
Microsoft is preparing a massive update on the Secure Boot keys for UEFI

This DB update is the first large Secure Boot update since its inception

Published on February 14, 2024


Microsoft announced that it’s changing the Secure Boot keys database in collaboration with its OEM partners to further prevent malware attacks before boot.

Secure Boot first shipped with Windows 8 and is a prerequisite for Windows 11. This UEFI security feature has become an indispensable defense against attacks that run before the operating system loads, when the system is most exposed.

This is not the first time Microsoft has updated the DBX, but according to the Redmond giant, it is the first DB update on such a large scale.

Why is Microsoft updating the Secure Boot keys?

First, don’t get alarmed. Microsoft is updating the Secure Boot keys because the certificates behind the Key Exchange Key (KEK), the Allowed Signature Database (DB) and the Disallowed Signature Database (DBX) will expire in 2026.

Microsoft is preparing to roll out replacement certificates that will set new UEFI CA trust anchors for the future. The Secure Boot database updates will be rolled out in phases to add trust for the new DB and KEK certificates. The first DB update adds the Microsoft Windows UEFI CA 2023 to the system DB. This new CA will be used to sign Windows boot components before the Windows Production CA 2011 expires.

Furthermore, Microsoft will validate devices and firmware compatibility and the DB update will be optional for the February 2024 servicing and preview updates.

The controlled rollout of the full DB update to all Windows customers will begin with the April 2024 servicing and preview updates, ahead of the certificate expiration in 2026. Meanwhile, efforts to update the Microsoft UEFI CA 2011 (aka the third-party UEFI CA) and the Microsoft Corporation KEK CA 2011 will begin in late 2024 and will follow a controlled rollout process similar to this DB update.

To prevent any problems, Microsoft will hold the update back from devices on which it has identified issues.

The DB updates can also be performed manually, and the Redmond giant also issued a guide on how to do that and on the prerequisites to meet before installing them.
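Whether applied automatically or by hand, a DB update of this kind ends up as new EFI_SIGNATURE_LIST entries in the firmware’s db variable, so an administrator can verify that the new CA has actually landed by parsing that variable directly. The following is an added example, not code from this article or from Microsoft: it walks the signature lists in a raw db/dbx/KEK blob and reports whether any X.509 entry carries a given commonName. It assumes the raw bytes come from `(Get-SecureBootUEFI -Name db).Bytes` on Windows (or from /sys/firmware/efi/efivars on Linux, minus the 4-byte attribute prefix); the sample blob, its owner GUID and its certificate stand-ins are constructed, not real certificates.

```python
import struct
import uuid

# Signature-type GUIDs from the UEFI specification (EFI_SIGNATURE_LIST.SignatureType).
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
CN_OID = b"\x06\x03\x55\x04\x03"  # DER OBJECT IDENTIFIER 2.5.4.3 (commonName)

def parse_signature_lists(blob):
    """Yield (type, owner, data) per entry; raise on a truncated or inconsistent list."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST at offset {off}")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        body = list_size - 28 - hdr_size
        if body < 0 or off + list_size > len(blob) or sig_size < 16 or body % sig_size:
            raise ValueError(f"inconsistent EFI_SIGNATURE_LIST at offset {off}")
        for e in range(off + 28 + hdr_size, off + list_size, sig_size):
            yield sig_type, uuid.UUID(bytes_le=blob[e:e + 16]), blob[e + 16:e + sig_size]
        off += list_size

def der_common_names(der):
    """Every commonName value in a DER cert (issuer CN, then subject CN)."""
    names, i = [], 0
    while (i := der.find(CN_OID, i)) >= 0:
        i += len(CN_OID)
        tag, length = der[i], der[i + 1]  # CN values are < 128 bytes: short-form length
        if tag in (0x13, 0x0C):  # PrintableString / UTF8String
            names.append(der[i + 2:i + 2 + length].decode("utf-8", "replace"))
        i += 2 + length
    return names

def db_has_ca(blob, cn):
    """True if an X.509 entry in the blob carries the given CN; hash entries are skipped."""
    return any(cn in der_common_names(data) for sig_type, _owner, data
               in parse_signature_lists(blob) if sig_type == EFI_CERT_X509_GUID)

# --- Constructed sample input: no real certificates, just enough DER to carry a CN. ---
OWNER = uuid.UUID(int=1)  # constructed SignatureOwner GUID, not Microsoft's
def _fake_cert(cn):
    attr = CN_OID + b"\x13" + bytes([len(cn)]) + cn.encode("ascii")
    return b"\x30" + bytes([len(attr)]) + attr  # SEQUENCE { OID, PrintableString }
def _siglist(sig_type, entries):
    body = b"".join(OWNER.bytes_le + e for e in entries)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(entries[0])) + body
SAMPLE_DB = (_siglist(EFI_CERT_X509_GUID, [_fake_cert("Microsoft Windows Production PCA 2011")])
             + _siglist(EFI_CERT_X509_GUID, [_fake_cert("Windows UEFI CA 2023")])
             + _siglist(EFI_CERT_SHA256_GUID, [b"\x11" * 32, b"\x22" * 32]))
```

On a real system, pass the variable’s bytes to `db_has_ca(blob, "Windows UEFI CA 2023")`; a ValueError means the variable is malformed, which is worth investigating rather than treating as "CA not present".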

What do you think about Microsoft’s Secure Boot update? Let’s talk about that in the comments section below.

Claudiu Andone

Windows Troubleshooting Expert

Oldtimer in the tech and science press, Claudiu is focused on whatever comes new from Microsoft.

His abrupt interest in computers started when he saw the first Home Computer as a kid. However, his passion for Windows and everything related became obvious when he became a sys admin in a computer science high school.

With 14 years of experience in writing about everything there is to know about science and technology, Claudiu also likes rock music, chilling in the garden, and Star Wars. May the force be with you, always!
