If you have recently checked your Windows update history, you probably noticed something about the Secure Boot Allowed Key Exchange Key (KEK) and wondered what it is.
In 2011, with Windows 8, Microsoft introduced a feature called Secure Boot. This feature ensures that your computer loads only software signed and verified by trusted authorities, such as Microsoft. To do so, Microsoft issued digital certificates.
However, these certificates are now set to expire in mid-2026. As a result, some of your software might no longer load on your computer.
To fix this, Microsoft has launched a new update called the Secure Boot Allowed Key Exchange Key (KEK).
What is the Key Exchange Key (KEK)?

The Key Exchange Key is a kind of master key stored in your computer’s UEFI (BIOS) firmware. It doesn’t verify Windows directly. Instead, it acts as the authority that allows Microsoft to update the other Secure Boot databases, the DB and DBX, which tell your computer which bootloaders are safe and which ones are malicious.
The original certificate, known as Microsoft Corporation KEK CA 2011, is set to expire in June 2026. With this new update, Microsoft will add the Microsoft Corporation KEK 2K CA 2023 to your computer’s firmware.
As a result, with this new key, your computer will be able to accept future security updates for Secure Boot after the old one expires. Plus, it will ensure that your system remains secure by default and continues to receive fixes for vulnerabilities.
Microsoft began rolling this out in phases starting in 2024 and will continue to do so till mid-2026. And for most Home users, the update is applied automatically via Windows Update. So you are probably already on the safer side.
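To confirm whether the new key has actually reached a given machine, you can read the KEK variable from firmware and list the certificates it holds. The script below is an added example, not Microsoft's own tooling: the helper name Get-EslCertificate is hypothetical, the parsing follows the UEFI EFI_SIGNATURE_LIST layout, and it assumes an elevated Windows PowerShell session on a UEFI system.

```powershell
# Added example: list the certificates enrolled in the firmware KEK variable.
# Assumes an elevated session on a UEFI machine (Get-SecureBootUEFI fails otherwise).
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)

function Get-EslCertificate {      # hypothetical helper name
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID, list size, header size, entry size
        $type      = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $entrySize = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Stop on a malformed list instead of reading past the buffer
        if ($listSize -lt 28 -or $offset + $listSize -gt $Bytes.Length) { break }
        if ($type -eq $X509Guid -and $entrySize -gt 16) {
            $entry = $offset + 28 + $hdrSize
            while ($entry + $entrySize -le $offset + $listSize) {
                # Each entry is a 16-byte owner GUID followed by a DER certificate
                $der = [byte[]]$Bytes[($entry + 16)..($entry + $entrySize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $entrySize
            }
        }
        $offset += $listSize
    }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is not enabled on this system.' }

$kek   = (Get-SecureBootUEFI -Name KEK).Bytes
$certs = @(Get-EslCertificate -Bytes $kek)

# Show every enrolled KEK certificate with its expiry date
$certs | Select-Object Subject, NotAfter, Thumbprint | Format-List

# Report on the two certificates named in this article
foreach ($name in 'Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023') {
    $found = [bool]($certs | Where-Object { $_.Subject -like "*CN=$name*" })
    '{0,-40} present: {1}' -f $name, $found
}
```

If the 2023 entry is reported as not present, the firmware has not yet received the new KEK, and the machine will depend on Windows Update or an OEM firmware update to enroll it.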
In the end, the Secure Boot Allowed Key Exchange Key (KEK) isn’t an annoying bug or an unnecessary security feature. Instead, it is something your computer needs to function properly.