January Patch Tuesday: Refresh Secure Boot certificates to close pre-OS gaps

Background / Overview​

What Microsoft shipped in January (technical summary)​

• Add device‑targeting metadata and health‑gating logic that identifies systems eligible for automatic enrollment of the 2023 certificate set.
• Deliver payloads that can add the new certificates into firmware DB/KEK variables and, where necessary, swap the Windows boot manager for a binary signed under the new PCA to complete the trust hand‑off.
• Expose administrative controls (registry keys, Group Policy/Ian pilot, opt‑in, or opt‑out of automated enrollment and troubleshoot failures.

• KB5074109 — Windows 11 cumulative update containing the Secure Boot certificate rollout logic and related servicing changes.
• KB5073724 — Windows 10 servicing package that includes high‑confidence device targeting for the certificate refresh; this package also removes legacy modem drivers as an attack‑surface reduction step.

The certificate timeline — exact dates and replacement keys​

• Microsoft Corporation KEK CA 2011 — scheduled to begin expiring in June 2026; replacement: Microsoft Corporation KEK 2K CA 2023.
• Microsoft UEFI CA 2011 — scheduled to begin expiring in June 2026; replacements: Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023.
• Microsoft Windows Production PCA 2011 — later expiry, October 2026; UEFI CA 2023*.

Threat context: bootkits, BlackLotus, and BootHole — why the refresh matters​

• Bootkits operate below the operating system and can survive OS reinstallations, masking their presence from traditional anti‑malware tools. They’re prized by attackers who want persistence and stealth.
• BlackLotus is a prominent UEFI bootkit that researchers analyzed and confirmed had been used in the wild. It leveraged CVE‑2022‑21894 (and related weaknesses) to bypass Secure Boot and install persistent pre‑OS components; Microsoft, ESET and CISA have produced guidance for detection and response. This real‑world precedent explains why maintaining an up‑to‑date certificate and revocation ecosystem matters.
• Historically, the BootHole family of vulnerabilities in GRUB2 required broad industry coordination: revocations, new shim binaries, and updates to the DB/DBX revocation store across millions of devices. BootHole demonstrates that when signed boot components turn out to be vulnerable, prompt and coordinated certificate/revocation updates are necessary to prevent attackers from re‑using older, signed binaries.

Who should install this e refresh — prioritization​

• Consumers / Home users: install the January cumulative update through Windows Update (or via the Microsoft Update Catalog if you manage updates manually). Most users will receive the new certificates automatically and invisibly if their device is eligible.
• Enterprises, government and compliance‑sensitive organizations: treat this as a high‑priority change. Inventory Secure Boot state and firmware versions across your fleet, pilot the update in a small ring, and monitor the UEFICA2023Status/UEFICA2023Error event log and registry values documented by Microsoft before mass rollout. Use Intune/WSUS/ConfigMgr controls to stage the deployment.
• Specialists and multi‑boot systems: Linux distributions that rely on shim and signed GRUB2 must also be considered. The key expiry affects multi‑boot scenarios and non‑Windows OS bootloaders because they share trust anchors in firmware; coordinate with OS vendor guidance and OEM firmware updates.

How to install, verify, and troubleshoot — practical steps​

• Install the update (consumer flow)
• Open Settings → Windows Update → Check for updates. Look for KB5074109 on Windows 11 or KB5073724 on supported Windows 10 builds. Install and restart.
• Install the update (enterprise flow)
• Ensure your Servicing Stack Update (SSU) prerequisites are present, then publish the LCU/KB to WSUS / ConfigMgr / Intune with pilot rings. Monitor event logs and the UEFICA2023Status instrumentation Microsoft documents for per‑device progress.
• Confirm Secure Boot is enabled
• 32 (System Information) and check Secure Boot State — it should read On.
• PowerShell: Run an elevated PowerShell and execute: Confirm-SecureBootUEFI — the cmdlet returns True if Secure Boot is enabled. These checks are recommended both before and after installing the update.
• Firmware updates
• If Microsoft’s OS‑side logic cannot complete enrollment because the platform needs OEM KEK updates, follow your vendor’s firmware guidance (Surface, HP, Dell, Lenovo all published readiness notes). Apply vendor firmware updates as required.
• Troubleshoot known impacts
• Legacy hardware or specialized devices that rely on removed in‑box drivers (for example, certain soft‑modems removed by KB5073724) may lose functionality; inventory those dependencies and install OEM driver replacements where required.
• Post‑deployment hardening (recommended)
• Keep firmware and device drivers up to date.
• Enable BitLocker with TPM+PIN or TPM+startup key to protect data if a device is physically compromised.
• Use virtualization‑based security (VBS / HVCI) where available to isolate critical kernel components.
• Enforce driver signing and restrict installation of unsigned pre‑boot drivers via Group Policy / endpoint controll and security trade‑offs — strengths and risks

