Event details

It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 29, 2026
AMA
jeddunn's avatar
jeddunn
Copper Contributor
Feb 07, 2026

Concerned about the inconsistent registry values we are seeing. In the Secure Boot Playbook, it mentions that the device should have a key of UEFI2023Status set to Updated if the device has been through the process. We have a high number of machines that don't have this but the value for WindowsUEFICA2023Capable is set to 2. 

mihi's avatar
mihi
Copper Contributor
Feb 07, 2026

I cannot tell from experience here, but from the documentation of these keys I would assume this would happen if the original AvailableUpdates value included the 0x0004 bit and it is still there (i.e. it ended with 0x4004 or 0x0004), because there is no KEK update available for the machine's platform key. UEFI2023Status is (correct me if I am wrong) tracking KEK updates, but WindowsUEFICA2023Capable is not (it is only tracking DB and boot manager updates).

Can you share from one such machine:

  • initial value of AvailableUpdates (as you set it)
  • current value of AvailableUpdates
  • Which related event IDs you are seeing in event log

In case the situation points to KEK, you might also want to check the contents of the KEK variable and the thumbprint of the platform key.

  • Arden_White's avatar
    Arden_White
    Icon for Microsoft rankMicrosoft
    Feb 07, 2026

    mihi, I think you're right. If AvailableUpdates started at 0x5944 and is now 0x4004, that would indicate that a PK signed KEK from the OEM isn't yet available. There is an ongoing effort to work with the OEMs to fill in as many PK signed KEKs as possible.

    A device with setting 0x4004 will continue retrying to apply the KEK until one shows up, which is okay. I believe it'll also emit an 1803 event each time it doesn't find one.