Event details
We won't get updates to the Secure Boot DBX. Does that mean we will get updates to other Secure Boot components, or is it all or nothing?
You will get updates to the boot manager, even without KEK. You won't get the next certificates (in 2038 when the current ones expire) and you won't get any new DBX entries.
- DJ8014A, Mar 16, 2026, Copper Contributor
Sorry for being dense, but could you provide a semi-layman's explanation of the benefits of the updated/2023 signed boot manager when it is updated without an accompanied updated KEK?
I think I understand that since we won't get updates to DBX, the list of "bad" boot signatures won't be updated, so that's unfortunate. But it would be good to know if we will still get some benefit to getting as much updated as we can (even without the KEK/DBX).
- Arden_White, Mar 16, 2026, Microsoft
Two of the certificates are used to sign security updates in Windows:
- KEK: signs DBX (and DB) updates to block vulnerable and malicious boot loaders (and other firmware utilities)
- PCA2023 (Windows UEFI CA 2023): signs Windows boot loader updates, mainly security fixes.
Not having the updated KEK prevents security updates that block boot loaders. Not having the PCA2023 means not getting boot manager updates.
Not having the third-party certificates (Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023) means that updates to third-party software will be blocked; this could be things like third-party disk encryption, firmware utilities, and firmware drivers for things like plug-in video cards.
The certificates establish what should be trusted by the firmware. The certificates in turn sign firmware/software that the firmware needs to validate.
- DJ8014A, Mar 16, 2026, Copper Contributor
Thank you.
So, to be clear, I think that on these systems we do have PCA2023. Can you confirm that is correct if I provide the list of Event IDs that I believe verifies that statement? Here they are (this is from the Dell T5610):
ID 1036: Secure Boot Db update applied successfully
ID 1044: Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully
ID 1045: Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied successfully
ID 1799: Boot Manager signed with Windows UEFI CA 2023 was installed successfully
If that is correct, and we have PCA2023, but not KEK, can you provide a rough estimation of how often fixes/updates are made to Secure Boot and a rough idea of how many of those fixes we would and would not get?
For example, you could say "In the last 5 years, we have pushed 25 updates to Secure Boot to address security issues. 5 of those 25 updates have been to block (non-Windows?) bootloaders, requiring the KEK. The other 20 updates have been Windows boot loader updates, which do not require the KEK."
I clearly have no idea about the correct numbers there, or even if my statements about how they apply are correct; I'm just trying to get a gauge of how big a hole we're leaving in our security measures by only getting Secure Boot partially updated.
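A direct way to answer the "do we have PCA2023 but not the updated KEK" question, rather than inferring it from event IDs, is to read the Secure Boot variables and list the certificates they contain. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell session on a UEFI machine with Secure Boot enabled. `Get-SecureBootUEFI` and the EFI_SIGNATURE_LIST layout are standard; the subject-name patterns used for the final check are assumptions.

```powershell
# Added example: enumerate X.509 certificates in a Secure Boot variable (db, KEK or PK)
# by walking the EFI_SIGNATURE_LIST structures the firmware stores there.
function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK', 'PK')][string]$Name)
    $bytes    = (Get-SecureBootUEFI -Name $Name).Bytes
    $x509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset   = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16), ListSize(4), HeaderSize(4), SigSize(4)
        $type     = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }        # malformed list, stop rather than loop
        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $hdrSize
        while ($sigOffset + $sigSize -le $listEnd) {
            if ($type -eq $x509Guid) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

# Inventory what the firmware currently trusts for signing (db) and for authorising db/dbx updates (KEK).
$trusted = @('db', 'KEK') | ForEach-Object { Get-SecureBootCertificate -Name $_ }
$trusted | Sort-Object Variable, Subject | Format-Table Variable, Subject, NotAfter -AutoSize

# The situation described in the thread: 2023 Windows CA present in db, KEK still on the old key.
# Subject patterns are assumptions; compare against the Subject column printed above.
$hasPca2023    = [bool]($trusted | Where-Object { $_.Variable -eq 'db'  -and $_.Subject -like '*Windows UEFI CA 2023*' })
$hasKek2023    = [bool]($trusted | Where-Object { $_.Variable -eq 'KEK' -and $_.Subject -like '*2023*' })
"Windows UEFI CA 2023 in db : $hasPca2023"
"2023 key present in KEK    : $hasKek2023"
if ($hasPca2023 -and -not $hasKek2023) {
    "Boot manager updates will still arrive; dbx/db updates cannot be applied until the KEK is updated."
}
```

The same function works for `-Name PK` to confirm which platform key the OEM shipped, which is what decides whether a KEK update can be applied at all.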