How to Check If Your PC Has the New 2023 Secure Boot Certificates (Before June 2026)

Secure Boot is an important security feature built into modern Windows systems that protects your computer during the startup process. It ensures that only trusted and signed software can run when the system boots, preventing malicious code or rootkits from loading before the operating system starts. This feature works through a set of digital certificates stored in the system firmware.

In 2023, Microsoft introduced updated Secure Boot certificates to strengthen the security of Windows devices and replace older signing certificates that will eventually expire. Systems that do not install these updated certificates before June 2026 may encounter boot issues, especially when installing newer Windows updates or firmware updates that rely on the new certificate chain.

Because of this change, it is important to verify whether your Windows 11 PC has already received the updated 2023 Secure Boot certificates. In this guide, we will walk you through the methods you can use to check if your PC has the new Secure Boot certificates installed.

How to Check If Your PC Has the New 2023 Secure Boot Certificates (Before June 2026)

Follow the methods below to verify whether the updated Secure Boot certificates are present on your system.

1. Check Secure Boot Status Using System Information

Before verifying certificates, confirm that Secure Boot is enabled on your system.

1. Press Windows + R to open the Run dialog box.
2. Type the following command and press Enter: msinfo32
3. The System Information window will open.
4. Locate Secure Boot State in the right panel.
5. Verify that the value is set to On.

If Secure Boot is enabled, your system is capable of using updated Secure Boot certificates.

2. Check Secure Boot Certificates Using PowerShell

PowerShell allows you to check the Secure Boot database stored in system firmware.

1. Right-click the Start button.
2. Select Terminal (Admin) or Windows PowerShell (Admin).
3. Run the following command: Confirm-SecureBootUEFI
4. Press Enter.
5. If the result returns True, Secure Boot is enabled.

Next, you can view Secure Boot variables.

6. Run the following command: Get-SecureBootUEFI -Name db
7. Review the certificate information returned by the command.

The output contains details about trusted Secure Boot signatures stored in the system.

3. Verify That the Latest Windows Security Updates Are Installed

The new Secure Boot certificates are delivered through Windows security updates.

1. Press Windows + I to open the Settings app.
2. Click Windows Update.
3. Select Update history.
4. Review the list of installed Security Updates.
5. Ensure that the latest cumulative updates for Windows 11 are installed.

Installing the latest updates ensures that your system receives firmware and security certificate updates provided by Microsoft.

4. Check Firmware Updates from Your PC Manufacturer

Some Secure Boot certificate updates may also be delivered through BIOS or UEFI firmware updates.

1. Press Windows + S and search for System Information.
2. Locate the BIOS Version/Date entry.
3. Visit your computer manufacturer’s support website.
4. Search for your specific PC model.
5. Check whether newer BIOS or firmware updates are available.
6. Install firmware updates if recommended.

Firmware updates may include updated Secure Boot keys and security improvements.

5. Confirm Secure Boot Key Updates in the UEFI Firmware

Advanced users can verify Secure Boot keys directly from the system firmware.

1. Restart your computer.
2. Enter the BIOS or UEFI setup during startup (commonly by pressing F2, Delete, Esc, or F10).
3. Navigate to the Secure Boot section.
4. Locate options related to:
   • Platform Key (PK)
   • Key Exchange Keys (KEK)
   • Signature Database (db)
   • Forbidden Signatures Database (dbx)
5. Verify that the Secure Boot keys are updated and active.
6. Exit the firmware setup without making changes if everything appears correct.

These keys contain the certificates used by Secure Boot to verify trusted software during startup.

Conclusion

The updated 2023 Secure Boot certificates are an important security improvement designed to replace older signing certificates before their expiration in June 2026. Systems that do not receive these updates may encounter compatibility issues with future Windows updates and security features.

By checking Secure Boot status through System Information, verifying Secure Boot variables using PowerShell, ensuring Windows security updates are installed, updating system firmware, and reviewing Secure Boot keys in UEFI firmware, you can confirm that your Windows 11 PC is properly configured with the latest Secure Boot certificates. Keeping these security components up to date helps ensure that your system remains protected against low-level boot threats.