What is UEFI-SECURE-BOOT-DB-EXPIRED?
A Secure Boot signature in the UEFI signature database (db) has expired. Microsoft has been revoking old Secure Boot certificates as part of CVE mitigations (e.g., Black Lotus bootkit fix). After a BIOS or Windows update applies the revocation, previously trusted bootloaders or recovery media become untrusted, preventing boot.
Common Causes
- Microsoft Secure Boot certificate revocation (KB5025885)
- Outdated dual-boot Linux EFI bootloader
- Old USB recovery media with expired signatures
Step-by-Step Fix Guide
-
1
Update UEFI Secure Boot database via Windows Update
Running Windows Update applies the latest Secure Boot Allowed Signature Database (db) which recognizes current bootloaders.
-
2
Regenerate Secure Boot keys in BIOS
If dual-booting Linux, update shim and GRUB packages to signed versions.
-
3
Update or recreate bootable USB media
Commands & Diagnostics
Confirm-SecureBootUEFIStill Need Help?
Search our full database of 481+ documented PC errors for more solutions and step-by-step repair guides.
Search Error Database