Issue:
Users need to understand what Secure Boot is, its importance, and how to verify if the latest Secure Boot certificates are applied on their system.
Cause:
Secure Boot certificates have an expiry date. Widely used certificates issued in 2011 are set to expire in June 2026. If updated 2023 certificates are not in place before the 2011 certificates expire, new Secure Boot and Boot Manager protections cannot be applied, and vulnerability fixes for the early boot environment will not be available.
Resolution:
To verify if the Secure Boot 2023 certificate is applied on your system, follow these steps:
Check for Secure Boot Certificate via PowerShell:
- Open PowerShell as an administrator.
- Run the following command:
  ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
- If the output is True, the Windows UEFI CA 2023 certificate is present in the Secure Boot database. If the output is False, the certificate is not currently present.
Verify Full Certificate Rollout via Event Viewer:
- Open Event Viewer.
- Navigate to Windows Logs > System.
- Use the Filter Current Log option and select TPM-WMI (or Microsoft-Windows-TPM-WMI on some systems).
- Look for an event indicating that the new Secure Boot certificate update is installed and correctly applied.
- Specifically, look for:
  - Event ID 1808: Indicates all needed certificates have been applied to firmware and the boot manager has been updated. The event message will state: “This device has updated Secure Boot CA/keys. This device signature information is included here.”
  - Event ID 1043: Indicates “Secure Boot KEK update applied successfully” if you want to confirm the KEK portion specifically.
Install Windows Update:
- If you see a Windows Update related to Secure Boot certificates, it is a legitimate security update and should be installed to ensure your device receives the latest protections.
By following these steps, you can confirm whether your system has the latest Secure Boot certificates and protections applied.
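The two verification steps above can be combined into one elevated PowerShell check. This is an added example, not part of the original article or Microsoft's tooling; the function name Test-SecureBoot2023Rollout is hypothetical, and the provider name is the one given in the Event Viewer step.

```powershell
# Added example: run in an elevated PowerShell session.
# Test-SecureBoot2023Rollout is a hypothetical name chosen for this example.
function Test-SecureBoot2023Rollout {
    [CmdletBinding()]
    param(
        # Event source named in the Event Viewer step of the article.
        [string]$ProviderName = 'Microsoft-Windows-TPM-WMI'
    )

    $result = [ordered]@{
        SecureBootEnabled = $null   # $null = could not be determined
        DbHasUefiCa2023   = $null
        Event1808         = $null   # time of the most recent matching event
        Event1043         = $null
    }

    # Throws on legacy BIOS systems or platforms without UEFI variable access.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    # Same test as the one-liner: search the raw db variable for the CA name.
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $result.DbHasUefiCa2023 = $text -match 'Windows UEFI CA 2023'
    } catch {
        Write-Warning "Could not read the db variable: $($_.Exception.Message)"
    }

    # Get-WinEvent raises an error when nothing matches, so suppress it
    # and treat an empty result as "event not found".
    $filter = @{ LogName = 'System'; ProviderName = $ProviderName; Id = 1808, 1043 }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
    foreach ($id in 1808, 1043) {
        $latest = $events | Where-Object Id -eq $id |
            Sort-Object TimeCreated -Descending | Select-Object -First 1
        $result["Event$id"] = if ($latest) { $latest.TimeCreated } else { $null }
    }

    [pscustomobject]$result
}

Test-SecureBoot2023Rollout | Format-List
```

An empty Event1808 or Event1043 field means no matching event is in the current System log, which also happens when older entries have been overwritten, so read it together with the DbHasUefiCa2023 result.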
