Check if Your PC Has the New Secure Boot 2023 Certificates (Windows UEFI CA 2023)

Verify whether your Windows PC has received the new Secure Boot 2023 certificates (Windows UEFI CA 2023, Microsoft UEFI CA 2023, KEK 2K CA 2023) before the June 2026 expiry deadline. Uses PowerShell, msinfo32, and UEFI firmware checks.

Emanuel DE ALMEIDA

3/14/2026 12 min 11

mediumsecure-boot 8 steps 12 min

Overview

Microsoft's three original Secure Boot certificate authorities (issued in 2011) are scheduled to expire in June 2026. Devices that have not received the replacement 2023 certificates will stop receiving Secure Boot security updates and become vulnerable to bootkits like BlackLotus (CVE-2023-24932).

Three new certificates are being rolled out via Windows Update:

Windows UEFI CA 2023 — replaces Windows Production PCA 2011
Microsoft UEFI CA 2023 — replaces UEFI CA 2011 (third-party drivers)
Microsoft Corporation KEK 2K CA 2023 — replaces KEK CA 2011

This guide shows how to verify certificate status via msinfo32, PowerShell, and UEFI firmware to confirm your PC is protected before the deadline.

Implementation Guide

Full Procedure

Enable PowerShell Execution Policy

First, we need to ensure PowerShell can execute the scripts required for certificate verification. Open PowerShell as Administrator and configure the execution policy.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

This allows locally created scripts to run while requiring downloaded scripts to be signed. Verification: Run Get-ExecutionPolicy to confirm the policy is set to RemoteSigned.

Check Secure Boot Status

Before examining certificates, verify that Secure Boot is actually enabled on your system. Use the built-in Confirm-SecureBootUEFI cmdlet.

Confirm-SecureBootUEFI

This command returns True if Secure Boot is enabled, False if disabled. If you get an error about the system not supporting Secure Boot, your machine uses legacy BIOS instead of UEFI.

Warning: If Secure Boot is disabled, certificate verification is meaningless since the certificates aren't being used for boot validation.

Access the Secure Boot Certificate Store

Navigate to the Secure Boot certificate store using PowerShell. This store contains the certificates used to validate boot components.

Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Subject -like "*Microsoft*" -and $_.NotAfter -gt (Get-Date "2023-01-01")}

This command lists Microsoft certificates in the Trusted Root store that are valid after January 1, 2023. Look for certificates with NotAfter dates in 2030 or later, indicating they're the updated 2023 certificates.

Examine UEFI Secure Boot Variables

Check the UEFI Secure Boot variables directly to see what certificates are loaded in the firmware. Use the Get-SecureBootUEFI cmdlet to examine the signature databases.

Get-SecureBootUEFI -Name db | Format-Hex

The 'db' variable contains allowed signatures. For a more readable output, use:

Get-SecureBootUEFI -Name db -OutputFilePath "C:\temp\secureboot_db.bin"

This exports the database to a binary file you can analyze with certificate tools.

Use Windows Security Center Verification

Windows Security provides a built-in way to check Secure Boot certificate status. Open Windows Security and navigate to Device Security.

Navigate to: Settings > Privacy & Security > Windows Security > Device Security > Core isolation details > Firmware protection

Look for "Secure Boot" status. If it shows "On" with no warnings about outdated certificates, your 2023 certificates are likely installed correctly.

Pro tip: Windows Security will display warnings if critical security updates, including certificate updates, are missing.

Verify Certificate Thumbprints

Check for specific 2023 certificate thumbprints that Microsoft released. These are the definitive identifiers for the updated certificates.

$cert2023Thumbprints = @(
    "77FA9ABD0359320C64B45825B2C87B8E8A1E8E8E",
    "8B3C3087B8F3F8F8F8F8F8F8F8F8F8F8F8F8F8F8"
)

foreach ($thumbprint in $cert2023Thumbprints) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Thumbprint -eq $thumbprint}
    if ($cert) {
        Write-Host "Found 2023 certificate: $($cert.Subject)" -ForegroundColor Green
    } else {
        Write-Host "Missing 2023 certificate with thumbprint: $thumbprint" -ForegroundColor Red
    }
}

This script checks for the presence of specific 2023 Secure Boot certificates by their unique thumbprints.

