Updating Microsoft Secure Boot keys


  • Staff

 Windows IT Pro Blog:

Microsoft, in collaboration with our ecosystem partners, is preparing to roll out replacement certificates that’ll set new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) trust anchors in Secure Boot for the future. Look out for Secure Boot database updates rolling out in phases to add trust for the new database (DB) and Key Exchange Key (KEK) certificates. This new DB update is available as an optional servicing update for all Secure Boot enabled devices from February 13, 2024.

What is Secure Boot?​

Secure Boot is a security feature in the UEFI that helps ensure that only trusted software runs during the system’s boot sequence. It works by verifying the digital signature of any software against a set of trusted digital keys stored in the UEFI. As an industry standard, UEFI’s Secure Boot defines how platform firmware manages certificates, authenticates firmware, and how the operating system (OS) interfaces with this process. For more details on UEFI and Secure Boot, please refer to this article.

Secure Boot was first introduced to Windows systems with the Windows 8 release to protect against the emerging pre-boot malware (bootkit) threat at that time. Since then, Secure Boot has continued to be a part of Microsoft's Trusted Boot security architecture. Secure Boot authenticates modules such as UEFI firmware drivers, bootloaders, applications, and option ROMs (Read-Only Memory), which are firmware run by the PC BIOS during platform initialization, before they are all executed. As the final step of the Secure Boot process, the firmware verifies the Windows boot loader is trusted by Secure Boot and then passes control to the boot loader which in turn verifies, loads into memory, and launches Windows. This process coupled with the UEFI firmware signing process helps to ensure that only verified code executes before Windows, preventing attackers from utilizing the boot path as an attack vector. To learn more about how Secure Boot fits in with the overall Windows chip-t-cloud security, please refer to the Windows Security Book RWMyFE.

Trust and authenticity in Secure Boot are built using the Public-Key Infrastructure (PKI). This establishes a certificate management system which utilizes CAs to store digital certificates. These CAs, consisting of Original Equipment Manufacturer (OEM) or their delegates and Microsoft, generate key pairs that form the root of trust of a system.

688x600


Secure Boot “root of trust”: Setting trust anchors for the future​

Secure Boot’s root of trust utilizes a hierarchical system, where the Platform Key (PK) is typically managed by the OEM and used to sign updates to the KEK database. The KEK in turn signs updates to both the Allowed Signature DB and the Forbidden Signature Database (DBX).

The Secure Boot Allowed Signature DB and the DBX are integral to the functionality of Secure Boot. Bootloader modules’ signing authority must be allowlisted by the Secure Boot DB, while the DBX is used for revoking previously trusted boot components. Updates to the DB and DBX must be signed by a KEK in the Secure Boot KEK database.

The configuration of Secure Boot DB and KEK for Windows devices has remained the same since Windows 8. Microsoft requires every OEM to include the same three certificates managed by Microsoft for Windows and in support of the third-party hardware and OS ecosystem. These include the Microsoft Corporation KEK CA 2011 stored in the KEK database, and two certificates stored in the DB called the Microsoft Windows Production PCA 2011, which signs the Windows bootloader, and the Microsoft UEFI CA 2011 (or third-party UEFI CA), which signs third-party OS and hardware driver components.

All three of these Microsoft certificates expire in 2026. So, in collaboration with our ecosystem partners, Microsoft is preparing to roll out replacement certificates that will set new UEFI CA trust anchors for the future. Microsoft will be rolling out Secure Boot database updates in phases to add trust for the new DB and KEK certificates. The first DB update will add the Microsoft Windows UEFI CA 2023 to the system DB. The new Microsoft Windows UEFI CA 2023 will be used to sign Windows boot components prior to the expiration of the Windows Production CA 2011. This DB update will be optional for the February 2024 servicing and preview updates, and can be manually applied to devices. Microsoft will slowly roll out this DB update as we validate devices and firmware compatibility globally. The full DB update’s controlled-rollout process to all Windows customers will begin during the 2024 April servicing and preview updates, ahead of the certificate expiration in 2026. Meanwhile, efforts to update the Microsoft UEFI CA 2011 (aka third-party UEFI CA) and Microsoft Corporation KEK CA 2011 will begin late 2024, and will follow a similar controlled rollout process as this DB update.

