How to check the version and expiration date of Windows Secure Boot certificate

Ads

April 2025, 9April 2026, 3

Do you have Secure Boot enabled on your Windows 10/11 PC?

In fact, some of the certificates currently used on many PCs will begin to expire in 2026. This issue, also known by some as the "2026 problem," is an important security update that affects the startup of PCs.

In this article, we will explain in an easy-to-understand manner, even for beginners, the overview of the "2026 problem" and how to check whether your PC has already been prepared for it.

table of contents

Basic premise: Check if Secure Boot is enabled

All of the methods introduced in this article assume that Secure Boot is enabled on your PC.

If Secure Boot is disabled, the certificate check itself will be meaningless, so first check the current status using the following steps.

Verification Procedure

1. Press Windows key + R to open Run, type "msinfo32" and press Enter.

2. System Information will open, so look for Secure Boot Status in the items on the right.

If "enabled": No problem, just keep reading.
If "Disabled"First, you need to reboot your PC and enable Secure Boot in the UEFI/BIOS settings. To enable it, please refer to the other article in this blog (or the method explained in Part 1).

Steps to enable Secure Boot:

Restart your PC and during startupDeleteKeys andF2Press the key repeatedly to enter the BIOS/UEFI settings screen.
Find the item "CSM (Compatibility Support Module)" in the settings and set it to "Disabled."
Next, change the "BIOS Mode" to "UEFI" in the "Boot" menu (some motherboards automatically go into UEFI only mode when you disable CSM).
Finally, find "Secure Boot" in the "Security" menu and set it to "Enabled."
Save the settings and reboot.

Some PCs require you to install Secure Boot keys:

Some PCs may not have the Secure Boot key installed. To enable Secure Boot, you must install the Secure Boot key. Please refer to the instructions below to install it.

If you select "Install Default Secure Boot keys" and press "YES", the correct factory keys (PK, KEK, db, dbx) will be installed, your PC will enter secure "User Mode" and Secure Boot will be automatically enabled.

Once you clear the Secure Boot keys, your PC will return to "Setup Mode" where you will see the message "Reset to setup mode" and "Clear Secure Boot keys."

The following image shows the state when the Secure Boot key is not installed. *This is the BIOS (UEFI) screen for the author's PC motherboard model: B550M-P4.

Motherboard model number: B550M-P4 - BIOS (UEFI) screen — Motherboard model number: B550M-P4 – BIOS (UEFI) screen

Once the Secure Boot keys are installed, the correct factory default keys (PK, KEK, db, dbx) will be displayed (in the red box at the bottom left of the image).

Platform Key (PK)

This is PK .
The master key for the entire Secure Boot.

Key Exchange Keys

This is KEK (Key Exchange Key).
db と dbx A list of keys that have permission to update.

Authorized Signatures

This is db (Signature Database).
" which has registered the signatures of OS and drivers that are allowed to startAllowlist".

Forbidden Signatures

This is dbx (database forbidden executable).
A signature that prohibits the launch of software that has been found to have vulnerabilities is registered.Banned List".

*Some manufacturers' PCs may have another key unique to the manufacturer. For example,

Authorized TimeStamps

This means DBT .
Simply put, it is a "certificate list of trusted Time Stamping Authority (TSA)" and is a "dated stamp" from a notary public that certifies when the signature was written.

In my environment, after updating to the BIOS (version 3.90) released on 2025/10/09, the item was added. (However, this key was empty.)

Why is certificate verification necessary now? – Secure Boot’s “2026 problem”

OverviewThe Secure Boot certificates (2011 version) currently used on many PCs will begin to expire one after another starting in 2026.
riskIf left unaddressed, the OS may not start up or security updates may not be applied in the future.
Solutions: This issue is resolved by adding the new "2023 edition" certificate to your PC.
Supplemental: This measure is usually implemented automatically through Windows Update, but in this article we will show you how to check for yourself whether it has been applied.

This article explains in detail how this certificate update may affect your PC and explains two important steps you should take now to protect yourself from the risks.

