Another Macrium Secure Boot Question


hgratt

Just joined. I’m still unsure of how Macrium 8.0 free will behave when the new certificate is introduced next June. I have perused this forum and have googled and attempted asking questions utilizing AI. Depending on the wording or time of day, I get different answers. So, my simple question is:

I have rebuilt my Macrium 8.0 free USB recovery media using WinRE (Macrium indicated a new version was available for my updated Win 11, version 26200.7462). Will this rebuilt recovery media include the new certificate and be bootable (with secure boot enabled) after June 2026?

I am aware that if it is not bootable, I can simply disable secure boot and then boot from the recovery USB and then enable secure boot after image restore.

Thanks,
Harvey
 
Windows Build/Version
26200.7462 25H2

My Computers

System One System Two

  • OS
    Windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Alienware R13
  • Operating System
    Windows 11
    Computer type
    Laptop
    Manufacturer/Model
    Dell Inspiron 5493
When you use the WinRE build method, it will capture whatever Secure Boot boot file is in place at the time.

Problem 1:
Suppose you started with CA 2011 certs, and made a boot USB. It's captured the CA 2011 boot file.
Later on you revoke the CA 2011 cert, so CA 2011 isn't allowed to boot. This requires you to remake the USB drive after the revocation.

In reality, you probably don't need to start over but copy over a new boot file from the \Windows\Boot\EFI_EX folder.

Problem 2:
Regardless of what boot file is on the USB drive, the Windows image you're backing up has its own version of the boot file.

Suppose you started with CA 2011 certs, and backed up this image. It has the CA 2011 boot file.

But later on, when you want to perform a restore, it's happening after you banned the CA 2011 boot file. So the restored image won't boot, because the restore only has a copy of the old boot file. You can temporarily disable Secure Boot to get Windows running, and then replace the one boot file.

Conclusion:
If you're a Macrium user, right after making the Secure Boot updates, you need to immediately perform TWO TASKS:

1. Redo the recovery USB (or simply replace the boot file on it)
2. Make a new backup (or be ready to replace the boot file when it gets restored).

What's likely going to happen is a large number of users will be stuck with Problems 1 or 2. They didn't realize they need to update the USB recovery drive and/or the backup image. But don't panic. As you pointed out, disable Secure Boot and your PC will allow any version of Windows to boot. Fix the boot file problem, and then enable Secure Boot again.

Whether Macrium will issue a clear guide to help users solve their problems is unknown at this time.
 

My Computer

System One

  • OS
    Windows 7
Thanks for responding. I make full images fairly frequently, and I have one for the latest windows version, which I assume means that the windows image and the recovery USB I just made will contain the 2023 certificate. So, if I understand you, after the 2011 certificate revocation on June 2026 I should be able to boot from the recovery usb and have the restored image be bootable. To be sure, after that date, I will be making another recovery media for the newest OS version and then make a new image. I assume this resolves both problems 1 and 2.

Thanks,
Harvey
 

I hope they won't charge extra for the guide/help
 

My Computer

System One

  • OS
    windows 11
    Computer type
    PC/Desktop
    Manufacturer/Model
    Antec/Case
    CPU
    Intel i5-10600kf
    Motherboard
    GIGABYTE Z590 UD AC
    Memory
    32gb corsair vengerance pro
    Graphics Card(s)
    AMD RX 6500XT
    Sound Card
    onboard
    Monitor(s) Displays
    40" Hisense
    Hard Drives
    Samsung 850
    Samsung 870
    Seagate 2TB
    PSU
    EVGA GQ 750
@garlin Correct me if I am wrong, but I understood that WINRE boot media created in the free version of Macrium will no longer work since it will not include the required ADK that can address revocations. (It was one of the Macrium 8.1 versions that addressed all that secure boot and revocations crap) Whether or not the user could create WINPE rescue media, then turn off secure boot before booting from it, I can not say as I have never tried it myself.

While I am one of Macrium's biggest fans (I used it today) I would steer anyone who doesn't want to pay to play to the free Hasleo Backup Suite rather than the very old free version of Macrium. Hasleo is easy as pie and continuously updated to work with later versions of Windows.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Dell Optiplex 7080
    CPU
    i9-10900 10 core 20 threads
    Motherboard
    DELL 0J37VM
    Memory
    32 gb
    Graphics Card(s)
    none-Intel UHD Graphics 630
    Sound Card
    Integrated Realtek
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    2x1tb Solidigm m.2 nvme /External drives 512gb Samsung m.2 sata+2tb Kingston m2.nvme
    PSU
    500w
    Case
    MT
    Cooling
    Dell Premium
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    so slow I'm too embarrassed to tell
    Browser
    #1 Edge #2 Firefox
    Antivirus
    Defender+MWB Premium
  • Operating System
    Windows 11 Pro 24H2 26200.8457
    Computer type
    PC/Desktop
    Manufacturer/Model
    Beelink Mini PC SER5
    CPU
    AMD Ryzen 7 6800U
    Memory
    32 gb
    Graphics card(s)
    integrated
    Sound Card
    integrated
    Monitor(s) Displays
    Benq 27
    Screen Resolution
    2560x1440
    Hard Drives
    1TB Crucial nvme
    Keyboard
    Logitech wired
    Mouse
    Logitech wireless
    Internet Speed
    still too embarrassed to tell
    Browser
    Firefox
    Antivirus
    Defender
    Other Info
    System 3 is non compliant Dell 9020 i7-4770/24gb ram Win11 PRO 26200.8457
OK, here's the dirty secret... you can formally run bcdboot on the target USB, using your Windows system to fix the drive. It doesn't matter if you used the ADK or WinRE method to create the drive. Informally, you just copy over the existing \EFI\Boot\bootx64.efi on the USB.

IMO, Macrium has a duty to add detection of the boot file into their app. Both to detect an inserted Recovery drive, and confirm "yep it will boot on the current system" or "go update it for me (using some recommended method)". What would be nice would be a "repair" option, where it checks your UEFI status and copies the right boot file on your behalf.

If your Windows isn't updated to June 2025, they should detect that and insist you go install Windows updates for your own sake.

The original logic behind ADK vs WinRE was that in the months before April 2024, the latest boot files weren't always rolled into Windows. They were provided in the ADK for IT pros, who are building custom ISOs. But since Secure Boot migration is coming to every supported W10/11 PC, the required files are now part of the Monthly Update and have been provided since 24H2 released.

So the ADK is no longer needed as the source for these files. Unless you're stuck on a legacy Windows release older than W10 22H2 or W11.

I already wrote an example script to "fix" USB drives. Once you understand the logic for checking the UEFI status, it's not a difficult programming exercise.
 

It turns out Macrium 8 users are missing the boat:

In Macrium Reflect 10.0.8731, a new option has been added to this page to configure the 'Boot Media Signing Certificate'. This new option accounts for changes that Microsoft are gradually rolling out to update UEFI boot systems. These updates involve, among other things, revoking the existing Windows Production PCA 2011 code signing certificate and replacing it with the newer “Windows UEFI CA 2023” signing certificate. It is important that rescue media is built with files signed with the same certificate that is active on the system where the rescue media is being used. This is primarily a concern for systems where the Windows Production PCA 2011 certificate has been revoked, and will not affect systems where the Windows Production PCA 2011 certificate is still installed.

| Option | Description |
| --- | --- |
| Choose the best option for this computer | This option will automatically select the correct certificate for the system where the rescue media is being built. This is the recommended option when creating rescue media that will primarily be used on the system where it is created. |
| Windows Production PCA 2011 | This option should be selected when rescue media will be used on a different system to where the rescue media is created that does not have the Windows UEFI CA 2023 certificate installed into the UEFI Secure Boot Allowed Signature Database. |
| Windows UEFI CA 2023 | This option should be selected when rescue media will be used on a different system to where the rescue media is created and the Windows Production PCA 2011 certificate has been revoked. |

10.0.8731 was released on Nov 19, 2025. Alright, my ranting on Macrium is done for the year...
You free users on Macrium 8 probably need that boot file script...
 

@garlin You understand it. I've been around the block a few times and lay no claim to understanding ANY of it and it pi$$e$ me off that I can't.
Biggest mental block I have ever had that wouldn't eventually soak in.
 

So, not as easy as I was hoping. Summing up then, it appears that:

1. Without running additional scripts, etc., Macrium 8.0 free will have issues after June 2026.
2. It’s still not clear if turning secure boot off, booting from the recovery USB, then restoring an image and then turning secure boot back on will work. Specifically, if I make an image with the latest 25H2 version (now or after June 2026), will the secure boot on/off methodology work without any additional user interventions?
3. I assume that Hasleo free will properly handle all this without user intervention, correct?

Thanks @garlin and @glasskuter,
Harvey
 

SECURE BOOT on'n'off will have no issues. OFF does not require any sort of certificate validation for BOOTing purposes. All should work fine until you decide how to handle your FREE Recovery Media as far as validation is concerned.
 

My Computer

System One

  • OS
    Windows 10, (also 7, 11, Linux <MINT & ZorinOS>)
    Computer type
    PC/Desktop
    Manufacturer/Model
    HP Z2 G5 Workstation
    CPU
    Intel Core i7-10700
    Motherboard
    HP Model# 8751
    Memory
    32gB (DDR4)
    Graphics Card(s)
    Intel UHD Graphics 630
    Sound Card
    Realtek basic audio
    Monitor(s) Displays
    32" (Viewsonic)
    Screen Resolution
    3840 x 2160
    Hard Drives
    (3) NvME SSDs <(1) PCiE v3>, (1) SATA3 SSD
I use Macrium Reflect Free 8.0.7783 and just started following this topic. I updated the Secure Boot certificates on my Lenovo T490 a couple days ago so both the 2011 and 2023 certificates are present.

I typically do a full backup on Sunday mornings, so I will be doing one tomorrow. Reading post #2 from @garlin if I understand it correctly, I should create a new Macrium boot flash drive now before running the backup tomorrow. Am I understanding that correctly?
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 25H2
    Computer type
    Laptop
    Manufacturer/Model
    Lenovo T490 (2020 Hardware)
    CPU
    i7-8565U
    Motherboard
    20N20028US
    Memory
    16GB
    Graphics Card(s)
    Intel UHD Graphics 620
    Sound Card
    Realtec Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 970 PRO 512GB NVMe
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Supported hardware, upgraded from Windows 10 Pro to Windows 11 Pro version 24H2 on 06/01/2025 using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/07/2025. Secure boot enabled. Secure Boot CA 2023 updated.
  • Operating System
    Windows 11 Pro 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Lenovo ThinkCentre M83 (2014 Hardware)
    CPU
    i7-4770 (with SSE4.2, and POPCNT)
    Motherboard
    10AL000GUS
    Memory
    16GB
    Graphics card(s)
    Intel HD Graphics 4600
    Sound Card
    Realtec High Definition Audio
    Monitor(s) Displays
    ASUS VE248
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung SSD 860 PRO 1TB SATA
    Internet Speed
    Frontier fiber 1GB
    Browser
    Chrome, Firefox, Edge
    Antivirus
    Norton 360 Deluxe Plus
    Other Info
    Unsupported hardware, upgraded from Windows 10 Pro (TPM 1.2 & unsupported CPU, but does have SSE4.2, and POPCNT) to Windows 11 Pro version 24H2 on 06/15/2025. Added Registry Key HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup – AllowUpgradesWithUnsupportedTPMOrCPU=1 to allow installation using the Windows 11 ISO file. Used the enablement package to upgrade to version 25H2 on 10/08/2025. Secure boot enabled. Secure Boot CA 2023 updated.
Macrium first addressed dealing with secure boot revocations in recovery media created in ver. 8.1.7544 or later.

It's all this "maybe it will work when I need it, maybe it won't, should I do this or shouldn't I" that is the reason I do not suggest anyone use Macrium Free anymore. We rode that Macrium free train for many years but that comfortable ride is not free anymore and IMO our imaging should not be where we gamble. Those of us who are die-hard Macrium fans have chosen to stay with its paid version UNTIL Macrium's greed prices it out of the range of our pocketbooks. I, for one, will move on when it does.

There are very few decent free imaging apps left that are being actively developed. They have been discussed many times here. Some are more clunky and non-intuitive than others. Some are more feature-rich than others. Some can deal with device encryption/BitLocker. IMO the best balance of everything is in Hasleo.
 

Can't you just turn off secure boot temporarily when running Reflect restores?
 

My Computer

System One

  • OS
    Windows 11 Pro + Win11 Canary VM.
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Zenbook 14
    CPU
    I9 13th gen i9-13900H 2.60 GHZ
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB soldered
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    laptop OLED screen
    Screen Resolution
    2880x1800 touchscreen
    Hard Drives
    1 TB NVME SSD (only weakness is only one slot)
    PSU
    Internal + 65W thunderbolt USB4 charger
    Case
    Yep, got one
    Cooling
    Stella Artois (UK pint cans - 568 ml) - extra cost.
    Keyboard
    Built in UK keybd
    Mouse
    Bluetooth , wireless dongled, wired
    Internet Speed
    900 mbs (ethernet), wifi 6 typical 350-450 mb/s both up and down
    Browser
    Edge
    Antivirus
    Defender
    Other Info
    TPM 2.0, 2xUSB4 thunderbolt, 1xUsb3 (usb a), 1xUsb-c, hdmi out, 3.5 mm audio out/in combo, ASUS backlit trackpad (inc. switchable number pad)

    Macrium Reflect Home V8
    Office 365 Family (6 users each 1TB onedrive space)
    Hyper-V (a vm runs almost as fast as my older laptop)
I've understood that is the case when using WinPE based recovery media or when Macrium is added to boot menu. But what the hell do I know? I have more holes in my understanding of this than my husband has in his shorts.
 

You can disable Secure Boot regardless of which option (WinPE/ADK or WinRE) was used to create the backup.

Here's a PowerShell script you can run as Administrator. It checks what is currently allowed by UEFI (CA 2011 or CA 2023). If your UEFI is set for CA 2023, then it will copy over that boot file to Windows or any mounted USB stick as needed. Only USB drives that have a boot file will be checked, anything else that is a plain data drive will be ignored.

If nothing needs to be done, it will inform you of that.
 

Attachments
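The check described in the post above (what UEFI currently allows versus which CA signed the boot file on each USB stick), as an added PowerShell example. It is not the attached script and not Macrium code; it only reports and never copies files, and the function names and the -DriveLetter parameter are made up for this sketch. It assumes CA 2011 is still in db whenever it has not been revoked, and it does not evaluate individual hash entries in dbx.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only audit, nothing is copied or changed.
# Function names and the -DriveLetter parameter are made up for this sketch.
param(
    # Drive letters to audit, e.g. -DriveLetter G,H. Default: every removable volume.
    [string[]]$DriveLetter
)

# Certificate names as they appear in the UEFI variables and in signer certificates.
$CA2011 = 'Microsoft Windows Production PCA 2011'
$CA2023 = 'Windows UEFI CA 2023'

function Test-UefiVariableContains {
    param([string]$Name, [string]$Text)
    # Get-SecureBootUEFI throws on legacy BIOS systems; report that as "not present".
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Text)
    } catch { return $false }
}

function Get-BootFileCA {
    param([string]$Path)
    # The boot manager's signing certificate is issued by one of the two CAs.
    $cert = (Get-AuthenticodeSignature -FilePath $Path).SignerCertificate
    if (-not $cert) { return 'unsigned' }
    if ($cert.Issuer -match [regex]::Escape($CA2023)) { return 'CA 2023' }
    if ($cert.Issuer -match [regex]::Escape($CA2011)) { return 'CA 2011' }
    return "other ($($cert.Issuer))"
}

function Get-BootVerdict {
    param([string]$FileCA, [bool]$Db2023, [bool]$Dbx2011, [bool]$SecureBootOn)
    if (-not $SecureBootOn)                  { return 'boots (Secure Boot is off, no signature check)' }
    if ($FileCA -eq 'CA 2023' -and $Db2023)  { return 'boots' }
    if ($FileCA -eq 'CA 2023')               { return 'BLOCKED: CA 2023 is not in db' }
    if ($FileCA -eq 'CA 2011' -and $Dbx2011) { return 'BLOCKED: CA 2011 is revoked in dbx' }
    # Assumption: CA 2011 is still trusted in db when it has not been revoked.
    if ($FileCA -eq 'CA 2011')               { return 'boots today; replace before CA 2011 is revoked' }
    return 'unknown signer, check manually'
}

# Current firmware state.
$secureBootOn = try { [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $false }
$db2023  = Test-UefiVariableContains -Name db  -Text $CA2023
$dbx2011 = Test-UefiVariableContains -Name dbx -Text $CA2011
Write-Host "Secure Boot on: $secureBootOn | CA 2023 in db: $db2023 | CA 2011 in dbx: $dbx2011"

# Some USB sticks and external SSDs report as 'Fixed'; name those with -DriveLetter.
if (-not $DriveLetter) {
    $DriveLetter = Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter -match '[A-Za-z]' } |
        ForEach-Object { [string]$_.DriveLetter }
}

# Only drives that carry a boot file are checked; plain data drives are skipped.
$bootFiles = foreach ($letter in $DriveLetter) {
    '\EFI\Boot\bootx64.efi', '\EFI\Microsoft\Boot\bootmgfw.efi' |
        ForEach-Object { "${letter}:$_" } |
        Where-Object { Test-Path -LiteralPath $_ }
}

if (-not $bootFiles) { Write-Host 'No drive with an EFI boot file found; nothing to check.' }

foreach ($file in $bootFiles) {
    $ca = Get-BootFileCA -Path $file
    [pscustomobject]@{
        File     = $file
        SignedBy = $ca
        Verdict  = Get-BootVerdict -FileCA $ca -Db2023 $db2023 -Dbx2011 $dbx2011 -SecureBootOn $secureBootOn
    }
}
```

To audit the installed boot manager as well (the file a restored image brings back), mount the ESP with mountvol z: /s, as done later in this thread, and pass -DriveLetter Z.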

@garlin I found this in the Macrium Knowledgebase and tried the steps for Windows RE.


I was hoping that step 6 which forces the WIM rebuild would make a difference, but it didn't. I still can't boot from the USB drive without first turning off Secure Boot in the BIOS (UEFI).
 

FWIW, over the last month or so I’ve been experimenting with Hasleo free on a gifted older Win 10 laptop. I’ve successfully made a dozen or more images and have successfully restored at least six of the images using their recovery USB media. While I’m not quite ready to switch over yet on my Win 11 computers, you may want to try it out and see if the Hasleo recovery USB can boot on a Win 11 machine with the new certificates. Info on the web claims their recovery media should be compatible with Secure Boot activated.
 

While searching the internet for solutions, I came across this and tried it. Didn't work. Still can't boot from the Rescue stick.

MacriumPEWIM.webp
 

From what I can gather your usb needs the same boot files as your running system. If it has the other ones you need to turn off secure boot.

Why not copy the files from your esp partition onto the usb stick
\EFI\Boot\bootx64.efi
\EFI\Microsoft\Boot\bootmgfw.efi

mount the esp partition as e.g. letter z

at admin cmd prompt

mountvol z: /s

copy those two files from Z to whatever letter your usb stick is

If your usb stick is G

copy /y z:\EFI\Boot\bootx64.efi g:\EFI\Boot\bootx64.efi

copy /y z:\EFI\Microsoft\Boot\bootmgfw.efi g:\EFI\Microsoft\Boot\bootmgfw.efi

unmount esp partition

mountvol z: /d


Try that and see if it does the trick. That is a guess, I don't know if anything else needs changing. Try it and find out.
 

My Computers

System One System Two

  • OS
    Win7,Win11
    Computer type
    PC/Desktop
    CPU
    i7-9700
    Motherboard
    gigabyte b365m ds3h
    Memory
    2x16gb 3600mhz
    Monitor(s) Displays
    benq gw2480
    PSU
    bequiet pure power 11 400CM
    Cooling
    cryorig m9i
  • Operating System
    win7,win11
    Computer type
    PC/Desktop
    CPU
    i5-8400
    Motherboard
    gigabyte b365m ds3h
    Memory
    2x8gb 3200
    PSU
    xfx pro 450
Pardon my naive question but won't simply recreating the USB boot drive with Macrium "Create Rescue Media" implement the correct certificate (assuming you've already got the 2023 cert on your PC)? If it matters I'm referring to the commercial (paid) version of Macrium 8.
 

My Computer

System One

  • OS
    Windows 11 Professional 25H2
    Computer type
    PC/Desktop
    Manufacturer/Model
    Digital Storm VELOX
    CPU
    Intel Core i9 11900K
    Motherboard
    ASUS PRIME Z590-P
    Memory
    64GB
    Graphics Card(s)
    NVIDIA GeForce GTX 1650
    Sound Card
    Realtek onboard
    Monitor(s) Displays
    Acer R221Q 21.5"
    Screen Resolution
    1920 x 1080
    Hard Drives
    2 x Samsung SSD 990 EVO Plus (1 TB)
    2 x Seagate ST4000NE001 (4 TB)
    PSU
    None
    Case
    VELOX
    Cooling
    Cooler Master
    Keyboard
    Logitech
    Mouse
    Kensington trackball
    Browser
    Firefox, Chrome
    Antivirus
    Windows Defender, Malwarebytes