How Updating UEFI Security Keys Affects Your Windows 11 PC

Computer security is very important for people and companies using Windows devices. That’s why Microsoft tries to offer the best solutions to protect your operating systems and apps. One solution is Secure Boot, which was introduced in Windows 8. It stops unauthorized programs from running when you start up your computer.

Secure Boot uses “security keys” to check that the programs starting up are authentic and safe. These keys are stored in a database called the DBX. This database blocks programs with unsafe keys. There is another database called the DB with keys for programs that start the DBX and add or remove keys. This database is updated less often.

Microsoft will update the security keys for the DB and other startup programs. The current keys are from 2011 and will expire soon. The keys set to expire are:

  • Microsoft Corporation KEK CA 2011
  • Microsoft Windows Production PCA 2011
  • Microsoft UEFI CA 2011

The new 2023 key versions are:

  • Microsoft Corporation KEK CA 2023
  • Microsoft Windows Production PCA 2023
  • Microsoft UEFI CA 2023

This article explains why this update to the Windows 11 security keys is important.

What does updating UEFI security keys entail?

Updating UEFI security keys is a big deal because it involves changing the DB database. This database holds certificates used to sign the DB and the KEK, which are crucial for establishing trust during Secure Boot. Secure Boot ensures that your system starts safely and without interference.

Microsoft is updating these security keys because the current ones are almost expired. They were issued in 2011, back when Windows 8 was released, and are valid for 15 years. If these keys expire, Secure Boot might not work properly, causing compatibility or boot issues on Windows devices.

To avoid these problems, Microsoft is issuing new certificates valid for another 15 years. These certificates will be signed by the DB and KEK from now on. The new certificates will be distributed through updates to the DB database, which will roll out in phases to all devices with Secure Boot enabled.

The first phase of updates started on February 13, 2024. It involves adding the new certificates to the DB database without removing the old ones. This creates mutual trust between the certificates issued in 2011 and those issued in 2023, preventing errors or incompatibilities during the transition.

The second phase of updates will happen later. It involves removing the 2011 certificates from the DB database, leaving only the 2023 ones. This completes the change of UEFI security keys, ensuring that Secure Boot keeps working correctly until 2038 when the new certificates expire.
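As an added example (not code from this article or from Microsoft), the following Python code parses a raw dump of the Secure Boot DB variable in the UEFI `EFI_SIGNATURE_LIST` layout and reports which of the two phases described above the machine is in. It assumes the certificate names from the lists earlier in this article appear as plain text inside the certificate bytes; the owner GUID and the sample entries are constructed for the demonstration.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Names as listed in the article; matching them as substrings of the raw
# certificate bytes is a heuristic assumption, not signature verification.
OLD = (b"Microsoft Windows Production PCA 2011", b"Microsoft UEFI CA 2011")
NEW = (b"Microsoft Windows Production PCA 2023", b"Microsoft UEFI CA 2023")

def parse_signature_lists(blob):
    """Yield (type_guid, owner_guid, data) for each entry in a db/dbx blob."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        end = off + list_size
        if list_size < 28 + hdr_size or end > len(blob) or sig_size < 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST at offset %d" % off)
        body = blob[off + 28 + hdr_size:end]
        if len(body) % sig_size:
            raise ValueError("entries do not fill the list at offset %d" % off)
        for i in range(0, len(body), sig_size):
            yield sig_type, uuid.UUID(bytes_le=body[i:i + 16]), body[i + 16:i + sig_size]
        off = end

def rollout_phase(db_blob):
    """Map the X.509 entries in db to the two rollout phases described above."""
    certs = [d for t, _, d in parse_signature_lists(db_blob) if t == EFI_CERT_X509_GUID]
    has_old = any(n in c for c in certs for n in OLD)
    has_new = any(n in c for c in certs for n in NEW)
    if has_old and has_new:
        return "phase 1: 2011 and 2023 certificates both present"
    if has_new:
        return "phase 2: only 2023 certificates present"
    return "not updated: no 2023 certificate present"

def make_list(sig_type, owner, data):
    """Build a one-entry EFI_SIGNATURE_LIST (constructed sample, not a real cert)."""
    body = owner.bytes_le + data
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, len(body)) + body

OWNER = uuid.UUID(int=1)  # constructed owner GUID
OLD_ENTRY = make_list(EFI_CERT_X509_GUID, OWNER, b"\x30\x82..CN=Microsoft UEFI CA 2011")
NEW_ENTRY = make_list(EFI_CERT_X509_GUID, OWNER, b"\x30\x82..CN=Microsoft UEFI CA 2023")

if __name__ == "__main__":
    for blob in (OLD_ENTRY, OLD_ENTRY + NEW_ENTRY, NEW_ENTRY):
        print(rollout_phase(blob))
```

To check a real machine, pass in the bytes returned by `Get-SecureBootUEFI -Name db` from an elevated PowerShell session instead of the constructed samples.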

Reasons behind updating UEFI keys

The update of the UEFI security keys is significant for several reasons. Firstly, it’s a rare occurrence since these keys are valid for 15 years and have only been updated once since Secure Boot was introduced in Windows 8.

This update directly impacts the security of your Windows 11 PC because Secure Boot is a feature that prevents unauthorized components from running during system startup. This helps prevent potential attacks or malware infections, enhancing the overall security of your system.

Moreover, this change requires coordination between Microsoft and its ecosystem partners, including device manufacturers, firmware vendors, software developers, and system administrators. This ensures that the update process for UEFI security keys is carried out smoothly and without disruptions.

Despite its importance, this change may go unnoticed by most users since updating UEFI security keys happens automatically and transparently. Users don’t need to take any action themselves. However, it’s crucial to recognize that this update can significantly impact the security and operation of your Windows 11 PC, safeguarding it against potential threats.

Author
Rohit is a certified Microsoft Windows expert with a passion for simplifying technology. With years of hands-on experience and a knack for problem-solving, he is dedicated to helping individuals and businesses make the most of their Windows systems. Whether it's troubleshooting, optimization, or sharing expert insights,