Windows Secure Boot Certificates Expiring June 2026
Microsoft Secure Boot is a UEFI (Unified Extensible Firmware Interface) technology based on certificates. It was established when Windows 8 and Windows Server 2012 were released, and it is still used in Windows 10 and 11 and in all versions of Windows Server since then: 2012 R2, 2016, 2019, 2022 and 2025.
The Secure Boot technology is based on several certificates:
- PK – Platform Key, typically from the computer manufacturer
- KEK – Key Exchange Key, which most of the time is the Microsoft KEK
- DB – Allowed Signature Database
- DBX – Disallowed Signature Database
Certificates that Microsoft has for UEFI
- Microsoft Corporation KEK CA 2011, which expires June 2026
  - replaced by Microsoft Corporation KEK 2K CA 2023; this certificate is stored in KEK
  - signs updates to DB and DBX
- Microsoft Windows Production PCA 2011, which expires October 2026
  - replaced by Microsoft UEFI CA 2023; this certificate is stored in DB
  - used for signing the Windows boot loader
- Microsoft UEFI CA 2011, which expires June 2026
  - replaced by Microsoft UEFI CA 2023; this certificate is stored in DB
  - used by third-party boot loaders, EFI applications and option ROMs
What does it mean if your computer does not update or cannot update to the new 2023 certificates?
Windows devices that do not have the 2023 certificates will no longer receive security fixes for pre-boot components – which compromises Windows boot security protections.
Does my Windows installation have secure boot enabled?
- Option 1: press Windows Key + R to open Run, erase anything in that box, type msinfo32 and click OK. On the System Summary page, look for Secure Boot State.
- Option 2: check HKLM\SYSTEM\ControlSet001\Control\SecureBoot\State, value UEFISecureBootEnabled. If it is 1, UEFI Secure Boot is enabled; if it is 0, UEFI Secure Boot is not enabled.
How can I check if the UEFI Secure Boot Certificates have been updated to the new 2023 certificates?
- Dell has a couple of PowerShell scripts to check your system; they work on PCs from all manufacturers. See "How To Check Secure Boot Certificates | Dell US".
- Check the Event Log and look for Event ID 1034 (Secure Boot Dbx update applied successfully) and Event ID 1808 (informational event that the new Secure Boot certificates were applied). The latest change was in the February 2026 security updates.
- Event ID 1801 indicates that the updated certificates have not been applied to the device.
- My Windows Software Version Check Utility – must be Run as Administrator so it can check the certificate. If it is not run as administrator, it will not be able to show anything about the certificates.
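The three checks above (registry state, certificate presence, event IDs) combined into one elevated PowerShell script, as an added example that is not from the original page or from Dell's scripts. The helper name Test-SecureBootCertificate is hypothetical, and the System log / Microsoft-Windows-TPM-WMI provider used for the event query is an assumption not stated on this page.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page or from Dell's scripts.

# 1. Secure Boot state, read from the registry value named on this page.
$stateKey = 'HKLM:\SYSTEM\ControlSet001\Control\SecureBoot\State'
$state = (Get-ItemProperty -Path $stateKey -ErrorAction SilentlyContinue).UEFISecureBootEnabled
Write-Output ("Secure Boot enabled: {0}" -f ($state -eq 1))

# 2. Presence test: does a firmware variable contain a given certificate name?
#    Test-SecureBootCertificate is a hypothetical helper name. It searches the raw
#    variable bytes for the subject string; it does not parse or validate the cert.
function Test-SecureBootCertificate {
    param([string]$Variable, [string]$CertificateName)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        return 'unreadable'   # legacy BIOS boot or variable not exposed
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    if ($text -match [regex]::Escape($CertificateName)) { 'present' } else { 'missing' }
}

# Certificate names and their stores as listed on this page.
$checks = @(
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' }
)
foreach ($c in $checks) {
    $result = Test-SecureBootCertificate -Variable $c.Variable -CertificateName $c.Name
    Write-Output ("{0,-4} {1,-40} {2}" -f $c.Variable, $c.Name, $result)
}

# 3. Recent Secure Boot update events (IDs from this page). Assumption: they are
#    logged to the System log by the Microsoft-Windows-TPM-WMI provider.
$meaning = @{
    1034 = 'DBX update applied successfully'
    1801 = 'updated certificates not applied'
    1808 = 'new Secure Boot certificates applied'
}
Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1034, 1801, 1808
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ Name = 'Meaning'; Expression = { $meaning[[int]$_.Id] } }
```

A result of 'missing' together with a recent Event ID 1801 is the combination that indicates the device still needs the firmware or Windows updates described below.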
What do I need to do, or is there anything people need to do to get these updates?
- Check for updates from your PC manufacturer, primarily BIOS updates, which provide the updated 2023 Secure Boot certificates. Check again for new updates; some manufacturers have released more than one update for this purpose.
- Keep your version of Windows current with the latest Microsoft Windows software updates, as additional updates have been released for this change; the latest was in the February 2026 Security Update.
- Some computers are also getting a Secure Boot Allowed Key Exchange Key (KEK) Update. If that update is offered, install it to allow it to update the KEK database in Windows.
What if I do not get the update?
- Your system should continue to start and operate after the expiration in June 2026, but it will not be able to receive new security protections for the early boot process. That means no updates for Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot-level vulnerabilities.
- Computers with Secure Boot not enabled will not get these updates.
- Windows 10 computers without Extended Security Update will not receive the update.
- If it is after the expiration and the computer has not applied the updates, and the system is able to obtain updates for that version of Windows, the certificates will be updated when the cumulative security updates are installed.