
© Securetron Inc. All rights reserved.


How to update Windows Secure Boot Certificate

About Secure Boot

Secure Boot enforces a chain of trust by checking signatures against certificates stored in firmware (DB/KEK/PK). The 2011 Microsoft UEFI CA certificates begin expiring in June 2026; systems that do not receive the replacement certificates will enter a degraded security state and may lose future boot‑time protections.

What Microsoft is doing and timeline

Microsoft published guidance and began a phased rollout of the Windows UEFI CA 2023 certificate family via Windows Update and platform compatibility checks; OEM firmware updates are used where required. Most supported Windows 11 devices should receive the update automatically through Windows Update; some older devices may require OEM firmware updates or manual admin deployment.

How to check certificate status (quick steps)

  1. Run PowerShell as Administrator.

  2. Check the active DB for the new CA:

    ```powershell
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
    ```

    If it returns True, the new CA is present in the active DB.
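The substring match above tells you whether the 2023 CA string appears in the DB bytes, but not which certificates are present or when each one expires. The following script is an added example (not part of the original page) that parses the EFI_SIGNATURE_LIST structures returned by Get-SecureBootUEFI according to the UEFI specification layout and lists every X.509 certificate in a variable with its subject and expiry. It assumes a UEFI system, an elevated prompt, and the standard EFI_CERT_X509_GUID value; the function and variable names are my own.

```powershell
# Get-SecureBootCertificates.ps1 (added example; not from the original page)
# Parses the EFI_SIGNATURE_LIST structures in a Secure Boot variable and lists
# every X.509 certificate with its subject and expiry, so you can confirm which
# CAs are present and when they expire instead of relying on a substring match.
# Run elevated on a UEFI system. Layout follows the UEFI specification:
#   EFI_SIGNATURE_LIST: SignatureType GUID(16) | SignatureListSize u32 |
#                       SignatureHeaderSize u32 | SignatureSize u32 | header | entries
#   EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData (DER cert for X.509 lists)

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificates {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('db', 'dbx', 'KEK', 'PK')]
        [string]$Variable
    )
    [byte[]]$data = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    $offset = 0
    while ($offset + 28 -le $data.Length) {
        $sigType    = [guid]::new([byte[]]($data[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($data, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($data, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($data, $offset + 24)
        $listEnd    = $offset + $listSize
        # Stop on a malformed list rather than looping forever or reading past the buffer
        if ($listSize -lt 28 -or $listEnd -gt $data.Length -or $sigSize -le 16) { break }

        $sigOffset = $offset + 28 + $headerSize
        while ($sigOffset + $sigSize -le $listEnd) {
            $owner   = [guid]::new([byte[]]($data[$sigOffset..($sigOffset + 15)]))
            $payload = [byte[]]($data[($sigOffset + 16)..($sigOffset + $sigSize - 1)])
            if ($sigType -eq $EfiCertX509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($payload)
                [PSCustomObject]@{
                    Variable   = $Variable
                    Subject    = $cert.Subject
                    NotBefore  = $cert.NotBefore
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Owner      = $owner
                }
            }
            # Hash-type lists (for example SHA-256 entries in dbx) are skipped here
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

# Usage: list db and KEK certificates by expiry and warn on anything expiring within a year
$certs = 'db', 'KEK' | ForEach-Object { Get-SecureBootCertificates -Variable $_ }
$certs | Sort-Object NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize
$certs | Where-Object { $_.NotAfter -lt (Get-Date).AddYears(1) } |
    ForEach-Object { Write-Warning "$($_.Variable): '$($_.Subject)' expires $($_.NotAfter.ToShortDateString())" }
```

Reading NotAfter directly from the parsed certificates lets you see the 2011 entries approaching their June 2026 expiry alongside any 2023 entries already written, which is a more reliable inventory signal than a single -match on raw bytes.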

Fleet inventory script (PowerShell)

Use this script to detect Secure Boot state and whether the Windows UEFI CA 2023 entry exists in the active DB. Run as Administrator.

```powershell
# Inventory-SecureBootCerts.ps1
# Reads one hostname per line from computers.txt, queries each host over WinRM,
# and writes one CSV row per host with Secure Boot state and 2023 CA presence.
$computers = Get-Content -Path .\computers.txt
$results = foreach ($c in $computers) {
  try {
    $session = New-PSSession -ComputerName $c -ErrorAction Stop
    Invoke-Command -Session $session -ErrorAction Stop -ScriptBlock {
      # Raw DB variable bytes; the 2023 CA subject name appears as ASCII inside the DER data
      $sb = Get-SecureBootUEFI -Name db -ErrorAction Stop
      $dbText = [System.Text.Encoding]::ASCII.GetString($sb.Bytes)
      [PSCustomObject]@{
        Computer = $env:COMPUTERNAME
        # Confirm-SecureBootUEFI returns $true/$false; the SetupMode variable has no SecureBoot property
        SecureBootEnabled = Confirm-SecureBootUEFI
        Has2023CA = ($dbText -match 'Windows UEFI CA 2023')
        # Collapse whitespace so the (mostly binary) DB text fits in one CSV cell
        DBSummary = (($dbText -replace "`r`n", ' ') -replace '\s{2,}', ' ')
        Error = ''
      }
    }
    Remove-PSSession -Session $session
  } catch {
    # Same property set as the success row so Export-Csv keeps every column
    [PSCustomObject]@{ Computer = $c; SecureBootEnabled = $null; Has2023CA = $null; DBSummary = ''; Error = $_.Exception.Message }
  }
}
$results |
  Select-Object Computer, SecureBootEnabled, Has2023CA, DBSummary, Error |
  Export-Csv -Path .\SecureBootInventory.csv -NoTypeInformation
```

Notes: Get-SecureBootUEFI is the supported cmdlet to read UEFI Secure Boot variables; remote execution requires WinRM and admin rights. Test on a small set before broad runs.

Update paths and procedures

  • Automatic via Windows Update: Microsoft is distributing the replacement certificates through Windows Update for eligible devices; ensure Windows Update is current.

  • OEM firmware update: If Windows Update cannot write the new DB/KEK into firmware, the OEM must provide a firmware (UEFI) update that includes the new CA. Check your vendor support pages (Dell, HP, Lenovo, etc.).

  • Enterprise deployment: Administrators can deploy certificate updates using Group Policy, PowerShell scripts, or Windows Configuration Service (WinCS) to push DB updates to domain‑joined machines. Test in a lab before mass deployment.

GPO / WinCS deployment (high level)

  1. Prerequisites: Ensure devices are on supported Windows builds and have telemetry/diagnostics required by Microsoft’s OS‑driven update path. Coordinate OEM firmware updates for devices that block DB writes.

  2. GPO method (recommended for on‑prem AD):

    • Create a new GPO under Computer Configuration → Administrative Templates → Windows Components → Secure Boot.

    • Enable the policy “Enable Secure Boot certificate updates” and configure the cadence (test → pilot → broad). Link to an OU with test machines first.

  3. WinCS / Intune: Use the Windows Configuration Service (WinCS) or Intune Settings Catalog profile Microsoft published to opt devices into the OS‑driven rollout and to collect status telemetry.

Testing, monitoring, and rollback

  • Test on representative hardware and VMs; verify that Has2023CA is True and check the Event Viewer Secure Boot / TPM‑WMI logs for status.

  • ESP space issues: Some updates fail if the EFI System Partition lacks free space; coordinate with OEMs and use firmware updates where necessary.

  • Rollback: Document firmware and OS restore steps; GPO changes are reversible but firmware DB writes may be irreversible on some platforms.

Troubleshooting and logs

  • Look in Event Viewer for Secure Boot and TPM‑WMI events (compatibility checks and status messages, identified by Event ID) during rollout; informational messages are common during staged updates.

  • If a device fails to accept the new CA, check firmware Secure Boot settings and contact OEM for a firmware update.
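The testing and troubleshooting items above (verifying Secure Boot state and the 2023 CA, checking ESP free space, and reviewing TPM‑WMI events) can be folded into one pre-flight check for a pilot machine. The script below is an added example, not part of the original page: it assumes an elevated prompt on a UEFI system, uses the standard EFI System Partition GPT type GUID to locate the ESP, and assumes the event provider name 'Microsoft-Windows-TPM-WMI' in the System log; the function name, the 50 MB free-space threshold and the seven-day lookback are my own choices.

```powershell
# Test-SecureBootReadiness.ps1 (added example; not part of the original page)
# One-shot pre-flight check for a pilot device before opting it into the
# certificate rollout: Secure Boot state, 2023 CA presence, ESP free space,
# and a count of recent TPM-WMI events by ID. Run elevated on a UEFI system.

$EspGptType = '{c12a7328-f81f-11d2-ba4b-00a0c93ec93b}'   # standard EFI System Partition GPT type

function Test-SecureBootReadiness {
    param(
        [int]$LookbackDays = 7,     # assumed window for event review
        [int]$MinEspFreeMB = 50     # assumed threshold; adjust to your OEM/Microsoft guidance
    )

    # $null means the cmdlet is unsupported here (legacy BIOS or no Secure Boot support)
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $has2023 = $false
    if ($secureBoot -ne $null) {
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $has2023 = [bool]($dbText -match 'Windows UEFI CA 2023')
    }

    # Free space on the EFI System Partition; some updates fail when it is nearly full
    $espFreeMB = $null
    try {
        $esp = Get-Partition | Where-Object GptType -eq $EspGptType | Select-Object -First 1
        if ($esp) { $espFreeMB = [math]::Round(($esp | Get-Volume).SizeRemaining / 1MB, 1) }
    } catch { }

    # Summarise recent TPM-WMI events as "ID x count" so staged-update noise is visible at a glance
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'   # assumed provider name as shown in Event Viewer
        StartTime    = (Get-Date).AddDays(-$LookbackDays)
    } -ErrorAction SilentlyContinue
    $eventSummary = ($events | Group-Object Id | ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ';'

    [PSCustomObject]@{
        Computer          = $env:COMPUTERNAME
        SecureBootEnabled = $secureBoot
        Has2023CA         = $has2023
        EspFreeMB         = $espFreeMB
        EspSpaceOK        = ($espFreeMB -ne $null -and $espFreeMB -ge $MinEspFreeMB)
        TpmWmiEvents      = $eventSummary
        NeedsUpdate       = ($secureBoot -eq $true -and -not $has2023)
    }
}

# Usage: run on a pilot machine and keep the output with the pilot's test record
Test-SecureBootReadiness | Format-List
```

A device with SecureBootEnabled True, NeedsUpdate True and EspSpaceOK True is a reasonable pilot candidate; a False EspSpaceOK or a null SecureBootEnabled points to the ESP-space or OEM-firmware paths described above before any GPO or WinCS opt-in.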