Act now: Secure Boot certificates expire in June 2026


UPDATE:


 Windows IT Pro Blog:

Prepare for the first global large-scale certificate update to Secure Boot.

The Microsoft certificates used in Secure Boot are the basis of trust for operating system security, and all will be expiring beginning June 2026. The way to automatically get timely updates to new certificates for supported Windows systems is to let Microsoft manage your Windows updates, which include Secure Boot. A close collaboration with original equipment manufacturers (OEMs) who provide Secure Boot firmware updates is also essential.

If you haven't yet, begin evaluating options and start preparing for the rollout of updated certificates across your organization in the coming months. Learn about this effort, its impact, and what you as an IT admin should do to help ensure that your Windows devices can receive updates after June 2026 without compromising system security.

Important: While platforms beyond Windows are affected, this article focuses on the solution for Windows systems. Be sure to monitor the Secure Boot certificate rollout landing page for status and guidance updates.

Recap: Why Secure Boot requires updating​

Secure Boot helps to prevent malware from running early in the startup sequence of a Windows device. Coupled with the Unified Extensible Firmware Interface (UEFI) firmware signing process, Secure Boot uses cryptographic keys, known as certificate authorities (CAs), to validate that firmware modules come from a trusted source.

After 15 years, the Secure Boot certificates that are part of Windows systems will start expiring in June 2026. Windows devices will need new certificates to maintain continuity and protection.
  • Affected: Physical and virtual machines (VMs) on supported versions of Windows 10, Windows 11, Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2012 R2—the systems released since 2012, including the long-term servicing channel (LTSC)
  • Not affected: Copilot+ PCs released in 2025
Note: Affected third-party OS includes MacOS. However, it's outside the scope of Microsoft support. For Linux systems dual booting with Windows, Windows will update the certificates that Linux relies on.

Secure Boot uses certificate-based trust hierarchy to ensure that only authorized software runs during system startup. At the top of this hierarchy is the Platform Key (PK), typically managed by the OEM or a delegate, which acts as the root of trust. The PK authorizes updates to the Key Enrollment Key (KEK) database, which in turn authorizes updates to two critical signature databases: the Allowed Signature Database (DB) and the Forbidden Signature Database (DBX). This layered structure ensures that only validated updates can modify the system's boot policy, maintaining a secure boot environment. See how it works in Updating Secure Boot keys.

The change: Expiring certificates​

Windows systems released since 2012 might have expiring versions of the certificates listed below. The UEFI Secure Boot DB and KEK need to be updated with the corresponding new certificate versions.

See what new certificates will be available in the coming months to maintain UEFI Secure Boot continuity.

Expiring certificate: Microsoft Corporation KEK CA 2011
  • Expiration date: June 2026
  • Updated certificate: Microsoft Corporation KEK 2K CA 2023
  • What it does: Signs updates to DB and DBX
  • Storing location: KEK

Expiring certificate: Microsoft Corporation UEFI CA 2011 (or third-party UEFI CA)*
  • Expiration date: June 2026
  • Updated certificates: a) Microsoft Corporation UEFI CA 2023; b) Microsoft Option ROM UEFI CA 2023
  • What they do: a) Signs third-party OS and hardware driver components; b) Signs third-party option ROMs
  • Storing location: DB

Expiring certificate: Microsoft Windows Production PCA 2011
  • Expiration date: Oct 2026
  • Updated certificate: Windows UEFI CA 2023
  • What it does: Signs the Windows bootloader and boot components
  • Storing location: DB

*You need two new certificates for Microsoft Corporation UEFI CA 2011, which together allow for more granular control.

Microsoft and partner OEMs will be rolling out certificates to add trust for the new DB and KEK certificates in the coming months.

The impact and implications​

The CAs ensure the integrity of the device startup sequence. When these CAs expire, the systems will stop receiving security fixes for the Windows Boot Manager and the Secure Boot components. Compromised security at startup threatens the overall security of affected Windows devices, especially due to bootkit malware. Bootkit malware can be difficult or impossible to detect with standard antivirus software. For example, even today, the unsecured boot path can be used as a cyberattack vector by the BlackLotus UEFI bootkit (CVE-2023-24932).

Every Windows system with Secure Boot enabled includes the same three certificates in support of third-party hardware and the Windows ecosystem. Unless prepared, physical devices and VMs will:
  • Lose the ability to install Secure Boot security updates after June 2026.
  • Not trust third-party software signed with new certificates after June 2026.
  • Not receive security fixes for Windows Boot Manager by October 2026.
To prevent this, you'll need to update your organization's entire Windows ecosystem with certificates dated 2023 or newer. This will also help you apply mitigations needed to help secure your systems against the BlackLotus and similar boot-level cyberattacks today.

Take action today​

To begin, bookmark the Secure Boot certificate rollout landing page and take our readiness survey!

Important: Check with your OEMs on the latest available OEM firmware. Apply any available firmware updates to your Windows systems before applying the new certificates. In the Secure Boot flow, firmware updates from OEMs are the foundation for Windows Secure Boot updates to apply correctly.

Microsoft support is only available for supported client versions of Windows 11 and Windows 10. Once Windows 10 reaches end of support in October 2025, consider getting Extended Security Updates (ESU) for Windows 10, version 22H2 if you're not ready to upgrade.

In the coming months, we expect to update the Secure Boot certificates as part of our latest cumulative update cycle.

The solution that requires the least effort is letting Microsoft manage your Windows device updates, including Secure Boot updates. However, you might need to adopt multiple solutions. Your specific next step depends on the Windows systems and how you manage them.

Enterprise IT-managed systems that send diagnostic data​

No action is required if Windows systems at your organization receive Windows updates from Microsoft and send diagnostic data back to Microsoft. This includes devices that receive updates through Windows Autopatch, Microsoft Configuration Manager, or third-party solutions.

Note: Check that your firewall doesn't block diagnostic data. If it does, please take action to help diagnostic data reach Microsoft.

Windows diagnostic data and OEM feedback will help us group devices with similar hardware and firmware profiles to gradually release Secure Boot updates to you. This allows us to intelligently monitor the rollout process, proactively pausing, addressing any issues, and continuing as needed. Just keep your devices updated with the latest Windows updates!

Enterprise IT-managed systems that don't send diagnostic data​

Enable Windows diagnostic data and let Microsoft manage your updates by taking the following steps:
  1. Configure your organizational policies to allow at least the “required” level of diagnostic data. You can use Group Policy or mobile device management (MDM) to do this. See how to do this in Group Policy Management Editor for Windows 11 and Windows 10.
  2. Allow Microsoft to manage Secure Boot-related updates for your devices by setting the following registry key:
  • Registry path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
  • Key name: MicrosoftUpdateManagedOptIn
  • Type: DWORD
  • DWORD value: 0x5944 (opt in to Windows Secure Boot updates)
We recommend setting this key to 0x5944. It indicates that all certificates should be updated in a manner that preserves the security profile of the existing device. It also updates the boot manager to the one signed by the Windows UEFI CA 2023 certificate. Note: If the DWORD value is 0 or the key doesn't exist, Windows diagnostic data is disabled.

If you prefer not to enable diagnostic data, please take this anonymous readiness survey. Help us assess the needs of environments like yours to create future guidance on managing the update process independently. You'll remain fully in control and responsible to execute and monitor these updates.

Air-gapped devices, such as in government scenarios or manufacturing, are a special case. Because Microsoft cannot manage these updates, we can only offer the following limited support:
  • Recommend known steps or methods for deploying these updates
  • Share data gathered from our rollout stream
When available, look for these resources on the Secure Boot certificate rollout landing page.

Systems with Secure Boot disabled​

Windows cannot update the active variables of the Secure Boot certificates if Secure Boot is disabled.

Important: Toggling Secure Boot on or off might erase the updated certificates. If Secure Boot is on, leave it enabled. Turning it off can reset the settings with defaults, which is not desirable.

Share these recommendations with individual users:
  1. Press Windows key + R, type msinfo32, and then press Enter.
  2. In the System Information window, look for Secure Boot State.
  3. If it says On, you're good to go!
If Secure Boot is off or unsupported, the device may not receive the new CAs. For these devices, you may choose to enable Secure Boot with this guidance: Windows 11 and Secure Boot.


Change management considerations​

Don't wait until June 2026! Updating DB and KEK with new 2023 certificates will help prevent your systems from boot-level security vulnerabilities today.

Get the latest OEM firmware updates and let Microsoft manage your Windows updates to receive Secure Boot updates automatically. Otherwise, help us understand your special case by completing this anonymous readiness survey.

Watch the release notes for Windows 11, version 24H2, version 23H2, and Windows 10 in the coming months to know when these updates are available to you. Stay tuned for additional guidance for the LTSC as needed.

Bookmark these additional resources:
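The two configuration steps the article gives for IT-managed systems (allow at least "required" diagnostic data, then set MicrosoftUpdateManagedOptIn to 0x5944) and the readiness checks it asks for can be scripted. The PowerShell below is an added example, not code from the Microsoft article or from anyone in this thread. It writes the registry value the article names, then reports Secure Boot state, the diagnostic-data policy, the servicing status values, and recent Secure Boot servicing events. Assumptions the article does not state: the diagnostic-data level is read from the AllowTelemetry policy value (1 = Required); the Servicing subkey under the same Secureboot key holds WindowsUEFICA2023Capable and UEFICA2023Status; and the servicing events are written to the System log by the Microsoft-Windows-TPM-WMI provider, with Event ID 1795 being the access-denied case raised later in this thread.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the Microsoft article or this thread): opt a device in
# to Microsoft-managed Secure Boot certificate updates and report readiness.

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$ServicingKey  = "$SecureBootKey\Servicing"    # assumption: holds the 2023 servicing status values
$PolicyKey     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
$OptInValue    = 0x5944                          # the value the article recommends

function Set-SecureBootOptIn {
    # Creates the key if it is absent and writes the opt-in DWORD. Idempotent.
    if (-not (Test-Path $SecureBootKey)) { New-Item -Path $SecureBootKey -Force | Out-Null }
    New-ItemProperty -Path $SecureBootKey -Name 'MicrosoftUpdateManagedOptIn' `
        -PropertyType DWord -Value $OptInValue -Force | Out-Null
}

function Get-RegistryValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SecureBootReadiness {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    $optIn     = Get-RegistryValue $SecureBootKey 'MicrosoftUpdateManagedOptIn'
    $telemetry = Get-RegistryValue $PolicyKey 'AllowTelemetry'      # 0 Security, 1 Required, 3 Optional
    $capable   = Get-RegistryValue $ServicingKey 'WindowsUEFICA2023Capable'   # assumption: 0/1/2 progress value
    $status    = Get-RegistryValue $ServicingKey 'UEFICA2023Status'           # assumption: NotStarted/InProgress/Updated

    $optInText = if ($null -eq $optIn) { 'missing (Windows will not manage the update)' }
                 else { '0x{0:X}' -f $optIn }
    $telemetryText = if ($null -eq $telemetry) { 'not set by policy; the device setting applies' }
                     elseif ($telemetry -ge 1) { "$telemetry (meets the Required level)" }
                     else { "$telemetry (below Required; the managed rollout cannot target this device)" }

    [pscustomobject]@{
        SecureBootEnabled           = $secureBoot
        MicrosoftUpdateManagedOptIn = $optInText
        OptInIsRecommendedValue     = ($optIn -eq $OptInValue)
        AllowTelemetryPolicy        = $telemetryText
        WindowsUEFICA2023Capable    = $capable
        UEFICA2023Status            = $status
    }
}

function Get-SecureBootServicingEvents([int]$Days = 30) {
    # Secure Boot servicing logs to the System log through the TPM-WMI provider
    # (assumption). Event ID 1795 is the access-denied failure discussed in this thread.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated -Descending |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Set-SecureBootOptIn
Get-SecureBootReadiness | Format-List
Get-SecureBootServicingEvents | Format-Table -AutoSize
```

Run it from an elevated session before and after the next cumulative update: the opt-in value should read 0x5944, AllowTelemetry should be 1 or higher, and the event list shows whether a DB/KEK write has been attempted and whether it succeeded or was refused by the firmware.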
No one told me what problems I might encounter if I forbade CA 2011. They just tell you that there are risks if you don't do it. As a result, I followed these instructions and encountered some problems.

I contacted the manufacturer in my area, and the staff told me that I could manually import the new certificate according to this article.
You're joking, right? That reference is over 800 lines long! :rolleyes:
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
That's the MS manual for OEMs. If your OEM's support team provided you that link, they're just lazy.
 

My Computer

System One

  • OS
    Windows 7
If you are still missing the CA 2023 certificate and you see Event ID 1795 in the Event Viewer, this means Windows is trying to update the certificate but access is denied. Your firmware may be missing the Microsoft KEK certificate, so Secure Boot denies Windows access to the certificate.

You can check this with an additional KEK script based on @garlin's PowerShell script.

If your "EFI KEK Certificates" list is empty, you need to manually download the KEK certificate and add the *.der file in the BIOS. Otherwise you will never get the CA 2023 certificate updated.

Download "MicCorKEKCA2011_2011-06-24.der" and "microsoft corporation kek 2k ca 2023.der" from HERE. You can also download all 2023 certificates and add them.

Reminder: DBX is a certificate blacklist; it is not recommended to add the CA 2011 certificate to the blacklist too early.

Then prepare a USB drive and put these two files on it. Enter the BIOS and navigate to Secure Boot > Key Management.

For example, I like to add the CA 2023 certificate to the DB allowlist. Select DB Management > Append Key.

Choose No to load it from a file on external media.

Choose Public Key Certificate.

After completing these actions, exit the BIOS.
 

My Computer

System One

  • OS
    Windows 11, version 25H2 (26200)
    Computer type
    PC/Desktop
    CPU
    AMD Ryzen 9 9950X 16-Core Processor
    Motherboard
    ASRock B650M PG Riptide
    Memory
    DDR5-6000 (CL36) 64.0 GB
    Graphics Card(s)
    NVIDIA GeForce RTX 4090
    PSU
    1200W
    Case
    Phanteks Enthoo Pro 2
    Cooling
    Noctua NH-D12L
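The check the post above does with a KEK script, and the presence question raised by the certificate table in the first post (is each 2023 CA already in DB and KEK, and has CA 2011 been pushed into DBX), can be answered directly from the UEFI variables. The PowerShell below is an added example; it is not @garlin's script, not Microsoft's code, and not from anyone in this thread. It reads PK, KEK, db and dbx through Get-SecureBootUEFI, walks the EFI_SIGNATURE_LIST records as laid out in the UEFI specification, and prints the X.509 subjects and hash counts. The certificate common names it looks for are the ones in the article's table; a KEK with no X.509 entry is reported as the empty-KEK condition described above. It writes nothing.

```powershell
#Requires -RunAsAdministrator
# Added example (not from this thread, @garlin's script or Microsoft): parse the
# Secure Boot variables and report which Microsoft CAs are present in each.

# UEFI signature-type GUIDs for the two entry kinds Windows ships.
$EFI_CERT_X509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'

# Common names from the article's table (old and replacement certificates).
$Expected = @{
    KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
    db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
            'Microsoft Corporation UEFI CA 2011', 'Microsoft Corporation UEFI CA 2023',
            'Microsoft Option ROM UEFI CA 2023')
}

function Get-EfiSignatureEntries {
    # Walks consecutive EFI_SIGNATURE_LIST records:
    #   GUID SignatureType | UINT32 ListSize | UINT32 HeaderSize | UINT32 SignatureSize
    #   | HeaderSize bytes | N x (GUID SignatureOwner + SignatureData)
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        $end      = $offset + $listSize
        if ($listSize -lt 28 -or $end -gt $Bytes.Length -or $sigSize -le 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $hdrSize
        while ($pos + $sigSize -le $end) {
            # Skip the 16-byte SignatureOwner GUID; the remainder is the payload.
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EFI_CERT_X509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{ Kind = 'X509'; Name = $cert.GetNameInfo('SimpleName', $false); NotAfter = $cert.NotAfter }
            } elseif ($type -eq $EFI_CERT_SHA256) {
                [pscustomobject]@{ Kind = 'SHA256'; Name = ([BitConverter]::ToString($data) -replace '-'); NotAfter = $null }
            } else {
                [pscustomobject]@{ Kind = $type.ToString(); Name = '(unparsed)'; NotAfter = $null }
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Get-SecureBootCertificateReport {
    foreach ($var in 'PK', 'KEK', 'db', 'dbx') {
        try { $bytes = (Get-SecureBootUEFI -Name $var).Bytes }
        catch { Write-Warning "Cannot read ${var}: $_"; continue }
        $entries = @(Get-EfiSignatureEntries -Bytes $bytes)
        $certs   = @($entries | Where-Object Kind -eq 'X509')
        $hashes  = @($entries | Where-Object Kind -eq 'SHA256')

        Write-Host "== $var : $($certs.Count) certificate(s), $($hashes.Count) hash(es)"
        $certs | ForEach-Object { Write-Host ("   {0,-42} expires {1:yyyy-MM-dd}" -f $_.Name, $_.NotAfter) }

        if ($Expected.ContainsKey($var)) {
            foreach ($name in $Expected[$var]) {
                $mark = if ($certs.Name -contains $name) { 'x' } else { ' ' }
                Write-Host ("   [{0}] {1}" -f $mark, $name)
            }
        }
        if ($var -eq 'KEK' -and $certs.Count -eq 0) {
            Write-Warning 'KEK holds no certificate: the firmware will refuse the signed DB/DBX update (Event ID 1795 symptom).'
        }
        if ($var -eq 'dbx') {
            # The post above warns against blacklisting CA 2011 too early; say so if it is already there.
            $revoked = @($certs | Where-Object Name -like '*2011*')
            if ($revoked.Count -gt 0) { Write-Warning "DBX already revokes: $($revoked.Name -join ', ')" }
        }
    }
}

Get-SecureBootCertificateReport
```

On a machine that has received the update, db shows both Windows UEFI CA 2023 and the remaining 2011 entries checked, and KEK shows Microsoft Corporation KEK 2K CA 2023; a KEK line with zero certificates matches the empty "EFI KEK Certificates" case the post describes, and the CA 2011 boxes in dbx should stay unchecked until Microsoft's own revocation reaches you.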
My Current Results

 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2 26200.8037
    Computer type
    PC/Desktop
    Manufacturer/Model
    PreBuilt
    CPU
    AMD Ryzen 7700X
    Motherboard
    MSI B650 VC WIfi Rev 1.0
    Memory
    32GB DDR 5 RGB 5600Mhz
    Graphics Card(s)
    Radeon 7800XT
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Asus VG245H
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 990 Evo Plus NVMe Boot
    Samsung 990 Pro 1TB Game NVMe



    External
    Western Digital Elements 500GB
    Western Digital My Passport 2TB Blue
    Western Digital My Passport 2TB Red
    Toshiba 2TB in External Enclosure
    Seagate 8TB in External Enclosure
    Seagate 1TB Portable USB 3 External Drive
    Western Digital My Book 8TB (Primary Backup drive)
    Western Digital Black 4TB In External Enclosure
    PSU
    750 Watt High Power
    Case
    Lian Li Lan Cool 216 ARGB Airflow
    Cooling
    2 160MM Front, 1 140MM Rear Exhaust
    Keyboard
    Logitech G513
    Mouse
    Logitech G502 X
    Internet Speed
    Gigabit 1100Mb/35 Upload
    Browser
    MS Edge Chromium and Bing Search
    Antivirus
    Windows Defender, Malwarebytes Premium
    Other Info
    UEFI, Secure Boot, TPM 2.0, Macrium Reflect X
  • Operating System
    Windows 11 Pro 25H2 26200.8037
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF A16 Advantage Edition FA617NT.A16.R7700
    CPU
    Ryzen 7 7735HS
    Motherboard
    OEM Asus Motherboard
    Memory
    16GB DDR 5
    Graphics card(s)
    AMD Radeon™ 680M & Radeon 7700S
    Sound Card
    Onboard
    Monitor(s) Displays
    16inch FHD 165hz
    Screen Resolution
    1920x1080
    Hard Drives
    512GB NVMe Boot Drive
    PSU
    Laptop PSU
    Case
    Laptop Case
    Cooling
    OEM Cooling
    Keyboard
    OEM Laptop Keyboard
    Mouse
    Touchpad & G502 Hero
    Internet Speed
    Gigabit 1100 Download/35 Upload
    Browser
    MS Edge with Bing search
    Antivirus
    Windows Defender & Malwarebytes Premium
    Other Info
    Macrium Reflect X

Awesome! relaxes on mine then, and gets other PC tasks done today shortly
 

For the record, ultimately™, the CA-2023 KEK certificate (which, again, is different from the CA-2023 DB certificate) should be installed by Windows itself, as Microsoft has contacted all the manufacturers it knows about to ask them to sign KEK update packages (which only the entity that has access to the private key corresponding to the Secure Boot PK can do), which, eventually™, Microsoft should apply to users' platforms.

See the very relevant secureboot_objects/PostSignedObjects/KEK at main · microsoft/secureboot_objects and the long list of manufacturers it includes.

Now, of course, if your manufacturer closed shop, or if (as you might want to do if you are paranoid about security and don't like the idea of having third parties in control, such as hardware manufacturers that have demonstrated again and again that they are far from reliable at not getting their secrets exfiltrated to bad actors) you installed your own PK, then Microsoft's future™ auto-update of the KEK will never work. But at least you can still use Mosby, which installs the new CA-2023 KEK (along with a unique PK that nobody can exploit).

In (very simplified and somewhat inaccurate) layman's terms, what you want to know about Secure Boot is that:

PK —(can update)⟶ KEK —(can update)⟶ DB/DBX

So, if you are Microsoft, and you want to add a new certificate, such as CA-2023, to the DB, then you need to have a KEK that you control (which should already be the case with the current 2011 KEK). But with the current Microsoft KEK also set to expire in 2026, once that deadline has passed, the only way Microsoft can update the DB to add a new certificate is if they also add the CA-2023 KEK, and the only way to be able to do that is if the manufacturer (who has access to the PK) signs the CA-2023 KEK update package for your specific machine.

Oh, and disclaimer: I am the developer of Mosby.
 

My Computer

System One

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Built
    Screen Resolution
    4k
The latest Dev build 26200.5722 still does not fix the issue of installing the old CA 2011-signed Windows Boot Manager to the EFI partition on a cleanly installed computer that already has the CA 2023 certificate.
 

For the record, ultimately™, the CA-2023 KEK certificate (which, again, is different from the CA-2023 DB certificate) should be installed by Windows itself, as Microsoft has contacted all the manufacturers it knows about to ask them to sign KEK update packages (which only the entity that has access to the private key corresponding to the Secure Boot PK can do), which, eventually™, Microsoft should apply to user's platforms.
Any insight what happened here? I had a working system with Secure Boot, but I had to do a reset due to an update going wild. The reset went fine, but if I leave Secure Boot enabled, it doesn't boot. Not sure how I fix this.

I ran the rebuild, it did break one thing. Secure Boot stopped working! I turned off Secure Boot in the BIOS and got it booted up. The question now, is exactly how to fix it.


After seeing this and rebooting and getting it again, I ran MOSBY and replaced the CA Certificates, but that didn't fix it. The site that the BIOS spit out for more information was a bust, it took me to a generic MSC page that has nothing to do with Secure Boot, or booting of any kind.

I have the certificates enabled, but when I enable Secure Boot, no go.


I'm assuming there's something about the repair image that needs updating, but I don't see exactly how I do that.
 

The "C:\Windows\Boot" directory (in install.wim and winre.wim) contains the "EFI" and "EFI_EX" folders.
  • EFI folder = Windows Boot Manager signed by Windows Production PCA 2011
  • EFI_EX folder = Windows Boot Manager signed by Windows UEFI CA 2023
If the "Windows Production PCA 2011" certificate has been revoked (added to DBX), a clean installation of Windows 11 25H2 (26200.5722 Dev ISO) still installs the old CA 2011-signed Windows Boot Manager to the EFI partition, so a security error is reported in the second-stage boot.

As a temporary solution, I need to turn off Secure Boot in the BIOS, then use the WindowsUEFICA2023Capable PowerShell script to copy the EFI_EX file to the EFI partition, restart the system, and enter the BIOS to turn Secure Boot back on.

If Microsoft fixes this issue, I will report here in which Windows build it is fixed.
 

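The post above hinges on which boot manager actually sits on the EFI system partition: the PCA 2011-signed one from C:\Windows\Boot\EFI or the Windows UEFI CA 2023-signed one from C:\Windows\Boot\EFI_EX. The PowerShell below is an added, read-only example, not the WindowsUEFICA2023Capable script mentioned in the thread and not Microsoft's code: it maps the EFI system partition, reads the Authenticode signature of the installed bootmgfw.efi with Get-AuthenticodeSignature, and prints the issuing CA next to the two shipped copies. Assumptions: S: is a free drive letter for mountvol, and the 2023-signed copy is named bootmgfw_EX.efi under EFI_EX. Nothing is copied or modified.

```powershell
#Requires -RunAsAdministrator
# Added example (not from this thread or Microsoft): read-only check of which
# CA issued the Authenticode signature on the boot manager the firmware loads,
# compared with the two copies Windows keeps under C:\Windows\Boot.

$EspLetter  = 'S:'   # assumption: S: is free; "mountvol S: /S" maps the EFI system partition there
$Candidates = [ordered]@{
    'ESP (loaded by firmware)' = "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
    'Windows\Boot\EFI'         = "$env:SystemRoot\Boot\EFI\bootmgfw.efi"
    'Windows\Boot\EFI_EX'      = "$env:SystemRoot\Boot\EFI_EX\bootmgfw_EX.efi"   # assumption: _EX file name
}

function Get-BootManagerSigner {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; IssuingCA = '(file missing)'; SignedByCA2023 = $null }
    }
    # Chain status is beside the point here (the UEFI CAs need not be in the
    # Windows root store); the issuer of the signing leaf is what identifies the
    # DB entry the firmware will match the binary against.
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if (-not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; IssuingCA = "(no signature: $($sig.Status))"; SignedByCA2023 = $false }
    }
    $issuerCn = ($sig.SignerCertificate.Issuer -split ',\s*' |
                 Where-Object { $_ -like 'CN=*' } | Select-Object -First 1) -replace '^CN=', ''
    [pscustomobject]@{
        Path           = $Path
        IssuingCA      = $issuerCn
        SignedByCA2023 = ($issuerCn -eq 'Windows UEFI CA 2023')
    }
}

# Map the ESP only if it is not already mounted, and unmap it afterwards.
$mountedHere = $false
if (-not (Test-Path -LiteralPath "$EspLetter\")) {
    mountvol $EspLetter /S
    $mountedHere = $true
}
try {
    $(foreach ($label in $Candidates.Keys) {
        Get-BootManagerSigner -Path $Candidates[$label] |
            Add-Member -NotePropertyName Copy -NotePropertyValue $label -PassThru
    }) | Format-Table Copy, IssuingCA, SignedByCA2023, Path -AutoSize
} finally {
    if ($mountedHere) { mountvol $EspLetter /D }
}
```

If the ESP row reports Microsoft Windows Production PCA 2011 while the firmware's DBX revokes that CA (or, as described further down, carries a minimum SVN above the installed binary's), the firmware refuses the boot manager and you get the Security Violation this thread is about; the EFI_EX row shows whether the 2023-signed replacement is even present on the installed system.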
I haven't revoked any certificates. I also turned off Secure Boot to allow the system to boot.
As a temporary solution. I need turning off Secure Boot in BIOS. Then use the WindowsUEFICA2023Capable PowerShell script to copy the EFI_EX file to the EFI partition. Restart the system and enter BIOS to turn on Secure Boot.

If Microsoft fixes this issue I will report here in which Windows build it is installed.
I looked at that script, a little frightening! That looks like more than copying a file to the EFI partition, but maybe that's just me.
 

I haven't revoked any certificates. I also turned off Secure Boot to allow the system to boot.

I looked at that script, a little frightening! That looks like more than copying a file to the EFI partition, but maybe that's just me.

It just copies the files to the partition; please learn PowerShell. You can write your own PowerShell script. These are all public scripts. You can also see the value of WindowsUEFICA2023Capable changed in the script. Please read the description of WindowsUEFICA2023Capable. This has been mentioned multiple times in this thread.

Aren't you frightened of Check_EFIBootFile.ps1? I think you should not use any scripts or certificates, so that you have problems with Secure Boot.
 

Any insight what happened here?

Yup. The Windows UEFI bootloader (bootmgr.efi) you use is not up to date, and it has been revoked through Microsoft's SVN, which is really DBX revocation in disguise, as the SVN version that gets checked, i.e. the minimum allowed version you saw in the error message, comes from a standard UEFI DBX update. And of course Mosby installs the latest DBX (or, more accurately, there hasn't been a DBX update since our last release of Mosby), so, when Secure Boot is enabled, bootmgr.efi reads the minimum allowed version from the DBX (currently that would be 5.0), and if it finds that its own internal version (in your case 2.0) is lower than that, it produces the error message you just got.

Normally, if you boot with Secure Boot disabled and let Windows go through its updates, it should detect that the bootloaders you use are obsolete and update them to versions that aren't revoked, and then boot should work again with Secure Boot enabled. But of course that only works after Windows has been installed and is running (and also, since I don't work for Microsoft, I can't vouch that this will always happen; I have just had punctual experience that seems to hint at Windows doing this automatically). If, on the other hand, you are seeing this error during Windows installation, then you will have to redo your media so that all of the bootmgr.efi bootloaders it uses (as well as the boot###.efi ones, such as bootx64.efi, to be on the safe side), including the ones that may reside in a .wim inside a .wim, are updated to a version that hasn't been revoked through SVN.

Be very mindful that you might have bootloaders that are signed with CA-2023 and that have still been revoked through Microsoft's SVN, so it's not because you are using CA-2023 signed bootloaders that you are safe from Security Violations when it comes to Secure Boot, as UEFI revocation updates happen regularly on account of new vulnerabilities being found (IIRC there have already been at least 2 DBX updates since the start of the year, which any modern OS would have applied for you behind the scenes, and which you probably didn't even realize happened, which is exactly how it is supposed to work).

Oh, and as to the issue of the URL being broken, that's been the case for more than a year, and I got annoyed about this enough that I recently reported it to Microsoft (who are still in the process of acting on it)...
Well... Magic may have happened. I went and checked updates, and I got a Defender AV update. I figured... what the heck, it's an update, let's see if they noticed. I turned Secure Boot back on in the BIOS and no problem! Say What? I tried that three or four times earlier and couldn't get past that problem!

I guess the question now is, can I disable the 2011 certificates and finish the job?

Be very mindful that you might have bootloaders that are signed with CA-2023, and that still have been revoked through Microsoft's SVN, so it's not because you are using CA-2023 signed bootloaders that you are safe from Security Violations when it comes to Secure Boot, as UEFI revocation updates happen regularly on account of new vulnerabilities being found (IIRC there have already been at least 2 DBX updates since the start of the year, that any modern OS would have applied for you behind the scenes, and that you probably didn't even realize happened, which is exactly how it is supposed to work).
So, if I'm reading this right, even if I create a bootable recovery drive for instance, it may suddenly become non-bootable in the future until I disable Secure Boot? This is sounding like it's turning into a can of worms. I think I understand why the Linux folks are saying they just disable Secure Boot!

I'm guessing utilities like Rufus get updated regularly to stay ahead of any revocation of new vulnerabilities being discovered and the minimum allowed version gets incremented so they still boot? I also suspect this probably means my Acronis True Image bootable recovery disk might also be a problem if they don't update them...
I guess the question now is, can I disable the 2011 certificates and finish the job?

No idea. I don't know what you're doing, how you're doing it, and, to be honest, I don't really want to know... :whistle:
You can try, and see what happens, but please don't expect others to tell you what is likely to happen. Better see it for yourself.

So, if I'm reading this right, even if I create a bootable recovery drive for instance, it may suddenly become non-bootable in the future until I disable Secure Boot?

Well, a good rule of thumb is to consider that every non-trivial executable that was ever written (and that of course also applies to UEFI bootloaders) will be discovered to contain a vulnerability eventually, which means that, since you do want the UEFI revocation to do its job, the number of revoked bootloaders is ever increasing and is likely to, one day, include whichever one you are using right now -- but hopefully with quite a few years between the time you actively need to use that bootloader and the time it gets revoked.

But this is very much what you want. You do not want your platform to allow the first person who has physical access to it to install a permanent UEFI rootkit, just because you are annoyed about stuff needing to be updated (especially as, again, in most cases, it should happen transparently behind the scenes). If you get a Security Violation with Secure Boot, your reaction should not be annoyance, but instead, it should be relief that your system is actually actively working to prevent UEFI malware from being installed by literally any person who might have the desire to do so.

I think I understand why the Linux folks are saying they just disable Secure Boot!

Those who trade security for convenience end up with neither.

I'm guessing utilities like Rufus get updated regularly to stay ahead of any revocation of new vulnerabilities being discovered and the minimum allowed version gets incremented so they still boot?

Actually (when you have the check for updates enabled, which is a choice Rufus prompts you for the first time you run it), the Rufus executable does not need to get updated, because it actively checks to see if there has been a DBX update and downloads it, so it can alert you, in near-realtime (if you want to consider that the default 24-hour cooldown on checking for DBX updates is "near-realtime"), if you are using an image with a revoked bootloader. This way, if you obtained your image from a non-reputable source, you can choose to avoid putting yourself at risk, as well as get alerted that you are most likely going to see a Security Violation if the system you are trying to boot is up to date in terms of Secure Boot revocation (which again, is very much what you want to see happen!).
Actually (when you have the check for updates enabled, which is a choice Rufus prompts you for the first time you run it), the Rufus executable does not need to get updated, because it actively checks to see if there has been a DBX update and downloads it, so it can alert you, in near-realtime (if you want to consider that the default 24-hour cooldown on checking for DBX updates is "near-realtime"), if you are using an image with a revoked bootloader. This way, if you obtained your image from a non-reputable source, you can choose to avoid putting yourself at risk, as well as get alerted that you are most likely going to see a Security Violation if the system you are trying to boot is up to date in terms of Secure Boot revocation (which again, is very much what you want to see happen!).
OK, I really appreciate your assistance, I'm slowly getting it. So if you use Rufus to install a Windows image, it's checking the bootloader to see if it's revoked? That does seem like a very useful feature. :-)

I think I'm set, at least for the moment. I guess if I needed to use an older recovery boot disk, I could disable Secure Boot just for that process and then turn it back on.
Is MS starting to update the certificates through Windows Update? The reason I ask is because when I checked the Registry on my two desktops it showed that WindowsUEFICA2023Capable is set to 2. Desktop #1 is running the latest 24H2 build and desktop #2 is running the latest Canary build. I tried a Macrium rescue disk that I had made earlier on desktop #1 (PowerSpec B746) and it worked. Also, does the value of 2 mean that the old certificates are no longer valid and my desktops are good to go?
Is MS starting to update the certificates through Windows Update? The reason I ask is because when I checked the Registry on my two desktops it showed that WindowsUEFICA2023Capable is set to 2. Desktop #1 is running the latest 24H2 build and desktop #2 is running the latest Canary build. I tried a Macrium rescue disk that I had made earlier on desktop #1 (PowerSpec B746) and it worked. Also, does the value of 2 mean that the old certificates are no longer valid and my desktops are good to go?

You only need to have the new CA 2023 certificate. Current retail ISOs still contain the old CA 2011 certificates, and Windows installations still use the old Windows Boot Manager.

You can follow these steps to validate whether Windows Boot Manager is signed by the “Windows UEFI CA 2023” or the "Windows Production CA 2011" certificate.

  • As Administrator, mount the EFI partition to get it ready for inspection:
Code:
mountvol s: /s

  • Validate that "s:\efi\microsoft\boot\bootmgfw.efi" file is signed by the “Windows UEFI CA 2023” certificate. To do this, follow these steps:
Code:
copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\bootmgfw_2023.efi

  • In File Manager, right-click the file C:\bootmgfw_2023.efi, click Properties, and then select the Digital Signatures tab.
  • In the Signature list, confirm that the certificate chain includes Windows UEFI CA 2023. The certificate chain should match the following screenshot:


If it's “Windows UEFI CA 2023”, the system is using the new Windows Boot Manager.

Windows Update completes these steps automatically without user intervention.
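Added example (not from the post or from Microsoft's documentation): a PowerShell version of the check above that reads the signer chain of bootmgfw.efi directly and also looks for the 2023 CA in the firmware's allowed-signers database (db), so the answer does not rest on the registry flag discussed earlier in the thread. Assumptions: the commands run from an elevated prompt on a UEFI system, and the drive letter S: is free.

```powershell
# Added example, not code from the forum post. Run elevated. S: is an assumed free letter.
$EfiLetter = 'S:'
$BootMgr   = Join-Path $EfiLetter 'EFI\Microsoft\Boot\bootmgfw.efi'

# Mount the EFI system partition (same command the post uses).
mountvol $EfiLetter /s
if (-not (Test-Path $BootMgr)) { throw "Boot manager not found at $BootMgr" }

# Read the Authenticode signature embedded in the PE file.
$sig = Get-AuthenticodeSignature -FilePath $BootMgr
if ($sig.Status -ne 'Valid') { Write-Warning "Signature status: $($sig.Status)" }

# Rebuild the certificate chain so the issuing CA names can be inspected.
# Revocation checking is disabled: this is an offline look at issuer names only.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)
$subjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
$subjects | ForEach-Object { "  chain: $_" }

# The 2011 intermediate's real subject is "Microsoft Windows Production PCA 2011";
# the post refers to it as "Windows Production CA 2011".
if ($subjects -match 'Windows UEFI CA 2023') {
    'bootmgfw.efi is signed under Windows UEFI CA 2023 (new boot manager).'
} elseif ($subjects -match 'Windows Production PCA 2011') {
    'bootmgfw.efi is still signed under Windows Production PCA 2011 (old boot manager).'
} else {
    'Unexpected signer chain; inspect the Digital Signatures tab manually.'
}

# Secondary check: even a 2023-signed boot manager only boots if the firmware's
# db variable trusts the 2023 CA. Searching the raw bytes for the CA name is enough here.
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
if ($dbText -match 'Windows UEFI CA 2023') { 'Firmware db contains Windows UEFI CA 2023.' }
else { 'Firmware db does NOT yet contain Windows UEFI CA 2023.' }

# Unmount the EFI partition when done.
mountvol $EfiLetter /d
```

Both results matter: a boot manager signed under the 2023 CA on a system whose db lacks that CA will fail Secure Boot, and the reverse (db updated, boot manager still 2011-signed) means the migration is not finished yet.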
I checked my desktop running the Canary build and I'm not getting the exact box that you posted. If my desktop isn't running the latest certificates, then why is the value in the registry set to 2?
I checked my desktop running the Canary build and I'm not getting anything close to what you posted. If my desktop isn't running the latest certificates, then why is the value in the registry set to 2?

Windows Boot Manager (in the EFI partition) is the first boot program. The registry does not represent the actual situation, because you can modify it at will.