[Warning] BIOS manipulation can make your PC unbootable? Three measures to prepare for Secure Boot updates

The following article provides more information about Event ID 1801 (Secure Boot CA/Key Notification) and explains how to manually renew the Secure Boot certificate.

What causes "Error 1801 (TPM-WMI)" to be logged in the Event Viewer and how to fix it from Microsoft

Method 1: Check the certificate version using PowerShell commands

This is a method to directly read the certificate information registered in UEFI using PowerShell, which is standard on Windows.

procedure:

1.Start buttonRight-click on the icon and click "Terminal (Administrator)" or "Windows Powershell (Administrator)."

2. Type the following command and press Enter:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)

How to interpret the results:

Most of the text will appear garbled, but this is normal.

The garbled text contains "Windows UEFI CA"Or"Microsoft UEFI CA" followed by "2023If you see the message ", the new certificate has been installed.

*The old certificate "2011" remains to maintain compatibility and is not a problem.

In the case of Windows 11, in many environments, "U”Microsoft Corporation UEFI CA 20110?”0"Or"U%Microsoft Windows Production PCA 20110?”0" I think you will find it.

Method 2: One-click verification with Windows Secure Boot Certificate Checker

For those who find command operations a little difficult, we have created a tool called the "Windows Secure Boot Certificate Checker" that allows you to easily perform this verification process with just one click.

However, depending on your PC environment, it may not work properly, so please use it only as a quick and easy way to check.

How to download the tool:

* Regarding use of the software (please read carefully)

Update history:

2025/10/11 Ver 1.0.0.1:The fix was to obtain only the following four certificates:

"Microsoft UEFI CA" (Signs third-party boot loaders and EFI applications.)
"Microsoft Corporation UEFI CA" (This is the old name, same as above.)
"Microsoft Corporation KEK 2K CA" (signs DB and DBX updates)
"Windows UEFI CA" (used to sign the Windows boot loader)

*October 15, 2025: ESET security software may mistakenly detect the object as suspicious.

2025/11/04 Ver 1.0.0.2:Added the following certificate acquisition. The results are now easier to view.

"Microsoft Option ROM UEFI CA 2023" (Signs third-party option ROMs.)

2026/02/03 Ver 1.0.0.3:

UI Adjustments: The screen layout has been partially changed, including the addition of a menu bar.
Internal processing fixes: The internal processing of the program has been revised to improve stability.

2026/02/04 Ver 2.0.0.0:

New features: A function has been implemented to check whether the boot manager (bootmgfw.efi) is signed with the 2023 version (new certificate).
UI revamp: The screen design has been updated to dark mode, and the font has been changed to Meiryo UI and MS Gothic to improve visibility.
Internal processing fixes: Added EFI partition access processing and improved the accuracy of the detection logic.

2026/02/06 Ver 2.1.0.0:

Decision logic bug fixes: We have fixed a bug that, in some environments, would cause the number "2023" in the display of an older version to be incorrectly detected and incorrectly determined to be "updated."
Improved results display: The results are now separated into two sections: "Boot Manager" and "Windows UEFI CA 2023 (Certificate)," and the status of each section is now displayed in a different color.
Tighter criteria: We have changed the system so that it is determined to be "compatible" only if "Windows UEFI CA 2023", which is required for Windows boot, is present in the database. (If only KEK or Microsoft UEFI CA 2023 is present, it will be determined to be "non-compatible.")
Status wording changes: To convey the current status more intuitively, the judgment message has been changed to "New Boot Manager Compatible/Not Compatible."

2026/02/14 Ver 2.2.0.0:

[Major changes]

Fully supports multilingual UI (Japanese and English) The app now automatically detects the OS language settings and displays the English UI by default when launched in a non-Japanese environment (such as an English OS). This means that overseas users can use the app without any settings.
Added manual language switching function A new "Options" has been added to the menu bar, allowing you to seamlessly switch between Japanese and English with one click, even after launching.
Layout optimization for overseas markets The monospaced font and text placement in the console area have been fine-tuned to match global specifications so that text does not get cut off even when displayed in English.

