On April 28, 2026, Microsoft published KB5093574 detailing a small but transformative update to Windows PowerShell: the Get-SecureBootUEFI cmdlet now accepts a -Decoded switch that renders Secure Boot’s firmware databases — previously a wall of raw bytes — into readable certificate fields. The new capability, which arrived via the April 14, 2026 cumulative update, comes as Windows’ long-planned Secure Boot certificate rollover enters a critical phase.

What’s New: From Raw Bytes to Readable Certificates

For years, administrators and security teams who needed to inspect what their devices actually trust at boot time faced a frustrating obstacle. The core Secure Boot databases — PK, KEK, DB, and DBX — live in UEFI firmware, and PowerShell’s Get-SecureBootUEFI cmdlet could retrieve them, but the output was a cryptic jumble of binary data. Parsing it required custom scripts, ASCII string searches, or manual hex dives.

That changes with the -Decoded parameter. When you run Get-SecureBootUEFI -Name db -Decoded, for example, the cmdlet no longer dumps raw bytes. Instead, it displays each certificate entry as a structured object with human-readable fields: Subject, Version, Algorithm, SerialNumber, ValidFrom, ValidTo, and SignatureOwner. Microsoft’s support article shows two sample entries side by side: the older “Microsoft Windows Production PCA 2011” and the newer “Windows UEFI CA 2023,” complete with their issuance dates and SHA-256 RSA fingerprints.

The parameter works across all the standard Secure Boot variables. You can decode PK (Platform Key), KEK (Key Exchange Key), DB (allowed signature database), and DBX (forbidden signature database) with the same simple syntax. It turns an operation that once demanded low-level binary parsing into a one-liner that any experienced admin can read and understand.

This is more than cosmetic. During the current certificate transition, knowing whether a machine contains the right 2023-era trust anchor isn’t just a compliance checkbox — it’s a predictor of whether the device will boot correctly after future servicing updates. A hex dump might show the string “Windows UEFI CA 2023” if you squint, but only the decoded view reveals the full certificate metadata: algorithm, serial number, validity period. That’s the kind of detail auditors and support engineers need.

Why Secure Boot Databases Matter Now More Than Ever

Secure Boot is often marketed as a simple on/off toggle, but under the hood it’s a hierarchy of cryptographic trust stores that decide what code can execute before Windows loads. PK establishes platform ownership. KEK controls who can update the other databases. DB contains the signed certificates and hashes of trusted bootloaders and UEFI drivers. DBX holds revocations — signatures of boot code known to be vulnerable or malicious.

When a device boots, the firmware checks every UEFI application and bootloader against DB and DBX. If a binary is signed with a certificate that chains to an entry in DB and isn’t blocked by DBX, it runs. If not, the machine halts or fails over to recovery.

That’s why the contents of these databases matter intensely right now. Microsoft has been migrating away from the original 2011 Secure Boot certificate chain toward a new 2023 chain. The old Microsoft Windows Production PCA 2011 certificate, embedded in billions of devices since the Windows 8 era, expires in October 2026. To avoid a future where unpatched machines can’t boot newer signed media — or where they accept only outdated trust — the ecosystem must adopt the 2023 certificates while phasing out the old ones gracefully.

The move isn’t optional for enterprises. A fleet that lacks the Windows UEFI CA 2023 in DB may still boot today, but it’s on a path toward cryptographic obsolescence. Worse, a device with an incomplete or stale DBX might be vulnerable to known boot‑chain attacks that have already been patched elsewhere. Readability has therefore become a security requirement, not just a convenience.

What This Means for IT Admins and Power Users

For anyone managing Windows at scale, the -Decoded parameter is a fleet‑validation tool disguised as a cmdlet upgrade. Before, verifying the Secure Boot certificate state across hundreds or thousands of machines meant writing fragile string‑parsing scripts that often needed custom tuning for different firmware implementations. Now you can write a short, reliable PowerShell block that extracts structured certificate objects and compares them against your baseline.

A few critical checks that become straightforward:

  • Run Get-SecureBootUEFI -Name db -Decoded on a representative machine. Look for entries whose Subject contains “Windows UEFI CA 2023” and “Microsoft UEFI CA 2023.” The former covers Windows boot components; the latter signs third-party UEFI software.
  • Run Get-SecureBootUEFI -Name kek -Decoded. The KEK database authorizes future updates to DB and DBX. If it still contains only the old 2011 CA, your devices may not accept updated database content later.
  • Run Get-SecureBootUEFI -Name dbx -Decoded. A populated DBX means revoked bootloaders are blocked. Missing critical revocations could leave the door open to known vulnerabilities.

This data can be integrated directly into endpoint management reports, Configuration Manager baselines, or Microsoft Intune custom detection scripts. A common pattern: collect the decoded DB, extract the Subject strings, and flag any device that lacks “Windows UEFI CA 2023.” That single metric gives you a reliable gauge of transition readiness without needing to interpret raw bytes.

Power users who dual-boot Linux or run custom UEFI configurations will also benefit. Many Linux distributions rely on the Microsoft‑signed shim bootloader to boot with Secure Boot enabled. The -Decoded parameter can reveal whether the needed certificate chain is present in DB, helping diagnose boot failures that previously led only to “Secure Boot violation” messages.

How We Got Here: The 2026 Certificate Transition

Microsoft’s Secure Boot infrastructure dates to the Windows 8 launch in 2012. The original trust chain was built around the Microsoft Windows Production PCA 2011 certificate, which signed Windows bootloaders and also authenticated the UEFI signing service that third parties use to get their boot software signed. That certificate was set to expire after 15 years, in October 2026.

