Applies To
Win 10 Ent LTSB 2016; Win 10 Ent LTSC 2019; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 version 24H2, all editions; Windows 11 version 25H2, all editions; Windows 11 version 26H1, all editions; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original publish date: April 28, 2026

KB ID: 5093574

Introduction

The Get-SecureBootUEFI PowerShell cmdlet retrieves UEFI Secure Boot variables such as PK, KEK, DB, and DBX. By default, the cmdlet returns these variables as raw binary data, which can be difficult to interpret directly.

The new -Decoded parameter provides a more accessible view of this information.

What does the -Decoded parameter do?

When you use the -Decoded parameter, the cmdlet displays the contents of Secure Boot databases in a human-readable format. Instead of raw bytes, it decodes and presents the underlying data, including certificates, hashes, and associated metadata stored in UEFI authenticated variables.

With the -Decoded parameter, the output includes readable certificate information such as:

  • Subject (for example, Microsoft Windows Production PCA 2011)

  • Algorithm and version

  • Serial number

  • Validity period

This makes it easier to:

  • Inspect Secure Boot items such as certificates, hashes, and public keys

  • View certificate properties such as subject, issuer, and validity dates

  • Understand what is trusted in PK, KEK, and DB, and what is revoked in DBX, without additional parsing

Example

Command usage in PowerShell:

Get-SecureBootUEFI -Name db -Decoded

Command returns:

SignatureOwner : 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject        : CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Version        : 3
Algorithm      : sha256RSA
SerialNumber   : 61077656000000000008
ValidFrom      : 2011-10-19 11:41:42Z
ValidTo        : 2026-10-19 11:51:42Z

SignatureOwner : 77fa9abd-0359-4d32-bd60-28f4e78f784b
Subject        : CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
Version        : 3
Algorithm      : sha256RSA
SerialNumber   : 330000001A888B9800562284C100000000001A
ValidFrom      : 2023-06-13 11:58:29Z
ValidTo        : 2035-06-13 12:08:29Z

When to use it

Use the -Decoded parameter when you need to analyze or validate the Secure Boot configuration, rather than retrieve the raw variable values.
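One way to validate the decoded entries, as an added example that is not part of the original article or Microsoft's code: it flags certificates that are expired or close to expiry. It assumes -Decoded emits one object per entry with the property names shown in the sample output; the function names are hypothetical and the sample records are constructed from the output above.

```powershell
# Added example. Assumption: -Decoded emits one object per entry whose
# property names match the sample output (Subject, ValidFrom, ValidTo).
function ConvertTo-UtcDate($Value) {
    # Accept either a DateTime or a string such as '2026-10-19 11:51:42Z'.
    if ($Value -is [datetime]) { return $Value.ToUniversalTime() }
    $styles = [System.Globalization.DateTimeStyles]::AdjustToUniversal
    [datetime]::Parse([string]$Value, [cultureinfo]::InvariantCulture, $styles)
}

function Test-SecureBootCertValidity {
    param(
        [Parameter(Mandatory)] [object[]] $Entry,
        [datetime] $AsOf = [datetime]::UtcNow,
        [int] $WarnDays = 365
    )
    foreach ($e in $Entry) {
        # Entries without certificate fields (for example hashes) are skipped.
        if (-not $e.Subject -or -not $e.ValidFrom -or -not $e.ValidTo) { continue }
        $from = ConvertTo-UtcDate $e.ValidFrom
        $to   = ConvertTo-UtcDate $e.ValidTo
        $days = [math]::Floor(($to - $AsOf).TotalDays)
        $status = if     ($AsOf -lt $from)     { 'NotYetValid' }
                  elseif ($AsOf -gt $to)       { 'Expired' }
                  elseif ($days -le $WarnDays) { 'ExpiringSoon' }
                  else                         { 'OK' }
        [pscustomobject]@{
            Subject  = $e.Subject
            ValidTo  = $to.ToString('u')
            DaysLeft = $days
            Status   = $status
        }
    }
}

# Constructed sample records, copied from the decoded output shown above.
$sample = @(
    [pscustomobject]@{ Subject   = 'CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US'
                       ValidFrom = '2011-10-19 11:41:42Z'; ValidTo = '2026-10-19 11:51:42Z' }
    [pscustomobject]@{ Subject   = 'CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US'
                       ValidFrom = '2023-06-13 11:58:29Z'; ValidTo = '2035-06-13 12:08:29Z' }
)
$asOf = ConvertTo-UtcDate '2026-04-28 00:00:00Z'   # fixed date so the result is repeatable
Test-SecureBootCertValidity -Entry $sample -AsOf $asOf | Format-Table -AutoSize

# On a device, under the same assumption about the output objects:
# Test-SecureBootCertValidity -Entry (Get-SecureBootUEFI -Name db -Decoded)
```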

Learn more

For full cmdlet details, parameters, and additional examples, see the Get-SecureBootUEFI documentation.

Note: The referenced documentation does not yet include the -Decoded parameter. The documentation will be updated in a future revision.
