Solved Secure Boot Allowed Signature Database (DB) Update

trevo · Apr 8, 2026

Just got this Windows Update from Microsoft.

dgwin11 · May 3, 2026

Same here

EB2XR6 · May 3, 2026

dgwin11 said:
Same here
View attachment 170495

Have you done any manual updates to your boot certificates? e.g. using Garlins Scripts or Mosby.

dgwin11 · May 3, 2026

EB2XR6 said:
Have you done any manual updates to your boot certificates? e.g. using Garlins Scripts or Mosby.

No, I am not familiar with Garlins Scripts or Mosby.

garlin · May 3, 2026

You have a supported PC (meaning Windows can install the Secure Boot updates by itself). A restart is required for the changes to take effect.

DSAND1 · May 18, 2026

On my computer (located under Other Updates): "Successfully installed on ‎5/‎15/‎2026: Secure Boot Allowed Signature Database (DB) Update"

However, under Device Security > Secure Boot (which is now check marked green) this dialog still displays:

"Secure boot is on but your device is using an older boot trust configuration that should be updated.
There is not enough data to classify your device for automatic update. Visit link below for more info"

I assumed that statement would have changed once I received & installed the Secure Boot DB (& associated Key Exchange Key?) although another automatic Windows Update might be required to fully complete the updated boot trust configuration process.

garlin · May 18, 2026

If you get the "not enough data to classify your device", your UEFI is probably missing the KEK CA 2023 update (unsupported BIOS). You should download this check script, and see where your PC stands. Whenever there isn't enough telemetry data to suggest a specific model can be updated, Windows will hold updates back.

garlin's PowerShell scripts for updating Secure Boot CA 2023

Code:

Check-UEFI.bat -Verbose

DSAND1 · Jun 1, 2026

2 days ago, an update to Parallels Desktop version 26.3.3 resolved the Secure Boot issue for my VM:

"Existing Windows 11 virtual machines will be updated to the new Secure Boot certificates automatically upon Windows restart after installing the Parallels Tools update.

After running this PowerShell command: ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') I received a TRUE result as a certificate update confirmation.

I assumed I would get a new Secure Boot status message stating "all required certificates have been applied" (or seeing a green badge) means your certificates are fully updated" although the status message is still "Secure boot is on but your device is using an older boot trust configuration that should be updated. There is not enough data to classify your device for automatic update"

garlin · Jun 1, 2026

Checking a single cert doesn't provide a complete summary of the situation. You won't get a change in the Security Center status until all of the CA 2023 certs are installed, Windows has switched to a new boot manager, AND rebooted the system.

For a VM, typically they update the "BIOS" so it appears you have new factory defaults. The Secure Boot update task runs twice a day, and will detect new certs are present, and finish the update process. Because a VM isn't a physical PC, it won't be listed in the Confidence Bucket JSON as a "known" device.

Running the update script and restarting Windows should get you the preferred Security Center status. There's no point in waiting for MS to decide if your device is ready, it probably is ready after the Parallels update.

DSAND1 · Jun 2, 2026

garlin,

I appreciate your detailed information, instructions, and the time you have expended throughout the forums on the Secure Boot matter and others. Your explanations are precise, logical and intuitive.

DSAND1 · Tuesday at 8:14 PM

With today's Patch Tuesday (26200.8655) my VM Secure Boot was automatically updated under Device Security >

"Secure Boot is on and all required updates have been applied. No further certificate changes are needed."

Thanks again to garlin. I decided to wait for MS to update instead of running garlin's update script to see if this Patch Tuesday would update/change the certificate. Had it not, the script was next.

garlin · Tuesday at 8:27 PM

The CA 2023 cert migration is an one-time event. Due to security fixes, June 2026 rolled out a new version of the boot manager and a higher DBX SVN along with it. Your Security Center status only refers to the basic Secure Boot certs.

If you see this message, Windows will handle installing the new boot manager for you. It might not happen right away, but within 24 hours.

Solved Secure Boot Allowed Signature Database (DB) Update

Well-known member

My Computer

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Similar threads