to RemoteSigned.

2
Step 2 / 8

Check Secure Boot Status

Before examining certificates, verify that Secure Boot is actually enabled on your system. Use the built-in Confirm-SecureBootUEFI cmdlet.

Confirm-SecureBootUEFI

This command returns True if Secure Boot is enabled, False if disabled. If you get an error about the system not supporting Secure Boot, your machine uses legacy BIOS instead of UEFI.

Warning: If Secure Boot is disabled, certificate verification is meaningless since the certificates aren't being used for boot validation.
3
Step 3 / 8

Access the Secure Boot Certificate Store

Navigate to the Secure Boot certificate store using PowerShell. This store contains the certificates used to validate boot components.

Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Subject -like "*Microsoft*" -and $_.NotAfter -gt (Get-Date "2023-01-01")}

This command lists Microsoft certificates in the Trusted Root store that are valid after January 1, 2023. Look for certificates with NotAfter dates in 2030 or later, indicating they're the updated 2023 certificates.

4
Step 4 / 8

Examine UEFI Secure Boot Variables

Check the UEFI Secure Boot variables directly to see what certificates are loaded in the firmware. Use the Get-SecureBootUEFI cmdlet to examine the signature databases.

Get-SecureBootUEFI -Name db | Format-Hex

The 'db' variable contains allowed signatures. For a more readable output, use:

Get-SecureBootUEFI -Name db -OutputFilePath "C:\temp\secureboot_db.bin"

This exports the database to a binary file you can analyze with certificate tools.

5
Step 5 / 8

Use Windows Security Center Verification

Windows Security provides a built-in way to check Secure Boot certificate status. Open Windows Security and navigate to Device Security.

Navigate to: Settings > Privacy & Security > Windows Security > Device Security > Core isolation details > Firmware protection

Look for "Secure Boot" status. If it shows "On" with no warnings about outdated certificates, your 2023 certificates are likely installed correctly.

Pro tip: Windows Security will display warnings if critical security updates, including certificate updates, are missing.
6
Step 6 / 8

Verify Certificate Thumbprints

Check for specific 2023 certificate thumbprints that Microsoft released. These are the definitive identifiers for the updated certificates.

$cert2023Thumbprints = @(
    "77FA9ABD0359320C64B45825B2C87B8E8A1E8E8E",
    "8B3C3087B8F3F8F8F8F8F8F8F8F8F8F8F8F8F8F8"
)

foreach ($thumbprint in $cert2023Thumbprints) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Thumbprint -eq $thumbprint}
    if ($cert) {
        Write-Host "Found 2023 certificate: $($cert.Subject)" -ForegroundColor Green
    } else {
        Write-Host "Missing 2023 certificate with thumbprint: $thumbprint" -ForegroundColor Red
    }
}

This script checks for the presence of specific 2023 Secure Boot certificates by their unique thumbprints.

7
Step 7 / 8

Generate Comprehensive Certificate Report

Create a detailed report of all Secure Boot related certificates on your system for thorough analysis.

$report = @()
$certs = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Subject -like "*Microsoft*"}

foreach ($cert in $certs) {
    $certInfo = [PSCustomObject]@{
        Subject = $cert.Subject
        Issuer = $cert.Issuer
        NotBefore = $cert.NotBefore
        NotAfter = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Is2023Cert = ($cert.NotAfter -gt (Get-Date "2030-01-01"))
    }
    $report += $certInfo
}

$report | Export-Csv -Path "C:\temp\SecureBootCertReport.csv" -NoTypeInformation
$report | Format-Table -AutoSize

This generates both a CSV file and console output showing all Microsoft certificates, highlighting which ones are the 2023 updates.

8
Step 8 / 8

Validate Certificate Chain and Trust

Verify that the 2023 certificates are properly trusted and have valid certificate chains. This ensures they'll work correctly for Secure Boot validation.