Target file: "SBCertificateChecker.exe" (Ver 1.0.0.0)
ハ/ッシュ値(SHA256):45541771c5cdd48bc6c898a082725fdf2fa609d2e2845c630682cc908302093c

Target file: "SBCertificateChecker.exe" (Ver 1.0.0.1)
ハッシュ値(SHA256):53e85b24326d4b4207e1425c97f2773a4cb9bae17bec865a7b34f57011297bbb

Target file: "SBCertificateChecker.exe" (Ver 1.0.0.2)
ハッシュ値(SHA256):036dd645628bbac3f9ef241345c9b060f2e9e3ca57d130515cd64edbfdbd8938

Target file: "SBCertificateChecker.exe" (Ver 1.0.0.3)
ハッシュ値(SHA256):d400e398d3b331473515ad300e11369bec4c3c5977188ac8c04c6d93f0f230c4

Target file: "SBCertificateChecker.exe" (Ver 2.0.0.0)
ハッシュ値(SHA256):3bfb427208f39c2445be3d22f5aae366a02885176591af194bf62380e25a78b7

Target file: "SBCertificateChecker.exe" (Ver 2.1.0.0)
ハッシュ値(SHA256):fa27e2fabe917c80ecffb1d147d8dbe03ae4978a8447df42387e459051ed95cf

Target file: "SBCertificateChecker.exe" (Ver 2.2.0.0)
ハッシュ値(SHA256):38a14c239d1606282a070c9518aa043ff8da0ce44eeec8a4cf33b09adf79fbec

SBCertificateChecker_v2.2.zip

How to use:

Extract "SBCertificateChecker.zip" and run "SBCertificateChecker.exe" inside.
If "User Account Control" appears, click "Yes".
Click the "Start Checking" button.
The result will be a list of currently installed certificates and whether they are 2023 versions.

* Version 2.0.0.0 and later include a function to check whether the signature of the boot manager (bootmgfw.efi) is the 2023 version (new certificate).

Windows Secure Boot Certificate Checker v2.2 (supports Japanese and English)

How do I find out the exact expiration date of a certificate?

You can check the expiration date of the older version (2011) from the following page:

Windows Secure Boot Certificate Expiration and CA Renewal

The expiration date of the new version (2023) can be found in the certificate file (extension The best way to find out is to download the certificate (.cer or .crt) directly and check its properties.

Windows Secure Boot key creation and management guidance

*You cannot view the expiration date directly using commands such as PowerShell.

How to check the expiration date from a certificate:

1. The download URL is displayed under the item "Windows UEFI CA 2023" on the Microsoft page, so click on it to download.

2. Double-click the certificate to open it.

3. The "Opening File - Security Warning" message will appear, so click "Open".

Open File - Security Warning — Open File – Security Warning

4. The certificate information will then be displayed, so please check the expiration date.

About the "Install Certificate" button:

When you open the certificate, you will see an "Install Certificate" button, which may have caught your attention.

Pressing this button to install will have no effect on the Secure Boot update (a solution to the 2026 problem).

Why no impact? – Two different “certificate stores”

There are two main locations (certificate stores) on a PC where certificates are stored, each with a completely different role.

1. UEFI firmware certificate store (db, dbxSuch)

role: Turn on your PC,Before Windows startsAt this stage, we verify that the boot loader and other components are safe.
Place: It is stored in a special memory (NVRAM) on the motherboard.
example: "Master Key List" held by the building's security officeIf you are not on this list, you will not be able to enter the building in the first place.

2. Windows OS Certificate Store

role: After Windows startsIn addition, it verifies software signatures, website SSL/TLS certificates, and more.
Place: It is stored in the Windows system files.
example: "Business partner list" held by tenants (companies) in the buildingIt is used for internal business after entering the building.

The "Install Certificate" button is the latter Windows OS certificate storeThe operation to add a certificate to.

