If we are checking to see if a PC is fully updated are these the registry keys and value, we need to have.   Also the required BIOS version.

Dell BIOS Requirements – Each model has a specific version it must be on or newer to be able to update the UEFI 2023 Certificates. https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration

UEFICA2023Status – Required to be set as Updated.   Other known settings are NotCapable, InProgress.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot\Servicing

AvailableUpdates – 0 is required Value.   Other possible values are set depending on stages of the process, restarts required or errors. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot

WindowsUEFICA2023Capable – 2 is required value.

0 = or key does not exist - “Windows UEFI CA 2023” certificate is not in the DB

1 = “Windows UEFI CA 2023” certificate is in the DB

2 = “Windows UEFI CA 2023” certificate is in the DB and the system is starting from the 2023 signed boot manager ​​​​​​​

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot\Servicing

UEFISecureBootEnabled – 1 is required value.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot\State