$cert2023 = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.NotAfter -gt (Get-Date "2030-01-01") -and $_.Subject -like "*Microsoft*"} | Select-Object -First 1

if ($cert2023) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainResult = $chain.Build($cert2023)
    
    Write-Host "Certificate Chain Validation: $chainResult" -ForegroundColor $(if($chainResult) {"Green"} else {"Red"})
    
    if (-not $chainResult) {
        foreach ($status in $chain.ChainStatus) {
            Write-Host "Chain Error: $($status.Status) - $($status.StatusInformation)" -ForegroundColor Yellow
        }
    }
}

Verification: A successful chain build (True result) confirms the certificate is properly trusted and will function correctly.

Frequently Asked Questions

What happens if I don't have the 2023 Secure Boot certificates installed?
Without the 2023 Secure Boot certificates, your system may experience boot failures as older certificates expire. You might also encounter compatibility issues with newer hardware or software that requires the updated certificate chain. Windows will typically display security warnings, and in severe cases, the system may refuse to boot if Secure Boot is enabled and the certificates are completely expired.
How do I install the 2023 Secure Boot certificates if they're missing?
The 2023 Secure Boot certificates are typically installed through Windows Update. Run Windows Update and install all available updates, particularly those labeled as security updates or firmware updates. You can also manually download the certificates from Microsoft's website or use the Windows Update Catalog. In enterprise environments, administrators may deploy these certificates through Group Policy or configuration management tools.
Can I check Secure Boot certificates on Windows 10 and Windows 11?
Yes, the PowerShell commands and methods described work on both Windows 10 (version 1903 and later) and Windows 11. The certificate stores and UEFI interfaces are consistent across these versions. However, the Windows Security interface may look slightly different between versions, and some newer PowerShell cmdlets might have enhanced features in Windows 11.
Why do Secure Boot certificates need to be updated periodically?
Secure Boot certificates have expiration dates for security reasons, typically lasting 5-10 years. As certificates approach expiration, Microsoft releases updated certificates to maintain the chain of trust. Additionally, updates may address newly discovered vulnerabilities, revoke compromised certificates, or add support for new cryptographic algorithms. Regular updates ensure that the Secure Boot process remains secure and compatible with evolving hardware and software.
What should I do if certificate chain validation fails?
Certificate chain validation failures can indicate several issues: network connectivity problems preventing revocation checking, improperly installed certificates, or genuinely revoked certificates. First, ensure your internet connection is working and try again. If the problem persists, reinstall the latest Windows updates, check for BIOS/UEFI firmware updates, and verify that your system time is correct. In corporate environments, proxy settings or firewall rules might interfere with certificate validation.
#secure-boot#certificates#windows

About the Author

Emanuel DE ALMEIDA

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Last updated March 11, 2026

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...

Related Tutorials

IT administrator configuring USB blocking policies in Microsoft Intune admin center
Intermediate
Cybersecurity

How to Block USB Drives Using Microsoft Intune Attack Surface Reduction Policies

Configure Microsoft Intune Attack Surface Reduction policies to prevent USB drive access on Windows 10/11 devices, protecting against data breaches and malware threats through removable storage restrictions.

10 stepsMar 11, 2026
IT administrator configuring Windows LAPS with Microsoft Intune on multiple monitors
Intermediate
Cybersecurity

How to Set Up Windows LAPS with Microsoft Intune for Enhanced Security

Configure Windows Local Administrator Password Solution (LAPS) with Microsoft Intune to automatically manage and secure local administrator passwords across Windows devices in your organization.

6 stepsMar 11, 2026
Cybersecurity operations center with endpoint security monitoring dashboards and threat detection interfaces
Advanced
Cybersecurity

How to Implement EDR Hardening Against Malware Killers in 2026

Configure advanced tamper protection, process isolation, and behavioral monitoring in Microsoft Defender for Endpoint and CrowdStrike Falcon to prevent malware like BlackSanta from disabling your security tools.

8 stepsMar 11, 2026