While Microsoft has frequently performed DBX updates globally since the inception of Secure Boot, this will be the first DB update performed on such a large scale. We’re actively collaborating with our OEM partners to identify and address bugs in firmware implementation that could result in unbootable systems or render a device unreceptive to the DB update. To ensure a successful rollout, devices with identified issues will be suspended from receiving the update until a fix is released.

Microsoft is taking a very deliberate and cautious approach to rolling out this update. With this DB update, Microsoft will sustain its ability to service all Windows devices’ boot components.

Guidance to manually apply DB update​

The DB update is available on February 13, 2024, along with manual steps to allow customers to test for firmware compatibility, especially for organizations with fleets of devices. If you would like to manually apply the DB update to validate that your system is compatible, please read the following instructions. These actions should be completed with non-critical hardware representing devices in your environment.

Pre-requisite checks​

Before attempting the DB update, please ensure to perform the necessary pre-requisite checks:
  1. If you intend to manually apply this update to a large group of devices, we advise that you begin by rolling out to individual devices with the same firmware and specifications first to minimize the risks in the case of firmware bugs in your devices.
  2. Please verify that your UEFI firmware version is the most recent available version by your firmware vendor or OEM.
  3. For data backup steps, please refer to this guide.
  4. If you use BitLocker or if your enterprise has deployed BitLocker on your machine, ensure to backup BitLocker Keys:

    A) See this portal to ensure your BitLocker keys are backed up before your next reboot for your selfhost device. In the unlikely event that device becomes inoperable after receiving the update, the hard drive can still be unlocked.

    B) If the keys are backed up, the UI should resemble the following:

    698x665


    C) If the keys are not backed up, please open Windows Search to search for “Manage BitLocker” and select Back up your recovery key followed by Save to your Azure AD or MSA account.

    large


    800x624


    800x620
For users that use a local account instead of an Azure Active Directory (AAD) or Microsoft account (MSA), you can print your recovery password, save to a file, and store it in a secure location.

Formal DB update steps​

  1. Apply the February 2024 (or later) security update.
  2. Open a PowerShell console and ensure that PowerShell is running as an administrator before running the following commands:
    1. Set the registry key to:

      Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40
    2. Run the following scheduled task as:

      Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
  3. Reboot the machine twice after running these commands to confirm that the machine is booting with the updated DB.
  4. To verify that the Secure Boot DB update was successful, open a PowerShell console and ensure that PowerShell is running as an administrator before running the following command:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’

    large
If the command returns “True”, the update was successful. In the case of errors while applying the DB update, please refer to the article, KB5016061: Addressing vulnerable and revoked Boot Managers.


 Source:

 
Last edited:

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Pavilion Desktop 590-p0xxx
    CPU
    Intel(R) Core(TM) i7-8700 CPU @ 3.20GHz
    Motherboard
    843B 00
    Memory
    16684 MB
    Graphics Card(s)
    Intel(R) UHD Graphics 630
    Sound Card
    Realtek High Definition Audio
    Monitor(s) Displays
    HP 22fw 22-inch Display
    Screen Resolution
    1920 x 1080
    Hard Drives
    SSD 119.24 GB
    HDD 1863.01 GB
    Case
    Tower
    Cooling
    Fan
    Keyboard
    HP
    Mouse
    HP
    Internet Speed
    50 Mbps down, 20 Mbps up
    Browser
    Edge
    Antivirus
    MS Defender, Malwarebytes
@Marcus Vinicus

Thanks for your comment.

Could you let us know please if you have Secure Boot on or off after installing these revocation files ?

Clearly you no issue with normal booting. Does that now include any USB boot for image recovery ?
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    HP 15s_du1xxx
    CPU
    Intel i5 10210U
    Motherboard
    85F1
    Memory
    16Gb
    Graphics Card(s)
    Intel UHD
    Sound Card
    Realtek
    Screen Resolution
    1920 x 1080
I have no intention of doing this manual update and assume it will eventually be implements via Windows Update.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    50 Mb / s
    Browser
    Chrome
    Antivirus
    Defender
I did a test with running this DB update with secure boot off. Result just shows it failed. So it will fail, obviously, in WU if you're running with secure boot off when the automatic update appears.
Updated boot media boot ok.
 

