If Dell won't provide a signed KEK update to Microsoft for those devices (probably because they cannot), Windows will not be able to update the KEK.
In my experience, Dell devices often have an option in their firmware setup to enroll a DB or KEK certificate from a USB key manually. You can try by putting
https://github.com/microsoft/secureboot_objects/blob/main/PreSignedObjects/KEK/Certificates/microsoft%20corporation%20kek%202k%20ca%202023.der on a FAT32 formatted USB key and trying to import it as KEK. This should make the secure boot update continue and complete successfully.
Still, from an economic standpoint, you have to decide whether spending a few minutes on each device manually is worth the effort or whether you would be better off replacing the devices.
Thank you for the response and giving me something to try. I have about a dozen machines that will probably need this workaround (hope it works). So, not hundreds or thousands. But unlike a general user's 4-core Optiplex from 10+ years ago, these are workstations that have 12 or 14 cores. Are they as powerful as an equivalent new machine? No, but they still do what we need them to do, and do it pretty well. So, a few minutes, assuming the fix works, is well worth my time. Thanks again. I'll report back when I've had a chance to try.
- mihi, Mar 14, 2026, Brass Contributor
In case that option is not there, feel free to take and share photos of which Secure Boot options are there, maybe there is another way we can get that KEK in.
And in general, before messing with Secure Boot options, it is a good idea to suspend BitLocker (if in use).
- DJ8014A, Mar 14, 2026, Copper Contributor
The option was there, and I tried both the .der file in your link, as well as the .crt found here:
https://go.microsoft.com/fwlink/?linkid=2239775
Both resulted in this error (see below). I tried saving the original KEK to see if it would at least identify the correct extension, but it didn't specify an extension on export.
Any other suggestions?
- DJ8014A, Mar 15, 2026, Copper Contributor
This page: https://www.dell.com/community/en/conversations/optiplex-desktops/how-to-manage-secure-boot-key-files-on-bios-type-2-machines/691c874fca58a9338d7717a9 says Dell needs .auth files.
This defense dept PDF (https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-Secure-Boot-Customization-UOO168873-20.PDF) (believe it or not) says you can turn a CRT into a .auth as follows - but I don't know where to get the KEK.key file or the PK.crt
PowerShell can also be used to convert ESL files into AUTH files. Only AUTH files can be used to update Secure Boot values while enforcing signature checks. The PK can sign itself and KEK(s).
openssl pkcs12 -export -in KEK.crt -inkey KEK.key -out KEK.pfx -name "KEK"
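To see which container a key file actually is before importing it (bare certificates such as the .der and .crt tried above, versus the .auth format the linked Dell page asks for), the following is an added Python example, not code from any poster, Dell or Microsoft. It recognizes the PEM, DER, EFI_SIGNATURE_LIST and EFI_VARIABLE_AUTHENTICATION_2 layouts defined in the UEFI specification; the function names and sample bytes are constructed for illustration.

```python
import struct
import uuid

# GUIDs from the UEFI specification, stored on disk in mixed-endian form.
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072").bytes_le
EFI_CERT_TYPE_PKCS7_GUID = uuid.UUID("4aafd29d-68df-49ee-8aa9-347d375665a7").bytes_le
WIN_CERT_TYPE_EFI_GUID = 0x0EF1


def parse_esl(data):
    """Return the X.509 DER blobs in one EFI_SIGNATURE_LIST, or None."""
    if len(data) < 28 or data[:16] != EFI_CERT_X509_GUID:
        return None
    list_size, hdr_size, sig_size = struct.unpack_from("<III", data, 16)
    if list_size > len(data) or sig_size <= 16 or list_size < 28 + hdr_size:
        return None
    body = data[28 + hdr_size:list_size]
    if not body or len(body) % sig_size:
        return None
    # Each entry: 16-byte SignatureOwner GUID followed by the certificate.
    return [body[i + 16:i + sig_size] for i in range(0, len(body), sig_size)]


def classify(data):
    """Classify a key file as 'pem', 'der', 'esl', 'auth' or 'unknown'."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        return "pem"
    if parse_esl(data) is not None:
        return "esl"
    # AUTH: 16-byte EFI_TIME, then WIN_CERTIFICATE_UEFI_GUID, then the payload.
    if len(data) >= 40:
        dw_len, rev, ctype = struct.unpack_from("<IHH", data, 16)
        if (rev == 0x0200 and ctype == WIN_CERT_TYPE_EFI_GUID
                and data[24:40] == EFI_CERT_TYPE_PKCS7_GUID
                and 24 <= dw_len <= len(data) - 16):
            return "auth"
    # DER X.509: outer SEQUENCE with a 2-byte long-form length covering the file.
    if len(data) >= 4 and data[:2] == b"\x30\x82":
        if struct.unpack_from(">H", data, 2)[0] + 4 == len(data):
            return "der"
    return "unknown"


def constructed_samples():
    """Constructed inputs (placeholders, no real key material or signature)."""
    der = b"\x30\x82\x00\x04" + bytes(4)
    sizes = struct.pack("<III", 28 + 16 + len(der), 0, 16 + len(der))
    esl = EFI_CERT_X509_GUID + sizes + bytes(16) + der
    pkcs7 = b"\x30\x00"
    hdr = struct.pack("<IHH", 24 + len(pkcs7), 0x0200, WIN_CERT_TYPE_EFI_GUID)
    auth = bytes(16) + hdr + EFI_CERT_TYPE_PKCS7_GUID + pkcs7 + esl
    return {"der": der, "esl": esl, "auth": auth}
```

Run `classify(open(path, "rb").read())` on a file from the USB key; the check looks only at the container layout and does not verify the signature inside an AUTH file.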