• Prevents a predictable failure mode: Enrolling new 2023 CAs before the 2011 CAs expire preserves the platform’s ability to accept future Secure Boot updates and to revoke vulnerable signed binaries.
• Phased, telemetry‑gated rollout reduces widespread breakage risk: Microsoft’s staged approach limits mass disruption and gives administrators controls to pilot the change.
• Industry coordination: OEM advisories and Microsoft guidance aim to synchronize firmware and OS changes to avoid a messy mid‑2026 scramble.

• Legacy hardware and non‑standard configurations: Older systems or devices using vendor‑specific Secure Boot layouts may require firmware updates or manual interventions; in rare cases, certificate changes can render those devices unable to boot until remediated.
• False sense of safety: Certificate renewal patches do not fix bootloader bugs themselves; they preserve the revocation and signing channels that let Microsoft and vendors deliver fixes in future. Patching the certificate chain is necessary but not sufficient for complete mitigation against all bootkit techniques.
• Phased rollout complexity: Telemetry gating reduces risk but also creates uneven global coverage: a device may appear “up to date” in Windows Update yet still lack the firmware entries because it did not meet Microsoft’s automatic‑enrollment criteria. IT teams must still inventory and verify their estate.

• Assertions that “there is no evidence of exploitation” or that “only targeted attacks exist” are inherently time‑sensitive. Threat landscape statements can change rapidly as new incidents are discovered; treat historic “no evidence” claims as provisional and rely on current telemetry and vendor advisories for your environment. Flagged claims in older reporting should be re‑checked against current advisories (Microsoft, CISA, ESET, vendor bulletins) before you act on them.

Enterprise checklist — deployment and audit controls​

• Inventory Secure Boot state across the estate (Confirm‑SecureBootUEFI via PowerShell, Intune compliance scripts, or firmware inventory tools).
• Identify devices that require OEM firmware updates and schedule vendor‑coordinated maintenance windows.
• Create a pilot ring: pick a healthof devices to validate enrollment, monitor UEFICA2023Status and event logs, and capture any remediation steps.
• Document a remediation plan for air‑gapped/telemetry‑off devices (likely manual enrollment or OEM firmware patching).
• Ensure backups and recovery images are tested before rolling out certificate changes at scale.

Final analysis and recommendations​

• Install the January cumulative update (KB5074109 on Windows 11; KB5073724 on supported Windows 10). Restart and let the servicing tasks complete.
• Verify Secure Boot is enabled (msinfo32 or Confirm‑SecureBootUEFI) and confirm device firmware is at vendor‑recommended levels.
• For fleets, pilot then scale: use Intune/WSUS/ConfigMgr to control rollout and monitor the UEFICA2023Status telemetry.
• Apply firmware updates from your OEM where required — especially for older devices that may not accept the OS‑side enrollment.
• Maintain layered defenses: enable BitLocker, enforce driver signing, maintain endpoint EDR, and monitor firmware‑relevant logs.

Background / Overview​

What Microsoft has published and why the AMA matters​

• A Secure Boot playbook that lays out inventory, pilot, deployment, and remediation steps.
• Registry and Group Policy controls that let administrators opt‑in, opt‑out, or force updates for managed fleets.
• WinCS CLI (Windows Configuration System) and PowerShell samples for larger domain environments.
• Microsoft-managed (telemetry‑gated) rollout for devices classified as “high confidence,” plus manual methods for the rest.

Technical summary: the mechanics of the change​

Which certificates are changing and when​

• Microsoft Corporation KEK CA 2011 — expires June 2026; replaced by Microsoft Corporation KEK 2K CA 2023 (or KEK CA 2023).
• Microsoft Corporation UEFI CA 2011 (and related option-ROM CA) — expires June 2026; replaced by UEFI/Option ROM 2023 certificates.
• Microsoft Windows Production PCA 2011 — slated to expire later in 2026 (October for the PCA used to sign the Windows bootloader) and replaced by Windows UEFI CA 2023.

