- SecureBoot - update before June 2026

08-26-2025 06:13 AM
In June '26, certificates pertaining to Secure Boot expire (ref: CVE-2023-24932).
To make sure this doesn't affect my HP desktops I started looking at updating the BIOS/firmware.
After following Microsoft documentation on a test machine I came across a problem where I was unable to complete the mitigation guidelines.
I added the regkey that permits the updated certificate definitions and executed the associated ScheduledTask for the Secure Boot Update, which is followed by a check to see if the DB was updated, but it didn't work. Without the updated DB I'm unable to complete the next task, which is to install the "Windows UEFI CA 2023" signed boot manager.
When the ScheduledTask attempts to run I get the following error in Event Viewer: "1795 - The system firmware returned an error Unspecified error when attempting to update a Secure Boot variable"
From my investigation, I believe my systems still require a BIOS/firmware update that supports the new certificates.
I'd already applied the latest BIOS/firmware, so my question to HP is... are ProDesk G4, G5 and G6 machines in line for an update any time soon, or are they up to date and there's some other issue?
My machines have the latest Windows security updates applied.
Test machine BIOS version: Q50 v01.08.07
Ta,
Steve
08-26-2025 08:42 AM - edited 08-26-2025 08:43 AM
Welcome to our HP Community forum!
The ProDesk 400 G4 platform is not Windows 11 eligible due to its 6th/7th gen Intel CPUs, even though it can be upgraded to TPM 2.0 (see HP doc: Enable/Upgrade TPM 2.0) and: https://h30434.www3.hp.com/t5/Desktop-Hardware-and-Upgrade-Questions/TPM-upgrade-for-Desktop-HP-ProD....
Later ProDesk G5/G6 or ProDesk 600 G4 models are natively Windows 11–ready and already receive(d) the required BIOS updates for Secure Boot/UEFI CA 2023.
If you’ve installed the latest BIOS for your system, no further firmware update is expected or needed. The error you’re seeing is most likely because the system firmware already enforces the new DB policy, so the manual Microsoft mitigation steps do not apply.
For owners who still want to run Windows 11 on a ProDesk 400 G4 or other "unsupported hardware", it is possible to upgrade using this effective method: YouTube guide – Install Windows 11 on unsupported hardware.
Kind Regards,
NonSequitur777
08-26-2025 11:54 PM
Thanks very much for the response.
Just to clarify, here are the machine types I have: Z2 SFF G4, ProDesk 400 G5 and G6.
When I go to the HP website and enter the machine serial numbers I'm presented with Windows 11 drivers for all these models. Along with the G5 and G6, I thought the Z2 G4 would also be supported in this scenario.
To ensure we don't hit an issue next year, is there a way to check and validate if the machines have all the required certificates etc? I know someone will ask me to prove we're all good 🙂
08-27-2025 06:58 AM
I'm sure when running the following command the result should = True. I get a False.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
I also get False with this check.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Windows Production PCA 2011'
08-27-2025 07:44 AM - edited 08-27-2025 07:45 AM
My friend, the False result from your PowerShell commands does not mean your system isn’t Windows 11–eligible.
Those commands are looking for certain certificate strings inside the UEFI Secure Boot database. Some HP firmware stores them differently (not in plain ASCII), so the string check fails even though Secure Boot is still working as intended.
For Windows 11, what really matters to you is:
UEFI mode is enabled (no Legacy boot).
Secure Boot is turned On in BIOS (even if the PowerShell string search shows False).
TPM 2.0 is present and enabled.
Your CPU is on Microsoft’s supported list (all your models are supported).
If you want more confirmation beyond what I tried to provide, the best test is to run Microsoft’s PC Health Check app → it will tell you definitively if the system is Windows 11 ready. End of discussion.
So, your False results are just quirks of how the certificates are stored in HP’s UEFI, not a sign that your PCs are ineligible.
Kind Regards,
NonSequitur777
08-27-2025 07:58 AM
I have the following Reg entry which is set to 0. According to the article my machine is not fully protected. I could manually set it to 2, but this could cause a problem if the database hasn't been updated. At this point it may of course have nothing to do with the hardware and be some other issue.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing.
- Look for the registry value named WindowsUEFICA2023Capable.
- If the key exists and is set to 1, the system has the "Windows UEFI CA 2023" certificate in the DB, and the mitigation is in place.
- If the key is set to 2, the certificate is in the DB, and the system is using the 2023 signed boot manager.
- If the key is missing or set to 0, the certificate is not in the DB, and the system is not fully protected.
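The two one-liners earlier in the thread and the registry check in this post can be answered from parsed structures rather than a regex over raw bytes. The db and KEK variables are sequences of EFI_SIGNATURE_LIST records, and the X.509 entries inside them are DER certificates that .NET can decode; because a DER subject name is stored as a printable string, a False from the ASCII match does mean the name is absent, but parsing adds what the regex cannot tell you: which variable holds the certificate, its expiry and its thumbprint. The script below is an added example, not code from this thread or from HP or Microsoft. It assumes an elevated PowerShell session on the machine under test (Get-SecureBootUEFI and mountvol both need it), that drive letter S: is free for temporarily mounting the EFI System Partition, and that the 1795 events quoted above are logged under the Microsoft-Windows-TPM-WMI provider.

```powershell
# Added example, not from the thread: inventory Secure Boot db/KEK certificates by parsing
# EFI_SIGNATURE_LIST structures, then report the OS servicing flag, the CA that signed the
# installed boot manager, and any recent firmware write failures. Run elevated.

# Signature list type GUIDs defined by the UEFI specification.
$EFI_CERT_X509_GUID   = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [Guid]'c1c41626-504c-4092-aca9-41f936934328'

function Get-EfiSignatureListEntries {
    # Walk one Secure Boot variable (db, dbx or KEK) and emit one object per signature entry.
    param([Parameter(Mandatory)][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three little-endian UINT32s:
        # SignatureListSize, SignatureHeaderSize, SignatureSize.
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -lt 16) { throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $offset" }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by SignatureData.
            $owner = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
            $data  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{ Variable = $Name; Owner = $owner; Kind = 'Unknown'; Subject = $null; NotAfter = $null; Thumbprint = $null }
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Kind = 'X509'; $entry.Subject = $cert.Subject
                $entry.NotAfter = $cert.NotAfter; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                # Hash entries (typical for dbx) carry a raw SHA-256 digest, not a certificate.
                $entry.Kind = 'SHA256'; $entry.Thumbprint = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

# 1. Certificates currently trusted by the firmware, per variable.
$certs = foreach ($v in 'db', 'KEK') { Get-EfiSignatureListEntries -Name $v | Where-Object Kind -eq 'X509' }
$certs | Sort-Object Variable, Subject | Format-Table Variable, Subject, NotAfter, Thumbprint -AutoSize

# The same questions the regex one-liners asked, answered from decoded subject names.
$has2023 = [bool]($certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Windows UEFI CA 2023*' })
$has2011 = [bool]($certs | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Windows Production PCA 2011*' })
$kek2023 = [bool]($certs | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -like '*KEK 2K CA 2023*' })
"db  has Windows UEFI CA 2023      : $has2023"
"db  has Production PCA 2011       : $has2011"
"KEK has Microsoft KEK 2K CA 2023  : $kek2023"

# 2. OS-side servicing state from the registry key quoted in the thread (value may be absent).
$svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
"WindowsUEFICA2023Capable          : $($svc.WindowsUEFICA2023Capable)"

# 3. Which CA issued the signing certificate of the boot manager actually installed on the ESP.
#    Assumption: S: is unused; the mount is released afterwards even if the check fails.
mountvol S: /S | Out-Null
try {
    $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    "bootmgfw.efi signer issued by     : $($sig.SignerCertificate.Issuer) [$($sig.Status)]"
} finally {
    mountvol S: /D | Out-Null
}

# 4. Recent firmware variable-write failures (Event ID 1795, as quoted by the original poster).
#    Assumption: the provider name is Microsoft-Windows-TPM-WMI.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1795 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

The useful combination to record before the deadline is all three of: a 'Windows UEFI CA 2023' subject under db, a 'Microsoft Corporation KEK 2K CA 2023' subject under KEK (without it the firmware will not accept Microsoft's later db updates), and a bootmgfw.efi whose signer is issued by the 2023 CA. If step 1 shows only the 2011 certificates while the servicing task keeps logging 1795, the firmware is refusing the authenticated variable write, which is a question for the firmware vendor rather than anything a registry edit can resolve.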
09-02-2025 03:04 AM
Here's some more info should anyone be interested.
I've just installed the latest BIOS update Ver. 02.23.00 on a G6 machine. Despite the update, released mid August 2025, it didn't contain any updated certificates pertaining to the KEK and DB; both are still dated 2011.
09-02-2025 08:05 AM - edited 09-02-2025 08:10 AM
The registry entry and PowerShell checks you’re running are only about Microsoft’s Secure Boot certificate rotation, not Windows 11 eligibility. I have said it more than once before: your PCs are fully Windows 11–compliant.
The False or 0 results you’re seeing do not mean your systems are insecure; it just means HP’s firmware still lists the older certificate set, and Microsoft hasn’t yet flagged your platform for the new one. When Microsoft requires it, the update will come via Windows Update or a future BIOS update.
Again, there’s no action for you to take.
That was the short version, now the longer one: my friend, I see exactly what’s happening here: you are going down the proverbial rabbit hole on Secure Boot internals, mixing up Windows 11 eligibility with Microsoft’s Secure Boot certificate rotation (Windows UEFI CA 2023).
So, hopefully, and for the last time, let’s untangle it:
1. Windows 11 compliance vs. Secure Boot CA rotation:
Windows 11 compliance only cares about:
UEFI boot
Secure Boot enabled
TPM 2.0 enabled
Supported CPU
Your Z2 SFF G4, ProDesk 400 G5, and G6 meet all these.
Secure Boot CA rotation (the "Windows UEFI CA 2023" certificate) is a security hardening measure, not an eligibility requirement.
Microsoft introduced it in 2023 to replace older signing keys.
It doesn’t affect whether Windows 11 runs; it only changes which bootloaders and OS images are considered trusted.
2. Why you keep seeing False and 0:
HP firmware often doesn’t expose these certs as plain ASCII (so your PowerShell regex checks fail).
The registry key WindowsUEFICA2023Capable is an OS-level detection flag, not a BIOS switch.
0 = Windows didn’t detect the 2023 cert in UEFI DB.
1 = cert present.
2 = cert present and system using 2023-signed boot manager.
This key is not something you should manually edit; changing it doesn’t add certs, it just confuses Windows.
3. Why Your BIOS update didn’t help:
Firmware updates don’t always include updated KEK/DB certificates immediately.
Microsoft often pushes Secure Boot DB updates through Windows Update instead of bundling them in OEM BIOS.
So even if HP hasn’t yet shipped new KEK/DB certs in BIOS 02.23.00, Windows itself can enforce protection by updating its boot manager and checking against allowed certs.
4. Bottom line:
You are stressing over something that:
Does not affect Windows 11 support (your machines are eligible and supported).
Is handled automatically by Microsoft via Windows Update (firmware cert rotation isn’t user-managed).
Can’t be fixed by poking registry keys; if the system shows 0, it just means the new cert isn’t in DB yet. Microsoft’s update process will handle it when required, aka when they get to it.
Kind Regards,
NonSequitur777