Event details
About files: In C:\Windows\Boot you will find EFI\bootmgfw.efi and EFI_EX\bootmgfw.efi. The first is signed with 2011 and the second with 2023 certificates. This file exists at up to two places in your EFI partition (depending on how exactly the boot variables are set within UEFI). \EFI\boot\bootx64.efi and \EFI\Microsoft\boot\bootmgfw.efi.
Whichever one or two of these files exist, they will be initially the first EFI file, and replaced by the EFI_EX files.
In the firmware, there are named slots, called Variables, which are updated in this process. When secure boot is active, there are restrictions intact that control which variables can be updated from the Operating System. And each of this updates needs to be cryptographically signed by a key that is already mentioned in these variables. In properly implemented Secure Boot UEFI, the PK and KEK variables can only be updated if the update is signed with a key in the PK variable (Platform Key), and the DB and DBX variables can only be updated if the update is signed with a key in the KEK variable.
Also, if TPM is used and sealed against PCR7, the TPM keys will be resealed against the new PCR7 value derived from the new certificates, at the same time when the variables are updated.
Some firmware versions have bugs, like PK or KEK being readonly, or KEK cannot be updated since Microsoft did not receive a signed EFI variable update for that PK (e.g. because the vendor lost it or no longer exists).
In many cases, there are manual workarounds. For example, the firmware setup may provide a menu where you can manually enroll a PK or a KEK. In this case, if enrolling the KEK works there, it is the easiest workaround. (Suspend Bitlocker, if used, before you do anything in firmware setup since it may reset the TPM).
Or it provides a "Setup Mode" where Secure Boot is active but variables are not protected, so you can use third-party tools to enroll the KEK, and afterwards disable Setup Mode again.
Others only provide a single option that will clear all 4 variables, and enroll a new PK only. In that case, you will need third-party tools to sign the KEKs you want to use with the PK, and the DB and DBX content with a KEK (maybe a third KEK you add yourself), and then you can fill the variables again with these updates. After that,, Windows will be happy and work securely again. Just make sure you don't keep your PK secret key on the machine where an attacker could steal it (as in that case you could just turn of Secure Boot and are not off worse). And make sure not to forget any DB or KEK content needed by the firmware or other hardware, or you may have "bricked" your device if you cannot enter UEFI setup any longer.
The last two options are obviously only for people who like to tinker with their hardware and invest some time in them. The same kind of people who brag with using Arch Linux :-P. By the way, the Arch Linux wiki has a good explanation how to set up secure boot completely from scratch, with or without Microsoft keys, so maybe their wiki is for you :)
In any case, for the foreseeable future, having a system that has secure boot enabled but expired KEK only (or even expired KEK and expired DB) is still more secure than secure boot off, as it will properly protect agaisnt a lot of old attacks. It will not protect against new attacks, but disabled Secure Boot will neither.
There may come a point when the old boot manager lacks features you want to use, and only in this case you'd have to bite the bullet and disable Secure Boot.
I know, many technical details in very condensed form. Probably it gives you some basic understanding and you can find the details on the Internet (or in the Secure Boot specification), or just ask again :)
thanks for the explanations!
In one machine from 2013 already mentioned in an earlier comment some weeks ago with an Asrock mainboard, it seems it does NOT have a "properly implemented Secure Boot UEFI" since the KEK seems readonly, and there is no way to add certificates from the firmware. On that machine, I will stay with the 2011's certificates with SecureBoot enabled as long as I am using Windows on that machine (currently win10 Pro on ESU, so only for 2026). In case of more trouble, I can always disable the SecureBoot.
More challenging is for the bootable USB key I am using for different PC. I will likely keep the EFI files with 2011's certificates there. It seems more compatible across machines.
You are very welcome.
The requirements for "properly implemented Secure boot" on x64 platform are pretty low
- It must be possible to turn it off
- It must provide some way to change the Platform Key. Minimally that would be either a "Setup Mode" where all variables are unprotected, or an option to upload a Platform Key and clear the others 3 variables, or an option to clear all variables with the additional requirement that if a variable is empty it means "allow all" and not "deny all".
All other options are for convenience. I understand that nobody likes to create their own platform key, sign everything with that and use third party tools to update the variables. Also, some motherboards have enrolled their own keys to DB and it may brick the machine (allow neither boot nor enter UEFI setup) if the DB is non-empty and does not contain them.
Therefore I agree you are better off not to mess with that machine, especially since you will repurpose it for another OS this year anyway.
And yes, I agree for recovery media you carry around in your purse to help others, it is currently best option to have bootloaders signed by Microsoft 2011 certificates.
The USB key I am currently carrying with me (powering various WinRE versions, Ubuntu, Grml and more recovery tools) is using Linux Foundation's Preloader, which has the disadvantage you need to manually confirm you want to boot on every reboot from it, and also since it is signed with Microsoft's 2011 Third-Party CA, some more recent machines do not longer ship the required certificates for that. Using Microsoft's certificate (i.e. have Microsoft's boot menu first with an option to boot other OS that would then load GRUB) is not an option since for recent boot managers (starting from Win10 RTM or so) it is impossible to chainload the Linux Foundation Preloader from bootmgr.
But if all you have on your media is Windows bootloader bootable stuff, the MS 2011 certificate would be my choice for now, too.