How Microsoft is delivering the update​

• OS-side servicing (monthly cumulative updates) that delivers the enrollment logic and payloads needed to apply certificates to firmware variables when the device is capable.
• Firmware updates from OEMs where firmware-level acceptance or KEK provisioning is required. Microsoft’s servicing may attempt to enroll new CAs automatically only on devices that report sufficient update health telemetry, while registry/GPO/WinCS options allow admins to force or control deployments in managed environments.

Practical steps: an administrator’s checklist​

• Inventory and categorize devices
• Determine which devices have Secure Boot enabled and which certificate family they currently carry (2011 vs 2023).
• Prioritize by device criticality (domain controllers, shared workstations, kiosks, cloud images), OEM model, and firmware age. Use enterprise inventory tools plus sampling via PowerShell on representative devices.
• Verify OS support and servicing channel
• Ensure devices are running a supported Windows build that can process the certificate enrollment. Windows 10 support ended for mainstream security updates on October 14, 2025 (note: some devices may be on ESU), so verify each OS version’s support status before relying on Windows Update to carry the workload. Microsoft’s guidance calls out supported Windows versions and the need for specific servicing levels.
• Patch to required baseline updates
• Install the cumulative updates that introduced the Secure Boot enrollment logic (these began appearing in 2025). On managed devices, Microsoft’s staged approach may only automatically enroll “high‑confidence” devices; for everything else use the registry/GPO or WinCS approaches. Confirm which KBs your images include before injecting into golden images.
• Firmware updates
• Contact OEMs for firmware updates for models that do not accept the new CA entries cleanly. Devices with proprietary or older firmware may require vendor-provided EFI updates before certificate enrollment is possible. Test each OEM model class during pilot.
• Pilot and validation
• Run small pilots per device model and per OS image. Validate: a) Secure Boot variables (DB/DBX/KEK), b) Windows event logs for Secure Boot events, c) BitLocker behaviour across reboots, and d) recovery media and imaging workflows using updated winre.wim/install.wim images. Microsoft supplies event IDs and registry indicators to monitor progress and errors.
• Full rollout and monitor deployment windows and track UEFICA2023Status for device-level state. Instrument event forwarding for Event IDs tied to Secure Boot DB/DBX updates and watch for UEFICA2023Error non-zero values to capture failures needing OEM or manual remediation.
• Update imaging and recovery media
• Inject the requisite cumulative updates into golden images and recovery media (WinRE) so field recovery does not rely on images signed by expired authorities. Test Reset/Refresh, offline servicing and bare-metal restores after updating golden images.

Deployment methods — what Microsoft provides and when to use them​

• Microsoft-managed (telemetry-gated) rollout: Let Microsoft’s confidence buckets apply the updates where dees success. This is lowest-effort for admins but requires diagnostic telemetry and is not intended where admins must show explicit control for compliance scenarios.
• Registry / Group Policy trigger: Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 0x5944 to trigger the full update path (note: the task that processes this runs every 12 hours; administrators can schedule the Secure-Boot-Update task to run immediately during testing). Track progress and UEFICA2023Error. This is the recommended controlled method for corporate rollouts. Microsoft documents the values and test commands.
• WinCS / domain-level CLI: Use WinCS in enterprise scenarios for large, domain-joined deployments where scripting or centralized control is required. The playbook includes guidance for WinCS usage.
• OEM firmware update path: For devices that refuse to accept new CA values in DB/KEK due to firmware constraints, wait for or request OEM-supplied firmware that provisions the KEK/DB updates. In these cases, firmware updates are mandatory before OS-side enrollment will succeed.

Verification and troubleshooting — the key signals​

• Registry indicators: UEFICA2023Status (NotStarted → InProgress → Updated) and UEFICA2023Error (0 for success, non-zero indicates a failure code). These keys are the canonical device-level indicators Microsoft recommends for tracking per-device state.
• Event logs: Microsoft surfaces specific Secure Boot DB/DBX update events; Event IDs highlighted in the playbook (for example, success and error event IDs such as) are useful for bulk monitoring. Correlate these events with UEFICA2023Error for root-cause.
• PowerShell verification: Use Secure Boot–related cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) to inspect UEFI variables and confirm the presence of the new certificates, where supported by the platform. Note: some platforms — particularly virtual machines or BIOS-only systems — may not support all cmdlets. Test on representative hardware.
• Manual recovery test: Always validate recovery media and BitLocker recovery behavior across pilot devices. In some deployments, DBX updates or boot manager swaps can prompt BitLocker to go into recovery on systems whose recovery keys are not readily available. Keep recovery keys accessible for pilots.