To continue with the building analogy, it would be like adding a new company to the "client list," but it would have no effect on the "master key list" held by the security office.

So how do you update Secure Boot?:

To update the Secure Boot certificate (the master key list of the security room), it is not an OS-level operation, but a PC foundation. UEFI/BIOS firmwareWe need to work on this.

The two correct ways to do this are as follows:

Windows Update: Microsoft will prompt you to update the firmware through OS updates.
UEFI/BIOS updates: Apply firmware updates provided by your PC manufacturer.

Therefore, there is no need to "install" the downloaded certificate yourself, and even if you do install it, it will not solve the Secure Boot problem.

Summary

Review of key points:
- Secure Boot certificates have an expiration date, and as a measure to address the "2026 problem," they are being updated to new "2023 version" certificates.
- The countermeasure status can be checked using PowerShell or a verification tool.
- In most cases, updates are done automatically, so all users need to do is enable Secure Boot and keep Windows Update up to date.

PC security is an invisible part of the system, but by understanding how it works and checking the status from time to time, you can continue to use your PC with greater peace of mind. I hope this article will help you do just that.

【Related Links】

If you found this article helpful, please share it on social media.

I copied the URL!

Person who wrote this article

wenbang

Driven by questions arising from my daily PC use and the desire to "do more," I have been pursuing self-study in Windows since around 2008. I am sharing the "aha!" techniques and solutions I discovered through trial and error with the sole purpose of helping you in your PC life.

View profile

Comment:

Comment list (22)

Anonymous Than:

2026 year 2 month 21 Date 8: 32 PM

If you submit SBCertificateChecker_v2.2.exe to virustotal, the following will be displayed.
Gridinsoft (no cloud) Trojan.Heur!.02016423 SecureAge Malicious
What is Gridinsoft (no cloud) Trojan.Heur!.02016423 SecureAge Malicious?
ttps://www.virustotal.com/gui/file/38a14c239d1606282a070c9518aa043ff8da0ce44eeec8a4cf33b09adf79fbec/detection

Reply
- wenbang Than:
  
  2026 year 2 month 22 Date 6: 48 AM
  
  Dear Anonymous
  
  Thank you very much for your comment and for using "SBCertificateChecker".
  We also appreciate you checking the security of your computer with VirusTotal before running it and reporting the results to us. We believe that running your own security check is a great way to protect yourself.
  
  To put it simply, the detection result displayed is a "false positive," so you can use the product with confidence.
  
  Regarding the display of "Trojan.Heur!.02016423" and "Malicious" that you asked about, we would like to explain the technical background.
  
  1. Meaning of detection name (not a specific virus)
  The "Heur" in the name stands for heuristic detection. This does not mean that the virus matched with known virus data, but rather that the program's structure predicted it to be suspicious and blocked it just in case.
  
  2. Reasons for the false positive
  This tool was written in a programming language called "AutoIt," but executable files (.exe) created in this language have a known tendency to be falsely detected by some overly sensitive antivirus software.
  In fact, the following warning is clearly stated by the system in the middle of the VirusTotal page shared by Anonymous (in the Crowdsourced YARA rules section):
  
  "Identifies compiled AutoIT script (as EXE). This rule by itself does NOT necessarily mean the detected file is malicious."
  (Identified an AutoIt script. This rule, in itself, does not necessarily mean that the file is malicious.)
  
  3. Tool Safety
  According to the VirusTotal test results, out of the 68-72 security engines, except for the two that overreacted (Gridinsoft and SecureAge), all the remaining major engines (Windows Defender, Kaspersky, ESET, McAfee, etc.) judged the virus to be "safe (undetected)."
  
  This type of judgment may occur because the system temporarily accesses deep system areas (such as the EFI partition) to read the Secure Boot signature, but I wrote the code myself from scratch and it does not contain any malicious programs.
  
  We hope you will use our site with confidence. We look forward to your continued support.
  
