
Microsoft updating Secure Boot Keys - Steps to upgrade

Brandon Lee
Posts: 543
Member Admin
Topic starter

Microsoft, together with its ecosystem partners, has begun deploying new Unified Extensible Firmware Interface (UEFI) Certificate Authorities (CAs) for Secure Boot. The rollout adds new DB and Key Exchange Key (KEK) certificates to the Secure Boot databases in phases, starting with an optional update for all Secure Boot-enabled devices from February 13, 2024.

Secure Boot is a core UEFI feature: the firmware only executes boot components (bootloaders, drivers, option ROMs) whose signatures chain to a certificate it trusts, which protects against pre-boot malware such as bootkits. Trust is established through a Public-Key Infrastructure (PKI) of digital certificates managed by CAs, including Microsoft and the OEMs.

The Secure Boot key hierarchy has the Platform Key (PK), controlled by the OEM, at the top. The PK authorizes changes to the Key Exchange Key (KEK) database, and KEK holders in turn are authorized to update the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). DB lists the certificates and hashes trusted to sign boot components such as bootloaders; DBX revokes trust in specific components when needed. Microsoft requires OEMs to ship three Microsoft-managed certificates on their devices, all of which expire in 2026.

To get ahead of those expirations, Microsoft is rolling out replacement certificates, beginning with the addition of the Microsoft Windows UEFI CA 2023 to the system DB in February 2024. The rollout starts as an optional update so that compatibility problems surface before they can cause widespread disruption. A broad rollout is scheduled for April 2024, with updates to the remaining certificates planned for late 2024.

This is Microsoft's first large-scale DB update since Secure Boot was introduced, so the company is taking a deliberately cautious approach to limit firmware-related issues. It is working closely with OEM partners to ensure a smooth transition and has published guidance for applying the update manually so administrators can test device compatibility ahead of the automatic rollout.

Pre-requisite checks

Before initiating the DB update, make sure the following prerequisites are met:

  1. When updating multiple devices manually, start with a single unit of each hardware model and firmware version and confirm it boots cleanly before touching the rest. This limits the blast radius of a firmware bug in any one model.
  2. Confirm that the device is running the latest UEFI firmware version published by its hardware manufacturer or Original Equipment Manufacturer (OEM).
  3. Back up your data before proceeding.
  4. If the device uses BitLocker, or your organization has deployed BitLocker, back up the BitLocker recovery keys before rebooting. If the device fails to boot after the update, the recovery key is what still gets you into the drive.
     - If the keys are not yet backed up, open Windows Search, search for "Manage BitLocker", select Back up your recovery key, and then Save to your Azure AD or MSA account.


Update Steps for DB

  1. Install the February 2024 security update (or any later cumulative update).
  2. Open a PowerShell console as an administrator and run:
    • Stage the DB update by setting the registry value: Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40
    • Run the scheduled task that applies it: Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
  3. Restart the computer twice so the update is written to firmware and the system boots with the updated DB.
  4. To confirm the DB update succeeded, open an administrator PowerShell console and run: [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'  The command returns True when the new CA is present in DB.


From the blog: Updating Microsoft Secure Boot keys | Windows IT Pro blog


Posted : 17/02/2024 12:07 am
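The update and verification steps above, as an added example that is not part of the original post or of Microsoft's blog: a PowerShell script that parses the Secure Boot db variable into its EFI_SIGNATURE_LIST entries (so you see every trusted certificate and its expiry, not just a substring hit on raw bytes), checks the BitLocker prerequisite, and only stages the update if the Windows UEFI CA 2023 is missing. The function names, the recovery-password guard, and the EFI_SIGNATURE_LIST parsing are my own additions; the registry value, the scheduled task name, and the Get-SecureBootUEFI / Confirm-SecureBootUEFI cmdlets are the ones the steps above use. It must run in an elevated session on a UEFI system.

```powershell
# Added example, not from the original post or Microsoft's blog.
# Parses Secure Boot variables into EFI_SIGNATURE_LIST entries, then stages the
# Windows UEFI CA 2023 DB update only if it is not already present.

# EFI_CERT_X509_GUID from the UEFI specification: marks lists of DER X.509 certs.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificate {
    <# Enumerate the X.509 certificates stored in a Secure Boot variable. #>
    [CmdletBinding()]
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name = 'db')

    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID, then three UINT32 sizes.
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }

        if ($sigType -eq $EfiCertX509Guid) {
            $p   = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($p + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID followed by the DER cert.
                $owner = [guid]::new([byte[]]$bytes[$p..($p + 15)])
                $der   = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Owner      = $owner
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $p += $sigSize
            }
        }
        # dbx is mostly EFI_CERT_SHA256_GUID hash lists; those are skipped here.
        $offset += $listSize
    }
}

function Test-WindowsUefiCa2023 {
    <# True when the Windows UEFI CA 2023 is already in db. #>
    [bool](Get-SecureBootCertificate -Name db |
        Where-Object Subject -like '*Windows UEFI CA 2023*')
}

function Invoke-SecureBootDbUpdate {
    <# Stages the DB update exactly as the manual steps do, with guards. #>
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is disabled; enable it in firmware first.' }
    if (Test-WindowsUefiCa2023) { Write-Host 'db already contains Windows UEFI CA 2023; nothing to do.'; return }

    # BitLocker guard (my addition): refuse to proceed if the OS volume is
    # protected but has no recovery password protector to fall back on.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        if ($vol -and $vol.ProtectionStatus -eq 'On' -and
            -not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
            throw 'BitLocker is on but no recovery password protector exists; add and back one up first.'
        }
    }

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    if ($PSCmdlet.ShouldProcess($regPath, 'Set AvailableUpdates=0x40 and run Secure-Boot-Update task')) {
        Set-ItemProperty -Path $regPath -Name 'AvailableUpdates' -Value 0x40
        Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'
        Write-Host 'Update staged. Reboot twice, then run Test-WindowsUefiCa2023 to verify.'
    }
}

# Usage:
#   Get-SecureBootCertificate -Name db | Format-Table Subject, NotAfter
#   Invoke-SecureBootDbUpdate -WhatIf   # dry run, shows what would be changed
#   Invoke-SecureBootDbUpdate
```

Listing the db with Get-SecureBootCertificate before and after the two reboots is also a useful way to confirm that the existing 2011 certificates are still present alongside the new CA; the update adds the 2023 CA rather than replacing anything, and the NotAfter column shows the 2026 expiries that motivate the whole exercise.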