Forum Discussion
GageWilder
Apr 24, 2026Iron Contributor
Windows11 Prompts Secure Boot KEK Update Should I Install It?
The system showed a "Secure Boot KEK update" notification. What is this, and is it necessary to install?
flhenriquez
Apr 25, 2026Copper Contributor
The Secure Boot KEK is a critical UEFI firmware key that authorizes updates to Secure Boot signature databases, ensuring your system only runs trusted pre-boot software.
What is the KEK?
The Key Exchange Key (KEK) is part of the Secure Boot key hierarchy in your system’s UEFI firmware, sitting below the Platform Key (PK). It acts as a gatekeeper, authorizing changes to the allowed (DB) and disallowed (DBX) signature databases, which determine which bootloaders and firmware components are trusted or revoked. Without a valid KEK, your system cannot accept new Secure Boot updates, leaving it vulnerable to boot-level malware