Secure boot certificate update for Optiplex 5000 SFF

I don't have the same machine.  But, you can run Windows update until you receive Secure Boot Allowed Key Exchange Key (KEK) Update.  That should make Powershell command returns a True.

Thanks for responding.

I've checked for updates, but there aren't any related to secure boot.

You can verify if the system has been updated with KEK update.  While on Windows Update page, select Update history.  There should be 4 groups, select the last one, Other updates and check for any KEK update.

Another way to check is going to Windows Security, click on Device Security and checking the status of Secure Boot.  If it has been updated with KEK update, the status will say everything is okay, no other change needed.

Thanks for the instruction updates.

I checked Other updates in Windows Update History—there’s nothing about KEK. I also checked Secure Boot under Device Security; it says I’m still on the older boot-trust configuration.

It's back to square one, my first response.  With the new BIOS update, you would get a true for 2023 certificate is in firmware database.  With the Windows update with KEK update, you will get a true for 2023 certificate actively being used at boot.

Just verify your system for UEFI mode is ON, Secure Boot is ON, and TPM is ON,  Run update again, then use computer for whatever purpose you need.  The KEK update will run by itself and sending you notification (on system tray) to restart the system.  After KEK update applied, you will get a true.  

Thanks for the updates.

All mentioned—UEFI, Secure Boot, and TPM—have always been on.

I found another PowerShell command from a search (screenshot attached) that returns True, but since my OP screen returns False and the Device Security screen still shows the "old trust configuration," I don't know how it affects the active certificate status on my system. Supposedly the secondary PowerShell command polls the "Default Database" (the backup certificates stored in BIOS). Do you know the differences?

Although there are some ways to run manually to get the update, just wait until next Tuesday and run update again.  It's very likely that your system will be updated with all require certificates before June.

chino is correct that for relatively new model best to let vendor bios push for SB update.

just want to say regarding AI, I had the same recommendation of the two manual update commands too, but upon further evaluation 

"AvailableUpdates" -Value 0x40

the value 0x40 is a limited update for Windows secure boot 2023 alone. If you want to do the manual way better to change the

• 0x0040: DB update (adds Windows UEFI CA 2023).
• 0x0004: KEK update (adds KEK 2K CA 2023).
• 0x0100: Installs the 2023 signed Boot Manager.
• 0x0200: VBS anti-rollback counter updates.
• 0x0800/0x1000: Adds additional Microsoft UEFI/Option ROM CA 2023 certificates

You can read about differences btn 0x40 and 0x5944

• 0x40 (Phase 1): This flag tells the system to update the Secure Boot database (db) by adding the new 2023 Certificate Authority (CA) certificate. It does not immediately update the boot manager or other keys.
• 0x5944 (Full Deployment): This is the recommended value for enterprise deployment, often set in the AvailableUpdates registry key. It ensures all required certificates (CA and KEK) are added and upgrades the boot manager to the new signed version.