I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-26 I have 22 questions.
I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.
---
If I understand the nature of the KEK correctly, it's the key that is far more difficult to update than the CAs installed in the DB/DBX (which are signed by the KEK). Why doesn't Microsoft rotate out these "lowest" bootmgr signing certs more frequently? It would seem that, as long as machines are getting KEK-signed DB/DBX updates frequently enough, Microsoft could replace these CAs way faster than once every 10 years.
- antfr, Feb 27, 2026, Copper Contributor
The DBX is updated when necessary to revoke known bootkit hashes. The DB doesn't need to be updated as long as the certificates are still valid (to allow signing boot managers). In addition, the latest boot loaders implement a version check to prevent loading former versions. The SVN update appends a fake hash in the DBX that identifies a specific minimum version of a specific component (such as bootmgfw.efi).
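Added example, not code from this thread or from Microsoft: a Python model of the two DBX mechanisms described above, a plain hash entry that revokes a known binary and an SVN-style entry that sets a minimum version for one component. The EFI_SIGNATURE_LIST layout and EFI_CERT_SHA256_GUID follow the UEFI spec; the owner GUID, the SVN_MARKER and the SVN entry encoding are constructed placeholders, not Microsoft's actual format.

```python
import hashlib
import struct
import uuid

# GUID that tags SHA-256 hash entries in DB/DBX (UEFI spec, EFI_CERT_SHA256_GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
# Constructed placeholder for the SignatureOwner field, not a real Microsoft GUID.
OWNER_GUID = uuid.UUID("00000000-0000-0000-0000-000000000001")
SVN_MARKER = b"SVN!"  # constructed marker; the real SVN entry layout is not reproduced here

def image_hash(image: bytes) -> bytes:  # simplification: firmware uses the Authenticode PE hash
    return hashlib.sha256(image).digest()

def build_dbx(entries: list[bytes]) -> bytes:
    """Serialise 32-byte entries as one EFI_SIGNATURE_LIST, the layout of the DBX variable."""
    sig_size = 16 + 32                        # EFI_SIGNATURE_DATA: owner GUID + digest
    list_size = 28 + len(entries) * sig_size  # 28-byte list header, no signature header
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size)
    return header + b"".join(OWNER_GUID.bytes_le + e for e in entries)

def parse_dbx(blob: bytes) -> list[bytes]:
    """Walk every EFI_SIGNATURE_LIST in a DBX blob and collect the SHA-256-typed entries."""
    out, off = [], 0
    while off + 28 <= len(blob):
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28: raise ValueError("corrupt signature list")
        if sig_type == EFI_CERT_SHA256_GUID:
            pos = off + 28 + hdr_size
            while pos + sig_size <= off + list_size:
                out.append(blob[pos + 16:pos + sig_size])  # skip the 16-byte owner GUID
                pos += sig_size
        off += list_size
    return out

def is_revoked(image: bytes, dbx: bytes) -> bool:
    return image_hash(image) in parse_dbx(dbx)  # plain hash entry: listed digest is refused

def svn_entry(component: str, min_version: int) -> bytes:
    """Constructed SVN entry: a hash-shaped 32-byte value carrying a component id and minimum version."""
    return SVN_MARKER + hashlib.sha256(component.encode()).digest()[:24] + struct.pack("<I", min_version)

def blocked_by_svn(component: str, version: int, dbx: bytes) -> bool:
    """True when the DBX carries an SVN entry for this component with a higher minimum version."""
    comp_id = hashlib.sha256(component.encode()).digest()[:24]
    for entry in parse_dbx(dbx):
        if entry[:4] == SVN_MARKER and entry[4:28] == comp_id:
            return version < struct.unpack("<I", entry[28:32])[0]
    return False
```

A real DBX holds many lists of different signature types; the parser above skips any it does not recognise rather than failing on them.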
- JamesEpp, Feb 27, 2026, Iron Contributor
Thanks for the reply.
"The DB doesn't need to be updated as long as the certificates are still valid (to allow signing boot managers)."
I think you've missed the point I was trying to make. I'm trying to point out that if MS commissions keypairs more regularly and gets those deployed out sooner than in this case, we can be more prepared for expirations like this rather than still having all these conversations 4 months before expiry.
It's great that MS commissioned new keys at 80% of the lifecycle of the original 2011 keys but they seemed to wait until mid-2025 to start thinking about deploying the new keys to all pre-2023 devices. Seems to lack planning.