Act now: Secure Boot certificates expire in June 2026


UPDATE:
www.elevenforum.com

Updating Microsoft Secure Boot keys before expiration in June 2026

https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---may-2026/4513524 UPDATE 4/02: https://support.microsoft.com/en-us/topic/secure-boot-certificate-update-status-in-the-windows-security-app-5ce39986-7dd2-4852-8c21-ef30dd04f046 UPDATE 2/10...
www.elevenforum.com www.elevenforum.com


 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.
Click to expand...

Recap: Why Secure Boot requires updating​

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.
Click to expand...

Secure Boot uses certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates​

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

Expiration dateExpiring certificateUpdated certificateWhat it doesStoring location
June 2026Microsoft Corporation KEK CA 2011Microsoft Corporation KEK 2K CA 2023Signs updates to DB and DBXKEK
June 2026Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)*a) Microsoft Corporation UEFI CA 2023
b) Microsoft Option ROM UEFI CA 2023		a) Signs third-party OS and hardware driver components
b) Signs third-party option ROMs		DB
Oct 2026Microsoft Windows Production PCA 2011Windows UEFI CA 2023Signs the Windows bootloader and boot componentsDB
*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications​

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today​

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.
Click to expand...

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data​

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.
Click to expand...

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data​

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
  • o Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • o Key name: MicrosoftUpdateManagedOptIn
  • o Type: DWORD
  • o DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled​

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.
Click to expand...

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.

www.elevenforum.com

Check if Secure Boot is Enabled, Disabled, or Unsupported in Windows 11

This tutorial will show you how to check if Secure Boot is currently enabled, disabled, or unsupported on your Windows 10 or Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the...
www.elevenforum.com www.elevenforum.com
www.elevenforum.com

Enable or Disable Secure Boot in Windows 11

This tutorial will show you how to enable or disable Secure Boot on your Windows 10 and Windows 11 PC. Windows 11 minimum system requirements include your system to be UEFI (Unified Extensible Firmware Interface) and Secure Boot capable. While the requirement to upgrade a Windows 10 device to...
www.elevenforum.com www.elevenforum.com

Change management considerations​

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:


 Source:

techcommunity.microsoft.com

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog

Get tips to prepare for the rollout of updated certificates across your organization.
techcommunity.microsoft.com techcommunity.microsoft.com

See also:
www.elevenforum.com

Updating Microsoft Secure Boot keys before expiration in June 2026

https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---may-2026/4513524 UPDATE 4/02: https://support.microsoft.com/en-us/topic/secure-boot-certificate-update-status-in-the-windows-security-app-5ce39986-7dd2-4852-8c21-ef30dd04f046 UPDATE 2/10...
www.elevenforum.com www.elevenforum.com
 
Last edited:
Click to expand...
(I have a little tangential question about this update; if I should start a new thread, just say so.)

Is this update likely to fix issues that prevent PCR7 binding and make Secure Boot a little less secure WRT Bitlocker? The Bitlocker-API logs for my new 9900X/B650 Asus system generate the following when I boot:

BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid.
BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

This is a widely reported problem for Asus, MSI, and others using this AMI BIOS, and the consensus is that there is no user-level fix; it's a problem with the BIOS containing a certificate that cause Windows to punt on PCR7 binding. Ironically, this is the same Windows 11 installation I was using with 5800X/B550 (also Asus motherboard), and PCR7 was bound. I've tried clearing the TPM in Windows, but that didn't help.
 

My Computer

System One

  • OS
    Windows 11
barreleye said:
(I have a little tangential question about this update; if I should start a new thread, just say so.)

Is this update likely to fix issues that prevent PCR7 binding and make Secure Boot a little less secure WRT Bitlocker? The Bitlocker-API logs for my new 9900X/B650 Asus system generate the following when I boot:
Click to expand...
Short answer: Probably not.

Many folks believe the root cause is related to AMI's firmware code signed with the UEFI CA 2011 cert. This mitigation procedure is designed to install a new Windows CA 2023 cert, and cancel the old PCA 2011 cert. Both of which are used for Windows boot files.

