How To Check Secure Boot Certificates

Summary: This article provides information about how to check whether 2011, 2023, or both Secure Boot certificates are present on a computer using PowerShell.


Instructions

Affected Operating Systems:

  • Windows 11
  • Windows 10

The Secure Boot certificates can be checked from PowerShell using a cmdlet. You must run PowerShell as Administrator to avoid access issues.

There are two methods:

  • Method 1
    • Check the Active DB:
      • Type, ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
        Note: The Active DB is what the computer uses to boot. These are the certificates that the operating system uses to Secure Boot the computer.
      [Screenshot: the Windows UEFI CA 2023 certificate (CA) is not present in the Active DB]
    • Check the Default DB:
      • Type, ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
      [Screenshot: the Windows UEFI CA 2023 certificate (CA) is present in the Default DB]
  • Method 2
    Note: For installation of the PowerShell module, an internet connection is required.
    • Install the PowerShell Module
      • Type, Install-Module -Name UEFIv2
        • Type Y (for yes) to questions asked about installing NuGet provider and installing from PSGallery
      • Type, Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
      • Type, Import-Module -Name UEFIv2
    • Checking the Active DB:
      • Type, (Get-UEFISecureBootCerts db).signature
        Note: The Active DB is what the computer uses to boot the machine. These are the certificates that the operating system uses to Secure Boot the computer.
      [Screenshot: only the 2011 certificates (CAs) are in the Active DB]
    • Check the Default DB:
      • Type, (Get-UEFISecureBootCerts dbdefault).signature
        Note: The Default DB is a backup copy of the Secure Boot DB. These are the certificates that are used to overwrite the Active DB when the BIOS is requested to do so (either through Expert Key Mode or BIOS Resets). Reference How To Update Secure Boot Active Database from BIOS.
      [Screenshot: both the 2011 and 2023 certificates (CAs) are in the Default DB]

    Secure Boot Certificates:

    2011 Certificates (CAs)               | 2023 Certificates (CAs)
    --------------------------------------+-------------------------------------
    Microsoft Corporation KEK CA 2011     | Microsoft Corporation KEK 2K CA 2023
    Microsoft Windows Production PCA 2011 | Windows UEFI CA 2023
    Microsoft Corporation UEFI CA 2011    | Microsoft UEFI CA 2023
                                          | Microsoft Option ROM UEFI CA 2023
    Note: Not all certificates show on every Certificate. The important certificates for booting Windows are Microsoft Windows Production PCA 2011 and Windows UEFI CA 2023.

    For more information about the Secure Boot certificate update on Dell computers, reference Microsoft 2011 Secure Boot Certificate Expiration.
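
The Method 1 check, extended as an added example (not part of the original article) to every certificate name in the table above and to the KEK and KEKDefault variables as well as db and dbDefault. It assumes the KEK CAs are stored in the KEK variable and the remaining CAs in db; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: report which Secure Boot CAs from the article's table are
# present in each UEFI variable, using the same ASCII search as Method 1.

# Assumption of this example: KEK CAs live in KEK, all other CAs in db.
$expected = [ordered]@{
    'KEK' = @('Microsoft Corporation KEK CA 2011',
              'Microsoft Corporation KEK 2K CA 2023')
    'db'  = @('Microsoft Windows Production PCA 2011',
              'Microsoft Corporation UEFI CA 2011',
              'Windows UEFI CA 2023',
              'Microsoft UEFI CA 2023',
              'Microsoft Option ROM UEFI CA 2023')
}

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        # Variable not defined by this firmware, legacy BIOS boot, or not elevated.
        Write-Warning "Cannot read '$Name': $($_.Exception.Message)"
        return $null
    }
}

function Test-SecureBootCertificates {
    foreach ($store in $expected.Keys) {
        # Check the active variable and its firmware default copy.
        foreach ($variable in @($store, "${store}Default")) {
            $text = Get-SecureBootVariableText -Name $variable
            foreach ($cert in $expected[$store]) {
                [pscustomobject]@{
                    Variable    = $variable
                    Certificate = $cert
                    # Literal substring test; avoids regex interpretation by -match.
                    Present     = if ($null -eq $text) { 'unreadable' } else { $text.Contains($cert) }
                }
            }
        }
    }
}

Test-SecureBootCertificates | Format-Table -AutoSize
```

Like Method 1, this is a substring search on the raw variable bytes: it shows that a certificate name appears in the variable, and does not validate the certificate itself.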

Article Properties
Article Number: 000385747
Article Type: How To
Last Modified: 30 Oct 2025
Version:  1