After 2025-10 update, secure boot problems with recovery media built with WinRE?

pokeefe0001 · Oct 19, 2025

I don't understand a word of what I'm posting here. I'm hoping someone will help me understand it.

I've heard that people using Macrium Reflect (and some other unnamed product) that built recovery media using WinRE after installing the Windows 2025-10 update were no longer able to boot the recovery media. My (lack of) understanding is that the new WinRE used the new Windows 2023 security certificate the the recovery media did not recognize platforms using the 2022 certificate as valid.

In all the Windows doc I've seen makes the Windows Secure Boot certificate expiration and remediation sound pretty simple and straightforward. The user experience of people trying to boot recovery media built with post 2025-20 WinRE makes it sound anything but simple and straightforward.

I use Macrium Reflect and am about to install an update that requires building new Recovery Media. I have not yet installed the Window 2025-10 update my computers but intend to soon. I need to build the Reflect Recovery Media based on WinRE because I need the WiFi support. So I can do that now, but if Macrium has another update that requires a rebuild of the recovery media I'll be stuck.

Is this a known problem that has been described other than on the Reflect forum? If so, is the issue with WinRE in the 2025-10 update a temporary one that will be fixed (allowing platforms with the 2011 certificate to be used) or is this a permanent restriction? Or have I completely misunderstood the problem?

Is Windows Secure Boot certificate expiration going to be a problem with old motherboards that are no longer getting BIOS updates, or can software updates somehow make up for old hardware with old certificates? (I really don't understand this!)

Ghot · Oct 19, 2025

@pokeefe0001

Macrium Reflect X

knowledgebase.macrium.com

Format a USB stick (FAT32), ...and scroll down and follow the directions, here... Create New Macrium Reflect Rescue Media

pokeefe0001 · Oct 19, 2025

I know how to create the recovery media - I've been doing it for several years. I'm asking about what will happen in the future when I have to create it again after 2025-10 (or later) Window updates.

garlin · Oct 19, 2025

The answer depends on where you are with the CA 2011 revocation process.

If you haven't touched anything with Secure Boot, then you don't need to rebuild a Macrium USB just yet. Windows is in the optional UEFI migration stage, and nothing mandatory happens until early 2026.

If you have installed the CA 2023 certs (if none of this sounds familiar, you're in the previous category), then you have a choice of using CA 2011 or CA 2023-signed boot files. Your BIOS will trust either version. You don't need to rebuild Macrium USB just yet.

If you have installed the CA 2023 certs and revoked CA 2011 certs (banning them), then you must change the boot file on your Macrium USB. This can be done as Administrator:

Code:

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi F:\EFI\boot\bootx64.efi

Revert to old boot file:

Code:

copy C:\Windows\Boot\EFI\bootmgfw_EX.efi F:\EFI\boot\bootx64.efi

It's not clear if Macrium will adopt some smart logic (c'mon guys, it's NOT THAT DIFFICULT) to figure out if CA 2011 is revoked and build the right USB for you. It's not so much about future Windows, as checking to see where your UEFI status is currently at. Users may elect to disable Secure Boot entirely, and making a new USB drive might be unnecessary.

Ghot · Oct 19, 2025

pokeefe0001 said:
I know how to create the recovery media - I've been doing it for several years. I'm asking about what will happen in the future when I have to create it again after 2025-10 (or later) Window updates.

If you READ that link... you'll see that occasionally, you have to remake the MR bootable Rescue Media with a new ADK, which needs to be downloaded from Microsoft.

Sometimes a Windows update will cause it, sometimes flashing the BIOS causes it.

The trick is forcing the media builder to download and use the newest ADK from MS.
The link in post #2, explains how to do that.

gunrunnerjohn · Oct 19, 2025

@garlin even created a nice batch job for this update, I used it on my Acronis boot to fix the same issue.

Contents of the attached copy Key to Boot USB.BAT file.

