Event details

It's time for our third Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playb...
Pearl-Angeles
Updated Mar 11, 2026
AMA
MikeMyers's avatar
MikeMyers
Occasional Reader
Mar 12, 2026

I update the servers to the point where I see the following Reg entries..

  • Both Active and Default DBs show both 2023 and 2011.
  • AvailableUpdates show 0x00004000
  • WindowsUEFICA2023Capable registry key was set to 2
  • UEFICA2023Status registry key shows “Updated”
  • For Server OS I see the following:
  • Server 2019/2022 I see Event ID 1808 in system log
  • Server 2025 I see event 1799 in system log

Both events say that the UEFI CA 2023 was installed successfully….so does that mean the system is up to date?  

However, if we run the command below, I get the return code “00” …is that a problem???

  • $pk = Get-SecureBootUEFI -Name PK
  • $bytes = $pk.Bytes
  • $cert = $bytes[44..($bytes.Length-1)]
  • [IO.File]::WriteAllBytes("PK.der", $cert)
  • certutil -dump PK.der
  • richardhicks's avatar
    richardhicks
    Copper Contributor
    Mar 13, 2026

    You can view PK and KEK certificates, as well as DB and DBX certificates and hashes, using my PowerShell script Get-UEFICertificate PowerShell script. You can install it from the PowerShell gallery here.

    Install-Script -Name Get-UEFICertificate -Scope CurrentUser

     

    GitHub: https://github.com/richardhicks/uefi.

  • mihi's avatar
    mihi
    Brass Contributor
    Mar 13, 2026

    Not sure why you are trying to manually extract a certificate from the PK variable with some magic offsets. I don't know if that will work every time.

    But you are lucky, March updates, Get-SecureBootUEFI learned a new -decoded switch which can decode the PK for you.