The DBX is updated when necessary to revoke known bootkit hashes. The DB doesn't need to be updated as long as the certificates are still valid (to allow signing boot managers). In addition, the latest boot loaders implement a version check to prevent loading former versions. The SVN update appends a fake hash in the DBX that identifies a specific minimum version of a specific component (such as bootmgfw.efi).
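As an added illustration (not code from either poster), here is a small Python parser for the EFI_SIGNATURE_LIST layout that the DB and DBX variables use, with a check of whether a given image's digest is on the revocation list. The sample image bytes, the zero owner GUID and the use of a flat SHA-256 in place of the Authenticode PE digest are constructed assumptions.

```python
import hashlib
import struct
import uuid

# Well-known signature type GUID for SHA-256 hash entries (UEFI spec).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")

def parse_signature_lists(blob: bytes):
    """Yield (type_guid, owner_guid, data) for each entry in a DB/DBX blob
    made of consecutive EFI_SIGNATURE_LIST structures."""
    off = 0
    while off + 28 <= len(blob):
        type_guid = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if list_size < 28 or off + list_size > len(blob) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        pos = off + 28 + hdr_size          # skip the optional SignatureHeader
        end = off + list_size
        while pos + sig_size <= end:
            owner = uuid.UUID(bytes_le=blob[pos:pos + 16])   # SignatureOwner
            yield type_guid, owner, blob[pos + 16:pos + sig_size]
            pos += sig_size
        off = end

def revoked_sha256_hashes(blob: bytes) -> set:
    """Collect only the SHA-256 entries; DBX may also carry X.509 entries."""
    return {d for t, _, d in parse_signature_lists(blob) if t == EFI_CERT_SHA256_GUID}

def is_revoked(image: bytes, dbx_blob: bytes) -> bool:
    # Assumption: real DBX entries hold the Authenticode digest of the PE,
    # not a flat file hash; a plain SHA-256 stands in for it here.
    return hashlib.sha256(image).digest() in revoked_sha256_hashes(dbx_blob)

def build_sha256_list(hashes, owner=uuid.UUID(int=0)) -> bytes:
    """Serialize one EFI_SIGNATURE_LIST of SHA-256 entries (constructed data)."""
    sig_size = 16 + 32
    list_size = 28 + sig_size * len(hashes)
    body = b"".join(owner.bytes_le + h for h in hashes)
    return EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", list_size, 0, sig_size) + body

# Constructed sample: only the "old" boot manager image is revoked.
OLD_IMAGE = b"constructed old bootmgfw.efi"
NEW_IMAGE = b"constructed new bootmgfw.efi"
SAMPLE_DBX = build_sha256_list([hashlib.sha256(OLD_IMAGE).digest()])
```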
Thanks for the reply.
"The DB doesn't need to be updated as long as the certificates are still valid (to allow signing boot managers)."
I think you've missed the point I was trying to make. I'm trying to point out that if MS commissions keypairs more regularly and gets those deployed out sooner than in this case, we can be more prepared for expirations like this rather than still having all these conversations 4 months before expiry.
It's great that MS commissioned new keys at 80% of the lifecycle of the original 2011 keys but they seemed to wait until mid-2025 to start thinking about deploying the new keys to all pre-2023 devices. Seems to lack planning.