Yeah, it looks like it was able to update the DB with the certificates. I also would expect that the 2023 signed boot manager will update if it hasn't already. The KEK is what you don't get in this case - probably due to the age. The device will continue to run and get updates. What you won't get is the updates to the Secure Boot DBX when there are security issues in things like boot loaders and other firmware modules.
Kudos to you for keeping it running that long and to Dell for manufacturing something that lasts. I sympathize with you. I'm still using my Lenovo Yoga Pro 2 that is about the same age as your Dell. I can sense that I'm getting close to getting a new laptop. 🙂
We won't get updates to the Secure Boot DBX. Does that mean we will get updates to other Secure Boot components, or is it all or nothing?
- mihi, Mar 13, 2026, Brass Contributor
You will get updates to the boot manager, even without KEK. You won't get the next certificates (in 2038 when the current ones expire) and you won't get any new DBX entries.
- DJ8014A, Mar 16, 2026, Copper Contributor
Sorry for being dense, but could you provide a semi-layman's explanation of the benefits of the updated/2023 signed boot manager when it is updated without an accompanying updated KEK?
I think I understand that since we won't get updates to DBX, the list of "bad" boot signatures won't be updated, so that's unfortunate. But it would be good to know if we will still get some benefit to getting as much updated as we can (even without the KEK/DBX).
- Arden_White, Mar 16, 2026, Microsoft
Two of the certificates are used to sign security updates in Windows:
- KEK - signed DBX (and DB) updates to block vulnerable and malicious boot loaders (and other firmware utilities)
- PCA2023 (Windows UEFI CA 2023) - signs Windows boot loader updates - mainly security fixes.
Not having the updated KEK prevents security updates that block boot loaders. Not having the PCA2023 means not getting boot manager updates.
The third-party certificates (Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023) means that updates to third-party software will be blocked - this could be things like 3rd party disk encryption, firmware utilities, and firmware drivers for things like plug-in video cards.
The certificates establish what should be trusted by the firmware. The certificates in turn sign firmware/software that the firmware needs to validate.
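To see which of the certificates discussed in this thread a given machine actually holds, the following added example (not part of the thread and not Microsoft's own tooling) reads the KEK and db Secure Boot variables and reports each certificate next to the update path that depends on it. The KEK certificate name used here does not appear in the thread and is an assumption, as are the function name and the role labels.

```powershell
# Added example. Run in an elevated PowerShell session on a UEFI system.
# Heuristic only: it searches the raw variable for the certificate name as
# ASCII text; it does not parse the signature lists or validate any chain.
function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('KEK', 'db')][string]$Variable,
        [Parameter(Mandatory)][string]$CertName
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    } catch {
        # Legacy BIOS, no elevation, or the variable cannot be read.
        Write-Warning "Cannot read '$Variable': $($_.Exception.Message)"
        return $null
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($CertName)
}

# Variable to search, certificate name, and what the thread says depends on it.
$checks = @(
    # Assumption: this KEK certificate name is not given in the thread.
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023'
       Role = 'DBX (and DB) updates that block vulnerable boot loaders' }
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023'
       Role = 'Windows boot manager updates' }
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023'
       Role = 'Updates to third-party software' }
    @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023'
       Role = 'Updates to third-party software' }
)

foreach ($c in $checks) {
    $found = Test-SecureBootCert -Variable $c.Variable -CertName $c.Name
    [pscustomobject]@{
        Variable    = $c.Variable
        Certificate = $c.Name
        Present     = if ($null -eq $found) { 'Unknown' }
                      elseif ($found) { 'Yes' } else { 'No' }
        NeededFor   = $c.Role
    }
}
```

On a device like the one described above, the expected pattern is the db entries showing `Yes` and the KEK entry showing `No`.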