Introduction
Windows updates released on and after February 13, 2024 include the ability to apply the Windows UEFI CA 2023 certificate to UEFI Secure Boot Allowed Signature Database (DB). Updating the DB will enable devices to receive future boot loader updates that are included in monthly updates.
This is important because the existing certificate will expire and moving to the new certificate is the first step in preparing devices to work with upcoming boot loader updates that will be cryptographically signed by using the new certificate.
Updates to the DB are known to have compatibility issues with some devices. To ease the rollout to Windows devices, the update to the DB does not apply automatically. For enterprise environments, it is important to have a controlled rollout of the update after careful validation with representative devices present in the environment to avoid any disruption.
For a detailed explanation, please see Updating Microsoft Secure Boot Keys.
Take Action
Deploy the DB update to representative sample test devices by following the deployment guidance provided in Updating Microsoft Secure Boot Keys.
After a test device successfully updates the DB, it should be safe to roll out the DB update to devices with the same hardware and firmware configuration. You can do this by setting the following registry key by using deployment software such as Group Policy or mobile device management (MDM):
Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
Name: AvailableUpdates
Value: 0x40
After the device has restarted, the DB should be updated. In some cases, a second restart may be required.
Known issues
|
Issue |
Next step |
|
ARM64-based devices are currently blocked from applying the DB update. |
Microsoft is working with OEM device vendors to update their firmware to address an issue with ARM64-based firmware. |