  Reply
  - Anonymous Than:
    
    2026 year 3 month 1 Date 2: 21 PM
    
    I tried using it on a PC with Windows 10 and all MS updates blocked by firmware.
    [Boot Manager (bootmgfw.efi)] – Old version (not signed for 2023)
    -----------------
    [Windows UEFI CA 2023] – Expiration date: June 2035
    [Microsoft UEFI CA 2023] – Expiration date: June 2038
    *[Microsoft Corporation UEFI CA 2011] – Expiration date: June 2026
    [Microsoft Corporation KEK 2K CA 2023] – Expiration date: March 2038
    I blocked every update on the experimental device, but the expiration date is in June... I wonder why lol
    To continue using Windows 10, should I stop the experiment and update Windows?
    Should I reluctantly give up on Win10 and use the popular article on how to download the Win11 ISO and install it on Win11?
    
    Reply
    - wenbang Than:
      
      2026 year 3 month 2 Date 5: 10 AM
      
      Dear Anonymous
      
      Thank you for sharing the results of running the tool.
      
      You may be wondering why the expiration date is coming even though updates are blocked, but the displayed date of "June 2026" is simply the tool's reading of the original "lifespan" that was set when the certificate was created in 2011.
      So, to get straight to the point, if you maintain the current state of "completely blocking Windows Update," there is a good chance that you will be able to continue using Windows 10 even after June 2026.
      
      The restriction that Microsoft plans to implement in 2026 will involve registering these old certificates in a "ban list (DBX)" on the PC via Windows Update, preventing them from launching. In other words, the "ban list" will not reach Anonymous's test machine, which has completely stopped updates, so the PC should continue to allow launch as before.
      
      So, if you are using it as an experimental machine, there is no need to download the Windows 11 ISO or restart the update. You can use it in the current environment.
      
      Reply
Sincerity Than:

2026 year 2 month 14 Date 3: 00 PM

Nice to meet you, I'm always learning.
My PC is a 2013 NEC laptop (PC-LL850msr-j).
Since it's an old computer, I've been careful about secure boot issues for a while now.
Event ID 1808 was recorded in the Event Viewer after the February Windows Update.
Also, SBCertificateChecker_v2.1.zip showed the same "Signed" result as the image in this article. (Previously, the new certificate was found, but not signed.)
I was relieved that this solved everything, but soon after, I started seeing error ID 1033 in the Event Viewer, which said "A possibly outdated boot manager has been detected on the EFI partition."
Is it okay to leave this situation as it is? Thank you in advance.

Reply
- wenbang Than:
  
  2026 year 2 month 15 Date 6: 10 AM
  
  Thank you for your comment, Makoto.
  
  Thank you for the detailed information.
  Even though the tool has determined that the file is signed in 2023, the occurrence of Event ID 1033 is likely related to the specific configuration of your NEC PC.
  
  1. Why do I keep getting error ID 1033?
  In NEC's LaVie series (2011 to 2013 models), old boot files may remain in NEC's own folder, such as \EFI\NEC\Boot\bootmgfw.efi, in addition to the standard Windows location.
  
  現状:The main launch file has been updated to the 2023 version (If the tool displays [Boot Manager (bootmgfw.efi)] ● 2023 version (Windows UEFI CA 2023 signed)), it appears that old files from the 2011 version remain in NEC's own folder.
  Windows determines:Microsoft periodically and incrementally updates the DBX (Secure Boot Revocation List) through Windows Update (e.g., quality updates).
  Perhaps this ID 1033 was recorded when you installed KB5074105 (January 30th, Japan time) or KB5077181 (February 11th, Japan time)?
  At that time, Windows determined that "there are still old, vulnerable files remaining. Updating the security settings now may cause the computer to become unable to start," and so for safety reasons it "postponed" the update and recorded ID 1033.
  
  2. Future responses and "preparedness for emergencies"
  Currently, Windows has stopped updates to protect your PC, so it will not become unbootable right away.
  
  However, if this "postponement" is lifted in the future, there is a non-zero risk that the system may fail to boot due to a "Secure Boot Violation."
  
