Hello.
I have some Windows 11 PCs and some Windows servers that show that the CA 2023 is "true" with this command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
and show that the KEK certificate is "true" with this command:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI KEK).bytes) -match 'Microsoft Corporation KEK 2K CA 2023')
but this query (certutil -dump PK.der) shows 00, which means they don't have the Platform Key (PK) certificate present in the VM. In this scenario, do I need to update the PK, or is it enough to have the CA 2023 present and the KEK certificate present too in these VMs?
Thanks.
You do not need a PK installed if Secure Boot is working fine without (depending on firmware) and you have all the required KEKs in the KEK store. The PK is only needed to update PK or KEK stores.
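As an added example (not code from either poster), the checks from the question combined into one elevated-PowerShell inventory that also handles the case the answer describes, a PK variable that is simply not defined in firmware. The subject strings are the two quoted above; the variable names PK, KEK, db and dbx are the standard UEFI Secure Boot variables, and the `Expected` table and function names are my own.

```powershell
# Added example: inventory the Secure Boot variables on the local machine.
# Assumes an elevated PowerShell session on a UEFI system; Get-SecureBootUEFI and
# Confirm-SecureBootUEFI come from the SecureBoot module that ships with Windows.
# The subject strings are stored as printable ASCII inside the DER certificates packed
# into each variable's EFI_SIGNATURE_LIST, which is why a plain -match on the raw bytes works.
$Expected = @{
    db  = 'Windows UEFI CA 2023'
    KEK = 'Microsoft Corporation KEK 2K CA 2023'
}

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    try {
        # Get-SecureBootUEFI throws when the variable is not defined in firmware
        # (the "no PK" situation from the question), so treat that as "absent", not as an error.
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        return $null
    }
}

function Test-SecureBootCertificates {
    $result = [ordered]@{
        SecureBootEnabled = (Confirm-SecureBootUEFI)   # $true when Secure Boot is on
    }
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        $text = Get-SecureBootVariableText -Name $name
        $result["${name}Present"] = ($null -ne $text)
        if ($Expected.ContainsKey($name)) {
            # Escape the subject so a literal match is performed, not a regex with special characters.
            $result["${name}Has2023Cert"] = ($null -ne $text -and
                $text -match [regex]::Escape($Expected[$name]))
        }
    }
    [pscustomobject]$result
}

# Example run: one object per machine, easy to collect across a fleet with Invoke-Command.
Test-SecureBootCertificates | Format-List
```

A machine matching the question would report SecureBootEnabled, KEKHas2023Cert and dbHas2023Cert as True with PKPresent False; per the answer above, that combination is fine as long as Secure Boot itself is working, and only a future PK or KEK store update would require the PK.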