In Windows 11, how to check the installed Secure Boot relevant Windows certificates ? - dcasota/Lenovo83BY GitHub Wiki

Using Powershell, you can check the installed Windows certificates for Secure Boot by following comdlet.

Get-SecureBootUEFI -Name PK # Platform Key
Get-SecureBootUEFI -Name KEK # Key Exchange Key
Get-SecureBootUEFI -Name db # Signature Database
Get-SecureBootUEFI -Name dbx # Revoked Signatures Database

The array contents are, however, in an EFI_SIGNATURE_LIST structure.

import-module Get-UEFIDatabaseSignatures.ps1
(Get-SecureBootUEFI -Name db | Get-UEFIDatabaseSignatures).SignatureList.SignatureData | select-object {$_.Issuer +" : "+ $_.Subject}
CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US : CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Corporation Third Party Marketplace Root, O=Microsoft Corporation, L=Redmond, S=Washington, C=US : CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=[Hersteller-spezifisch] : CN=[Hersteller-spezifisch]
CN=Microsoft Root Certificate Authority 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US : CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

[1] https://www.borncity.com/blog/2025/02/05/windows-10-11-kb5053484-neues-ps-script-fuer-zertifikate-in-boot-medien/#comment-207476