Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
jeddunn
Feb 07, 2026
Copper Contributor
Concerned about the inconsistent registry values we are seeing. In the Secure Boot Playbook, it mentions that the device should have a key of UEFI2023Status set to Updated if the device has been through the process. We have a high number of machines that don't have this but the value for WindowsUEFICA2023Capable is set to 2.
Arden_White
Microsoft
Feb 07, 2026
UEFI2023Status and WindowsUEFICA2023Capable serve related but different purposes.
- WindowsUEFICA2023Capable was originally created to help validate the move to the 2023 signed boot manager. This was needed so the 2011 certificate authority (CA) that signs the older boot manager could be added to the DBX, which prevents 2011 signed boot managers from being trusted. This key only indicates that the 2023 CA used to sign the boot manager is present, and that the device is running the 2023 signed boot manager. When both conditions are true, the system can safely add the 2011 CA to the DBX. The primary purpose of this key is to help protect against boot manager rollback attacks.
- UEFI2023Status goes further. It accounts for the presence of the 2023 CA, the 2023 signed boot manager, the updated KEK (Key Exchange Key), and the third-party CA certificates when those are required. When all of the new Secure Boot certificates and the 2023 signed boot manager are in place, this key reports “Updated.” Its primary purpose is to confirm that the device has the full set of updated certificates from Microsoft along with the correct boot manager in use.
More details on these registry keys can be found on: Registry key updates for Secure Boot: Windows devices with IT-managed updates
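The distinction drawn in the reply above is easiest to act on if the two registry values are read together with the live UEFI variables they summarise. The following PowerShell is an added example and not code from the thread or from Microsoft. It assumes the two values live under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing, uses the value names exactly as the reply gives them, and assumes the certificate subject strings "Windows UEFI CA 2023", "Microsoft Corporation KEK 2K CA 2023" and "Microsoft Windows Production PCA 2011" for the db, KEK and DBX checks (a substring match on the raw variable bytes, which is a heuristic, not a full signature-list parse). It needs an elevated prompt on a UEFI machine with Secure Boot.

```powershell
# Added example, not from the original thread. Reads the two registry values the
# reply describes and cross-checks them against the live UEFI db/KEK/DBX variables.
# ASSUMPTION: the values live under the SecureBoot\Servicing key below.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-UefiVariableText {
    # Returns a Secure Boot variable's bytes decoded as ASCII so certificate subject
    # names can be matched. Requires an elevated session and UEFI firmware.
    param([Parameter(Mandatory)][string]$Name)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        return $null   # variable absent (e.g. empty dbx) or not running elevated
    }
}

function Get-SecureBoot2023State {
    $props = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue

    # Value names as given in the reply; each is $null when the value is missing.
    $capable = $props.WindowsUEFICA2023Capable
    $status  = $props.UEFI2023Status

    $db  = Get-UefiVariableText -Name 'db'
    $kek = Get-UefiVariableText -Name 'KEK'
    $dbx = Get-UefiVariableText -Name 'dbx'

    # Interpretation follows the reply: Capable=2 only says the 2023 CA is in db and
    # the 2023-signed boot manager is running; Status='Updated' additionally requires
    # the 2023 KEK (and third-party CAs where applicable).
    $verdict = if ($status -eq 'Updated') {
        'Updated: all 2023 certificates and the 2023 boot manager are in place'
    } elseif ($capable -eq 2) {
        'Partial: 2023 boot manager in use; KEK/third-party CA rollout may still be pending'
    } else {
        'Not updated (or servicing not yet started)'
    }

    # ASSUMPTION: certificate subject strings below; substring match on DER bytes.
    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        WindowsUEFICA2023Capable = $capable
        UEFI2023Status           = $status
        DbHasWindowsUefiCa2023   = if ($null -ne $db)  { $db  -match 'Windows UEFI CA 2023' } else { 'unknown' }
        KekHasMicrosoftKek2023   = if ($null -ne $kek) { $kek -match 'Microsoft Corporation KEK 2K CA 2023' } else { 'unknown' }
        DbxHasProductionPca2011  = if ($null -ne $dbx) { $dbx -match 'Microsoft Windows Production PCA 2011' } else { 'unknown' }
        Verdict                  = $verdict
    }
}

# Local run from an elevated prompt:
Get-SecureBoot2023State | Format-List
```

For a fleet, paste both functions into the remote session (for example through Invoke-Command with a script file) rather than passing only Get-SecureBoot2023State, since it depends on the helper. A machine reporting WindowsUEFICA2023Capable = 2 with UEFI2023Status absent, and KekHasMicrosoftKek2023 = False, is the situation the question describes: the boot manager side is done but the KEK update has not landed yet.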