Secure Boot Readiness Checker is a PowerShell-based audit tool designed to assess a device's readiness for Microsoft's Secure Boot 2023 certificate deployment and the upcoming Secure Boot changes related to the 2026 certificate transition.
The tool performs a non-intrusive audit of the local device and provides a clear readiness assessment, detailed certificate information, firmware details, BitLocker status, and optional reporting capabilities.
- Detects UEFI firmware mode
- Verifies Secure Boot status
- Detects Microsoft KEK 2023 certificate
- Detects Microsoft DB 2023 certificate
- Verifies DBX presence
- Generates a readiness score
Detects OEM-specific Secure Boot certificates when available:
- Dell Platform Key
- Dell Key Exchange Key
- Lenovo Secure Boot KEK
- HP Secure Boot KEK
- BitLocker protection status
- BitLocker encryption method
- Secure Boot AvailableUpdates registry value
Supports multiple output formats:
- Console Report
- JSON Export
- CSV Export
- HTML Report
Microsoft is introducing Secure Boot certificate updates that include the transition from legacy Secure Boot certificates to the newer 2023 certificate chain.
Many organizations currently have limited visibility into:
- Secure Boot configuration
- Certificate deployment status
- OEM Secure Boot keys
- Firmware readiness
- Device compliance
This tool provides a simple way to assess device readiness before large-scale deployments.
- Windows 10
- Windows 11
- Windows Server (where Secure Boot cmdlets are available)
- Windows PowerShell 5.1 or later
Administrator privileges are recommended.
Some Secure Boot variables may not be accessible without elevated permissions.
Download the script:
SecureBootReadinessChecker.ps1

No installation is required.

```powershell
.\SecureBootReadinessChecker.ps1

.\SecureBootReadinessChecker.ps1 -Detailed

.\SecureBootReadinessChecker.ps1 -ExportHtml

.\SecureBootReadinessChecker.ps1 -ExportJson

.\SecureBootReadinessChecker.ps1 -ExportCsv

.\SecureBootReadinessChecker.ps1 `
    -Detailed `
    -ExportJson `
    -ExportCsv `
    -ExportHtml

.\SecureBootReadinessChecker.ps1 `
    -ExportHtml `
    -OpenReport
```

The device meets all current Secure Boot readiness checks.
Requirements:
- UEFI firmware
- Secure Boot enabled
- Microsoft KEK 2023 present
- Microsoft DB 2023 present
- DBX present
The device is partially compliant but may require additional validation.
One or more critical Secure Boot components are missing.
The device appears to be running in Legacy BIOS mode or Secure Boot cmdlets are unavailable.
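The five requirements listed above can be spot-checked by hand with the built-in Secure Boot cmdlets. The following is an added example, not the code of SecureBootReadinessChecker.ps1; the helper name `Test-SecureBootVariable` is hypothetical, and it assumes the 2023 certificates are identified by the subject names `Microsoft Corporation KEK 2K CA 2023` (KEK) and `Windows UEFI CA 2023` (DB). It reports no score, because the tool's scoring weights are not documented here.

```powershell
# Added example, not SecureBootReadinessChecker.ps1. Read-only; run from an elevated session.
function Test-SecureBootVariable {            # hypothetical helper name
    param([Parameter(Mandatory)][string]$Name, [string]$SubjectText)
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
    } catch {
        return $false                         # undefined variable, access denied, or no UEFI
    }
    if ($null -eq $var.Bytes -or $var.Bytes.Length -eq 0) { return $false }
    if (-not $SubjectText) { return $true }   # presence-only check (used for dbx)
    # Substring match on the raw variable data; this is not a full signature-list parse.
    $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    return $text.Contains($SubjectText)
}

$uefi = $true
$secureBoot = $false
try {
    $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
} catch [System.PlatformNotSupportedException] {
    $uefi = $false                            # Legacy BIOS or cmdlet unsupported
} catch {
    # Typically a non-elevated session: firmware mode is then unknown, not confirmed.
    Write-Warning "Secure Boot state unreadable: $($_.Exception.Message)"
}

# Assumed subject names of the Microsoft 2023 KEK and DB certificates.
$kek = Test-SecureBootVariable -Name KEK -SubjectText 'Microsoft Corporation KEK 2K CA 2023'
$db  = Test-SecureBootVariable -Name db  -SubjectText 'Windows UEFI CA 2023'
$dbx = Test-SecureBootVariable -Name dbx

[pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    UefiFirmware = $uefi
    SecureBoot   = $secureBoot
    Kek2023      = $kek
    Db2023       = $db
    DbxPresent   = $dbx
    AllFiveMet   = ($uefi -and $secureBoot -and $kek -and $db -and $dbx)
}
```

A `False` for `Kek2023`, `Db2023` or `DbxPresent` from a non-elevated session only means the variable could not be read, so re-run as Administrator before treating it as a missing certificate.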
```
==================================================
Secure Boot Readiness Checker v2.0
Lijane Consulting
==================================================
Computer Name : DEVICE01
Manufacturer  : Dell Inc.
Model         : Latitude 7420
Firmware Mode : UEFI
Secure Boot   : True
KEK 2023      : True
DB 2023       : True
DBX Present   : True
Status        : READY
Score         : 100 / 100
```
This tool is provided for auditing and assessment purposes only.
The script does not modify:
- Secure Boot configuration
- UEFI variables
- Firmware settings
- BitLocker configuration
- Windows security settings
No changes are performed on the audited device.
Contributions, feedback, bug reports, and improvement suggestions are welcome.
Please open an issue or submit a pull request.
Lijane Consulting
Digital Workplace • Endpoint Management • Intune • Configuration Manager • PowerShell
Website: https://lijaneconsulting.com
MIT License

