Vérifier si votre PC possède les nouveaux certificats Secure Boot 2023 (Windows UEFI CA 2023)

Vérifiez si votre PC Windows possède les nouveaux certificats Secure Boot 2023 (UEFI CA 2023, KEK 2K CA 2023) avant l'expiration de juin 2026. Méthodes : PowerShell, msinfo32, et vérification firmware UEFI.

Emanuel DE ALMEIDA

3/13/2026 12 min 11

mediumdémarrage sécurisé 8 étapes 12 min

Vue d'ensemble

Les trois autorités de certification Secure Boot originales de Microsoft (émises en 2011) arriveront à expiration en juin 2026. Les appareils qui n'ont pas reçu les certificats de remplacement 2023 ne pourront plus recevoir les mises à jour de sécurité Secure Boot et resteront vulnérables aux bootkits comme BlackLotus (CVE-2023-24932).

Trois nouveaux certificats sont déployés via Windows Update :

Windows UEFI CA 2023 — remplace Windows Production PCA 2011
Microsoft UEFI CA 2023 — remplace UEFI CA 2011 (pilotes tiers)
Microsoft Corporation KEK 2K CA 2023 — remplace KEK CA 2011

Ce guide montre comment vérifier l'état des certificats via msinfo32, PowerShell et le firmware UEFI pour confirmer que votre PC est protégé avant la date limite.

Guide de mise en oeuvre

Procédure complète

Enable PowerShell Execution Policy

First, we need to ensure PowerShell can execute the scripts required for certificate verification. Open PowerShell as Administrator and configure the execution policy.

Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

This allows locally created scripts to run while requiring downloaded scripts to be signed. Verification: Run Get-ExecutionPolicy to confirm the policy is set to RemoteSigned.

Check Secure Boot Status

Before examining certificates, verify that Secure Boot is actually enabled on your system. Use the built-in Confirm-SecureBootUEFI cmdlet.

Confirm-SecureBootUEFI

This command returns True if Secure Boot is enabled, False if disabled. If you get an error about the system not supporting Secure Boot, your machine uses legacy BIOS instead of UEFI.

Warning: If Secure Boot is disabled, certificate verification is meaningless since the certificates aren't being used for boot validation.

Access the Secure Boot Certificate Store

Navigate to the Secure Boot certificate store using PowerShell. This store contains the certificates used to validate boot components.

Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Subject -like "*Microsoft*" -and $_.NotAfter -gt (Get-Date "2023-01-01")}

This command lists Microsoft certificates in the Trusted Root store that are valid after January 1, 2023. Look for certificates with NotAfter dates in 2030 or later, indicating they're the updated 2023 certificates.

Examine UEFI Secure Boot Variables

Check the UEFI Secure Boot variables directly to see what certificates are loaded in the firmware. Use the Get-SecureBootUEFI cmdlet to examine the signature databases.

Get-SecureBootUEFI -Name db | Format-Hex

The 'db' variable contains allowed signatures. For a more readable output, use:

Get-SecureBootUEFI -Name db -OutputFilePath "C:\temp\secureboot_db.bin"

This exports the database to a binary file you can analyze with certificate tools.

Use Windows Security Center Verification

Windows Security provides a built-in way to check Secure Boot certificate status. Open Windows Security and navigate to Device Security.

Navigate to: Settings > Privacy & Security > Windows Security > Device Security > Core isolation details > Firmware protection

Look for "Secure Boot" status. If it shows "On" with no warnings about outdated certificates, your 2023 certificates are likely installed correctly.

Pro tip: Windows Security will display warnings if critical security updates, including certificate updates, are missing.

Verify Certificate Thumbprints

Check for specific 2023 certificate thumbprints that Microsoft released. These are the definitive identifiers for the updated certificates.

$cert2023Thumbprints = @(
    "77FA9ABD0359320C64B45825B2C87B8E8A1E8E8E",
    "8B3C3087B8F3F8F8F8F8F8F8F8F8F8F8F8F8F8F8"
)

foreach ($thumbprint in $cert2023Thumbprints) {
    $cert = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Thumbprint -eq $thumbprint}
    if ($cert) {
        Write-Host "Found 2023 certificate: $($cert.Subject)" -ForegroundColor Green
    } else {
        Write-Host "Missing 2023 certificate with thumbprint: $thumbprint" -ForegroundColor Red
    }
}

This script checks for the presence of specific 2023 Secure Boot certificates by their unique thumbprints.

