Blog Post

Hardware Dev Center
4 MIN READ

Signing with the new 2023 Microsoft UEFI certificates: what submitters need to know

Pratishtha's avatar
Pratishtha
Icon for Microsoft rankMicrosoft
Sep 22, 2025

The original Microsoft UEFI certificates are expiring in 2026. This impacts Windows and Linux customers alike. Starting October 20, 2025, Hardware Developer Center (HDC) will return two signed binaries for each approved submission—one signed with the existing 2011 certificate and one with one of the new 2023 certificates, depending on the submission type. Submitters must separate Option ROM and UEFI applications into unique submissions. A submission must not contain an Option ROM and UEFI application. Submitters must ensure their installers can detect whether the 2023 certificates are present in the Secure Boot DB. This requirement applies to partners distributing UEFI applications or Option ROMs—not to enterprise IT admins deploying standard Windows updates. If present, use the 2023-signed file; if not, use the 2011-signed file. Microsoft will not issue dual signed packages given concerns around comprehensive testing and support in the ecosystem. Submitters—such as OEMs, IHVs, and ISVs—should expect to continue releasing their 2011-signed binaries alongside 2023-signed binaries for the foreseeable future.

Note: This blog is intended for Microsoft partners who submit UEFI binaries for signing—such as OEMs, IHVs, ISVs, and other device builders. If you are a Windows IT administrator or enterprise custom...
Updated Sep 24, 2025
Version 3.0
Karl-WE's avatar
Karl-WE
MVP
Sep 24, 2025

Keep shipping the 2011-signed binary along with the 2023-signed binary until most devices have updated their UEFI trust anchors – Microsoft will provide an update when this happens.

Dear Pratishtha has Microsoft given any guidance to OEMs and more generally mainboard vendors (Asrock, Asus, MSI, Gigabyte etc.), when and how to update their UEFI firmware, so that customers will have trust that the certificate DB will see these updates required on the firmware level?

I am still seeing a lot of Mainboard vendors that do not offer firmware updates through Windows Update, let alone Autopatch. Especially for custom built and consumer devices. 

Could you share some insights on the firmware upgrade process and how it relates to this change in terms of timelines? 

Thank you!