Microsoft Collaborates with OEMs to Update Windows Secure Boot Keys


Key Takeaways:

  • Microsoft is updating Secure Boot on Windows UEFI PCs in collaboration with OEM partners.
  • The update aims to address firmware bugs that could cause startup issues or overlook important database updates.
  • Users can expect a controlled rollout of updates, with Microsoft blocking updates on devices with known issues until fixes are available.

Microsoft has announced its plans to update Secure Boot on Windows Unified Extensible Firmware Interface (UEFI) PCs. The company is collaborating with its equipment manufacturer (OEM) partners to issue new Secure Boot keys starting this year.

Secure Boot is a security feature that first shipped with Windows 8 on machines whose firmware implements the Unified Extensible Firmware Interface (UEFI). UEFI is a specification for the firmware interface that connects a computer's firmware to its operating system (OS).

The Secure Boot feature is designed to ensure that only trusted software is executed during the boot process. It verifies the digital signatures of the boot components to prevent rootkit and bootkit malware from making any unauthorized system changes before the PC boots up.

Microsoft requires OEMs to install three certificates to enable the Secure Boot feature on Windows devices. These include the Key Exchange Key (KEK), the Allowed Signature Database (DB), and the Disallowed Signature Database (DBX). These Microsoft-managed certificates are set to expire in 2026.


Microsoft announces phased rollout for new Secure Boot certificates

Earlier this week, Microsoft announced that it is collaborating with its OEM partners to release replacement certificates. These certificates aim to address bugs in firmware implementations that can cause startup issues or cause the firmware to ignore important DB updates. On February 13, Microsoft released the new Windows UEFI CA 2023 as an optional update for all Secure Boot-enabled devices. It will be used to sign Windows boot components before the expiration of the 2021 version.

“The full DB update’s controlled-rollout process to all Windows customers will begin during the 2024 April servicing and preview updates, ahead of the certificate expiration in 2026. Meanwhile, efforts to update the Microsoft UEFI CA 2011 (aka third-party UEFI CA) and Microsoft Corporation KEK CA 2011 will begin late 2024, and will follow a similar controlled rollout process as this DB update,” Microsoft explained.

Microsoft plans to release the updates in stages and will block them on devices with known problems until a fix is available. The company has provided steps to help administrators manually apply the new certificates using PowerShell commands. Keep in mind that enterprise customers who use BitLocker encryption will need to back up their recovery keys before installing the updates on their Windows PCs.
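Before applying the update, an administrator will want to know whether Secure Boot is actually on, whether the new Windows UEFI CA 2023 is already present in the DB, and whether every BitLocker volume has a recovery password that has been backed up. The script below is an added example, not Microsoft's own guidance or a script from the article; it only reads state and exports a report, it does not modify the Secure Boot databases. It assumes the SecureBoot and BitLocker PowerShell modules that ship with Windows, an elevated session, and a report directory `$BackupDir` chosen by the administrator.

```powershell
# Added example: read-only readiness check before the Secure Boot DB update.
# Run from an elevated PowerShell session on the target PC.
# Assumptions: SecureBoot and BitLocker modules are available (they ship with Windows);
# $BackupDir is a location of your choosing, not a path from the article.

$BackupDir = 'C:\SecureBootPrep'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Confirm the machine booted with Secure Boot on. The cmdlet throws on legacy BIOS,
#    so treat an exception as "not a UEFI system".
$secureBootOn = $false
try { $secureBootOn = Confirm-SecureBootUEFI }
catch { Write-Warning "Secure Boot state could not be read: $_" }

# 2. Look for the certificates in the allowed-signature database (DB) and the KEK.
#    Certificate subjects are stored as plain ASCII inside the DER data, so a
#    substring match on the raw bytes is sufficient for a presence check.
$dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$kekText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

$dbHas2023     = $dbText  -match 'Windows UEFI CA 2023'          # new Windows CA (Feb 13 update)
$dbHasThirdCa  = $dbText  -match 'Microsoft Corporation UEFI CA 2011'  # third-party UEFI CA
$kekHas2011    = $kekText -match 'Microsoft Corporation KEK CA 2011'   # KEK due for replacement

# 3. Inventory BitLocker volumes and export their recovery passwords so they can be
#    escrowed before the firmware databases change. Move the CSV to secure offline
#    storage (or your key-escrow system); leaving it on the same disk defeats the purpose.
$report = foreach ($vol in Get-BitLockerVolume) {
    $recovery = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        ProtectionStatus  = $vol.ProtectionStatus
        RecoveryKeyCount  = $recovery.Count
        RecoveryPasswords = ($recovery.RecoveryPassword -join '; ')
    }
}
$csv = Join-Path $BackupDir 'bitlocker-recovery.csv'
$report | Export-Csv -Path $csv -NoTypeInformation

# 4. Summarise, and warn about anything that should block the update on this PC.
foreach ($r in $report) {
    if ($r.ProtectionStatus -eq 'On' -and $r.RecoveryKeyCount -eq 0) {
        Write-Warning "Volume $($r.MountPoint) is protected but has no recovery password; add one before updating."
    }
}
if (-not $dbHas2023) { Write-Warning 'Windows UEFI CA 2023 is not yet in the DB; the update has not been applied here.' }

[pscustomobject]@{
    SecureBootEnabled      = $secureBootOn
    DbHasWindowsUefiCa2023 = $dbHas2023
    DbHasThirdPartyCa2011  = $dbHasThirdCa
    KekHasMsKekCa2011      = $kekHas2011
    BitLockerReportPath    = $csv
}
```

Run it once before the April servicing update and again afterwards: the `DbHasWindowsUefiCa2023` field flipping to `True` confirms that the DB update landed on that device, and the exported recovery passwords are what you will need if BitLocker enters recovery after the firmware databases change.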