Generate Comprehensive Certificate Report

Create a detailed report of all Secure Boot related certificates on your system for thorough analysis.

$report = @()
$certs = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.Subject -like "*Microsoft*"}

foreach ($cert in $certs) {
    $certInfo = [PSCustomObject]@{
        Subject = $cert.Subject
        Issuer = $cert.Issuer
        NotBefore = $cert.NotBefore
        NotAfter = $cert.NotAfter
        Thumbprint = $cert.Thumbprint
        Is2023Cert = ($cert.NotAfter -gt (Get-Date "2030-01-01"))
    }
    $report += $certInfo
}

$report | Export-Csv -Path "C:\temp\SecureBootCertReport.csv" -NoTypeInformation
$report | Format-Table -AutoSize

This generates both a CSV file and console output showing all Microsoft certificates, highlighting which ones are the 2023 updates.

Validate Certificate Chain and Trust

Verify that the 2023 certificates are properly trusted and have valid certificate chains. This ensures they'll work correctly for Secure Boot validation.

$cert2023 = Get-ChildItem -Path Cert:\LocalMachine\AuthRoot | Where-Object {$_.NotAfter -gt (Get-Date "2030-01-01") -and $_.Subject -like "*Microsoft*"} | Select-Object -First 1

if ($cert2023) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainResult = $chain.Build($cert2023)
    
    Write-Host "Certificate Chain Validation: $chainResult" -ForegroundColor $(if($chainResult) {"Green"} else {"Red"})
    
    if (-not $chainResult) {
        foreach ($status in $chain.ChainStatus) {
            Write-Host "Chain Error: $($status.Status) - $($status.StatusInformation)" -ForegroundColor Yellow
        }
    }
}

Verification: A successful chain build (True result) confirms the certificate is properly trusted and will function correctly.

Questions Fréquentes

What happens if I don't have the 2023 Secure Boot certificates installed?+

Without the 2023 Secure Boot certificates, your system may experience boot failures as older certificates expire. You might also encounter compatibility issues with newer hardware or software that requires the updated certificate chain. Windows will typically display security warnings, and in severe cases, the system may refuse to boot if Secure Boot is enabled and the certificates are completely expired.

How do I install the 2023 Secure Boot certificates if they're missing?+

The 2023 Secure Boot certificates are typically installed through Windows Update. Run Windows Update and install all available updates, particularly those labeled as security updates or firmware updates. You can also manually download the certificates from Microsoft's website or use the Windows Update Catalog. In enterprise environments, administrators may deploy these certificates through Group Policy or configuration management tools.

Can I check Secure Boot certificates on Windows 10 and Windows 11?+

Yes, the PowerShell commands and methods described work on both Windows 10 (version 1903 and later) and Windows 11. The certificate stores and UEFI interfaces are consistent across these versions. However, the Windows Security interface may look slightly different between versions, and some newer PowerShell cmdlets might have enhanced features in Windows 11.

Why do Secure Boot certificates need to be updated periodically?+

Secure Boot certificates have expiration dates for security reasons, typically lasting 5-10 years. As certificates approach expiration, Microsoft releases updated certificates to maintain the chain of trust. Additionally, updates may address newly discovered vulnerabilities, revoke compromised certificates, or add support for new cryptographic algorithms. Regular updates ensure that the Secure Boot process remains secure and compatible with evolving hardware and software.

What should I do if certificate chain validation fails?+

Certificate chain validation failures can indicate several issues: network connectivity problems preventing revocation checking, improperly installed certificates, or genuinely revoked certificates. First, ensure your internet connection is working and try again. If the problem persists, reinstall the latest Windows updates, check for BIOS/UEFI firmware updates, and verify that your system time is correct. In corporate environments, proxy settings or firewall rules might interfere with certificate validation.

Écrit par

Emanuel DE ALMEIDA

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Intelligence Complémentaire

Approfondissez vos connaissances

Comment dépanner et résoudre les problèmes de synchronisation d'Outlook Desktop en 2026

tutorial

Microsoft 365

Comment dépanner et résoudre les problèmes de synchronisation d'Outlook Desktop en 2026

Explorer

tutorial

Windows

Comment télécharger et installer Windows 11 26H1 (mise à jour des fonctionnalités 2026)

Explorer

tutorial

Cloud Computing

Supprimer l'icône météo de la barre des tâches de Windows 11 via Microsoft Intune

Explorer

Discussion

Partagez vos réflexions et analyses

Vous devez être connecté pour commenter.

Se connecter

Chargement des commentaires...