MS is not canceling the UEFI CA 2011 cert, which appears to be causing the problem.
 

My Computer

System One

  • OS
    Windows 7
bikemanAMD said:
Only thing i can't get to work is the Make2023Bootable.Ps1

View attachment 140634
Click to expand...

Did you install the Windows ADK according to Microsoft's instructions?

And try use this command:
Code: 
powershell -ExecutionPolicy Bypass -NoLogo -NoProfile -File Make2023BootableMedia.ps1 -MediaPath "...\Windows_11.iso" -TargetType ISO -ISOPath "...\Windows_11_U.iso"


I finally found the answer to why I couldn't boot with "Invalid signature detected. Check Secure Boot Policy in Setup" when I banned CA 2011 on a clean install of Windows 11. In this thread, someone answered this problem. This is a Microsoft problem. Microsoft has not updated the official ISO (Install.wim, Winre.wim....etc) so some devices may still use the old CA 2011 certificate as the boot when installing Windows (Even if you have a CA 2023 certificate detected in your hardware). This is why I don't revoke the CA 2011 certificate right now. I need to wait until 2026 when Microsoft completely revokes the old CA 2011 certificate and releases a new ISO to resolve this issue.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
uncyler825 said:
Did you install the Windows ADK according to Microsoft's instructions?

And try use this command:
Code: 
powershell -ExecutionPolicy Bypass -NoLogo -NoProfile -File Make2023BootableMedia.ps1 -MediaPath "...\Windows_11.iso" -TargetType ISO -ISOPath "...\Windows_11_U.iso"


I finally found the answer to why I couldn't boot with "Invalid signature detected. Check Secure Boot Policy in Setup" when I banned CA 2011 on a clean install of Windows 11. In this thread, someone answered this problem. This is a Microsoft problem. Microsoft has not updated the official ISO (Install.wim, Winre.wim....etc) so some devices may still use the old CA 2011 certificate as the boot when installing Windows. This is why I don't revoke the CA 2011 certificate right now. I need to wait until 2026 when Microsoft completely revokes the old CA 2011 certificate and releases a new ISO to resolve this issue.
Click to expand...
Yes i Installed the Windows ADK according to the Microsoft Instructions i do believe.

Banned mine when i did my setup of the 2023 Certificate, not knowing i'd have boot problems with certian things at the time. Only found out when i did a Restore with Macrium, then couldn't boot into the restored Image at all, ended up having to do a clean install of everything on system at the time

Tried that command after making sure the paths lead to directory where the files were, and of course still get error lol

The argument 'Make2023BootableMedia.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter.

Whatever that exactly means lol

Well system is secure when i can't even run a script i want to lol for some strange reason lol
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
bikemanAMD said:
Tried that command after making sure the paths lead to directory where the files were, and of course still get error lol

The argument 'Make2023BootableMedia.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter.

Whatever that exactly means lol

Well system is secure when i can't even run a script i want to lol for some strange reason lol
Click to expand...

You need to navigate to the "Make2023BootableMedia.ps1" directory in Command and then use this command. Example. CD "Your Make2023BootableMedia.ps1 directory"
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
uncyler825 said:
I finally found the answer to why I couldn't boot with "Invalid signature detected. Check Secure Boot Policy in Setup" when I banned CA 2011 on a clean install of Windows 11. In this thread, someone answered this problem. This is a Microsoft problem. Microsoft has not updated the official ISO (Install.wim, Winre.wim....etc) so some devices may still use the old CA 2011 certificate as the boot when installing Windows (Even if you have a CA 2023 certificate detected in your hardware). This is why I don't revoke the CA 2011 certificate right now. I need to wait until 2026 when Microsoft completely revokes the old CA 2011 certificate and releases a new ISO to resolve this issue.
Click to expand...
MS doesn't update the official ISO because it doesn't know if you've applied the CA 2023 cert.

