Secure Boot Allowed Key Exchange Key (KEK)"

Question

i just got this update what does this mean my certificates for boot still said 2011 im pretty sure so what was this supposed to do.

Answer 1

Hi Chanman,

The update for "Secure Boot Allowed Key Exchange Key (KEK)" you received is part of Microsoft’s proactive measures to ensure Secure Boot remains secure as older certificates near expiration.

This ensures that your system can continue to receive and validate Secure Boot updates (DB/DBX) even after the 2011 KEK expires.

I hope this information helps. If you have any more questions, don't hesitate to reach out.

Otherwise, please take a moment to rate the answer. Wishing you good luck!

Answer 2

The "Secure Boot Allowed Key Exchange Key (KEK)" update is part of Microsoft’s Secure Boot certificate refresh. It is meant to add a new Microsoft Key Exchange Key certificate into your firmware so Secure Boot can keep trusting future Secure Boot database (DB/DBX) updates after the old 2011 certificates start expiring in 2026.

Key points:

1. What KEK is
   • KEK = Key Exchange Key.
   • It establishes trust between Windows and the UEFI firmware for updating Secure Boot’s allowed (DB) and disallowed (DBX) signature databases.
   • KEKs are stored in a UEFI signature database variable and are managed via authenticated UEFI variables.
2. What is changing
   • Existing Microsoft Secure Boot certificates from 2011 (including Microsoft Corporation KEK CA 2011) start expiring in June–October 2026.
   • New 2023 certificates are being rolled out:
     • Microsoft Corporation KEK 2K CA 2023 (stored in KEK) – signs DB/DBX updates.
     • Windows UEFI CA 2023 (stored in DB) – signs the Windows boot loader.
     • Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 (stored in DB) – for third‑party bootloaders and option ROMs.
3. What the update you saw is supposed to do
   • It is intended to add the new Microsoft Corporation KEK 2K CA 2023 into the Secure Boot KEK store in your firmware.
   • This does not immediately remove the 2011 certificates; it adds the new ones so that when the 2011 KEK expires, Windows can still receive and validate Secure Boot DB/DBX updates.
   • That is why you may still see 2011 certificates present; the update is about adding new trust, not instantly replacing all old entries.
4. When action is needed
   • For most home Windows 11 devices, the process is handled automatically via Windows Update; no manual action is required.
   • If a KEK update fails because the OEM has not provided a PK‑signed KEK for that model, Windows logs specific events (for example, Event ID 1803 or 1796) and the guidance is to contact the device manufacturer.
5. How to know it worked (for advanced checking)
   • When the new KEK is successfully applied, Windows logs Event ID 1043: “Secure Boot KEK update applied successfully.”
   • When all required new Secure Boot certificates are applied and the boot manager is updated to one signed by Windows UEFI CA 2023, Windows logs Event ID 1808 indicating the device has updated Secure Boot CAs/keys.

In short, the update is preparing the device for the 2026 expiration of the old Secure Boot certificates by adding a new allowed KEK so Secure Boot can continue to function securely. Seeing 2011 certificates still listed does not mean the update failed; it means the new certificates are being added alongside the existing ones as part of a staged transition.

---

References:

• Windows Secure Boot certificate expiration and CA updates
• Windows Secure Boot Key Creation and Management Guidance
• Secure Boot Certificate updates: Guidance for IT professionals and organizations
• Secure Boot DB and DBX variable update events