Microsoft is preparing a massive update to the UEFI Secure Boot keys

This DB update is the first large Secure Boot update since its inception


Microsoft is further securing Secure Boot

Microsoft announced that it is changing the Secure Boot keys database, in collaboration with its OEM partners, to further prevent malware attacks before boot.

Secure Boot was first implemented in Windows 8 and is a prerequisite for Windows 11. This UEFI security feature was introduced as an indispensable way to counter attacks that occur before the boot sequence, when the system is most vulnerable.

This is not the first time Microsoft has updated the DBX, but according to the Redmond giant, it is the first DB update on such a large scale.

Why is Microsoft updating the Secure Boot keys?

First, don’t get alarmed. Microsoft is updating the Secure Boot keys because the Key Exchange Key (KEK), the Allowed Signature Database (DB) and the Disallowed Signature Database (DBX) will expire in 2026.

Microsoft is preparing to roll out replacement certificates that will set new UEFI CA trust anchors for the future. Microsoft will be rolling out Secure Boot database updates in phases to add trust for the new DB and KEK certificates. The first DB update will add the Microsoft Windows UEFI CA 2023 to the system DB. The new Microsoft Windows UEFI CA 2023 will be used to sign Windows boot components prior to the expiration of the Windows Production CA 2011.
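One way to check whether a device's DB already carries the new trust anchor is to walk the EFI_SIGNATURE_LIST entries in the raw `db` variable. The sketch below is an added example, not Microsoft's tooling; the sample blobs, the owner GUID and the helper names are constructed for illustration, and the name match is a byte search on the certificate rather than a full X.509 parse.

```python
import struct
import uuid

# EFI_CERT_X509_GUID from the UEFI specification: entries of this type hold DER certificates.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
NEW_CA = b"Windows UEFI CA 2023"  # certificate name as given in the article


def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for every entry in a db/dbx/KEK blob."""
    offset = 0
    while offset < len(blob):
        if len(blob) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", blob, offset + 16)
        if list_size < 28 + header_size or offset + list_size > len(blob) or sig_size < 16:
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        pos, end = offset + 28 + header_size, offset + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])
            yield sig_type, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        offset = end


def db_trusts(blob, name=NEW_CA):
    """True if any X.509 entry contains `name` (byte match on the DER, not a full parse)."""
    return any(t == EFI_CERT_X509_GUID and name in data
               for t, _, data in parse_signature_lists(blob))


def make_list(sig_type, owner, payloads):
    """Build one EFI_SIGNATURE_LIST; used only to construct the sample input below."""
    sig_size = 16 + len(payloads[0])
    body = b"".join(owner.bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, sig_size) + body


# Constructed sample: placeholder bytes standing in for DER certificates, not real certs.
OWNER = uuid.UUID("11111111-2222-3333-4444-555555555555")  # made-up owner GUID
OLD_DB = make_list(EFI_CERT_X509_GUID, OWNER, [b"...CN=Example Old CA 2011..."])
NEW_DB = OLD_DB + make_list(EFI_CERT_X509_GUID, OWNER, [b"...CN=Microsoft Windows UEFI CA 2023..."])

if __name__ == "__main__":
    print("before update:", db_trusts(OLD_DB))
    print("after update: ", db_trusts(NEW_DB))
```

On a real machine the input would be the raw `db` variable, for example the `Bytes` property returned by PowerShell's `Get-SecureBootUEFI db`.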

Furthermore, Microsoft will validate device and firmware compatibility, and the DB update will be optional for the February 2024 servicing and preview updates.

The controlled rollout of the full DB update to all Windows customers will begin during the April 2024 servicing and preview updates, ahead of the certificate expiration in 2026. Meanwhile, efforts to update the Microsoft UEFI CA 2011 (aka third-party UEFI CA) and Microsoft Corporation KEK CA 2011 will begin in late 2024 and will follow a similar controlled rollout process to this DB update.

To prevent any problems, Microsoft will block the update on devices that are identified as having issues.

The DB updates can also be applied manually, and the Redmond giant has issued a guide on how to do that, including the prerequisites to meet before installing them.

What do you think about Microsoft’s Secure Boot update? Let’s talk about that in the comments section below.
