Missing KEK signed by "Windows OEM Devices PK" in KEKUpdateCombined.bin

Tackey-8993 25 Reputation points
2026-02-13T08:23:47.2566667+00:00

Hi,

I am investigating an issue where the Secure Boot KEK update via Windows fails on devices that use the "Windows OEM Devices PK".

Upon inspecting KEKUpdateCombined.bin, it appears that the KEK payload signed by the "Windows OEM Devices PK" is missing.

Does anyone know if this is a known issue, and if there are plans to update KEKUpdateCombined.bin to include the KEK signed by the "Windows OEM Devices PK"?

Thank you.

Windows for business | Windows Server | Devices and deployment | Install Windows updates, features, or roles

Answer accepted by question author
Jason Nguyen Tran 12,485 Reputation points Independent Advisor
2026-02-13T09:06:45.6533333+00:00

Hi Tackey-8993,

From what you describe, the issue seems to be tied to how the KEKUpdateCombined.bin file is currently packaged. The absence of the KEK payload signed by the Windows OEM Devices PK has been noted by others in the community, and it does appear to be a limitation in the way the update bundle was built rather than a problem with your devices.

When transition mode or alternate signing keys are used, reauthentication and updates typically succeed, but strict reliance on the Windows OEM Devices PK can expose this gap. The fact that you are seeing the KEK payload missing suggests that the combined update file may not yet include all expected signatures.

The best course of action is to monitor the official Secure Boot objects repository and Windows release notes, as updates to the KEK package are periodically published. In the meantime, you can validate whether your devices are applying the latest cumulative updates, since improvements to Secure Boot handling are often rolled out through those channels. Capturing logs during the update attempt and submitting them via the Feedback Hub can also help escalate the issue to the product team.

While this does look like a Windows-side packaging issue, it's not uncommon for Secure Boot updates to lag slightly in including all OEM-related payloads. Keeping your test environment aligned with the latest builds will give you the best chance of seeing the corrected KEK included.

I hope this helps clarify the situation and gives you a practical path forward. If you find this advice useful, please consider clicking Accept Answer so I know your concern has been addressed.

Jason.


1 additional answer

Q&A Assist
2026-02-13T08:23:57.37+00:00
AI generated content. This question contains an answer created with AI from Q&A Assist.

The issue regarding the missing KEK signed by the "Windows OEM Devices PK" in the KEKUpdateCombined.bin is not explicitly mentioned in the provided context. However, it is important to note that the Key Enrollment Key (KEK) is crucial for updating the signature databases (db and dbx) in Secure Boot. If the KEK signed by the Windows OEM Devices PK is indeed missing, it could potentially lead to failures in the Secure Boot update process.

For further assistance or to confirm if this is a known issue, it may be beneficial to reach out to Microsoft support or check for updates in the official documentation regarding Secure Boot and KEK management.
