PowerShell: Using the -Decoded parameter in Get-SecureBootUEFI

Застосовується до
Win 10 Ent LTSB 2016 Win 10 Ent LTSC 2019 Windows 10 IoT Enterprise LTSC 2021 Windows 10, version 22H2, all editions Windows 11 Home and Pro, version 22H2 Windows 11 Enterprise Multi-Session, version 22H2 Windows 11 Enterprise and Education, version 22H2 Windows 11 IoT Enterprise, version 22H2 Windows 11 SE, version 23H2 Windows 11 Home and Pro, version 23H2 Windows 11 Enterprise and Education, version 23H2 Windows 11 Enterprise Multi-Session, version 23H2 Windows 11 version 24H2, all editions Windows 11 version 25H2, all editions Windows 11 version 26H1, all editions Windows Server 2012 ESU Windows Server 2012 R2 ESU Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2025

Note

Original publish date: April 28, 2026
KB ID: 5093574

Note

The -Decoded parameter was added to the Get-SecureBootUEFI PowerShell cmdlets in the April 14, 2026, monthly cumulative updates, and updates released after that date.

Introduction

The Get-SecureBootUEFI PowerShell cmdlet retrieves UEFI Secure Boot variables such as PK (Platform Key), KEK (Key Exchange Key), DB (allowed signature database), and DBX (revoked signature database). These variables normally return raw binary data, which can be difficult to interpret directly.

The new -Decoded parameter provides a more accessible view of this information.

What does the -Decoded parameter do?

When you use the -Decoded parameter, the cmdlet displays the contents of Secure Boot databases in a human-readable format. Instead of raw bytes, it decodes and presents the underlying data, including certificates, hashes, and associated metadata stored in UEFI authenticated variables.

With the -Decoded parameter, the output includes readable certificate information such as:

  • Subject (for example, Microsoft Windows Production PCA 2011)
  • Algorithm and version
  • Serial number
  • Validity period

This makes it easier to:

  • Inspect Secure Boot items such as certificates, hashes, and public keys
  • View certificate properties such as subject, issuer, and validity dates
  • More easily understand what is trusted in PK, KEK, and DB, and what is revoked in DBX without additional parsing

Example

Command usage in PowerShell:

Note

Get-SecureBootUEFI -Name db -Decoded

Command returns:

Note

  • SignatureOwner : 77fa9abd-0359-4d32-bd60-28f4e78f784b
  • Subject        : CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Version        : 3
  • Algorithm      : sha256RSA
  • SerialNumber   : 61077656000000000008
  • ValidFrom      : 2011-10-19 11:41:42Z
  • ValidTo        : 2026-10-19 11:51:42Z
  • SignatureOwner : 77fa9abd-0359-4d32-bd60-28f4e78f784b
  • Subject        : CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
  • Version        : 3
  • Algorithm      : sha256RSA
  • SerialNumber   : 330000001A888B9800562284C100000000001A
  • ValidFrom      : 2023-06-13 11:58:29Z
  • ValidTo        : 2035-06-13 12:08:29Z

When to use it

Use the -Decoded parameter when you need to analyze or validate Secure Boot configuration, rather than retrieve their raw values.

Learn more

For full cmdlet details, parameters, and additional examples, see the Get-SecureBootUEFI documentation.

Note

The referenced documentation does not yet include the -Decoded parameter. The documentation will be updated in a future revision.

Change log

Change date Change description
April 30, 2026
  • Added the descriptive text for the UEFI Secure Boot variables PK, KEK, DB, and DBX in the "Introduction" section
  • Added a "Note" to indicate the -Decoded parameter was added in the April 2026 monthly security update.