Secure Boot Certificates - What to expect
HP Community, Notebook Boot and Lockup
11-24-2025 10:02 AM
I ran the following PowerShell command in Admin mode and it returned false. That means I do not have the 2023 version of the Secure Boot Certificates.
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
I have seen at least one post where it said that secure boot certificate updates would be delivered via Windows Update. If so, when will that occur?
BIOS AMI F.51, 8/12/2025
Accepted Solutions
11-26-2025 11:28 AM
Hi @BrooklynParkMik,
Welcome to the HP Support Community.
Thank you for posting your query.
Why You’re Seeing False
Your PowerShell check shows False because your system’s Secure Boot database (DB) does not yet contain the Windows UEFI CA 2023 certificate. This is expected for many devices until the update is applied.
How and When Will It Be Updated?
- Microsoft is delivering the new Secure Boot certificates via Windows Update, starting with updates released in February 2024 (KB5036210) and continuing through monthly cumulative updates.
- The rollout is gradual and will complete by June 2026, before the older 2011 certificates expire.
- For most consumer and business PCs, you do not need to manually add keys—Windows Update will handle it automatically once your device meets requirements (latest BIOS + Secure Boot enabled).
What HP Requires
- HP has confirmed that supported HP PCs need two things:
- Latest BIOS/firmware update from HP (to support new certificates).
- Windows Update applied (to inject the new certificate into the Secure Boot DB).
HP’s timeline:
- HP PCs released 2024 and later already have the new certificates.
- HP PCs from 2022–2023: BIOS updates targeted by Sept 30, 2025.
- HP PCs from 2018–2021: BIOS updates targeted by Dec 31, 2025.
- Older than 2017: No BIOS update; these platforms are out of support.
What You Should Do Now
- Enable Secure Boot in BIOS (if not already).
- Update your HP BIOS to the latest version for your model (see Official HP Support).
- Run Windows Update and install all pending updates.
- Do not manually import keys unless instructed by HP or Microsoft; errors can make the system unbootable.
How to Check Again
After updates: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If it returns True, your system has the new certificate.
Take care and have an amazing day!
Did we resolve the issue? If yes, please consider marking this post as "Accepted Solution" and click "Yes" to give us a helpful vote - your feedback keeps us going!
Regards
Pallipurath.
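As an added example (not part of the accepted solution, and not HP's or Microsoft's own tooling), here is the one-line check from the question extended to every Microsoft CA involved in the rollout, so you can see which store is still lagging. It reuses the same trick of searching the raw variable bytes for the ASCII certificate subject, so it needs only the built-in Get-SecureBootUEFI and Confirm-SecureBootUEFI cmdlets and an elevated prompt. The subject strings are the names Microsoft uses for its 2011 and 2023 Secure Boot CAs; the function name Get-SecureBootCaStatus is my own.

```powershell
# Added example: report which Microsoft Secure Boot CAs are present in KEK and db.
# Run from an elevated PowerShell prompt on a UEFI system.
#Requires -RunAsAdministrator

# Certificate subjects as Microsoft names them. The 2023 set is what the
# Windows Update rollout installs; the 2011 set is what expires in 2026.
$expected = @(
    @{ Store = 'KEK'; Name = 'Microsoft Corporation KEK CA 2011';     Generation = 2011 },
    @{ Store = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023';  Generation = 2023 },
    @{ Store = 'db';  Name = 'Microsoft Windows Production PCA 2011'; Generation = 2011 },
    @{ Store = 'db';  Name = 'Windows UEFI CA 2023';                  Generation = 2023 },
    @{ Store = 'db';  Name = 'Microsoft Corporation UEFI CA 2011';    Generation = 2011 },
    @{ Store = 'db';  Name = 'Microsoft UEFI CA 2023';                Generation = 2023 },
    @{ Store = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023';     Generation = 2023 }
)

function Get-SecureBootCaStatus {
    # Hypothetical helper name (not a built-in cmdlet). Returns one row per expected CA.
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is disabled; the new CAs will not be installed until it is enabled.'
        }
    } catch {
        # Confirm-SecureBootUEFI throws on legacy BIOS systems and when not elevated.
        throw "Secure Boot is not available here (legacy BIOS, or not running as Administrator): $_"
    }

    # Read each variable once. Certificate subjects are stored as ASCII inside the
    # DER blobs, so a plain substring search finds them, as in the original check.
    $raw = @{}
    foreach ($store in ($expected | ForEach-Object { $_.Store } | Sort-Object -Unique)) {
        $raw[$store] = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $store).Bytes)
    }

    foreach ($e in $expected) {
        [PSCustomObject]@{
            Store       = $e.Store
            Certificate = $e.Name
            Generation  = $e.Generation
            Present     = $raw[$e.Store].Contains($e.Name)
        }
    }
}

$status = Get-SecureBootCaStatus
$status | Format-Table -AutoSize

$missing2023 = $status | Where-Object { $_.Generation -eq 2023 -and -not $_.Present }
if ($missing2023) {
    Write-Host "2023 CAs still missing: $($missing2023.Certificate -join ', ')"
    Write-Host 'Next: confirm the latest HP BIOS, keep Secure Boot enabled, install pending Windows Updates, then rerun.'
} else {
    Write-Host 'All 2023 Secure Boot CAs are present.'
}
```

The KEK row is the one to watch: by the UEFI specification, a KEK update must be authenticated by the platform's PK owner, which for an HP notebook is HP, not Microsoft. That is why the accepted solution lists the HP firmware update alongside Windows Update rather than as an optional extra.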
11-26-2025 01:30 PM
I use this PowerShell script to look at the Secure Boot Certificates. It gives a complete list including the expiration dates.
# Consolidated Secure Boot parser (PK, KEK, DB, DBX)
# Walks each variable as a chain of EFI_SIGNATURE_LIST structures
# (16-byte SignatureType GUID, UInt32 SignatureListSize, UInt32 SignatureHeaderSize,
# UInt32 SignatureSize, then the header, then entries of SignatureSize bytes, each a
# 16-byte SignatureOwner GUID followed by the certificate or hash data).
# Detects X.509 vs SHA256 entries and prints certificate metadata or hash values.
# Requires an elevated prompt on a UEFI system; Get-SecureBootUEFI fails on legacy BIOS.
#Requires -RunAsAdministrator
$x509Guid   = [Guid]::Parse("a5c059a1-94e4-4aa7-87b5-ab155c2bf072") # EFI_CERT_X509_GUID
$sha256Guid = [Guid]::Parse("c1c41626-504c-4092-aca9-41f936934328") # EFI_CERT_SHA256_GUID
function Read-EfiGuid([System.IO.BinaryReader]$r) {
    # EFI_GUID has the same mixed-endian memory layout that Guid(byte[]) expects.
    return [Guid]::new($r.ReadBytes(16))
}
function Test-DerCertificate([byte[]]$data) {
    # A DER certificate starts with a SEQUENCE tag (0x30); used as a fallback
    # when firmware tags a certificate list with an unexpected GUID.
    return ($data.Length -gt 64 -and $data[0] -eq 0x30)
}
function Parse-SecureBootStore($name) {
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $name).Bytes
    if (-not $bytes -or $bytes.Length -eq 0) { return @() }
    $stream = [System.IO.MemoryStream]::new($bytes)
    $reader = [System.IO.BinaryReader]::new($stream)
    $items  = New-Object System.Collections.Generic.List[object]
    while ($stream.Position -lt $stream.Length) {
        if (($stream.Length - $stream.Position) -lt 28) { break }
        $listStart  = $stream.Position
        $sigType    = Read-EfiGuid $reader
        $listSize   = $reader.ReadUInt32()
        $headerSize = $reader.ReadUInt32()
        $sigSize    = $reader.ReadUInt32()
        # Reject lists whose declared sizes do not fit the buffer (corrupt or truncated data).
        if ($listSize -lt 28 -or $sigSize -lt 16 -or ($listStart + $listSize) -gt $stream.Length) { break }
        if ($headerSize -gt 0) { [void]$reader.ReadBytes([int]$headerSize) }
        $payloadStart = $stream.Position
        $payloadBytes = $listSize - 28 - $headerSize
        if ($payloadBytes -lt 0) { break }
        $sigCount = [math]::Floor($payloadBytes / $sigSize)
        for ($i = 0; $i -lt $sigCount; $i++) {
            $ownerGuid = Read-EfiGuid $reader   # SignatureOwner, typically Microsoft's or the OEM's GUID
            $dataLen   = [int]($sigSize - 16)
            $sigData   = $reader.ReadBytes($dataLen)
            if ($sigType -eq $x509Guid -or (Test-DerCertificate $sigData)) {
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($sigData)
                    $items.Add([PSCustomObject]@{
                        Store      = $name
                        Type       = "X509"
                        Owner      = $ownerGuid
                        Subject    = $cert.Subject
                        Issuer     = $cert.Issuer
                        NotBefore  = $cert.NotBefore
                        NotAfter   = $cert.NotAfter
                        Thumbprint = $cert.Thumbprint
                        Hash       = $null
                    })
                } catch { }
            } elseif ($sigType -eq $sha256Guid -and $dataLen -eq 32) {
                # dbx entries are mostly SHA256 hashes of revoked binaries.
                $items.Add([PSCustomObject]@{
                    Store      = $name
                    Type       = "SHA256"
                    Owner      = $ownerGuid
                    Subject    = $null
                    Issuer     = $null
                    NotBefore  = $null
                    NotAfter   = $null
                    Thumbprint = $null
                    Hash       = [BitConverter]::ToString($sigData).Replace("-", "")
                })
            }
        }
        # Skip any trailing padding and move to the next EFI_SIGNATURE_LIST.
        $stream.Position = $payloadStart + $payloadBytes
    }
    return $items
}
# Collect results
$stores  = @("pk", "kek", "db", "dbx")
$results = foreach ($s in $stores) { Parse-SecureBootStore $s }
# Display: certificates (with expiry dates) first, then revoked hashes, which dbx holds by the hundreds.
$results | Where-Object Type -eq "X509"   | Format-Table Store, Subject, NotBefore, NotAfter, Thumbprint -AutoSize
$results | Where-Object Type -eq "SHA256" | Format-Table Store, Owner, Hash -AutoSize