Otherwise you end up with two different Windows ISO's and users don't know which one works if they're not technical. Eventually they will release (or re-release) a version which is clearly marked as CA 2023-only.

A number of Windows modding tools have awareness of the issue. UUP dump allows you to specify whether to re-use the boot file provided on the ISO or copy from the integrated updates. Windows ADK has the CA 2023 files too, but they're not making a decision to switch it out for you.

It's been covered in the KB articles. Though again, they really could improve the terrible writing.
 

My Computer

System One

  • OS
    Windows 7
bikemanAMD said:
The argument 'Make2023BootableMedia.ps1' to the -File parameter does not exist. Provide the path to an existing '.ps1' file as an argument to the -File parameter.
Click to expand...

Like that:
DWLKsYI.png

Jy70Vsj.png
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
uncyler825 said:
Like that:
DWLKsYI.png

Jy70Vsj.png
Click to expand...
Ok Gives that a shot, and hopefully works this time lol, shall see--Negative on working that time....unless it is Malwarebytes Premium interfering somehow, not entirely sure lol.

Might give up on it for today and work on it more tomorrow or later tonight possibly, been working on trying to get it to work right since 9am this morning lol
 
Last edited:

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
garlin said:
MS doesn't update the official ISO because it doesn't know if you've applied the CA 2023 cert.

Otherwise you end up with two different Windows ISO's and users don't know which one works if they're not technical. Eventually they will release (or re-release) a version which is clearly marked as CA 2023-only.

A number of Windows modding tools have awareness of the issue. UUP dump allows you to specify whether to re-use the boot file provided on the ISO or copy from the integrated updates. Windows ADK has the CA 2023 files too, but they're not making a decision to switch it out for you.

It's been covered in the KB articles. Though again, they really could improve the terrible writing.
Click to expand...

Is there a way to completely remove the old CA 2011 bootloader in the Install.wim? Because I tried to update the boot media using 'Make2023BootableMedia.ps1, but after the clean installation the reboot still reported "Invalid signature detected. Check Secure Boot Policy in Setup" when I banned CA 2011.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
I manually replace the bootmgfw.efi, bootmgr.efi and bootx64.efi files in the EFI partition to let the Windows use the boot manager of CA 2023. But I want Windows to always use the new CA 2023 as the boot, and manually replacing the new CA 2023 file is not a very good idea.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
uncyler825 said:
Because I tried to update the boot media using 'Make2023BootableMedia.ps1, but after the clean installation the reboot still reported "Invalid signature detected. Check Secure Boot Policy in Setup" when I banned CA 2011.
Click to expand...

Yup, though I don't think this is exactly your error if you banned CA-2011 post install, last time I tried, I found that Microsoft's script was bullshit, because it failed to patch the Winre.wim that resides within install.wim, and, as I mentioned earlier, unless you do that on the retail 24H2 ISOs, the second stage boot (that uses the CA-2023 signed UEFI bootloaders from Winre.wim when it detects that CA-2011 has been revoked/removed, and which Microsoft forgot to update to CA-2023 signed versions that weren't themselves revoked through the alternate SVN mechanism) will fail with a Security error.

Besides, when you call your script Make2023BootableMedia.ps1, I don't think the idea is that you expect people to still have CA-2011 present/unrevoked when booting the media. Yet, unless Microsoft added some patching for WIM inside WIM to their script, I don't see how that can ever be successful at making installation media that actually works with CA-2023, at least with the retail/publicly downloadable 24H2 ISOs.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    Screen Resolution
    4k
Akeo said:
Yup, though I don't think this is exactly your error if you banned CA-2011 post install, last time I tried, I found that Microsoft's script was bullshit, because it failed to patch the Winre.wim that resides within install.wim, and, as I mentioned earlier, unless you do that on the retail 24H2 ISOs, the second stage boot (that uses the CA-2023 signed UEFI bootloaders from Winre.wim when it detects that CA-2011 has been revoked/removed, and which Microsoft forgot to update to CA-2023 signed versions that weren't themselves revoked through the alternate SVN mechanism) will fail with a Security error.