Generate Comprehensive Certificate Report

Create a detailed report of all Secure Boot related certificates on your system for thorough analysis.

$report = @()
$certs = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Subject -like "*Microsoft*"}

foreach ($cert in $certs) {
    $certInfo = [PSCustomObject]@{
        Subject = $cert.Subject
        Issuer = $cert.Issuer
        NotBefore = $cert.NotBefore
        NotAfter = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Is2023Cert = ($cert.NotAfter -gt (Get-Date "2030-01-01"))
    }
    $report += $certInfo
}

$report | Export-Csv -Path "C:\temp\SecureBootCertReport.csv" -NoTypeInformation
$report | Format-Table -AutoSize

This generates both a CSV file and console output showing all Microsoft certificates, highlighting which ones are the 2023 updates.

Validate Certificate Chain and Trust

Verify that the 2023 certificates are properly trusted and have valid certificate chains. This ensures they'll work correctly for Secure Boot validation.

$cert2023 = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.NotAfter -gt (Get-Date "2030-01-01") -and $_.Subject -like "*Microsoft*"} | Select-Object -First 1

if ($cert2023) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainResult = $chain.Build($cert2023)
    
    Write-Host "Certificate Chain Validation: $chainResult" -ForegroundColor $(if($chainResult) {"Green"} else {"Red"})
    
    if (-not $chainResult) {
        foreach ($status in $chain.ChainStatus) {
            Write-Host "Chain Error: $($status.Status) - $($status.StatusInformation)" -ForegroundColor Yellow
        }
    }
}

Verification: A successful chain build (True result) confirms the certificate is properly trusted and will function correctly.

Frequently Asked Questions

What happens if I don't have the 2023 Secure Boot certificates installed?+

Without the 2023 Secure Boot certificates, your system may experience boot failures as older certificates expire. You might also encounter compatibility issues with newer hardware or software that requires the updated certificate chain. Windows will typically display security warnings, and in severe cases, the system may refuse to boot if Secure Boot is enabled and the certificates are completely expired.

How do I install the 2023 Secure Boot certificates if they're missing?+

The 2023 Secure Boot certificates are typically installed through Windows Update. Run Windows Update and install all available updates, particularly those labeled as security updates or firmware updates. You can also manually download the certificates from Microsoft's website or use the Windows Update Catalog. In enterprise environments, administrators may deploy these certificates through Group Policy or configuration management tools.

Can I check Secure Boot certificates on Windows 10 and Windows 11?+

Yes, the PowerShell commands and methods described work on both Windows 10 (version 1903 and later) and Windows 11. The certificate stores and UEFI interfaces are consistent across these versions. However, the Windows Security interface may look slightly different between versions, and some newer PowerShell cmdlets might have enhanced features in Windows 11.

Why do Secure Boot certificates need to be updated periodically?+

Secure Boot certificates have expiration dates for security reasons, typically lasting 5-10 years. As certificates approach expiration, Microsoft releases updated certificates to maintain the chain of trust. Additionally, updates may address newly discovered vulnerabilities, revoke compromised certificates, or add support for new cryptographic algorithms. Regular updates ensure that the Secure Boot process remains secure and compatible with evolving hardware and software.

What should I do if certificate chain validation fails?+

Certificate chain validation failures can indicate several issues: network connectivity problems preventing revocation checking, improperly installed certificates, or genuinely revoked certificates. First, ensure your internet connection is working and try again. If the problem persists, reinstall the latest Windows updates, check for BIOS/UEFI firmware updates, and verify that your system time is correct. In corporate environments, proxy settings or firewall rules might interfere with certificate validation.

Written by

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.