In 2023, Microsoft began issuing a new generation of certificates: Windows UEFI CA 2023 for Windows itself, and Microsoft UEFI CA 2023 for platform partners. The idea is to replace the aging 2011 anchors long before they expire, and to do so without breaking compatibility with existing signed binaries. For several years, Microsoft has been dual-signing boot components so that devices with either chain could validate them.

Now, with the 2026 expiration approaching, the company has moved into the enforcement phase. The April 14, 2026 cumulative updates delivered not only the -Decoded parameter but also behind‑the‑scenes logic that pushes updated database content to eligible devices. The support article’s applicability list is striking: it spans Windows 10 LTSC 2016 through Windows 11 version 26H1, plus Windows Server from 2012 ESU to 2025. That breadth shows this isn’t a feature limited to a single release — it’s an ecosystem‑wide servicing effort.

Yet firmware remains the wild card. A device may receive the Windows update and still fail to incorporate the new certificates if its UEFI implementation is buggy, locked by an OEM policy, or simply running outdated firmware. That’s why the -Decoded parameter is so timely: it lets you check the actual firmware state, not just the OS’s intent.

Step-by-Step: Using the New Parameter to Check Your Systems

The syntax is simple, but you need to follow a few rules to get reliable results. Start with one device to validate your process, then scale out.

  1. Open an elevated PowerShell console. The Get-SecureBootUEFI cmdlet requires admin rights to read firmware variables.
  2. Confirm Secure Boot is enabled. Run Confirm-SecureBootUEFI or check (Get-SecureBootUEFI -Name SecureBoot).SecureBoot. If the system doesn’t support UEFI Secure Boot, the cmdlet will error.
  3. Inspect the allowed signature database.
    Get-SecureBootUEFI -Name db -Decoded | Format-List Subject, ValidTo
    Look for the subjects mentioned earlier. A healthy 2026 device should show both the 2011 and 2023 entries, proving it trusts both current and future signing chains.
  4. Check the Key Exchange Key database.
    Get-SecureBootUEFI -Name kek -Decoded | Format-List Subject
    The KEK should contain the 2023 certificate, otherwise future DB/DBX updates from Microsoft may be rejected.
  5. Review the revocation database.
    Get-SecureBootUEFI -Name dbx -Decoded
    This output is often large. Focus on whether entries are present at all; a zero-entry DBX is a red flag.
  6. Optionally decode the Platform Key.
    Get-SecureBootUEFI -Name PK -Decoded
    This reveals who owns the policy. Typically it’s the OEM or the user who enrolled their own PK.

For fleet automation, consider a script that runs these checks and outputs structured objects to a central location. Be defensive: if the -Decoded parameter isn’t present (because the system hasn’t received the April 2026 cumulative update), fall back to a simple string search of the raw bytes or flag the device as needing an update.

Quick Command-Reference Table

Command What It Decodes Why You Run It
Get-SecureBootUEFI -Name db -Decoded Allowed signature database Confirm presence of 2023 certificates
Get-SecureBootUEFI -Name kek -Decoded Key Exchange Key database Verify future update authorization
Get-SecureBootUEFI -Name dbx -Decoded Forbidden signature database Check that revocations are loaded
Get-SecureBootUEFI -Name PK -Decoded Platform Key See who controls policy

Home Users and Small Businesses: Yes, This Affects You Too

Most home users won’t ever open PowerShell, and that’s fine. Windows Update will attempt to deliver the new certificates automatically. However, if you’re the go‑to tech person for family or a small office, this tool is a lifesaver when something goes wrong.

Common scenarios where the -Decoded parameter helps:

  • A custom‑built gaming PC refuses to boot after a BIOS update. You can quickly check whether the motherboard’s firmware still stores the expected certificates.
  • An older laptop that hasn’t received a firmware update in years suddenly shows “Secure Boot violation” after a Windows feature update. Decoded output can confirm whether the DB contains the necessary 2023 entry or if the OEM never provisioned it.
  • A dual‑boot Linux system hangs at the bootloader. By decoding DB, you can see if the Microsoft‑signed shim certificate is present and whether a DBX entry might be blocking a specific component.

One critical warning: Do not disable Secure Boot as a knee‑jerk reaction. Use the decoded output to diagnose the real issue. If you turn off Secure Boot, you lose the pre‑boot anti‑malware protection it provides, and you may also break features that rely on measured boot, such as BitLocker with TPM validation. The better path is to update your firmware, apply the latest Windows updates, and verify the database contents.

What to Watch and Do Next

Microsoft hasn’t yet updated the formal cmdlet documentation on Learn to reflect the -Decoded parameter; the support article itself notes that the documentation will be revised in a future update. Until then, administrators should rely on the KB article and test the parameter’s availability on each OS build they manage.

The more important watch item is OEM firmware. Even with the Windows servicing stack in perfect order, many devices will require a separate UEFI firmware update before the 2023 certificates are accepted and stored correctly. Watch for advisories from Dell, HP, Lenovo, ASUS, and motherboard vendors, and integrate firmware updates into your regular maintenance cycle.

Enterprises should begin building Secure Boot health reporting now. Combine the decoded database output with firmware version, Windows build number, and event logs (especially Event ID 1808, which signals a Secure Boot update failure). Tools like Microsoft Intune, Configuration Manager, and third‑party ITSM platforms can ingest this data to produce dashboards that track your transition readiness. The danger isn’t a single catastrophic fail date — it’s a slow drift where older devices become unable to validate new boot media, recovery tools stop working, or security audits start finding missing revocations.

In the longer term, the -Decoded parameter should become the default way to interact with Secure Boot variables. Transparency around what a device trusts at boot time is too important to remain hidden behind byte arrays. Microsoft has taken a meaningful step toward making firmware security inspectable. Now it’s up to administrators to use that visibility to keep their fleets safe and up‑to‑date.