My Computers

System One System Two

  • OS
    Win 11 Home & 🐥.
    Computer type
    Laptop
    Manufacturer/Model
    ACER Nitro AN16-41
    CPU
    AMD Ryzen™ 7 7735HS Processor 3.2Ghz
    Motherboard
    RB Sierra_PEH (FP7)
    Memory
    32 GB DDR5 4800MHz
    Graphics Card(s)
    NVIDIA GeForce RTX 4060 8GB GDDR6
    Monitor(s) Displays
    16" QHD+ 165Hz 16:10 IPS Technology
    Screen Resolution
    1920 X 1200
    Hard Drives
    Hynix HFS001TEJ9X125N : 1024.2 GB
    PSU
    330 Watts
    Mouse
    Lenovo Bluetooth.
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    ACER NITRO
    CPU
    AMD Ryzen 7 5800H / 3.2 GHz
    Motherboard
    CZ Scala_CAS (FP6)
    Memory
    32 GB DDR4 SDRAM 3200 MHz
    Graphics card(s)
    NVIDIA GeForce RTX 3060 6 GB GDDR6 SDRAM
    Sound Card
    Realtek Audio. NVIDIA High Definition Audio
    Monitor(s) Displays
    15.6" LED backlight 1920 x 1080 (Full HD) 144 Hz
    Screen Resolution
    1920 x 1080 (Full HD)
    Hard Drives
    Samsung 970 Evo Plus 2TB NVMe M.2
    PSU
    180 Watt, 19.5 V
    Mouse
    Lenovo Bluetooth
    Internet Speed
    500 Mbps
    Browser
    Edge
    Antivirus
    Defender
I checked my desktop PC (see specs below) to see if the two boot USBs I've created work with Secure Boot enabled in the Asus UEFI bios. Also updates listed at the top of this thread completed.

The two USBs are one created in Rufus (NTFS) and the other created using the Windows Media Creation Tool (FAT32).

Both show up in the Boot Menu of the UEFI Bios and work.

Boot priority.png
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 2002
    Memory
    Corsair Dominator 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External Fiio K5 Pro ESS DAC - Headphone Amplifier
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Logitech K860
    Mouse
    Logitech MX Ergo Trackball
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    Logitech Brio 4K Webcam
    Orico 10-port powered USB 3.0 hub
we install this new key, install the latest linux/windows11 builds signed with the new key, then 2026 comes around and our laptops will keep working, great

but current desktop gpu firmware is signed by the old key, i really doubt oems will issue firmware updates for current gpus either, not great

are there any GPUs currently on the market co-signed with the new key? am i correct in assuming all current GPUs will be blocked from booting by secure boot in 2026?
 

My Computer

System One

  • OS
    10
Did it without issues on a 1st try reboot...
1710097816621.png
 

My Computer

System One

  • OS
    Win 11 Insider Beta [Always the latest release] + Linux PopOS!
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming FA506IU Laptop
    CPU
    AMD Ryzen 7 4800H with Radeon Graphics
    Motherboard
    AMD K17.6 FCH, AMD K17.6 IMC
    Memory
    G.SKILL [Samsung Die] DRR4 - 3200Mhz CL18 (18-19-19-36) - 32GB(16GBx2)
    Graphics Card(s)
    nVidia GTX 1660ti GDDR6 6GB(90W) 2.02Ghz Core & +548Mhz Mem-OC'ed [VBIOS Unlocked]
    Sound Card
    Realtek ALC256 @ AMD K17.6
    Monitor(s) Displays
    LM156LF-2F03 144HZ with Adaptive SYNC
    Screen Resolution
    1920x1080 - 144Hz
    Hard Drives
    WDC PC SN530 SDBPNPZ-256G-1002 + SHGP31-500GM-2 + ST1000LM035-1RK172 + Samsung SSD 870 QVO 1TB 1000.2 GB
    PSU
    ASUS Power Brick 180W
    Case
    Laptop Case with Dual Fan
    Cooling
    Dual Fans Design with Self-Cleaning Cooling
    Keyboard
    Asus Aura RGB with Overstroke technology
    Mouse
    ROG SICA Gaming Mouse
    Internet Speed
    100Mbps FiberOptic [100 Mbps Down - 50 Mbps Up]
    Browser
    Chrome/Firefox/Tor
    Antivirus
    Symantec Endpoint Protection with Windows Defender (Active Mode) + Custom DNS Server
    Other Info
    CPU with -15 Curve Optimizer all cores and -50 Cure optimizer on iGPU
    BCLK OC to 101.6Mhz
    Benchmark Scores:-
    CineBench R23 Single core:- 1290 points
    CineBench R23 Multi core:- 11111 points

Latest Support Threads

Back
Top Bottom