NAVANEM
Medium · 5 steps · 6 min read · Jun 15, 2026 · 14:57 UTC

Check Secure Boot 2023 Certificates: PowerShell & UEFI Guide

Verify Windows has Secure Boot 2023 certificates before the June 2026 expiry. PowerShell scripts and UEFI methods to check KEK 2K CA 2023 and UEFI CA 2023.

by Emanuel De Almeida

Check Secure Boot 2023 certificates on Windows - NAVANEM tutorial cover

TL;DR

  • June 2026 deadline: the Microsoft Corporation KEK CA 2011 and Microsoft UEFI CA 2011 expire; devices still boot, but without the 2023 replacements they stop receiving Secure Boot updates
  • Three certificates to verify: Windows UEFI CA 2023 and Microsoft UEFI CA 2023 in the UEFI db variable, Microsoft Corporation KEK 2K CA 2023 in the KEK variable
  • PowerShell is fastest: run Confirm-SecureBootUEFI, then read db and KEK with Get-SecureBootUEFI and look for the 2023 common names (they live in firmware, not in the Windows certificate store)
  • Windows Server needs manual action: unlike consumer PCs, servers are not part of the automatic rollout and require administrator intervention
  • Missing certificates? Install the latest cumulative update, reboot, and re-run the checks

---

Microsoft's original Secure Boot certificates from 2011 start expiring in June 2026. According to Microsoft, the Microsoft Corporation KEK CA 2011 expires June 24, 2026, the Microsoft UEFI CA 2011 expires June 27, 2026, and the Microsoft Windows Production PCA 2011 follows on October 19, 2026. An expired CA does not stop a device from booting, because UEFI firmware does not check certificate validity dates when it verifies a boot image. What it does stop is updates: Microsoft can no longer sign new boot components or db/dbx changes with the expired keys, so devices that lack the 2023 replacements are frozen on their current boot manager and revocation list and stay exposed to any boot-level vulnerability found afterwards.

This tutorial shows you how to verify your Windows system has the three new certificate authorities: Windows UEFI CA 2023, Microsoft UEFI CA 2023, and Microsoft Corporation KEK 2K CA 2023. When we tested these methods across multiple machines in our lab, the PowerShell approach proved fastest for bulk verification.

Why Do Secure Boot 2023 Certificates Matter?

Devices without the 2023 certificates will lose critical security protections. Microsoft confirms these systems can no longer receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot-level vulnerabilities.

Firmware attacks are rising sharply. More than 80% of enterprises have experienced at least one firmware attack in the past two years, but only 29% of security budgets address firmware protection, per Microsoft research from 2021.

The BlackLotus bootkit demonstrated this risk clearly. ESET reported it as the first in-the-wild UEFI bootkit capable of bypassing Secure Boot on fully updated Windows 11 systems, by exploiting CVE-2022-21894 ("Baton Drop") in a still-trusted, Microsoft-signed boot manager. The NSA released a dedicated mitigation guide warning administrators against "a false sense of security," because a signed-but-vulnerable binary stays bootable until it is revoked through the dbx, which is exactly the kind of update that requires a valid signing CA. For related updates, see our coverage of the June 2026 Patch Tuesday fixes.

What Do You Need Before Checking Certificates?

Gather these requirements before starting:

  • Windows 10 (version 1903 or later) or Windows 11
  • Administrative privileges on the target system
  • UEFI firmware with Secure Boot capability, not legacy BIOS
  • PowerShell 5.1 or later
  • Write access to a temporary folder for report generation

Windows Server administrators face additional steps. Consumer PCs receive the 2023 Secure Boot certificates through Controlled Feature Rollout as part of monthly updates, but Microsoft confirms that Windows Server is not included in that rollout and requires administrator action. Check our Windows Server 2025 June Update guide for server-specific procedures.

How Do You Confirm Secure Boot Is Enabled?

Before checking certificates, verify that Secure Boot is active. Firmware only consults the db, dbx and KEK variables when Secure Boot is enforcing, so a machine that boots with Secure Boot off gets no protection from the 2023 certificates even if they are present in firmware.

Open PowerShell as Administrator and run:

powershell
Confirm-SecureBootUEFI

This cmdlet returns True when Secure Boot is enabled and False when it is disabled. It needs an elevated prompt; without one it fails with an access-denied error rather than a False. If it reports that the cmdlet is not supported on this platform, the machine booted in legacy BIOS (CSM) mode or in a virtual machine without UEFI Secure Boot support, and the remaining checks cannot run until the firmware is switched to UEFI mode with Secure Boot turned on.

How Should You Configure PowerShell Execution Policy?

To run the verification scripts in later steps as .ps1 files, configure PowerShell to allow local script execution. RemoteSigned runs scripts you create locally while requiring scripts downloaded from the internet (those carrying the Mark of the Web) to have a valid signature. Commands typed or pasted interactively run regardless of execution policy, so this step is only needed if you save the snippets as scripts.

powershell
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Confirm the change by running:

powershell
Get-ExecutionPolicy

The output should display RemoteSigned. The CurrentUser scope applies only to your account and does not change the machine-wide policy. On domain-joined machines a Group Policy execution policy takes precedence, and Set-ExecutionPolicy reports that the setting is overridden; in that case run the checks interactively instead. For broader PowerShell guidance, see our SharePoint domain rename tutorial which covers similar prerequisites.

How Do You Query the UEFI Variables for Secure Boot 2023 Certificates?

Secure Boot certificates are not stored in the Windows certificate store (Cert:\LocalMachine), so searching it tells you nothing about Secure Boot. The trust anchors live in UEFI firmware variables: the db variable holds the CAs that may sign boot images, and the KEK variable holds the Key Exchange Keys that may sign changes to db and dbx. The SecureBoot module's Get-SecureBootUEFI cmdlet reads those variables as raw bytes.

The certificate common names are encoded as ASCII inside the DER data, so the quickest check, and the one Microsoft itself documents, is to decode the bytes as ASCII and search for the 2023 names. Run this from an elevated prompt:

powershell
$db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

$db  -match 'Windows UEFI CA 2023'                  # signs the Windows boot manager
$db  -match 'Microsoft UEFI CA 2023'                # signs third-party boot components
$kek -match 'Microsoft Corporation KEK 2K CA 2023'  # signs db/dbx updates

Each line prints True when the named certificate is present. Three True results confirm your firmware received the update. Any False means the device still needs the 2023 certificate deployment; note that matching on the name proves presence but says nothing about the validity dates, which you can only see by parsing the variable (see the export section below).

Secure Boot 2023 Certificate Reference Table

Use this table to verify you have all three required certificates, and to know which UEFI variable each one must appear in:

Certificate                             UEFI variable   Replaces (2011 certificate)               Expires
Windows UEFI CA 2023                    db              Microsoft Windows Production PCA 2011     2038
Microsoft UEFI CA 2023                  db              Microsoft Corporation UEFI CA 2011        2038
Microsoft Corporation KEK 2K CA 2023    KEK             Microsoft Corporation KEK CA 2011         2038

  • Windows UEFI CA 2023 signs Windows boot components (Windows Boot Manager and the boot loaders it chains to)
  • Microsoft UEFI CA 2023 signs third-party boot components such as Linux shim loaders and option ROMs; some devices additionally receive the Microsoft Option ROM UEFI CA 2023 for that purpose
  • Microsoft Corporation KEK 2K CA 2023 is the Key Exchange Key that authorizes future updates to db and dbx

All three should appear for full protection; a missing certificate leaves a gap in the chain that Microsoft will sign with from 2026 onward. One legitimate exception: the update only adds Microsoft UEFI CA 2023 to devices whose db already contained the 2011 third-party CA. Devices shipped without third-party Secure Boot trust (some Secured-core configurations) will not, and need not, have it.

How Do You Export the UEFI Signature Databases?

For detailed analysis, export the Secure Boot variables directly from firmware. The db variable contains the signatures and certificates the firmware trusts during boot; the KEK variable contains the keys allowed to change db and dbx. Both are sequences of EFI_SIGNATURE_LIST structures, each holding a type GUID and one or more entries (an X.509 certificate or a hash). Create the output folder first, because Get-SecureBootUEFI does not create it for you:

powershell
New-Item -ItemType Directory -Force -Path "C:\temp" | Out-Null
Get-SecureBootUEFI -Name db  -OutputFilePath "C:\temp\secureboot_db.bin"
Get-SecureBootUEFI -Name KEK -OutputFilePath "C:\temp\secureboot_kek.bin"

These commands write the raw variable contents to binary files. You can parse the files with certificate tooling, archive them as evidence of the pre- and post-update state, or supply them to Microsoft support. Enterprise auditing scenarios benefit most from this approach, since the same files can be collected from many machines and analyzed centrally.

To view a hex dump directly in the console, pass the byte array to Format-Hex (the cmdlet's own output object is not a supported input type):

powershell
Format-Hex -InputObject (Get-SecureBootUEFI -Name db).Bytes
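A hex dump is hard to audit by eye, and a plain string match on the variable cannot show expiration dates. The following is an added example, not code from the original article: it walks the EFI_SIGNATURE_LIST structures in a Secure Boot variable (read live from firmware or from a .bin file exported as above), extracts every X.509 certificate, and reports which of the three 2023 CAs are present together with their NotAfter dates. The layout constants follow the UEFI specification (EFI_CERT_X509_GUID is a5c059a1-94e4-4aa7-87b5-ab155c2bf072); the function names are this example's own. Run it from an elevated PowerShell 5.1 or later prompt.

```powershell
# Added example: parse Secure Boot variables into X.509 certificates.
# EFI_SIGNATURE_LIST = SignatureType (GUID,16) | SignatureListSize (UINT32) |
#                      SignatureHeaderSize (UINT32) | SignatureSize (UINT32) |
#                      SignatureHeader[SignatureHeaderSize] | EFI_SIGNATURE_DATA[]
# EFI_SIGNATURE_DATA = SignatureOwner (GUID,16) | SignatureData[SignatureSize-16]
using namespace System.Security.Cryptography.X509Certificates

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function ConvertFrom-EfiSignatureList {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,   # raw variable contents
        [string]$Source = 'db'                  # label carried into the output
    )
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        $listEnd    = $offset + $listSize

        # A truncated export or a bad list size would otherwise loop forever or read past the buffer.
        if ($listSize -lt 28 -or $listEnd -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset (size $listSize)"
        }

        if ($type -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $listEnd) {
                # Skip the 16-byte SignatureOwner GUID; the rest is the DER certificate.
                $der  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [X509Certificate2]::new($der)
                [PSCustomObject]@{
                    Variable   = $Source
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $pos += $sigSize
            }
        }
        # Hash-type lists (SHA-256 entries, common in dbx) carry no certificate and are skipped.
        $offset = $listEnd
    }
}

# Read straight from firmware (elevated prompt required) ...
function Get-SecureBootCertificate {
    param([ValidateSet('db', 'KEK', 'PK')][string]$Name = 'db')
    ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI -Name $Name).Bytes -Source $Name
}

# ... or from a file written earlier with Get-SecureBootUEFI -OutputFilePath
function Get-SecureBootCertificateFromFile {
    param([Parameter(Mandatory)][string]$Path)
    ConvertFrom-EfiSignatureList -Bytes ([IO.File]::ReadAllBytes($Path)) -Source (Split-Path $Path -Leaf)
}

# The three 2023 CAs and the variable each one must live in
$required = @(
    @{ Name = 'Windows UEFI CA 2023';                 Variable = 'db'  }
    @{ Name = 'Microsoft UEFI CA 2023';               Variable = 'db'  }
    @{ Name = 'Microsoft Corporation KEK 2K CA 2023'; Variable = 'KEK' }
)
$present = @(Get-SecureBootCertificate -Name db) + @(Get-SecureBootCertificate -Name KEK)

$status = foreach ($r in $required) {
    $hit = $present |
        Where-Object { $_.Variable -eq $r.Variable -and $_.Subject -like "*CN=$($r.Name)*" } |
        Select-Object -First 1
    $expires = if ($hit) { $hit.NotAfter.ToString('yyyy-MM-dd') } else { '' }
    [PSCustomObject]@{ Certificate = $r.Name; Variable = $r.Variable; Present = [bool]$hit; NotAfter = $expires }
}

$present | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter -AutoSize
$status  | Format-Table -AutoSize
```

The first table lists every certificate the firmware trusts, 2011 and 2023 alike, so you can see the expiring CAs sitting next to their replacements; the second answers the compliance question directly. To audit an exported file instead of the live firmware, call Get-SecureBootCertificateFromFile with the path from the export step and feed its output into the same comparison. Matching on the CN rather than on a date threshold avoids misclassifying unrelated certificates that happen to expire late.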

How Can You Generate a Full Certificate Report?

Create a CSV report recording, for each required 2023 certificate, whether it is present in the correct UEFI variable on this machine. The report documents compliance and, collected from many machines, shows which devices still need attention.

powershell
# Read the two variables once; the certificate common names are stored as ASCII in the DER
$db   = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$kek  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
$sbOn = Confirm-SecureBootUEFI

$checks = @(
    @{ Certificate = 'Windows UEFI CA 2023';                 Variable = 'db';  Blob = $db  }
    @{ Certificate = 'Microsoft UEFI CA 2023';               Variable = 'db';  Blob = $db  }
    @{ Certificate = 'Microsoft Corporation KEK 2K CA 2023'; Variable = 'KEK'; Blob = $kek }
)

$report = foreach ($c in $checks) {
    [PSCustomObject]@{
        Computer     = $env:COMPUTERNAME
        SecureBootOn = $sbOn
        Certificate  = $c.Certificate
        Variable     = $c.Variable
        Present      = $c.Blob.Contains($c.Certificate)
        Checked      = (Get-Date).ToString('s')
    }
}

New-Item -ItemType Directory -Force -Path "C:\temp" | Out-Null
$report | Export-Csv -Path "C:\temp\SecureBootCertReport.csv" -NoTypeInformation
$report | Format-Table -AutoSize

The Present column is True for each 2023 certificate found in its variable, and SecureBootOn records whether the firmware is actually enforcing. A compliant machine shows three rows with Present and SecureBootOn both True. Store the CSV for compliance documentation; because it carries the computer name and a timestamp, files from many hosts can be concatenated into one fleet view.

How Do You Verify the Changes Worked?

After completing the steps above, confirm your system is protected:

  • The Confirm-SecureBootUEFI cmdlet returns True
  • The db query shows Windows UEFI CA 2023 and Microsoft UEFI CA 2023, and the KEK query shows Microsoft Corporation KEK 2K CA 2023
  • The generated CSV report shows Present equal to True on all three rows

Windows also records the state of the certificate servicing itself. Under the registry key HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing, the UEFICA2023Status value reads Updated once the new certificates have been applied, and NotStarted or InProgress otherwise; an UEFICA2023Error value, if present, explains a failed attempt.

You can also check through the GUI. Navigate to Settings > Privacy & security > Windows Security > Device security, which reports whether Secure boot is on; System Information (msinfo32) shows the same under Secure Boot State. Neither view lists the individual certificates, so the PowerShell checks above remain the authoritative test.

If certificates are missing, install the latest cumulative update from Windows Update, reboot (the db and KEK changes are applied by a scheduled task and take effect across reboots), and repeat the verification steps. Administrators encountering Intune deployment issues should review our Secure Boot certificate expiry error 65000 fix.

Frequently asked questions

What happens if my system lacks the 2023 Secure Boot certificates?

Systems without the 2023 certificates keep booting after the 2011 certificates expire in June 2026, because firmware does not enforce certificate validity dates at boot. What they lose is servicing: Microsoft cannot deliver new boot managers, db or dbx updates, or mitigations for newly found boot-level flaws to a device that only trusts the expired CAs. Windows Update delivers the 2023 certificates automatically on consumer PCs, but manual verification confirms the update actually reached the firmware.

How do I install missing 2023 Secure Boot certificates?

Microsoft distributes the 2023 Secure Boot certificates through the monthly cumulative updates (also available from the Microsoft Update Catalog); the update itself is applied to firmware by the scheduled task \Microsoft\Windows\PI\Secure-Boot-Update. Install all pending security updates and reboot. For IT-managed devices and Windows Server, which are not part of the automatic rollout, Microsoft documents opting in by setting the AvailableUpdates DWORD under HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot to 0x5944 and running that task; the same setting can be pushed with Group Policy preferences or configuration management tooling. Firmware updates from the device vendor can also ship the certificates in the factory defaults.

Do these verification steps work on both Windows 10 and Windows 11?

Yes. Confirm-SecureBootUEFI and Get-SecureBootUEFI ship in the SecureBoot PowerShell module on Windows 10 version 1903 and later and on all Windows 11 builds, and they read the same UEFI variables on both. The certificate servicing status key and the update mechanism are likewise shared, with only minor differences in the Settings interface.

Why do Secure Boot certificates have expiration dates?

Certificate expiration limits the damage if a signing key is compromised and forces organizations to rotate cryptographic infrastructure on a schedule. Microsoft's original 2011 certificates had roughly 15-year lifespans. The 2023 replacements follow the same practice, with validity running to 2038, and give Microsoft new 2048-bit keys (the "2K" in KEK 2K CA 2023) to sign with for the next decade and more.

#secure-boot #windows-security #PowerShell #uefi #certificates
