Windows Boot Certificate Migration: Why You Should Be Monitoring This Right Now


Microsoft is quietly rolling out one of the most important platform security changes in recent years: the migration from the legacy Secure Boot certificate chain (2011) to the new Windows UEFI CA 2023 chain. 

This isn’t just another update. It’s a change to the trust foundation of Windows devices. And if you’re responsible for endpoints, VDI, or physical workstations, this is something you should be watching closely. 

At ControlUp, we’ve built a way to both visualize and remediate this migration across your environment with: 

  • The Windows Boot Certificate Migration dashboard
  • The Windows Secure Boot Certificate Expiration Status detection script
  • The Windows Secure Boot Certificate Expiration Remediation action script 

Let’s walk through what’s actually happening and why it matters. 

What Is Microsoft Changing? 

Secure Boot works by trusting a chain of certificates stored in firmware. For years, Windows relied on certificates issued under the Microsoft Windows Production PCA 2011 chain. 

Microsoft is now migrating devices to the Windows UEFI CA 2023 certificate. This migration is necessary because certificates age, revocation policies evolve, and security baselines tighten. Eventually, systems that rely solely on the older trust chain may face enforcement changes or revocation updates that could impact boot behavior.

In other words: this is foundational security work. 

The Complication: It’s a Staged Process 

The migration doesn’t happen automatically the moment you install a Windows update. 

Instead, Windows evaluates: 

  • Whether the device is capable of migration (WindowsUEFICA2023Capable)
  • Whether Secure Boot is enabled
  • Whether the migration has started (UEFICA2023Status)
  • Whether a registry trigger (AvailableUpdates) has been set
  • Whether reboots and scheduled tasks have executed successfully 

This means you can end up with devices that are:

  • Fully capable but never triggered
  • Mid-migration and waiting for reboot
  • Stuck in an unknown state
  • Already migrated but not visible to you 

Without visibility, it’s difficult to know where your environment’s migration actually stands.
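As an added example (not ControlUp’s detection script), the PowerShell below reads the values listed above on a single device and maps them onto those states, including the “ready but not started” case. The registry paths, the scheduled task path, and the status strings other than NotStarted are assumptions based on how Windows exposes this data, not values stated on this page; verify them on your own build.

```powershell
#Requires -RunAsAdministrator
# Added example, not ControlUp's script. Assumed locations (verify on your build):
#   WindowsUEFICA2023Capable, UEFICA2023Status -> HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
#   AvailableUpdates                           -> HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot
#   scheduled task                             -> \Microsoft\Windows\PI\Secure-Boot-Update
$ServicingKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null (not an exception) when the key or value is absent; absence is itself a reportable state.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-UefiCa2023MigrationState {
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }          # throws on legacy BIOS / CSM: treat as disabled
    $capable = Get-RegValue $ServicingKey 'WindowsUEFICA2023Capable' # 2 = device is ready (per the article)
    $status  = Get-RegValue $ServicingKey 'UEFICA2023Status'         # NotStarted / InProgress / Updated (assumed strings)
    $trigger = Get-RegValue $SecureBootKey 'AvailableUpdates'        # non-zero = an update has been requested
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    # Map the raw values onto the operational states the dashboard distinguishes; evaluation order matters.
    $state = if (-not $secureBoot)                    { 'SecureBootDisabled' }
             elseif ($null -eq $capable)              { 'Unknown' }                 # servicing values not written yet
             elseif ($capable -ne 2)                  { 'NotReady' }
             elseif ($status -eq 'Updated')           { 'Complete' }
             elseif ($status -eq 'InProgress')        { 'InProgress' }
             elseif ($trigger -and $trigger -gt 0)    { 'TriggeredAwaitingReboot' }
             else                                     { 'ReadyNotStarted' }         # capable, nothing initiated

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBoot       = $secureBoot
        Capable          = $capable
        Status           = $status
        AvailableUpdates = $trigger
        TaskLastRun      = $taskInfo.LastRunTime
        TaskLastResult   = $taskInfo.LastTaskResult    # 0 means the last run of the task succeeded
        State            = $state
    }
}

Get-UefiCa2023MigrationState | Format-List
```

Devices that report ReadyNotStarted are the ones the remediation action described later in this post is meant for; Unknown or a non-zero TaskLastResult are the ones worth a closer look before any nudge.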

Turning Uncertainty into Visibility 

That’s why we created the Windows Boot Certificate Migration dashboard in ControlUp. 

Instead of manually checking registry keys or firmware states, the dashboard gives you a live view of which devices are ready and which are not. It also shows the BitLocker state, the Secure Boot state and the migration status of each device.

You can immediately identify devices that are “ready but not started,” devices that are complete, and devices that may need attention.

It transforms a low-level firmware process into something you can manage operationally. 

To start collecting data for the dashboard, simply go to: 

Devices → Scripts → Script Library 

and import the script Windows Secure Boot Certificate Expiration Status. 

Once deployed, the script runs daily and feeds the Windows Boot Certificate Migration dashboard. 

When Migration Hasn’t Started 

One common scenario we see: 

  • WindowsUEFICA2023Capable = 2 (device is ready)
  • UEFICA2023Status = NotStarted
  • Secure Boot enabled

The device is fully capable, but nothing has initiated the migration. That’s where the remediation action comes in! 

The Windows Secure Boot Certificate Expiration Remediation script safely: 

  • Sets the required registry trigger and attempts to start the Windows Secure Boot update scheduled task. 
  • Logs in a device event whether the fix was applied.

By default this script is a System action: you can launch it manually on a device, or use a Workflow to roll it out to all devices that need it.

It does not force reboots. It does not override Windows servicing logic. It simply nudges the system into beginning the official migration process. 

The next daily scan then confirms whether the device progressed. 

Why This Matters for Operations Teams 

Boot-level changes are some of the most sensitive changes you can make in Windows. When they fail, systems don’t partially break — they fail early in the boot chain.  

That’s why this transition should not be handled blindly. 

With ControlUp you can: 

  • Visualize the migration state across your entire estate
  • Identify devices that are ready but idle
  • Remediate only the systems that need it
  • Track progress over time 

This isn’t just about compliance. It’s about confidence.

Chris Twiest

Chris Twiest is the Solution Innovation Manager at ControlUp, where he leads the Innovation Guild — a cross-functional initiative focused on developing creative solutions for real-world customer challenges. With two decades of experience in managing, creating, and automating workspace environments, Chris combines deep technical expertise with a passion for building practical, scalable tools. In his role, he drives innovation across ControlUp’s platform by designing and prototyping new features, building in-product script libraries, and collaborating closely with customers, product managers, and the community. Chris is also a frequent blogger, speaker, and advocate for turning complex problems into streamlined workflows.