  As a "remedy" in such cases, we have summarized the steps to create "Secure Boot recovery media" in a separate article.
  This is a tool that people like you who treasure old PCs should definitely keep as a "talisman."
  
  ▼[Important] Click here for instructions on how to create a repair tool if the game no longer starts up
  Windows 11 won't boot? "Secure Boot 2023 Signature" issue and how to create a repair tool(The mechanism is the same in Windows 10.)
  
  First, check the BootMgr path in the event log. If it says \EFI\NEC\..., then the problem is as explained here. Please refer to this article as a "safety net."
  
  Reply
  - Sincerity Than:
    
    2026 year 2 month 15 Date 10: 42 AM
    
    Thank you for your quick response and detailed explanation.
    As you pointed out, I recall that the initial explanation for ID1033 mentioned a vulnerability in NEC's own system files.
    I would like to prepare "Create Secure Boot Recovery Media" just in case.
    Furthermore, we are concerned that in the state where "Windows is deliberately stopping updates to protect the PC," there may be adverse effects such as future Windows Update failures.
    
    Reply
    - wenbang Than:
      
      2026 year 2 month 16 Date 4: 58 AM
      
      Dear Makoto
      
      Regarding the impact on future Windows Updates, rest assured.
      In conclusion, this ID 1033 warning will not cause future regular Windows updates (such as cumulative updates) to fail or stop.
      
      This "postponement" only applies to the rewriting of the Secure Boot security settings (DBX). Security updates for the OS itself will continue to be performed as usual even when this warning is displayed, so there will be no disruption to your PC's use.
      Windows will continue to check if it is safe to apply the update, and if the conditions are met in the future, it will automatically move to ID 1034 (update successful).
      
      Reply
      - Sincerity Than:
        
        2026 year 2 month 16 Date 11: 00 AM
        
        Thank you for your honest answers to my irrelevant questions as someone unfamiliar with PCs.
        Since the Secure Boot Authorized Key Exchange Key (KEK) Update was installed last December, I have been monitoring the progress of the Secure Boot update by checking the Event Viewer and using PowerShell commands, but every time I made progress, a new obstacle appeared. I was also confused by the incomplete information available online.
        Through this consultation, I learned that Microsoft is proceeding very carefully, and it also clarified what I need to do going forward.
      - wenbang Than:
        
        2026 year 2 month 16 Date 11: 20 AM
        
        Dear Makoto
        
        Thank you for your kind reply.
        The fact that Makoto continued his research tenaciously and was able to arrive at a satisfactory answer on his own will surely give him great confidence in his future PC life.
        
        As the administrator, I would be very happy if this blog could be of any help to users like Makoto, who carefully maintains his beloved 2013 machine.
        If you have any questions, please feel free to visit our blog anytime.
Anoni Than:

2026 year 2 month 6 Date 1: 19 PM

I always refer to it.

I used the Secure Boot Certificate Checker Ver. 2.0, and the following message was displayed:
[Boot Manager (bootmgfw.efi)]
– Old version (not signed for 2023)
————————————————————————
(No known certificate found in DB/KEK)

At that time, it says "Result: New certificate (2023 version) found."
Is this not an error in judgment?
Please check it out.

Reply
- wenbang Than:
  
  2026 year 2 month 6 Date 3: 29 PM
  
  Thank you for always reading my blog, Anoni-san. Also, thank you for reporting on the operation of the tool. It's very helpful.
  
  I have checked the issue you pointed out. As you said, this is a mistake (bug) in the tool's judgment logic.
  Because the number "2023" is used in the displayed log (old version...), the tool hastily concluded that "2023 included = there is a new certificate!" and made a mistaken judgment. (This is exactly why it was judged as "present" even though it said "none.")
  
  We have quickly created a revised version (Version 2.1) and updated the link in the article. We apologize for the inconvenience, but if you would like, we would appreciate it if you could check the revised version again.
  
