I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-25 I have 22 questions.
I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.
---
In the Dec AMA it was mentioned (I think by Scott) that the KEK-signed DB/DBX update binaries are time-stamped and continue to work. How does timestamping work with KEK updates? Similar to how we do it in x509/code signing? Or did I misunderstand? It also sounds like the KEK can't be used after it expires to make DB/DBX changes, so I find this all irreconcilable.
Technically, if your new DB/DBX update has a timestamp larger than the last one that is in the DB/DBX already, it can still be applied. The DB/DBX update timestamp needs to be within the time range of the certificate signing it.
Technically, nothing stops Microsoft from issuing a KEK update with a timestamp 1 week before expiration even though the signature was actually created 3 years after expiration (just like nothing stops a TLS CA from issuing a certificate for a domain they do not control). The only restraint is that it would violate the policy of their CA, and maybe people would get mad at them and stop trusting them...
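As an added illustration of the timestamp rule described in this answer (example code, not from the thread or from any firmware), the following Python models the EFI_TIME header that prefixes every time-based authenticated variable write and applies the two rules stated above: the new timestamp must be newer than the stored one, and it must fall inside the signer's validity window. The validity-window rule is modelled as the answer states it (whether a given firmware enforces it is implementation-dependent); the certificate dates and stored-DBX timestamp are constructed, not Microsoft's real values.

```python
import struct
from datetime import datetime

# EFI_TIME (16 bytes, little-endian): Year u16, Month, Day, Hour, Minute,
# Second, Pad1 (u8 each), Nanosecond u32, TimeZone i16, Daylight u8, Pad2 u8.
# It is the first field of the EFI_VARIABLE_AUTHENTICATION_2 header on every
# time-based authenticated variable write (DB/DBX/KEK updates).
EFI_TIME = struct.Struct("<HBBBBBBIhBB")


def pack_efi_time(ts: datetime) -> bytes:
    """Build the timestamp header; for authenticated writes the pad,
    nanosecond, timezone and daylight fields must be zero."""
    return EFI_TIME.pack(ts.year, ts.month, ts.day,
                         ts.hour, ts.minute, ts.second, 0, 0, 0, 0, 0)


def parse_efi_time(blob: bytes) -> datetime:
    """Read the EFI_TIME at the start of an authenticated-variable payload."""
    year, mon, day, hh, mm, ss, pad1, ns, tz, dl, pad2 = EFI_TIME.unpack_from(blob, 0)
    if (pad1, ns, tz, dl, pad2) != (0, 0, 0, 0, 0):
        raise ValueError("reserved EFI_TIME fields must be zero")
    return datetime(year, mon, day, hh, mm, ss)


def update_accepted(update_blob: bytes, stored_ts: datetime,
                    not_before: datetime, not_after: datetime) -> tuple:
    """Monotonic-timestamp rule plus the signer-validity rule as the answer
    states it. Note what is NOT an input: when the signature was really made.
    The firmware only ever sees the timestamp embedded in the blob."""
    ts = parse_efi_time(update_blob)
    if ts <= stored_ts:  # rollback / replay protection
        return False, "timestamp not newer than the stored variable"
    if not (not_before <= ts <= not_after):  # assumption: enforced as described
        return False, "timestamp outside the signing certificate's validity"
    return True, "accepted"


# Constructed scenario (illustrative dates, not Microsoft's real ones).
KEK_NOT_BEFORE = datetime(2016, 1, 1)
KEK_NOT_AFTER = datetime(2026, 6, 1)
STORED_DBX_TS = datetime(2024, 3, 1)  # timestamp of the DBX already on the machine
# Stamped one week before KEK expiry, even if the signature were made in 2029: passes.
BACKDATED = pack_efi_time(datetime(2026, 5, 25))
POST_EXPIRY = pack_efi_time(datetime(2026, 7, 1))  # honestly stamped after expiry: fails
ROLLBACK = pack_efi_time(datetime(2023, 1, 1))     # older than stored DBX: fails

if __name__ == "__main__":
    for name, blob in [("backdated", BACKDATED), ("post-expiry", POST_EXPIRY), ("rollback", ROLLBACK)]:
        print(name, update_accepted(blob, STORED_DBX_TS, KEK_NOT_BEFORE, KEK_NOT_AFTER))
```

The point the model makes concrete: the only thing tying an update to the KEK's lifetime is a signer-chosen timestamp, so expiry is a policy boundary for the signer rather than a cryptographic one the firmware can verify.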