Besides, when you call your script Make2023BootableMedia.ps1, I don't think the idea is that you expect people to still have CA-2011 present/unrevoked when booting the media. Yet, unless Microsoft added some patching for WIM inside WIM to their script, I don't see how that can ever be successful at making installation media that actually works with CA-2023, at least with the retail/publicly downloadable 24H2 ISOs.
Click to expand...
I think you should be consulting with Microsoft, it seems obviously that you understand this issue more than the folks that are pumping out this crap at MSC. ;-) Someone sure has to wake them up!
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
Well i think i'll keep the OS in as good of condition as possible and hope i don't have to do a clean install anytime in the future, and just maybe they'll get it fully updated before i do my next clean install in the future.

Had i known about the possible boot issues, maybe wouldn't banned the CA 2011, but always like to keep my systems as secure as possible, maybe a little too much at times
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X
Akeo said:
Yup, though I don't think this is exactly your error if you banned CA-2011 post install, last time I tried, I found that Microsoft's script was bullshit, because it failed to patch the Winre.wim that resides within install.wim, and, as I mentioned earlier, unless you do that on the retail 24H2 ISOs, the second stage boot (that uses the CA-2023 signed UEFI bootloaders from Winre.wim when it detects that CA-2011 has been revoked/removed, and which Microsoft forgot to update to CA-2023 signed versions that weren't themselves revoked through the alternate SVN mechanism) will fail with a Security error.

Besides, when you call your script Make2023BootableMedia.ps1, I don't think the idea is that you expect people to still have CA-2011 present/unrevoked when booting the media. Yet, unless Microsoft added some patching for WIM inside WIM to their script, I don't see how that can ever be successful at making installation media that actually works with CA-2023, at least with the retail/publicly downloadable 24H2 ISOs.
Click to expand...

Thanks for your quick reply.

I will not ban the old CA 2011 certificates for now, until Microsoft fixes this issue.

Today, I tested it again. Banned the old CA 2011 and do a clean install. I temporarily disabled Secure Boot to allow the system to boot. Then manually replace the boot file in the EFI partition.

Code: 
mountvol X: /s
copy "%WINDIR%\Boot\EFI_EX\bootmgfw_EX.efi" "X:\EFI\Microsoft\Boot\bootmgfw.efi" /y
copy "%WINDIR%\Boot\EFI_EX\bootmgr_EX.efi" "X:\EFI\Microsoft\Boot\bootmgr.efi" /y
copy "%WINDIR%\Boot\EFI_EX\bootmgfw_EX.efi" "X:\EFI\Boot\bootx64.efi" /y
mountvol X: /D

