Since January 2026, Microsoft has been quietly rolling out new Secure Boot certificates through Windows Update. Known as Windows UEFI CA 2023, these certificates replace the original 2011 certificates that are set to expire in June 2026.
For most modern PCs, the transition happened automatically in the background. No alerts. No required action. Just a silent security update.
However, on some systems—especially older PCs—the update may have failed or been blocked due to:
- Full or corrupted NVRAM
- Outdated or buggy UEFI firmware
- Missing BIOS updates
- Secure Boot being disabled
The result? Your PC may appear fully updated, but your Secure Boot certificates might still be outdated.
Here’s how to quickly verify whether your system has received the new Windows UEFI CA 2023 certificates, using PowerShell or the Windows Registry.
Why the 2023 Secure Boot Certificates Matter
Secure Boot ensures that only trusted, digitally signed software can load during system startup. When the 2011 certificates expire in June 2026, systems that haven’t transitioned to the 2023 certificates could face:
- Boot failures
- Compatibility issues with updated bootloaders
- Reduced firmware-level security
That’s why verifying your Secure Boot certificate status now is a smart move.
Method 1: Check Active Secure Boot Certificates with PowerShell (Recommended)
This is the fastest and most reliable method. It checks the active Secure Boot database (db) — the certificates currently used to validate your system’s boot process.
Step-by-Step Instructions
- Right-click the Start menu (or press Win + X).
- Select Terminal (Admin) or Windows PowerShell (Admin).
- Copy and paste the following command, then press Enter:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

What the Result Means
- True → The 2023 Secure Boot certificates are installed and active. You’re fully protected.
- False → Your PC has not yet received the new certificates.
This is the most important check. If this returns True, you’re safe—even if other checks suggest otherwise.
Method 2: Check If the Certificates Are Embedded in Firmware
This second test goes a step further. It checks the default Secure Boot database (dbdefault) stored in your system firmware.
Why does this matter?
If the certificates are embedded in firmware, your PC will retain support for the 2023 certificates even if Secure Boot settings are reset in BIOS.
How to Run the Firmware Check
Open PowerShell as Administrator again and run:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

Results Explained
- True → The 2023 certificates are integrated directly into your BIOS/UEFI firmware.
- False → The firmware does not contain the new certificates natively.
Important: A False result here is not necessarily a problem. Many older PCs simply haven’t received BIOS updates that embed the certificates. If the first PowerShell command returned True, your system is still secure.
What to Do If PowerShell Returns False
If the first command (active database check) returns False, your system has not yet installed the new certificates.
Here’s what to verify:
1️⃣ Check Your Windows Version
- Windows 11: You must be running version 24H2 or newer.
- Windows 10: You must be enrolled in the Extended Security Updates (ESU) program, which remains free for individuals until October 13, 2026.
To check your version:
- Press Win + R
- Type winver
- Press Enter
2️⃣ Confirm Secure Boot Is Enabled
If Secure Boot is disabled, the certificate update won’t apply.
To check:
- Press Win + R
- Type msinfo32
- Look for Secure Boot State
It must show On.
3️⃣ Look for a BIOS/UEFI Firmware Update
Older PCs often require a firmware update before the new certificates can be installed.
Visit your manufacturer’s support page:
- Dell
- HP
- Lenovo
- ASUS
- MSI
- Acer
Check the BIOS release notes. Some vendors explicitly mention:
“This BIOS contains the new 2023 Secure Boot Certificates.”
If available, install the update carefully following the manufacturer’s instructions.
4️⃣ If Everything Looks Correct…
If your system meets all requirements and still shows False, don’t panic.
Microsoft is deploying the 2023 Secure Boot certificates gradually via Windows Update. You may simply need to wait a few weeks and check again.
Advanced Method: Verify Deployment Status in the Windows Registry
This method is primarily intended for IT administrators and enterprise environments managing multiple machines.
How to Access the Registry Key
- Press Win + R
- Type regedit
- Navigate to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

Inside this key, look for two values:
UEFICA2023Status
This is the primary deployment indicator.
Possible values:
- NotStarted → Update has not begun
- InProgress → Update is currently being applied
- Updated → 2023 certificates successfully installed
⚠️ Important: On some newer PCs that shipped with 2023 certificates preinstalled, this value may remain NotStarted even though the system is already updated. In that case, rely on the PowerShell check instead.
WindowsUEFICA2023Capable
This secondary value reflects certificate detection status:
- 0 (or missing key) → Certificate not present
- 1 → Certificate present in Secure Boot database
- 2 → Certificate present and system boots using the new 2023 boot manager
Microsoft recommends using UEFICA2023Status for most deployment scenarios. Manually editing these values does nothing—they only reflect the actual system state.
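For administrators checking many machines, the PowerShell and registry checks described above can be combined into one status object. This is an added example, not code from the original article or from Microsoft; the function name Get-UefiCa2023Status and the verdict strings are assumptions, while the registry path, value names and the marker string are the ones given on this page.

```powershell
# Added example (not from the original article). Run in an elevated session.
function Get-UefiCa2023Status {    # hypothetical helper name
    $marker = 'Windows UEFI CA 2023'
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

    # Returns $true/$false, or $null when the variable cannot be read.
    $hasMarker = {
        param($variable)
        try {
            $bytes = (Get-SecureBootUEFI -Name $variable -ErrorAction Stop).Bytes
            [System.Text.Encoding]::ASCII.GetString($bytes) -match $marker
        } catch { $null }
    }

    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }
    $inDb       = & $hasMarker 'db'
    $inDefault  = & $hasMarker 'dbdefault'
    $reg        = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # The active db is authoritative: the registry status can stay NotStarted
    # on machines that shipped with the 2023 certificates preinstalled.
    $verdict = if ($inDb) {
        'Updated'
    } elseif ($null -eq $inDb) {
        'Unknown: db not readable (not elevated, or not a UEFI system)'
    } elseif ($secureBoot -eq $false) {
        'Pending: enable Secure Boot'
    } elseif ($reg.UEFICA2023Status -eq 'InProgress') {
        'Pending: update in progress'
    } else {
        'Pending: check Windows version and firmware, or wait for rollout'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        SecureBootOn = $secureBoot
        InActiveDb   = $inDb
        InFirmwareDb = $inDefault
        RegStatus    = $reg.UEFICA2023Status
        RegCapable   = $reg.WindowsUEFICA2023Capable
        Verdict      = $verdict
    }
}

Get-UefiCa2023Status | Format-List
```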
Why Older PCs Are More Likely to Have Issues
Systems released before 2018–2019 are more likely to encounter problems due to:
- Limited NVRAM storage
- Firmware that cannot accommodate updated certificate databases
- Lack of ongoing BIOS support
In such cases, manufacturer firmware updates are critical.
Conclusion:
Checking your Secure Boot certificate status takes less than a minute using PowerShell—and it can prevent major headaches before June 2026.
If the command returns True, your system is ready for the 2026 certificate expiration and beyond.
If it returns False, follow the troubleshooting steps:
- Update Windows
- Enable Secure Boot
- Check for BIOS updates
- Wait for Windows Update rollout
In most cases, there’s no urgent issue—just a phased deployment process.
Taking a few minutes to verify today ensures your PC remains secure, bootable, and compliant with Microsoft’s upcoming security requirements.