  Reply
  - Anoni Than:
    
    2026 year 2 month 9 Date 9: 21 AM
    
    Thank you for your prompt response.
    When I tried it with Ver2.1,
    - - -
    [Boot Manager (bootmgfw.efi)]
    – Old version (not signed for 2023)
    ————————————————————————
    (No known certificate found in DB/KEK)
    
    Boot Manager: Old version (not updated)
    Windows UEFI CA 2023: Not detected (new boot manager not supported)
    - - -
    The following message was displayed.
    The model used for this check is a relatively new Dynabook B55. When I contacted the manufacturer based on the results of the other day's check, they asked me to check the signature of \boot\EFI_EX\bootmgfw_EX.efi.
    I believe this checking tool checks \boot\EFI\bootmgfw.efi, but if you know the difference between this and the above file, please let me know.
    
    Reply
    - wenbang Than:
      
      2026 year 2 month 10 Date 5: 56 AM
      
      Dear Anoni
      
      The detailed information and the results of your inquiries to the manufacturer are very helpful. Based on the information you provided, I performed a verification (reproduction experiment) on my actual machine environment and identified the role of bootmgfw_EX.efi and the current state of Anoni's PC.
      
      [Mechanism revealed through verification] My testing confirmed the following behavior: In the Windows boot manager update process, the system first references bootmgfw_EX.efi in C:\Windows\Boot\EFI_EX\. If this file is the latest (2023 version) and meets the system requirements (The DB has the 2023 certificate) is satisfied, this file will be used as the source to overwrite and update the bootmgfw.efi in the actual boot location (EFI system partition).
      
      [Reasons for discrepancies between manufacturers and tools]
      
      [Manufacturer (Dynabook)] The manufacturer recommends checking the bootmgfw_EX.efi (source file) in the C:\Windows\Boot\EFI_EX folder, which is usually the 2023 version if you are running Windows Update.
      
      [Tools on this site] The system is checking the "file actually used for booting (the file \EFI\Microsoft\Boot\bootmgfw.efi in the EFI system partition)." Since this file hasn't been overwritten on your PC yet, it's being considered "unsupported."
      
      Currently, the update file for Anoni's PC has arrived, but the conditions for application (BIOS update) have not been met, so the update is pending.
      In the future, if the 2023 certification is applied to the DB through a BIOS update, the boot manager will automatically be updated to the 2023 version. If the manufacturer does not provide a BIOS, the 2023 certification will be applied to the DB automatically through Windows Update, and the boot manager will also be updated to the 2023 version.
      
      Reply
      - Anoni Than:
        
        2026 year 2 month 10 Date 8: 53 AM
        
        Thank you for the verification and detailed explanation. I'm convinced that the tool's judgment method is correct.
        I'll update the BIOS on my dynabook and wait for the update.
      - wenbang Than:
        
        2026 year 2 month 10 Date 9: 18 AM
        
        Dear Anoni
        
        Thank you for your reply.
        I was pleased that you were satisfied with the test results.
        
        Dynabook is a manufacturer that provides strong support for its business models, so I think a BIOS update (DB update) will be provided soon. I hope the update comes without any problems.
        If you have any questions or have any new discoveries, please feel free to leave a comment. Thank you.
chika_chan Than:

2025 year 12 month 17 Date 4: 10 PM

Hello.
Chika_chan, the site administrator of "Simple Wireless LAN and Elementary School Education Practice"
I am

Today, I would like to introduce the "Windows Secure Boot Certificate Checker" posted on your blog.
We would like to inform you that we have used this in the article below.
I think it's very easy to use for multiple PC owners and beginners.
Thank you all!

Updating the Windows Update Secure Boot Key Encryption Key (KEK) on non-compliant PCs
https://kantanmusen.sakura.ne.jp/202402/84_009.htm

Reply
- wenbang Than:
  
  2025 year 12 month 17 Date 6: 10 PM
  
  chika_chan
  
  Thank you very much for your careful reporting.
  
  I read your article on "Updating the Windows Update Secure Boot (KEK) on a non-compliant PC." I am honored that you used our "Windows Secure Boot Certificate Checker" in your detailed verification article.
  