Reboot, enable Secure Boot in BIOS. Now, successfully boot in the banned state of CA 2011. But be careful! If you use the command bcdboot "%WINDIR%" /s X: /f UEFI to repair the EFI partition files, it will fail with a Security error. Because the *.efi is restored to the boot manager of the old CA 2011 certificate.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
We shouldn't have to fool around with any of this.
MS is dropping the ball.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keybooard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
garlin said:
It's been covered in the KB articles. Though again, they really could improve the terrible writing.
Click to expand...
Amen to that.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Homebuilt
    CPU
    Intel Core i9 13900K
    Motherboard
    Asus ProArt Z790 Creator WiFi - Bios 3107
    Memory
    Corsair Dominator Platinum 64gb 5600MT/s DDR5 Dual Channel
    Graphics Card(s)
    Sapphire NITRO+ AMD Radeon RX 7900 XTX Vapor-X 24GB
    Sound Card
    External DAC: Cambridge Audio DACMagic200M - Headphone Amp: Topping L50
    Monitor(s) Displays
    Panasonic MX950 Mini LED 55" TV 120hz
    Screen Resolution
    3840 x 2160 120hz
    Hard Drives
    Samsung 980 Pro 2TB (OS)
    Samsung 980 Pro 1TB (Files)
    Lexar NZ790 4TB
    LaCie d2 Professional 6TB external - USB 3.1
    Seagate Expansion 16TB external - USB 3.2
    Seagate One Touch 18TB external HD - USB 3.0
    PSU
    Corsair RM1200x Shift
    Case
    Corsair RGB Smart Case 5000x (white)
    Cooling
    Corsair iCue H150i Elite Capellix XT
    Keyboard
    Incase Ergonomic USB (Microsoft clone)
    Mouse
    Logitech MX Master 3S
    Internet Speed
    Fibre 900/500 Mbps
    Browser
    Microsoft Edge Chromium
    Antivirus
    Bitdefender Total Security
    Other Info
    AMD Radeon Software & Drivers 26.1.1
    Hasleo Backup Suite
    Dashlane password manager
    Kensington Verimark fingerprint reader
    Logitech Brio 4K webcam
    Orico 10-port powered USB 3.0 hub
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Asus Vivobook X1605VA
    CPU
    Intel® Core™ i9-13900H
    Motherboard
    Asus X1605VA bios 309
    Memory
    32GB DDR4-3200 Dual channel
    Graphics card(s)
    *Intel Iris Xᵉ Graphics G7
    Sound Card
    Realtek | Intel SST Bluetooth & USB
    Monitor(s) Displays
    16.0-inch, WUXGA 16:10 aspect ratio, IPS-level Panel
    Screen Resolution
    1920 x 1200 60hz
    Hard Drives
    512GB M.2 NVMe™ PCIe® 3.0 SSD
    Mouse
    Logitech MX Ergo Trackball
    Antivirus
    Bitdefender Total Security
    Other Info
    720p Webcam
    WiFi & USB to ethernet
bikemanAMD said:
Well i think i'll keep the OS in as good of condition as possible and hope i don't have to do a clean install anytime in the future, and just maybe they'll get it fully updated before i do my next clean install in the future.

Had i known about the possible boot issues, maybe wouldn't banned the CA 2011, but always like to keep my systems as secure as possible, maybe a little too much at times
Click to expand...

No one told me what problems I might encounter if I forbidden CA 2011. They just tell you that there are risks if you don't do it. As a result, I followed these instructions and encountered some problems.

I contacted the manufacturer in my area, and the staff told me that I could manually import the new certificate according to this article.

23fmt2O.png


Put these certificates into the USB, then select "Append" to add them.

I imported the missing certificate:
  • Microsoft Corporation KEK 2K CA 2023
  • Microsoft UEFI CA 2023
  • Microsoft Option ROM UEFI CA 2023
PGLmSmU.png
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
Ghot said:
We shouldn't have to fool around with any of this.
MS is dropping the ball.
Click to expand...
We don't need to fool about do we? I assume all will be sorted out via Windows updates.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self build
    CPU
    Core i7-13700K
    Motherboard
    Asus TUF Gaming Plus WiFi Z790
    Memory
    64 GB Kingston Fury Beast DDR5
    Graphics Card(s)
    Gigabyte GeForce RTX 2060 Super Gaming OC 8G
    Sound Card
    Realtek S1200A
    Monitor(s) Displays
    Viewsonic VP2770 & Dell (secondary)
    Screen Resolution
    2560 x 1440
    Hard Drives
    Kingston KC3000 2TB NVME SSD & SATA HDDs & SSD
    PSU
    EVGA SuperNova G2 850W
    Case
    Nanoxia Deep Silence 1
    Cooling
    Noctua NH-D14
    Keyboard
    Microsoft Digital Media Pro
    Mouse
    Logitech Wireless
    Internet Speed
    80 Mb / s
    Browser
    Chrome
    Antivirus
    Defender, Malwarebytes Free & AdwCleaner
Steve C said:
I assume all will be sorted out via Windows updates.
Click to expand...


I think that's how it worked for the last revocations. I did mine early.
But others didn't, and all they suffered was things like bootable Macrium USB sticks had to be remade... etc.
I hope these are the same.
 

