Blog Post

Hardware Dev Center
4 MIN READ

Signing with the new 2023 Microsoft UEFI certificates: what submitters need to know

Pratishtha's avatar
Pratishtha
Icon for Microsoft rankMicrosoft
Sep 22, 2025

The original Microsoft UEFI certificates are expiring in 2026. This impacts Windows and Linux customers alike. Starting October 20, 2025, Hardware Developer Center (HDC) will return two signed binaries for each approved submission—one signed with the existing 2011 certificate and one with one of the new 2023 certificates, depending on the submission type. Submitters must separate Option ROM and UEFI applications into unique submissions. A submission must not contain an Option ROM and UEFI application. Submitters must ensure their installers can detect whether the 2023 certificates are present in the Secure Boot DB. This requirement applies to partners distributing UEFI applications or Option ROMs—not to enterprise IT admins deploying standard Windows updates. If present, use the 2023-signed file; if not, use the 2011-signed file. Microsoft will not issue dual signed packages given concerns around comprehensive testing and support in the ecosystem. Submitters—such as OEMs, IHVs, and ISVs—should expect to continue releasing their 2011-signed binaries alongside 2023-signed binaries for the foreseeable future.

Note: This blog is intended for Microsoft partners who submit UEFI binaries for signing—such as OEMs, IHVs, ISVs, and other device builders. If you are a Windows IT administrator or enterprise custom...
Updated Sep 24, 2025
Version 3.0
Jordan_Geurten's avatar
Jordan_Geurten
Icon for Microsoft rankMicrosoft
Sep 25, 2025

Hi Karl-WE​, we have given explicit guidance to partners that they should not ship DB updates via UEFI updates. This action causes PCR7 mismatches leading to possible BitLocker and VSM recoveries which is a bad experience for Windows users. The goal is to have the OS (Windows, Linux, others) update the DB. 

Karl-WE's avatar
Karl-WE
MVP
Oct 02, 2025

Thank you Jordan_Geurten​ and this update happens in from the OS to the OS bootloader or from OS to the into the UEFI firmware? 

Just asking as I feel unsure what will happen if customers and users reinstall from ISO / media. 

In case you are updating UEFI from the OS would this require Admin rights and will it work with UEFI password set? 

Asking as in many business environments users do no longer have elevated rights while the UEFI firmware is locked with a password. 

For UEFI updates through Windows Update this is no longer a blocker. 

Thanks for your clarification.  

 

 

  • Jordan_Geurten's avatar
    Jordan_Geurten
    Icon for Microsoft rankMicrosoft
    Oct 03, 2025

    Good questions. SYSTEM components in the OS are calling into and updating the UEFI firmware. There is no requirement or dependency on users having admin rights. There is also no impact whether a UEFI password is set - that is only to access the UEFI menu. Thanks