Applies To: Windows 10; Windows 10, version 1607, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 IoT Enterprise, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original publish date: June 26, 2025

KB ID: 5062710

What is Secure Boot?

Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device's boot (start) sequence. It works by verifying the digital signature of pre-boot software against a set of trusted digital certificates (also known as certificate authorities or CAs) stored in the device's firmware. As an industry standard, UEFI Secure Boot defines how platform firmware manages the certificates, how it authenticates firmware, and how the operating system (OS) interfaces with this process. For more details on UEFI and Secure Boot, please see Secure boot.

Secure Boot was first introduced in Windows 8 to protect against the emerging pre-boot malware (also known as a bootkit) threat at that time. As part of platform initialization, Secure Boot authenticates firmware modules before execution. These modules include UEFI firmware drivers (such as Option ROMs), boot loaders, and applications. As the final step of the Secure Boot process, the firmware verifies if Secure Boot trusts the boot loader. Then, the firmware passes control to the boot loader, which in turn verifies, loads into memory, and starts the Windows OS.

Secure Boot defines trusted code through a firmware policy set during manufacturing. Changes to this policy, such as adding or revoking certificates, are controlled by a hierarchy of keys. This hierarchy starts with the Platform Key (PK), typically owned by the hardware manufacturer, followed by the Key Enrollment Key (KEK) (also known as Key Exchange Key), which may include a Microsoft KEK and other OEM KEKs. The Allowed Signature Database (DB) and the Disallowed Signature Database (DBX) determine which code can run in the UEFI environment before the OS starts. The DB includes certificates managed by Microsoft and the OEM, while the DBX is updated by Microsoft with the latest revocations. Any entity with a KEK can update the DB and DBX.

Windows Secure Boot certificates expiring in 2026

Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.

Terminology

  • KEK: Key Enrollment Key

  • CA: Certificate Authority

  • DB: Secure Boot Signature Database

  • DBX: Secure Boot Revoked Signature Database

Expiring certificate: Microsoft Corporation KEK CA 2011

  • Expiration date: June 2026

  • New certificate: Microsoft Corporation KEK CA 2023

  • Storing location: Stored in KEK

  • Purpose: Signs updates to DB and DBX.

Expiring certificate: Microsoft Windows Production PCA 2011

  • Expiration date: Oct 2026

  • New certificate: Windows UEFI CA 2023

  • Storing location: Stored in DB

  • Purpose: Used for signing the Windows boot loader.

Expiring certificate: Microsoft UEFI CA 2011*

  • Expiration date: June 2026

  • New certificate: Microsoft UEFI CA 2023

  • Storing location: Stored in DB

  • Purpose: Signs third-party boot loaders and EFI applications.

Expiring certificate: Microsoft UEFI CA 2011*

  • Expiration date: June 2026

  • New certificate: Microsoft Option ROM CA 2023

  • Storing location: Stored in DB

  • Purpose: Signs third-party option ROMs.

*During renewal of the Microsoft Corporation UEFI CA 2011 certificate, it is replaced by two separate certificates, one for boot loader signing and one for option ROM signing. This allows finer control over system trust. For example, systems that need to trust option ROMs can add the Microsoft Option ROM UEFI CA 2023 without adding trust for third-party boot loaders.

Microsoft has issued updated certificates to ensure continuity of Secure Boot protection on Windows devices. Microsoft will manage the update process for these new certificates on a significant portion of Windows devices. Additionally, we will offer detailed guidance for organizations that manage their own device updates.

Important: When the 2011 CAs expire, Windows devices that do not have the new 2023 certificates can no longer receive security fixes for pre-boot components, which compromises Windows boot security.

Call to action

You may need to take action to ensure that your Windows device remains secure when the certificates expire in 2026. Both the UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions. For more information about the new certificates, see Windows Secure Boot Key Creation and Management Guidance.
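As an added example (not code from this article), the following PowerShell reads the KEK and DB variables with Get-SecureBootUEFI, parses the EFI_SIGNATURE_LIST structures into X.509 certificates, and reports which of the expiring 2011 CAs from the table above are enrolled and whether their 2023 replacements are present. The Get-SecureBootCertificates function name and the subject wildcard patterns are my own; it assumes an elevated session on a UEFI device with Secure Boot enabled.

```powershell
# Added example, not part of the KB article. Lists X.509 certificates in the Secure Boot
# KEK and DB variables and checks the 2011 -> 2023 renewals described in the table above.
# Assumes an elevated PowerShell session on a UEFI device with Secure Boot enabled.
# EFI_SIGNATURE_LIST layout and EFI_CERT_X509_GUID come from the UEFI specification.

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    param([Parameter(Mandatory)][ValidateSet('KEK', 'db', 'dbx')][string]$Name)
    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID followed by three UINT32 sizes
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # truncated list
        if ($sigType -eq $EfiCertX509Guid) {
            $entry = $offset + 28 + $headerSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the DER-encoded certificate
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

# Expiring CA (table above) -> subject wildcards for its 2023 replacement(s). Wildcards are
# my assumption, to tolerate small differences between the table's names and the exact CN.
$renewals = [ordered]@{
    'Microsoft Corporation KEK CA 2011'     = @('*Microsoft Corporation KEK*CA 2023*')
    'Microsoft Windows Production PCA 2011' = @('*Windows UEFI CA 2023*')
    'Microsoft Corporation UEFI CA 2011'    = @('*Microsoft UEFI CA 2023*', '*Microsoft Option ROM*CA 2023*')
}

$certs = @('KEK', 'db' | ForEach-Object { Get-SecureBootCertificates -Name $_ })
foreach ($old in $renewals.Keys) {
    $present = @($certs | Where-Object Subject -like "*CN=$old*")
    if ($present.Count -eq 0) { continue }   # this 2011 CA is not in firmware; nothing to renew
    $missing = @($renewals[$old] | Where-Object { $p = $_; -not ($certs | Where-Object Subject -like $p) })
    $status  = if ($missing.Count) { "ACTION NEEDED, no certificate matching $($missing -join ', ')" } else { 'replacement enrolled' }
    '{0} in {1} (expires {2:yyyy-MM-dd}): {3}' -f $old, $present[0].Variable, $present[0].NotAfter, $status
}
```

A device that shows "replacement enrolled" for every 2011 CA it carries already has the new certificates in place; any "ACTION NEEDED" line identifies a DB or KEK update still to apply.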

Important: Without these updates, Secure Boot-enabled Windows devices risk not receiving security updates and not trusting new boot loaders, which compromises both serviceability and security.

Your actions will vary depending on the type of Windows device you have. Select from the menu on the left for the type of device and the specific action you need to take.
