Skip to content

Secure Boot Recovery

The Microsoft 2011 Secure Boot Certificates used to boot Windows OS and Third Party applications, drivers, option roms, through Secure Boot are expiring on 10/19/2026. New certificates have been created and are available at Keys Required for Secure Boot on all PCs | Learn Microsoft..

This EFI application is used to transition a system from the 2011 certificates to the 2023 certificates.


  • SecureBootRecovery.c
  • Recovery Logic
  • SecureBootRecovery.inf
  • Setup Information
  • Payload/dbUpdate.bin
  • Raw Recovery Payload - This file is an authenticated variable with a payload to update the DB
    • Attributes:
    • Note: The signer must have it's public certificate found in the L"KEK" variable
    • Note: The payload found in this repo is the Microsoft Windows Production PCA 2011 signed Windows UEFI CA 2023 DB payload
  • RecoveryPayload.h
  • The C representation of the dbUpdate.bin file auto generated by
  • Generates RecoveryPayload.h from Payload/dbUpdate.bin


stuart_ci_setup -c .pytool/ BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_update -c .pytool/ BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg
stuart_ci_build -c .pytool/ BUILDMODULE=MsApplicationPkg/SecureBootRecovery/SecureBootRecovery.inf -p MsApplicationPkg

Update the payload

If the recovery payload needs to be updated, replace the file Payload/dbUpdate.bin with a KEK signed payload.

Then execute: