
What is this “Secure Boot Allowed Key Exchange Key (KEK) Update,” and do I actually need to install it?

NovaCore Systems 0 Reputation points
2026-03-19T14:01:19.06+00:00



2 answers

  1. Domic Vo 19,580 Reputation points Independent Advisor
    2026-03-19T14:57:50.7966667+00:00

    Hello,

    The “Secure Boot Allowed Key Exchange Key (KEK) Update” is a critical Windows security update that refreshes the Secure Boot certificates stored in your system’s UEFI firmware. You do need to install it, because older KEK certificates issued back in 2011 are expiring in 2026, and without this update your system may eventually fail to validate Secure Boot policies or block legitimate software from loading.

    Secure Boot works by ensuring that only trusted, signed code can run during the boot process. To do this, your firmware maintains a set of certificates: the Platform Key (PK), Key Exchange Keys (KEKs), and signature databases (DB/DBX). The KEK is essentially the “master authority” that allows Microsoft to update the Secure Boot signature databases. If the KEK expires or is invalid, your machine cannot accept new Secure Boot updates, which undermines the integrity of the boot process.

    Microsoft is rolling out new KEKs through Windows Update so that systems can continue to validate and apply Secure Boot updates beyond the expiration of the original 2011 certificates. This update does not change your operating system features or user experience, but it ensures that your device remains compliant with Secure Boot requirements and protected against firmware-level attacks. The update is marked “Pending restart” because the new KEK must be written into UEFI, which only happens during a reboot.

    If you ignore the update, your system will continue to run for now, but once the old KEK expires, Secure Boot updates (such as revocation lists for compromised bootloaders) will no longer apply. That could leave your machine vulnerable to boot-level malware or prevent certain trusted software from loading. Installing the update guarantees that your device remains able to process future Secure Boot certificate changes.

    I hope you've found something useful here. If it helps you get more insight into the issue, accepting the answer would be appreciated. Should you have more questions, feel free to leave a message. Have a nice day!

    4 people found this answer helpful.

  2. Q&A Assist
    2026-03-19T14:01:34.8066667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    The “Secure Boot Allowed Key Exchange Key (KEK) Update” is a firmware-level security update that refreshes the Microsoft Secure Boot Key Exchange Key stored in your device’s UEFI firmware.

    What it is:

    • Secure Boot uses a hierarchy of keys in firmware to decide which pre‑boot code is trusted.
    • The Key Exchange Key (KEK) is the layer under the Platform Key (PK) and is used to authorize changes to the allowed (DB) and disallowed (DBX) signature databases.
    • Microsoft provides a KEK certificate (currently Microsoft Corporation KEK 2K CA 2023) so Windows can continue to update the Secure Boot allowlist (DB) and revocation list (DBX) on in‑market devices.
    • Older Microsoft KEK certificates (for example, Microsoft Corporation KEK CA 2011) are expiring, so devices must be updated to the newer KEK to keep receiving Secure Boot policy and revocation updates.

    Why it matters:

    • Without an up‑to‑date Microsoft KEK in firmware, the device may stop receiving new Secure Boot DB/DBX updates.
    • That would prevent automatic revocation of newly discovered malicious or vulnerable bootloaders and firmware components, weakening protection against bootkits and other pre‑boot malware.

    Whether to install it:

    • The update is security‑related and is required to maintain ongoing Secure Boot servicing (DB/DBX updates) after the older KEK expires.
    • It should be installed and the system restarted so the new KEK can be enrolled in UEFI firmware and Secure Boot can continue to function as designed.

    In short: this update refreshes the Microsoft Secure Boot KEK in UEFI so the device can keep receiving Secure Boot certificate and revocation updates; it is recommended to install it.

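A practical way to verify what both answers describe, as an added example rather than code from either answer: the script below reads the UEFI KEK variable from an elevated PowerShell session and reports whether the expiring 2011 KEK and the replacement "Microsoft Corporation KEK 2K CA 2023" are enrolled. It uses the built-in SecureBoot module cmdlets (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`) and a plain ASCII substring match on the certificate subject names; the function name `Get-KekCertificateStatus` is an assumption, not a Windows cmdlet.

```powershell
# Added example: check which Microsoft KEK certificates are enrolled in UEFI.
# Run from an elevated PowerShell on a UEFI system with Secure Boot.
# The substring match does not parse the EFI_SIGNATURE_LIST structure, so a
# match means "a certificate with this subject is present", nothing more.

function Get-KekCertificateStatus {
    # Confirm-SecureBootUEFI returns $true/$false and throws on legacy BIOS
    # or other platforms without Secure Boot support.
    try {
        $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        throw "Secure Boot is not available on this platform: $_"
    }

    # Get-SecureBootUEFI returns the raw variable contents. Certificate
    # subjects are stored as printable strings inside the DER-encoded
    # X.509 certificates, so an ASCII decode exposes them for matching.
    $kekBytes = (Get-SecureBootUEFI -Name KEK).Bytes
    $kekText  = [System.Text.Encoding]::ASCII.GetString($kekBytes)

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Kek2011Present    = [bool]($kekText -match 'Microsoft Corporation KEK CA 2011')
        Kek2023Present    = [bool]($kekText -match 'Microsoft Corporation KEK 2K CA 2023')
    }
}

$status = Get-KekCertificateStatus
$status | Format-List

if (-not $status.SecureBootEnabled) {
    Write-Warning 'Secure Boot is disabled; the KEK update has no effect until it is enabled.'
} elseif (-not $status.Kek2023Present) {
    Write-Warning 'The 2023 KEK is not enrolled yet. Install the update and restart so firmware can enroll it.'
} else {
    Write-Output 'The 2023 KEK is enrolled; DB/DBX servicing can continue after the 2011 KEK expires.'
}
```

Re-run the script after the restart that follows the update; the 2023 entry only appears once the firmware has actually written the new KEK.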