  In particular, the evaluation that "it's very easy to use even for beginners" is the most encouraging thing for me as a developer. I created this app hoping to simplify complex confirmation work even a little, so I'm really happy that people have understood that intention and are making use of it.
  
  If you have any other tools or information that you find useful, please feel free to use them. Thank you for your continued support.
  
  Reply
Ambassador Magma's Toolbox Than:

2025 year 10 month 23 Date 11: 16 AM

Nice to meet you, I am the blog administrator of Ambassador Magma's Toolbox (magumataishi.com).
While researching the Secure Boot 2026 issue, I found this article helpful.
The app in this article, "Windows Secure Boot Certificate Checker," was introduced in a blog post.

Reply
- wenbang Than:
  
  2025 year 10 month 23 Date 12: 25 PM
  
  Ambassador Magma's Toolbox
  
  Nice to meet you. Thank you very much for your comment. Also, I would like to thank you for your comment.https://magumataishi.com/blog-entry-2707.html) I have read it.
  
  I am extremely honored that you have referred to our article on the important topic of the Secure Boot 2026 problem, and even introduced my app, "Windows Secure Boot Certificate Checker." The article is also very clear and well-explained, which is wonderful.
  
  This is an important change that affects many Windows users, so we feel it is very meaningful that information is being shared and disseminated in this way.
  Thank you very much for your kind contact and introduction. We look forward to working with you in the future.
  
  Reply
Akky Than:

2025 year 10 month 11 Date 7: 11 AM

Hello, I came across this site while researching the Secure Boot issue. I used the verification tool and it said "No new certificates were found." Does this mean that if I wait, the certificate will eventually be installed on my PC?
Windows Update has been causing some issues lately, so I have turned off the "When available" option (check for cumulative updates, but skip previews).
Also, I haven't had any particular problems with UEFI so I haven't updated it, but would it be a good idea to update it?

I apologize for the amateur question, but I would appreciate your advice.

Reply
- wenbang Than:
  
  2025 year 10 month 11 Date 12: 10 PM
  
  Thank you for your comment, Akki.
  
  As a developer, I am very pleased to hear that you also used our original verification tool.
  The Secure Boot issue is quite complex and understandably frustrating, so I'll answer your questions one by one.
  
  1. I received the message "No new certificate found." Does this mean that if I wait, the certificate will eventually be installed on my PC?
  
  Yes, that is certainly your understanding.
  Over time, Microsoft will distribute this new certificate through Windows Update, or your PC manufacturer will distribute it through a BIOS update, and your PC will automatically (or with your approval) receive the certificate.
  
  There is nothing to worry about at this point, and you can continue to use it as is without any problems.
  
  *However, if you are using a self-built PC or have disabled the support app on a manufacturer-made PC, you may need to periodically check the official website of your PC manufacturer (or motherboard manufacturer) and manually download and update the BIOS.
  
  2. I've been having some issues with Windows Update lately, so I've turned off the "When available" option (I check for cumulative updates, but skip previews).
  
  This method of operation is a very wise and excellent decision, as it prioritizes PC stability. Updates released immediately after release often contain unexpected bugs. Rather than applying updates immediately, check the latest information and then apply them at your own convenience. This is an ideal update management method practiced by advanced users to prevent problems before they occur. Please continue to do so.
  
  3. I haven't updated my UEFI (BIOS) because I haven't had any particular problems, but would it be a good idea to update it?
  
  The golden rule for using your PC safely is to "not force yourself to update the BIOS/UEFI unless there are any particular problems occurring."
  
  Updating the BIOS is a very delicate process that involves rewriting the most fundamental parts of your PC. If you fail, there is a non-zero risk that your PC will not start. Unless there is an important security update like this one, it is safest to continue using the current BIOS if your PC is running stably.
  
  Please check the update contents of all versions newer than your current UEFI (BIOS) version, and if they include Secure Boot certificate updates, we recommend updating them. However, be sure to back up your system before proceeding.
  
  If you have any further questions, please feel free to comment anytime.
  
  Reply