I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-26 I have 22 questions.
I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.
---
I think it was Scott that said (in the Dec AMA) the 2011KEK key can no longer be used to sign updates post-expiration. If a device hasn't received any updates (CA or KEK) by expiration, is it true that device will *first* need to get the (PK-signed) 2023KEK installed and *second* install the (2023KEK-signed) CA into the DB list before bootmgr (or any boot loader for that matter) signed by 2023 CAs will boot? Is that the correct order of operations?
- antfr, Feb 27, 2026, Copper Contributor
Both updates are independent and there is no required order.
The KEK update (needs to be signed by the OEM because they own the PK) is required before June 2026. Microsoft will stop shipping security updates signed with 'Microsoft Corporation KEK CA 2011' after June because that is when the certificate expires. So DB/DBX updates shipped afterwards will only be signed by 'Microsoft Corporation KEK 2K CA 2023'.
The DB update (signed by 'Microsoft Corporation KEK CA 2011' and probably also by 'Microsoft Corporation KEK 2K CA 2023') is required to be able to boot Windows on a boot manager signed by 'Windows UEFI CA 2023', and optionally some other specific components. There is technically no set date for updating the boot manager, but it helps fully mitigate BlackLotus and other past vulnerabilities. In addition, if the boot manager needs to be patched in the future, it will only be released as a 2023-signed version. Thus the DB update will be required to support the new secure version.
- JamesEpp, Feb 27, 2026, Iron Contributor
Thanks for the replies.
"The KEK update (needs to be signed by the OEM because they own the PK) is required before June 2026."
It's very possible I'm lost in the sauce, but I remember Scott in the December AMA saying that the various (existing) key/cert updates continued to work past 2026. This ties into the timestamping question you also responded to which I need to re-read.
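As an added example (not code from either participant in this thread), the following PowerShell script checks which of the two independent updates antfr describes are already present on a machine: whether 'Microsoft Corporation KEK 2K CA 2023' is enrolled in the KEK, whether 'Windows UEFI CA 2023' is enrolled in the db, and which CA signed the currently installed boot manager. `Get-SecureBootUEFI` and `Get-AuthenticodeSignature` are real cmdlets; the ESP drive letter `S:` and the 2011-era CA names used for comparison are assumptions for illustration.

```powershell
# Added example, not from the thread. Reports the state of the Secure Boot
# trust-store updates discussed above. Run from an elevated PowerShell on a
# UEFI machine with Secure Boot; Get-SecureBootUEFI reads the variables directly.
#Requires -RunAsAdministrator

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Variable,
        [Parameter(Mandatory)][string]$Subject
    )
    # Certificate subject names are stored as plain ASCII inside the DER-encoded
    # certificates of an EFI_SIGNATURE_LIST, so a substring search over the raw
    # variable bytes is enough to tell whether a given CA is enrolled.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Subject)
}

function Get-BootManagerSignerIssuer {
    # Mounts the EFI System Partition to inspect the Authenticode signature on
    # bootmgfw.efi. The drive letter is an assumption; use any free letter.
    $letter = 'S:'
    mountvol $letter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$letter\EFI\Microsoft\Boot\bootmgfw.efi"
        if ($sig.Status -ne 'Valid') {
            throw "bootmgfw.efi signature status is $($sig.Status)"
        }
        return $sig.SignerCertificate.Issuer
    }
    finally {
        mountvol $letter /D | Out-Null
    }
}

# The two independent updates from the thread, plus the 2011 entries they replace.
$checks = [ordered]@{
    'KEK contains Microsoft Corporation KEK CA 2011'     = { Test-SecureBootCert KEK 'Microsoft Corporation KEK CA 2011' }
    'KEK contains Microsoft Corporation KEK 2K CA 2023'  = { Test-SecureBootCert KEK 'Microsoft Corporation KEK 2K CA 2023' }
    'db contains Microsoft Windows Production PCA 2011'  = { Test-SecureBootCert db  'Microsoft Windows Production PCA 2011' }
    'db contains Windows UEFI CA 2023'                   = { Test-SecureBootCert db  'Windows UEFI CA 2023' }
}

foreach ($name in $checks.Keys) {
    $result = & $checks[$name]
    '{0,-55} {1}' -f $name, $result
}

# The boot manager can only be switched to the 2023-signed build once the
# 2023 CA is in db; otherwise the firmware will refuse to load it.
$issuer = Get-BootManagerSignerIssuer
'{0,-55} {1}' -f 'bootmgfw.efi signer issuer', $issuer
if ($issuer -match 'Windows UEFI CA 2023' -and -not (Test-SecureBootCert db 'Windows UEFI CA 2023')) {
    Write-Warning 'Boot manager is 2023-signed but the 2023 CA is not in db; this machine will not boot it.'
}
```

The substring check deliberately does not parse the EFI_SIGNATURE_LIST structure; that is sufficient to answer "is this CA enrolled?" but not to distinguish, for example, a certificate entry from a hash entry with the same bytes nearby, so treat it as a quick inventory rather than a validation of the database contents.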