Known pitfalls, incompatibilities and risks​

• BitLocker recovery prompts and locked devices: DB/DBX changes and boot manager swaps can trigger BitLocker recovery. If recovery keys are not available, this creates operational outages. Microsoft explicitly warns to validate BitLocker flows during pilot.
• OEM firmware quirks: Some OEM firmware requires a specific sequence or vendor-signed firmware before accepting KEK/DB updates. In practice this has shlder or heavily customized OEM images. Coordinate closely with vendor support for models that show UEFICA2023Error codes.
• Virtual machines and cloud images: Some hypervisor or cloud images (or older generation virtual platforms) may not expose UEFI variables in the same way as physical devices or may use vendor-specific shim keys. Validate VMs and cloud images you manage (including Windows 365 and Azure images) as part of your plan.
• Linux and non-Windows OS compatibility: Some Linux distributions rely on Microsoft’s signing (shim) and may be affected if firmware does not contain the new CA entries. Public coverage has highlighted that older signers or missing firmware updates can break Linux Secure Boot compatibility, forcing users to disable Secure Boot or seek vendor-friendly shims. Plan for dual‑boot or Linux-hosted systems.
• Imaging and recovery media: Older offline media and installation images created before the update will not contain the new certs and may fail to boot or install on updated devices. Update golden images and portable recovery media as part of the rollout.

What to ask during the AMA — high-value questions to bring​

• “For OEM model X (provide exact model and firmware version), is a vendor firmware update confirmed and what is the recommended sequencing?”
• “If UEFICA2023Error returns error code 0x800703e6 (or other non-zero), can you map the top 10 error codes to remediation steps?”
• “Will images built before KB XYZ require injection of a specific package to avoid WinRE or Reset failures?”
• “How will Microsoft manage the interaction between Microsoft-managed assists and an enterprise that uses registry/GPO-driven enrollment simultaneously?”
• “Is there an MDM CSP timeline that maps into Intune templates, and will that support bulk telemetry for rollout status?”

Strengths of Microsoft’s approach — and the tradeoffs​

• Microsoft published a detailed playbook and many of the deployment controls (registry/GPO/WinCS), which provides multiple supported paths for different organizational sizes and compliance postures.
• Staged, telemetry-gated updates reduce the risk of widespread failures by first targeting devices with observed good update behavior. This lowers blast radius relative to a single global push.
• The approach includes eventing, registry state, and diagnostic hooks that enable automated monitoring and remediation at scale.

• Dependency on OEM firmware updates introduces a vendor-coordination step that can delay or complicate rollouts, especially for older or customized hardware.
• Changes at the firmware trust layer are inherently high-impact and can induce BitLocker or imaging disruptions if not tested thoroughly. The timeline to June 2026 is fixed; this compresses the testing and remediation window for organizations with large heterogeneous estates.
• Some platforms (legacy BIOS, non-UEFI VMs, or unsupported Windows editions) cannot participate in OS-managed enrollment and require bespoke handling.

Verification of the key claims (explicit cross-checks)​

• Claim: Microsoft-supplied CAs from 2011 start expiring in June 2026 and must be replaced to maintain Secure Boot servicing. Verified against Microsoft guidance that explicitly names the 2011 CAs and schedule for 2026 expirations.
• Claim: Microsoft shipped enrollment logic in 2025 cumulative updates and uses KBs such as the January/May 2025 servicing to begin the rollout. Confirmed via Microsoft support notes and independent coverage that examined the KBs used to carry enrollment behavior.
• Claim: Administrators can trigger and track updates via AvailableUpdates = 0x5944 and follow UEFICA2023Status values. Confirmed in Microsoft’s registry key guidance and cross-referenced in the Windows IT Pro playbook materials and forum threads documenting real-world trials.

Final recommendations — an operational plan you can start today​

• Week 1–2: Inventory and classify devices by model, firmware date, OS version and Secure Boot status. Ensure BitLocker recovery keys are centralized and retrievable.
• Week 3–4: Patch pilot devices to the baseline cumulative updates that include enrollment logic. Inject updates into golden images and update recovery media.
• Week 5–8: Pilot per OEM model and per image, exercise recovery workflows, and collect UEFICA2023Status/U EFICA2023Error data and Secure Boot event logs.
• Week 9–12: Coordinate firmware updates for models that failed enrollment, remediate or replace units where OEM fixes are not available, and begin phased production rollout using registry/GPO or WinCS.
• Ongoing: Monitor event telemetry, watch for post-rollout helpdesk spikes related to BitLocker, and attend the Microsoft AMA on February 5 for live answers to unresolved edge cases.