Blog Post
Signing with the new 2023 Microsoft UEFI certificates: what submitters need to know
Keep shipping the 2011-signed binary along with the 2023-signed binary until most devices have updated their UEFI trust anchors – Microsoft will provide an update when this happens.
Dear Pratishtha, has Microsoft given any guidance to OEMs and, more generally, mainboard vendors (ASRock, Asus, MSI, Gigabyte etc.) on when and how to update their UEFI firmware, so that customers will have trust that the certificate DB will see these updates required on the firmware level?
I am still seeing a lot of mainboard vendors that do not offer firmware updates through Windows Update, let alone Autopatch. Especially for custom-built and consumer devices.
Could you share some insights on the firmware upgrade process and how it relates to this change in terms of timelines?
Thank you!
- Jordan_Geurten (Microsoft), Sep 25, 2025
Hi Karl-WE, we have given explicit guidance to partners that they should not ship DB updates via UEFI updates. This action causes PCR7 mismatches leading to possible BitLocker and VSM recoveries which is a bad experience for Windows users. The goal is to have the OS (Windows, Linux, others) update the DB.
- Karl-WE (MVP), Oct 02, 2025
Thank you, Jordan_Geurten. Does this update happen from the OS to the OS bootloader, or from the OS into the UEFI firmware?
Just asking as I feel unsure what will happen if customers and users reinstall from ISO / media.
In case you are updating UEFI from the OS, would this require admin rights, and will it work with a UEFI password set?
Asking as in many business environments users no longer have elevated rights while the UEFI firmware is locked with a password.
For UEFI updates through Windows Update this is no longer a blocker.
Thanks for your clarification.
- Jordan_Geurten (Microsoft), Oct 03, 2025
Good questions. SYSTEM components in the OS are calling into and updating the UEFI firmware. There is no requirement or dependency on users having admin rights. There is also no impact whether a UEFI password is set - that is only to access the UEFI menu. Thanks
- Pratishtha (Microsoft), Sep 24, 2025
SochiOgbuanya JordanG please help with the query above.