• After updating Microsoft Secure Boot certificates (PK and KEK) in a Windows Virtual Machine, the registry key WindowsUEFICA2023Capable remains at a value of 1 instead of transitioning to 2 (where 2 indicates a successful transition to the 2023 CA).
  
  
  
  
• PowerShell command Get-AuthenticodeSignature S:\EFI\Microsoft\Boot\bootmgfw.efi | fl Status,SignerCertificate shows 2011 Secure Boot certificate is active.
  
  

The WindowsUEFICA2023Capable registry key and the Get-AuthenticodeSignature PowerShell command may provide inaccurate status reporting regarding the active Secure Boot Certificate.

• Verify that the Secure Boot certificates are updated correctly, as described in the following KB articles:
  
  
  • Verification of Secure Boot Certificate on Virtual Machines
  • Secure Boot Certificate Expirations and Update Failures in VMware Virtual Machines
    
    
• If PK and KEK certs shows as 2023 contact Microsoft Support for further assistance. 

Reference :-

• The registry key WindowsUEFICA2023Capable is for reference only; do not use this key when checking the status of Secure Boot updates. Use the UEFICA2023Status key instead WindowsUEFICA2023Capable
• How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
• KB5037167: Security Update Validation Program guide to test PCA2011 revocation to address CVE-2023-24932