
How can I verify that security certificates (Secure Boot / DBX) are fully updated?

obaida tamimi 0 Reputation points
2026-05-26T12:02:42.9533333+00:00

How can I verify that security certificates (Secure Boot / DBX) are fully updated?

Windows for home | Windows 11 | Security and privacy

2 answers

  1. Sumit D - IA 170.7K Reputation points Independent Advisor
    2026-05-26T12:35:39.83+00:00

    Hi,

    I will tell you about it.

    Please supply the following information.

    Right-click the Start button and choose the Run option.

    Type in msinfo32

    Press enter.

    Take a screenshot of the System Summary window and post it in the next reply.

    I look forward to your response and am eager to collaborate until we find a solution.


  2. AI answer

    2026-05-26T12:02:57.2766667+00:00

    To verify that Secure Boot and DBX-related certificates are fully updated on Windows 11, use a combination of registry checks, event logs, and (optionally) a PowerShell query of the Secure Boot database.

    1. Confirm Secure Boot is enabled
    • Open an elevated PowerShell window.
    • Run:
        Confirm-SecureBootUEFI

    • Output True means Secure Boot is on.

    2. Check registry status for Secure Boot certificate updates
    Use Registry Editor or a script to inspect these keys:
    • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
      • UEFICA2023Status
        • Updated → Secure Boot certificate update completed successfully.
        • Any other value or missing → Action required.
      • UEFICA2023Error and UEFICA2023ErrorEvent
        • These keys should not exist. If present, they indicate an error during update.
    • Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
      • AvailableUpdates
        • Indicates pending Secure Boot updates. If bits are set here, updates may still be pending.

    If UEFICA2023Status = Updated and no UEFICA2023Error / UEFICA2023ErrorEvent exist, the certificates are considered fully updated from the registry perspective.

    3. Check Event Viewer for Secure Boot certificate events
    • Open Event Viewer > Windows Logs > System.
    • Look for events from source TPM-WMI:
      • Event ID 1808 – Certificates successfully applied.
      • Event ID 1801 – Certificates updated but not yet applied to firmware (incomplete state).
      • Event ID 1800 – Restart required.
      • Event ID 1803 – Missing KEK.
      • Event ID 1795 – Firmware error when updating DB/DBX/KEK.

    A healthy, fully updated state is indicated by:

    • Presence of Event ID 1808 (success), and
    • No persistent Event ID 1801, 1803, or 1795 after reboots and any required firmware updates.
    4. Verify DB (Secure Boot signature database) content via PowerShell (optional but precise)
    If the October 2024+ Secure Boot tooling is installed (WinCS / Secure Boot updates), run in elevated PowerShell:
        [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    • If this returns True, the Secure Boot DB contains the Windows UEFI CA 2023 certificate, confirming the updated CA is present.
    5. If certificates show as incomplete (Event 1801 or errors)
    • For Event 1801 (incomplete):
      • Restart the device (often more than once) so the Secure Boot servicing task can apply the update.
    • For Event 1795 (firmware error):
      • Update system firmware/BIOS from the device manufacturer, then reboot and re-check.
    • For Event 1803 (missing KEK):
      • Check OEM firmware support and apply any OEM Secure Boot/firmware updates that add the required KEK.
    6. Manually trigger Secure Boot servicing (if needed)
    If the update appears stuck and WinCS tooling is present:
      1. Open elevated PowerShell.
      2. Run:
           Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

      3. Restart the device two times.
      4. Re-check Event Viewer (look for Event 1808) and the registry keys above.

    When all of the following are true, Secure Boot / DBX certificates can be considered fully updated:

    • Confirm-SecureBootUEFI returns True.
    • UEFICA2023Status = Updated and no UEFICA2023Error / UEFICA2023ErrorEvent keys exist.
    • System log shows Event ID 1808 and no ongoing 1801/1795/1803 errors.
    • Optional: Get-SecureBootUEFI db content contains Windows UEFI CA 2023.


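The registry, event-log and DB checks listed in the answer above, combined into one elevated-PowerShell function. This is an added example, not code from the question or either answer; it assumes the TPM-WMI event source is the provider named Microsoft-Windows-TPM-WMI and uses the value names and event IDs the answer quotes.

```powershell
# Added example: one-shot status report for the Secure Boot 2023 certificate rollout.
# Assumption: the "TPM-WMI" source in Event Viewer is provider 'Microsoft-Windows-TPM-WMI'.
#Requires -RunAsAdministrator

function Get-SecureBootCertStatus {
    $servicingKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $secureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

    # 1. Secure Boot on/off (the cmdlet throws on legacy-BIOS machines; treat that as off)
    $sbOn = try { Confirm-SecureBootUEFI } catch { $false }

    # 2. Registry state written by the Secure Boot servicing task
    $servicing = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    $status    = $servicing.UEFICA2023Status
    $hasError  = ($null -ne $servicing.UEFICA2023Error) -or ($null -ne $servicing.UEFICA2023ErrorEvent)
    $pending   = (Get-ItemProperty -Path $secureBootKey -ErrorAction SilentlyContinue).AvailableUpdates

    # 3. Newest TPM-WMI certificate event in the System log (Get-WinEvent returns newest first)
    $lastEvent = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id = 1808, 1801, 1800, 1803, 1795
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # 4. Does the firmware DB variable contain the 2023 Windows CA?
    $dbHas2023 = $false
    if ($sbOn) {
        $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbHas2023 = $db -match 'Windows UEFI CA 2023'
    }

    # "Fully updated" per the answer's checklist; the newest event standing in for
    # "1808 present and no lingering 1801/1803/1795".
    $healthy = $sbOn -and ($status -eq 'Updated') -and (-not $hasError) -and
               ($lastEvent.Id -eq 1808) -and $dbHas2023

    [pscustomobject]@{
        SecureBootEnabled  = $sbOn
        UEFICA2023Status   = $status
        ServicingErrorKeys = $hasError
        AvailableUpdates   = $pending      # non-zero bits = updates still pending
        LastTpmWmiEventId  = $lastEvent.Id
        DbHasWindowsCA2023 = $dbHas2023
        FullyUpdated       = $healthy
    }
}

Get-SecureBootCertStatus | Format-List
```

If FullyUpdated is False, the other fields point at which of the answer's steps (reboot, firmware update, or re-running the Secure-Boot-Update task) still applies.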
