Event details
See:
https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d
I wasn't aware of this KB, and it seriously concerns me. It says that sooner or later (during 2026) the "Windows Production PCA 2011" certificate will be added to the dbx, which, if I'm not mistaken, is the one used to sign the current bootloaders for various versions of Windows.
Up until now, I was comfortable and thought I could delay any action, especially in VMware environments where we have the null PK problem. Instead, both the KEK and DB, as well as the bootloader, need to be updated soon. Or am I wrong?
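As an added example (not part of the original post or of the Microsoft KB it links), the following PowerShell reports which pieces of the CVE-2023-24932 transition a machine has already received: whether the new "Windows UEFI CA 2023" is in DB, whether the new Microsoft KEK is present, whether "Windows Production PCA 2011" has been added to DBX, which CA signed the boot manager on the EFI System Partition, and whether a PK is present at all (the VMware null-PK case). `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`, `Get-AuthenticodeSignature` and `mountvol` are built-in Windows tools; the function names and the returned object are my own, and the certificate name strings are the subject names of the Microsoft certificates as assumed here. It must run from an elevated prompt on a UEFI system.

```powershell
# Added example, not from the thread or the KB. Summarises the Secure Boot variable
# state that the CVE-2023-24932 transition changes. Elevated PowerShell on UEFI required.

function Get-EspBootManagerSigner {
    # Mount the EFI System Partition on the first free drive letter, read the
    # Authenticode signer of the standard Windows boot manager path, then unmount.
    $letter = [char[]](68..90) | Where-Object { -not (Test-Path "$($_):\") } | Select-Object -First 1
    if (-not $letter) { return 'no free drive letter to mount the ESP' }
    $drive = "${letter}:"
    try {
        mountvol $drive /S | Out-Null
        $sig = Get-AuthenticodeSignature "$drive\EFI\Microsoft\Boot\bootmgfw.efi"
        if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }
        else { "unsigned or unreadable ($($sig.Status))" }
    } catch {
        "error: $($_.Exception.Message)"
    } finally {
        mountvol $drive /D | Out-Null
    }
}

function Get-SecureBootCertState {
    $state = [ordered]@{}
    $state.SecureBootEnabled = Confirm-SecureBootUEFI   # throws on legacy BIOS / CSM boot

    # Read each authenticated variable; a missing or empty variable counts as zero bytes.
    $text = @{}
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        try   { $bytes = (Get-SecureBootUEFI -Name $name).Bytes }
        catch { $bytes = $null }
        $state["${name}Length"] = if ($bytes) { $bytes.Length } else { 0 }
        # The DER certificates inside the EFI_SIGNATURE_LISTs carry their subject CN as
        # single-byte printable ASCII, so a substring match on the decoded bytes suffices.
        $text[$name] = if ($bytes) { [System.Text.Encoding]::ASCII.GetString($bytes) } else { '' }
    }

    # An absent PK is the VMware case from the post: the firmware is effectively in Setup
    # Mode and will not accept the signed KEK update that Windows Update tries to apply.
    $state.PKPresent                = $state.PKLength -gt 0
    $state.KEKHasMicrosoft2023KEK   = $text['KEK'] -match 'Microsoft Corporation KEK 2K CA 2023'
    $state.DbHasWindowsUefiCA2023   = $text['db']  -match 'Windows UEFI CA 2023'
    $state.DbxRevokesPCA2011        = $text['dbx'] -match 'Windows Production PCA 2011'

    # Which CA issued the signing certificate of the boot manager actually on the ESP?
    # A 2011-signed boot manager stops booting once PCA 2011 lands in DBX.
    $state.BootManagerSigner        = Get-EspBootManagerSigner
    $state.BootManagerIs2023Signed  = $state.BootManagerSigner -match 'Windows UEFI CA 2023'

    [pscustomobject]$state
}

# Usage: Get-SecureBootCertState | Format-List
```

The output shows the order the KB describes: the DB update has to land first (so a 2023-signed boot manager is trusted), then the boot manager swap, and only after that can the DBX revocation of PCA 2011 be applied safely; a machine with `PKPresent = False` will stall at the KEK step until the platform owner installs a PK.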
- ERottier8472, May 18, 2026, Brass Contributor
Since the new certificate is from 2023 and it's now 2026, I would've thought this would be done already indeed. I wouldn't know why it should be delayed at all. It feels insecure by design rn.