My Computers

System One System Two

  • OS
    Win 11 Home ♦♦♦26200.8457 ♦♦♦♦♦♦♦25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® [May 2020]
    CPU
    AMD Ryzen 7 3700X
    Motherboard
    Asus Pro WS X570-ACE (BIOS 5302)
    Memory
    G.Skill (F4-3200C14D-16GTZKW)
    Graphics Card(s)
    EVGA RTX 2070 (08G-P4-2171-KR)
    Sound Card
    Realtek ALC1220P / ALC S1220A
    Monitor(s) Displays
    Dell U3011 30"
    Screen Resolution
    2560 x 1600
    Hard Drives
    2x Samsung 860 EVO 500GB,
    WD 4TB Black FZBX - SATA III,
    WD 8TB Black FZBX - SATA III,
    DRW-24B1ST CD/DVD Burner
    PSU
    PC Power & Cooling 750W Quad EPS12V
    Case
    Cooler Master ATCS 840 Tower
    Cooling
    CM Hyper 212 EVO (push/pull)
    Keyboard
    Ducky DK9008 Shine II Blue LED
    Mouse
    Logitech Optical M-100
    Internet Speed
    300/300
    Browser
    Firefox (latest)
    Antivirus
    Bitdefender Total Security
    Other Info
    Speakers: Klipsch Pro Media 2.1
  • Operating System
    Windows XP Pro 32bit w/SP3
    Computer type
    PC/Desktop
    Manufacturer/Model
    Built by Ghot® (not in use)
    CPU
    AMD Athlon 64 X2 5000+ (OC'd @ 3.2Ghz)
    Motherboard
    ASUS M2N32-SLI Deluxe Wireless Edition
    Memory
    TWIN2X2048-6400C4DHX (2 x 1GB, DDR2 800)
    Graphics card(s)
    EVGA 256-P2-N758-TR GeForce 8600GT SSC
    Sound Card
    Onboard
    Monitor(s) Displays
    ViewSonic G90FB Black 19" Professional (CRT)
    Screen Resolution
    up to 2048 x 1536
    Hard Drives
    WD 36GB 10,000rpm Raptor SATA
    Seagate 80GB 7200rpm SATA
    Lite-On LTR-52246S CD/RW
    Lite-On LH-18A1P CD/DVD Burner
    PSU
    PC Power & Cooling Silencer 750 Quad EPS12V
    Case
    Generic Beige case, 80mm fans
    Cooling
    ZALMAN 9500A 92mm CPU Cooler
    Keyboard
    Logitech Classic Keybooard 200
    Mouse
    Logitech Optical M-BT96a
    Internet Speed
    300/300
    Browser
    Firefox 3.x ??
    Antivirus
    Symantec (Norton)
    Other Info
    Still assembled, still runs. Haven't turned it on for 15 years?
Microsoft's retail Windows 11 24H2 ISOs still use the old CA 2011 boot manager. If the old CA 2011 certificate is revoked too early, it will be malicious to the user.

I also tried deleting the old CA 2011 certificate from the firmware. And use Make2023BootableMedia.ps1 to update the installation media. Windows still uses the old boot manager file so that the second stage boot you will get fail with a security error.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
You must log in or register to reply here.

Similar threads

  • Article Article
Refreshing the root of trust: industry collaboration on Secure Boot certificate updates
Replies
6
Views
2K
garioch7
garioch7
Solved Windows Secure Boot certificates expiring in 2026
Replies
13
Views
767
jdUnionngarden
jdUnionngarden
  • Article Article
Win Update KB5087539 Windows Server 2025 Cumulative Update build 26100.32860 - May 12
Replies
0
Views
153
Brink
Brink
  • Article Article
Win Update KB5089549 Windows 11 Cumulative Update build 26100.8457 (24H2) and 26200.8457 (25H2) - May 12
7 8 9
Replies
164
Views
23K
banger
banger
  • Article Article
What is new in Windows 11 from February 2026
Replies
0
Views
349
Brink
Brink

Latest Support Threads

Latest Tutorials

Back
Top Bottom