Code:

set /p id=Enter Destination Drive Letter with a colon:
echo %id%
pause

COPY %id%\EFI\MICROSOFT\BOOT\BCD %id%\EFI\MICROSOFT\BOOT\BCD.BAK
pause

bcdboot c:\windows /f UEFI /s %id% /bootex
pause

COPY %id%\EFI\MICROSOFT\BOOT\BCD.BAK %id%\EFI\MICROSOFT\BOOT\BCD
pause

glasskuter · Oct 19, 2025

pokeefe0001 said:
I don't understand a word of what I'm posting here

And I don't understand one lick of all the problems that using secure brings along with it. That's why I relieved myself of secure boot in all my machines.
I don't need the added grief.

Good luck in finding your solution.

gunrunnerjohn · Oct 19, 2025

glasskuter said:
And I don't understand one lick of all the problems that using secure brings along with it. That's why I relieved myself of secure boot in all my machines.
I don't need the added grief.

Good luck in finding your solution.

I've had zero problems with Secure Boot once I got it setup and configured. A couple of bootable USB drives didn't like it, but the simple batch script posted by @garlin solved that problem.

glasskuter · Oct 19, 2025

I'm glad for you @gunrunnerjohn.

hsehestedt · Oct 19, 2025

Not to purposely complicate things even further, but right now you would not be able to use a USB mouse or keyboard either since the October Patch Tuesday updates introduced a bug where those devices do not work in Win RE. If you have recovery media created prior to the Oct updates you should be okay, or you could create your recovery media using Win PE rather than Win RE.

What a mess!

pokeefe0001 · Oct 19, 2025

Ghot said:
If you READ that link... you'll see that occasionally, you have to remake the MR bootable Rescue Media with a new ADK, which needs to be downloaded from Microsoft.

I may be completely off base here, but I think downloading and using an ADK is only applicable PE builds. The RE builds of Rescue Media use something (the winre.wim file, maybe) that gets updated by Windows maintenance. And Microsoft did something in the 2025.10 update that has caused RE builds of the Reflect Rescue Media to be unbootable in some environments. PE builds of the Reflect Rescue Media remain usable (assuming a recent enough ADK) if you don't need WiFi support.

Ghot · Oct 19, 2025

pokeefe0001 said:
I may be completely off base here, but I think downloading and using an ADK is only applicable PE builds. The RE builds of Rescue Media use something (the winre.wim file, maybe) that gets updated by Windows maintenance. And Microsoft did something in the 2025.10 update that has caused RE builds of the Reflect Rescue Media to be unbootable in some environments. PE builds of the Reflect Rescue Media remain usable (assuming a recent enough ADK) if you don't need WiFi support.

YES. Use the PE build. ^^

pokeefe0001 · Oct 19, 2025

hsehestedt said:
Not to purposely complicate things even further, but right now you would not be able to use a USB mouse or keyboard either since the October Patch Tuesday updates introduced a bug where those devices do not work in Win RE. If you have recovery media created prior to the Oct updates you should be okay, or you could create your recovery media using Win PE rather than Win RE.

What a mess!

Well, the good news is that Microsoft will have to fix this. If it were just the Secure Boot certificate expiration issue they might be able to tap-dance their way around it.

gunrunnerjohn said:
@garlin even created a nice batch job for this update, I used it on my Acronis boot to fix the same issue.

I see here an explanation of that but I'm not sure I understand. As near as I can tell, with the corrupt WinRE stuff the Reflect Rescue Media already has the 2023 certificates in it.

pokeefe0001 · Oct 19, 2025

Ghot said:
YES. Use the PE build. ^^

Can't. I need WiFi support. I've seen a technique to add WiFi support to WinPE but it looked complicated enough that I could easily mess it up.

Ghot · Oct 19, 2025

pokeefe0001 said:
Can't. I need WiFi support. I've seen a technique to add WiFi support to WinPE but it looked complicated enough that I could easily mess it up.

This won't work for you?

Macrium Reflect User Guide...

https://updates.macrium.com/reflect/v8/user_guide/macrium_reflect_v8.0_user_guide.pdf

This may also help...

Rescue Media

forum.macrium.com

After 2025-10 update, secure boot problems with recovery media built with WinRE?

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

Attachments

My Computers

aka Mama Glass

My Computers

Well-known member

My Computers

aka Mama Glass

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Similar threads