Your PC's Secure Boot Certificate May Be About to Expire

FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by FlyingPenguin »

Well, in desperation I resorted to using an LLM (I refuse to call them AIs). I asked Perplexity (when I do resort to using an LLM, I like Perplexity because it cites sources for its information), and it gave me a pretty good explanation:

QUESTION: Are the 2023 Microsoft secure boot certificates installed by a bios update?
Yes, in many cases the 2023 Microsoft Secure Boot certificates are delivered as part of a BIOS/UEFI firmware update, but that’s only part of the story and behavior varies by vendor.

How the 2023 keys get installed:

Many motherboard and OEM firmware updates released since late 2023–2025 include the 2023 Microsoft Secure Boot keys in the firmware’s default key database (KEK/DB/DBX). This means flashing a newer BIOS often adds the new keys to the firmware image.

However, updating the BIOS does not always activate those keys in the currently used Secure Boot database; often the update only refreshes the factory defaults, and your active keys stay as they were until you reset keys to factory defaults or Windows pushes an update into NVRAM.

Role of Windows Update:

Microsoft can also write the 2023 Secure Boot certificates into firmware from within Windows, as long as the firmware supports the necessary update interfaces, so it is possible to get the new keys without a BIOS update on some systems.

On other systems, vendors and Microsoft recommend first installing a BIOS/UEFI update that includes the new keys, then letting Windows Update apply or activate them if needed.

What this means for you:

If your vendor provides a recent BIOS/UEFI with notes or FAQs mentioning 2023 Secure Boot or Secure Boot certificate updates, installing that firmware is usually the most reliable way to ensure the new keys are present as defaults.

To be fully protected, you may still need either:

a “reset to factory default keys” in the BIOS (on systems where the new keys are in the default store), or

to let Windows Update (or a documented Microsoft procedure) apply the keys into the active Secure Boot database.

So: a BIOS update often includes the 2023 certificates, but by itself does not always guarantee they are installed and active in the Secure Boot database you are actually using.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

Executioner
Life Member
Posts: 10351
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by Executioner »

Yeah, this is a cluster fuck. I decided to check another laptop that is Windows 11 compliant, and it also returned "false". It's an Asus VivoBook F510UAR laptop. It has the latest BIOS, but the Win Tuesday update did not fix it. Not sure where all this is headed, but MS needs to fix it. I also have some other older laptops from the 2015 era, but Dell does not have any BIOS updates. On all the used laptops I sell, I always install the latest BIOS when installing a fresh OS.
Executioner
Life Member
Posts: 10351
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by Executioner »

Microsoft is adding a status indicator of your Secure Boot certificate status to Windows Security.

https://www.techpowerup.com/347962/wind ... te-refresh
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by FlyingPenguin »

Bit more info here: https://www.neowin.net/news/microsoft-a ... tallation/

Also, I would suggest everyone download the Feb 2026 cumulative update for Win 11 24H2 and 25H2, which you can get here: https://www.catalog.update.microsoft.co ... =KB5077181

According to MS, this is the first monthly update for Win11 that included the new Secure Boot certs. The reason I am downloading a copy is because after June 2026, it will be impossible for a motherboard that does not already have the new certs to get them automatically via Windows Update (because all updates released after June will be signed with the new keys).

So, if after June, you wind up with a PC or mobo on your bench that does not already have the new certs, but is capable of installing the new certs, this will be the only easy way to get them installed.
Executioner
Life Member
Posts: 10351
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by Executioner »

Nothing for Windows 10?
Executioner
Life Member
Posts: 10351
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by Executioner »

I just tried this on a laptop that does not fully support Windows 11. I installed Windows 11 Home 25H2 with all the updates before I tried it. I get the following error:

"The update is not applicable to your computer. For more information, check the documentation for this update to find out if you need to install another update first."

I tried the smaller update first, then the larger update first, but in both cases it fails with the above message. So I'm guessing that because this laptop does not fully support Windows 11, I won't be able to install the update? If that is the case, I may as well simply go back to my installation of Windows 10 Home.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by FlyingPenguin »

Hmm. I don't think so. Unsupported hardware has no effect on whether you get updates. But I have seen these manual cumulative updates fail on new installs. I think there's some prerequisite update you need.

I haven't had a chance to try it myself but I will sometime this week, on both unsupported hardware and supported.
FlyingPenguin
Flightless Bird
Posts: 33161
Joined: Wed Nov 22, 2000 11:13 am
Location: Central Florida

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by FlyingPenguin »

And yes, in theory the last Win10 update from last year should include the new certs. I know I had a Win10 PC get them in September.
Executioner
Life Member
Posts: 10351
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by Executioner »

I have an Asus VivoBook F510UAR laptop which was released in 2017. Completely Windows 11 compliant. Before I updated the laptop today, the check came back as false. I noticed a new March update, so I installed that one, which fixed it. So now it comes back as true.

The other laptop is older, a Dell Latitude 3340 2-in-1, released in 2015. I installed the same March update but it still comes back as false. It does NOT fully support Windows 11.
Executioner
Life Member
Posts: 10351
Joined: Wed Nov 22, 2000 11:34 am
Location: Woodland, CA USA

Re: Your PC's Secure Boot Certificate May Be About to Expire

Post by Executioner »

Some updates:
Looks like the March update, KB5077181 (26200.7840), has the updated certs superseding the ones from February.

Also, the old method of checking with Windows PowerShell has been updated. Now this works: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023'

Using the old one will return False. Old one: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

Strange - I tried the new one on another laptop and it did not work but worked on the other laptop. Then I found this: Confirm-SecureBootUEFI

I guess I'll just go by what Windows Security shows with their colored dots.
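The one-liners above grep for an ASCII string inside the raw variable bytes, which tells you nothing about which certificates are actually present or when they expire. The script below is an added example (not code from the thread or from Microsoft): it parses the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns, according to the UEFI specification layout, into X.509 certificates, and then checks db and dbdefault for the 2023 Windows CA the same way the posters did, but on parsed subjects. It assumes an elevated PowerShell on a UEFI system where the SecureBoot module is available.

```powershell
# Added example: decode Secure Boot db/dbdefault into the X.509 certs they contain.
# EFI_SIGNATURE_LIST = type GUID (16) + ListSize (4) + HeaderSize (4) + SignatureSize (4)
#                      + header + N * EFI_SIGNATURE_DATA (owner GUID (16) + DER cert)
function Get-SecureBootCertificates {
    param([ValidateSet('db','dbdefault','KEK','KEKDefault','PK')][string]$Name = 'db')

    $bytes    = (Get-SecureBootUEFI -Name $Name).Bytes
    $x509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset   = 0
    while ($offset + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }       # malformed list: stop instead of looping forever
        $listEnd  = $offset + $listSize
        $sigStart = $offset + 28 + $hdrSize
        if ($type -eq $x509Guid) {            # skip SHA-256 hash lists (dbx style entries)
            while ($sigStart + $sigSize -le $listEnd) {
                $der  = [byte[]]$bytes[($sigStart + 16)..($sigStart + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $sigStart += $sigSize
            }
        }
        $offset = $listEnd
    }
}

# Active store (db) versus factory defaults (dbdefault): a cert that is only in
# dbdefault is not trusted until the firmware keys are reset or Windows writes it to db.
$all = foreach ($v in 'db','dbdefault') { Get-SecureBootCertificates -Name $v }
$all | Sort-Object Variable, NotAfter | Format-Table Variable, Subject, NotAfter -AutoSize

# Same question the thread's one-liners ask, answered from parsed subjects:
foreach ($v in 'db','dbdefault') {
    $has2023 = [bool]($all | Where-Object { $_.Variable -eq $v -and $_.Subject -match 'Windows UEFI CA 2023' })
    '{0}: Windows UEFI CA 2023 present = {1}' -f $v, $has2023
}
```

Run it before and after a BIOS "reset to factory default keys" or a Windows servicing pass to see whether the 2023 CA moved from dbdefault into the active db, which is the distinction the Perplexity answer earlier in the thread describes.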