Microsoft Announces Major Secure Boot Certificate Renewal for 2024

Microsoft, collaborating with OEMs, will significantly enhance Windows security on UEFI PCs through a phased Secure Boot update starting in 2024.


Microsoft has announced an update to the Secure Boot feature on Windows Unified Extensible Firmware Interface (UEFI) PCs, slated to begin in 2024. This initiative, undertaken in conjunction with original equipment manufacturer (OEM) partners, is set to enhance the security infrastructure of Windows-powered devices.

Understanding Secure Boot

Secure Boot, an essential security component of the PC industry's UEFI standard, has played a crucial role in safeguarding PCs since its adoption with Windows 8. This feature works by preventing unauthorized rootkits and bootkits from making system modifications during the PC's startup process. By doing so, it ensures that such malware remains detectable by antimalware software. To activate Secure Boot, Microsoft mandates that OEMs incorporate three Microsoft-managed certificates into Windows PCs: the Key Exchange Key (KEK), the Allowed Signature Database (DB), and the Disallowed Signature Database (DBX), all of which are scheduled to expire in 2026.

The Path Forward

In anticipation of these certificates' expiration, Microsoft and its OEM partners are set to issue replacement certificates. These new certificates aim to establish future UEFI CA (certificate authority) trust anchors, marking a significant update to the Windows security architecture. This process also includes revising the Disallowed Signature Database (DBX), an effort meant to be the most extensive to date.

To ensure a smooth transition, Microsoft plans a phased rollout of the new certificates, accompanied by rigorous testing to identify and address any compatibility issues. This careful approach intends to minimize the risk of unbootable systems or devices that cannot receive the DB update. Devices identified with potential issues during testing phases will not receive the update, ensuring system stability and reliability.

Organizations are advised to prepare for this update. Those using BitLocker encryption in particular should back up their keys before the certificate renewal process begins. Microsoft's commitment to maintaining robust security measures, like Secure Boot, underscores its dedication to protecting its user base from emerging cyber threats.

Luke Jones