
How to confirm the Secure Boot cert expiry issue is fixed?

Lui Lui 5 Reputation points
2026-04-17T05:58:10.52+00:00

Dear

Good day, we followed the MS KB to address the Secure Boot cert issue.

May I know how to confirm it is fixed by command?

Many thanks,


4 answers

  1. HLBui 6,025 Reputation points Independent Advisor
    2026-04-20T09:24:34.16+00:00

    Dear Lui Lui

    After applying the Secure Boot certificate fix, the easiest way to confirm things are healthy is by running a couple of quick PowerShell checks. First, you can use:

    Confirm-SecureBootUEFI

    If it returns True, that means Secure Boot is enabled and working properly. Next, you can run:

    Get-SecureBootPolicy

    This will show you the active Secure Boot policy in place. If the cert issue was resolved, you shouldn’t see any expired or invalid entries here. Another handy one is:

    Get-SecureBootUEFI

    Run those commands, check for True on the first one, and make sure the policy looks clean. If everything checks out, you’re good to go.


    2 people found this answer helpful.

  2. Q&A Assist
    2026-04-17T05:58:22.23+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Use the following checks, depending on which Secure Boot update was applied.

    1. Verify Windows UEFI CA 2023 (new Secure Boot DB certificate)

    After applying the Secure Boot DB update (for example via WinCS/TPMTasks):

    1. Open PowerShell as Administrator.
    2. Run:
       [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
    3. If the command returns True, the Secure Boot DB has been updated successfully with the Windows UEFI CA 2023 certificate.

    If the update was triggered via WinCS, the state can also be audited with:

    WinCsFlags.exe /query --key F33E0C8E002

    Expected output when applied:

    • State: Enabled
    • Current Configuration: F33E0C8E002
    • Pending Configuration: None
    • Pending Action: None

    2. Verify Windows Production PCA 2011 is in DBX (revocation for CVE-2023-24932)

    If the mitigation to revoke the old Windows Production PCA 2011 certificate was applied:

    1. Open PowerShell as Administrator.
    2. Run:
       [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'
    3. If the command returns True, the revocation list (DBX) contains Microsoft Windows Production PCA 2011, confirming the mitigation is in place.

    Additionally, after running the Secure-Boot-Update task, Event Log entry 1037 (per KB5016061) confirms the DBX update was applied.

    3. Confirm Secure Boot servicing task has completed

    If the update was initiated via WinCS/TPMTasks:

    1. Open PowerShell as Administrator.
    2. Manually trigger the task:
       Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
    3. Restart the device two times.
    4. Re-run the verification commands above (Get-SecureBootUEFI db and/or dbx) to confirm the new certificates or revocations are present.

    When all of the following are true, the Secure Boot certificate/DB updates are confirmed as applied:

    • Get-SecureBootUEFI db contains Windows UEFI CA 2023 (returns True).
    • If applicable, Get-SecureBootUEFI dbx contains Microsoft Windows Production PCA 2011 (returns True).
    • WinCsFlags.exe /query --key F33E0C8E002 shows State: Enabled and no pending configuration or action.


    1 person found this answer helpful.
  3. Lui Lui 5 Reputation points
    2026-04-20T06:05:59.0833333+00:00

    Hello MS Support,

    Good day, please help provide some simple commands to check them in PowerShell to confirm the Secure Boot cert expiry issue is fixed.

    Many thanks,


  4. HLBui 6,025 Reputation points Independent Advisor
    2026-04-17T07:20:37.5933333+00:00

    Good day Lui Lui

    After you’ve applied the Secure Boot certificate fix from the KB article, the easiest way to confirm it’s actually in place is by checking the Secure Boot status from the command line. On Windows, you can open PowerShell (as admin) and run:

    Confirm-SecureBootUEFI

    If Secure Boot is enabled and healthy, that command will return True. If it comes back as False or throws an error, that means either Secure Boot isn’t enabled in BIOS/UEFI or something’s still off with the certs.

    Another quick check is to run:

    Get-SecureBootPolicy

    That will show you the current Secure Boot policy being enforced. If the KB fix was applied correctly, you should see a valid policy listed instead of an error.

    For extra peace of mind, you can also run:

    systeminfo

    Scroll down and look for the “Secure Boot State” line; it should say On.

    So in short: PowerShell’s Confirm-SecureBootUEFI is your go-to command, and pairing it with systeminfo gives you a nice double-check.

    If this guidance proves helpful, feel free to click “Accept Answer” so we know we’re heading in the right direction and let me know if you need any assistance. Thank you!

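As an added example that is not part of the original thread, the script below combines the checks from the Q&A Assist answer (db/dbx contents, Event ID 1037) and HLBui's answers (Confirm-SecureBootUEFI) into one report. It assumes an elevated PowerShell session on a UEFI machine; the function and property names, and looking up Event ID 1037 in the System log, are this example's own assumptions.

```powershell
# Added example (not from the original thread): runs the checks the answers above describe
# and returns one object summarising the result.
# Assumptions: elevated PowerShell on a UEFI system with the SecureBoot module; Event ID 1037
# is looked up in the System log; all function/property names are this example's own.

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Name)
    # Certificate subjects inside the EFI signature lists are ASCII within the DER data,
    # so decoding the raw bytes lets -match search for a CA name (same approach as above).
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
}

function Test-SecureBootCertServicing {
    $report = [ordered]@{}

    # Secure Boot must be on; db/dbx are only enforced at boot when it is.
    try   { $report['SecureBootEnabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $report['SecureBootEnabled'] = $false }   # legacy BIOS or unsupported firmware

    $report['DbHasWindowsUefiCa2023'] = $false
    $report['DbxRevokesPca2011']      = $false
    if ($report['SecureBootEnabled']) {
        try {
            # Allow list (db) should now carry the new signing CA ...
            $report['DbHasWindowsUefiCa2023'] = (Get-SecureBootVariableText -Name 'db') -match 'Windows UEFI CA 2023'
            # ... and the forbidden list (dbx) carries the old CA once the CVE-2023-24932 mitigation is applied.
            $report['DbxRevokesPca2011'] = (Get-SecureBootVariableText -Name 'dbx') -match 'Microsoft Windows Production PCA 2011'
        } catch {
            Write-Warning "Could not read db/dbx: $($_.Exception.Message)"
        }
    }

    # Event ID 1037 (KB5016061) is logged once the Secure-Boot-Update task has applied the DBX update.
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1037 } -MaxEvents 1 -ErrorAction SilentlyContinue
    $report['DbxUpdateEventSeen'] = ($null -ne $evt)

    # Minimum bar from the thread: Secure Boot on and the 2023 CA present in db.
    $report['Pass'] = $report['SecureBootEnabled'] -and $report['DbHasWindowsUefiCa2023']
    [pscustomobject]$report
}

Test-SecureBootCertServicing | Format-List
```

DbxRevokesPca2011 is only expected to be True if the PCA 2011 revocation was deliberately applied; a False there on an otherwise passing machine just means that optional step has not been done.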
