How to Check Secure Boot Certificates for Expiration

Asked By CuriousCoder42 On

I'm trying to get a better understanding of secure boot certificates, specifically those that are set to expire after June 30, 2026. My immediate goal is to manually check the certificates on a Windows machine using PowerShell. I'm aware there are scripts available, but I want to know what each command does so I can automate this process later. The commands I've gathered include `Get-SecureBootUEFI`, `Get-SecureBootUEFI -Name PK`, `Get-SecureBootUEFI -Name KEK`, `Get-SecureBootUEFI -Name db`, and `Get-SecureBootUEFI -Name dbx`. However, the output isn't human-readable and seems encoded, with some parts showing a lot of question marks. Can I simply run these commands to check the certificates on any Windows machine, or do I need to take extra precautions about the sensitive information they might reveal?

3 Answers

Answered By SysAdminSteve On

You can absolutely use those commands to check the certificates. The important point is that you want to confirm that the certificates are not expired and that they’re the correct ones needed for secure boot after June 30, 2026. If you're seeing a lot of question marks, it might not be an error, just a sign that some portions are encoded or not visible. Focus on the output that does display correctly, like the `CN` (Common Name) fields, which should give clues about validity. And yes, script that whole process once you get it down to be more efficient!

DataDude88 -

Good to know! Remember that every machine is different; just running the commands doesn’t guarantee you’re getting the same output across all systems. Keep an eye out for the specific certs that you want for the future.

Answered By TechGuru1987 On

To manually check secure boot certificates, you can run the `Get-SecureBootUEFI` commands you listed. Just make sure Secure Boot is enabled—check with `msinfo32`. You can output the certificates to text files with something like `Get-SecureBootUEFI -Name PK | Out-File PK.txt`. As for decoding the output, it can be tricky since a lot of it appears as gibberish. If you're looking for specific expiration dates, you’ll have to extract and interpret that data after decoding it. It's good to be cautious with the output, especially sensitive info—never share that over unsecured channels.

ScriptMaster99 -

Yeah, definitely don't send those outputs over email without checking them first. There could be sensitive cert data. To decode the bytes, consider trying a script like the one mentioned earlier; it should help parse everything into a readable format.

Answered By PowerShellNinja On

If you want to see more detailed outputs rather than raw data, consider modifying your script to pull only relevant sections. Also, keep in mind some certificates may be machine-specific, so if you're comparing across different manufacturers, that could yield different results. It might help to go through the data line by line to see what you can safely ignore for your alerts.

CuriousCoder42 -

Thanks for the tip! I will definitely dig deeper and tailor the scripts to pull out the most important data.
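The raw bytes behind the "question marks" in the original question are EFI_SIGNATURE_LIST structures as defined by the UEFI specification, and the actual X.509 certificates inside them can be parsed with .NET classes that ship with Windows. The script below is an added example, not code from any of the posters above; it decodes PK, KEK and db, prints each certificate's subject and NotAfter date, and flags anything that expires on or before a cutoff date (defaulting to the June 30, 2026 date in the question). It assumes an elevated PowerShell session on a UEFI machine (both `Confirm-SecureBootUEFI` and `Get-SecureBootUEFI` require that); the two GUIDs are the spec's EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID, and the function names are my own.

```powershell
# Added example (not from any poster on this page). Decodes the Secure Boot
# variables and lists the X.509 certificates in them with their expiry dates.
# Assumes: Windows on UEFI firmware and an elevated session.
#
# Each variable is a sequence of EFI_SIGNATURE_LIST records (UEFI spec):
#   SignatureType       GUID     16 bytes   (which kind of entry follows)
#   SignatureListSize   UINT32    4 bytes   (size of this whole list)
#   SignatureHeaderSize UINT32    4 bytes
#   SignatureSize       UINT32    4 bytes   (size of each entry, incl. owner GUID)
#   SignatureHeader     SignatureHeaderSize bytes
#   Signatures[]        each = SignatureOwner GUID (16 bytes) + data

$EfiCertX509Guid   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256Guid = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function ConvertFrom-EfiSignatureList {
    param([Parameter(Mandatory)][byte[]]$Bytes, [string]$Variable)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $sigType    = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)

        # Bounds check so a truncated or corrupt variable cannot run us past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            Write-Warning "$Variable : malformed signature list at offset $offset; stopping"
            break
        }

        $entry = $offset + 28 + $headerSize
        $end   = $offset + $listSize
        while ($entry + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$Bytes[$entry..($entry + 15)])
            $data  = [byte[]]$Bytes[($entry + 16)..($entry + $sigSize - 1)]

            if ($sigType -eq $EfiCertX509Guid) {
                # DER-encoded certificate: let .NET parse subject, issuer and validity.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{
                    Variable   = $Variable
                    Kind       = 'X509'
                    Owner      = $owner
                    Subject    = $cert.Subject
                    Issuer     = $cert.Issuer
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            } elseif ($sigType -eq $EfiCertSha256Guid) {
                # Hash entries (common in dbx) have no expiry; report the hash as-is.
                [pscustomobject]@{
                    Variable   = $Variable
                    Kind       = 'SHA256'
                    Owner      = $owner
                    Subject    = (($data | ForEach-Object { $_.ToString('x2') }) -join '')
                    Issuer     = $null
                    NotAfter   = $null
                    Thumbprint = $null
                }
            }
            $entry += $sigSize
        }
        $offset += $listSize
    }
}

function Get-SecureBootCertExpiry {
    param(
        [string[]]$Variable = @('PK', 'KEK', 'db'),   # dbx is mostly hashes; add it if you want them
        [datetime]$Cutoff   = [datetime]'2026-06-30'
    )
    try {
        if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this machine' }
    } catch {
        throw "Secure Boot variables are not readable here (not UEFI, or not elevated): $_"
    }
    foreach ($name in $Variable) {
        $raw = (Get-SecureBootUEFI -Name $name).Bytes
        ConvertFrom-EfiSignatureList -Bytes $raw -Variable $name |
            Where-Object Kind -eq 'X509' |
            Select-Object Variable, Subject, NotAfter,
                @{ n = 'ExpiresByCutoff'; e = { $_.NotAfter -le $Cutoff } }
    }
}

# Usage: list every certificate and whether it expires by the cutoff date.
Get-SecureBootCertExpiry | Format-Table -AutoSize
```

Because the parser only emits subject, issuer, expiry and thumbprint, the output is what you would compare across machines rather than the raw variable bytes, which is also the part worth keeping out of tickets and email. Firmware from different vendors carries different PK and KEK entries, so expect the PK row to vary per model while the db rows are where the Microsoft-issued certificates (and their expiry dates) show up.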
