Windows11 Prompts Secure Boot KEK Update Should I Install It?

The Secure Boot KEK is a critical UEFI firmware key that authorizes updates to Secure Boot signature databases, ensuring your system only runs trusted pre-boot software.

What is the KEK?

The Key Exchange Key (KEK) is part of the Secure Boot key hierarchy in your system’s UEFI firmware, sitting below the Platform Key (PK). It acts as a gatekeeper, authorizing changes to the allowed (DB) and disallowed (DBX) signature databases, which determine which bootloaders and firmware components are trusted or revoked. Without a valid KEK, your system cannot accept new Secure Boot updates, leaving it vulnerable to boot-level malware