Another Macrium Secure Boot Question

kelper · Jan 22, 2026

I did just that.

Bree · Jan 22, 2026

OldMainframeGuy said:
My version of Macrium 8 is up to date so I'm going to presume by recreating the recovery media the correct certificates will be propagated.

Macrium have just added another month to the extended support for Reflect v8.1.

Bree said:
~~Update: The end date for Extended Support has now been revised to 22 Jan 2026~~, meaning that we may yet see another update for v8.
Update 22 Jan 2026: extended support has been revised again. It now ends on 27 Feb 2026.

Latest Macrium Reflect 8 updates - post #1

I suspect the reason they keep revising the end date (twice now) is that they're still working on a final update to deal with the CA 2011 revocation.

andrew129260 · Jan 22, 2026

Bree said:
Macrium have just added another month to the extended support for Reflect v8.1.

Latest Macrium Reflect 8 updates - post #1

I suspect the reason they keep revising the end date (twice now) is that they're still working on a final update to deal with the CA 2011 revocation.

Pretty nice of them honestly.

SIW2 · Jan 22, 2026

kelper said:
I did just that.

You might be missing winre.wim

that is another barrel of eels

what do you get from

admin cmd prompt

reagentc -info

nikki605 · Jan 22, 2026

OldMainframeGuy said:
Pardon my naive question but won't simply recreating the USB boot drive with Macrium "Create Rescue Media" implement the correct certificate (assuming you've already got the 2023 cert on your PC)? If it matters I'm referring to the commercial (paid) version of Macrium 8.

I have the free version 8 and no, that does not work.

kelper · Jan 23, 2026

SIW2 said:
You might be missing winre.wim

that is another barrel of eels

what do you get from

admin cmd prompt

reagentc -info

It was disabled; good call. I enabled it but still get that error when booting into Hasleo or Macrium Recovery.

itsme1 · Jan 23, 2026

hgratt said:
FWIW, over the last month or so I’ve been experimenting with Haselo free on a gifted older win 10 laptop. I’ve successfully made a dozen or more images and have successfully restored at least six of the images using their recovery usb media. While I’m not quite ready to switch over yet on my win 11 computers, you may want to try it out and see if the Haselo recovery usb can boot on a win 11 machine with the new certificates. Info on the web claims their recovery media should be compatible with Secure Boot activated.

Yes, everything's working for me. The 2023 certificates are applied, and the SVN and SkuSiPolicy.p7b are applied. I haven't revoked the 2011 PCA certificate yet. I can boot the Hasleo Backup rescue disk. It's the latest stable version of Hasleo Backup. When I create the rescue disk, I don't check the "Download WinPE component" option."

Anibor_11 · Jan 23, 2026

itsme1 said:
When I create the rescue disk, I don't check the "Download WinPE component" option."

So you´re creating a WinRE with an updated bootloader, that will almost always boot. Try with a WinPE, download the files. Secure Boot will probably block it. .

itsme1 · Jan 23, 2026

Anibor_11 said:
So you´re creating a WinRE with an updated bootloader, that will almost always boot. Try with a WinPE, download the files. Secure Boot will probably block it. .

The "Download WinPE component" option is unchecked by default. I've always done it this way, and I mentioned that I don't check this option because it might not work.

I just tested it with downloaded WinPE files. Secure Boot doesn't block it. But it doesn't start because of the SVN I applied. I get this message: "current svn 2.0, minimum allowed is 7.0". The WinPE SVN is 2.0. If I hadn't applied SVN 7.0, the WinPE 2.0 SVN would have started because I didn't revoke the PCA 2011 certificate.

neldog · Jan 23, 2026

garlin said:
You can disable Secure Boot regardless of which option (WinPE/ADK or WinRE) was used to create the backup.

Here's a PowerShell script you can run as Administrator. It checks what is currently allowed by UEFI (CA 2011 or CA 2023). If your UEFI is set for CA 2023, then it will copy over that boot file to Windows or any mounted USB stick as needed. Only USB drives that have a boot file will be checked, anything else that is a plain data drive will be ignored.

If nothing needs to be done, it will inform you of that.

Hi garlin - Does this look good to you? Thanks...

PowerShell 7.5.4
PS C:\Users\neldog\Documents\Computer Files\Dell Tower Plus EBT2250\Secure Boot UEFI\New Garlin Scripts\New Garlin Jan 15> .\Check_UEFI-CA2023.ps1 -BootMedia
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows PCA 2010
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.

Bootable Media
--------------
USB Drive D: "MACRIUM"
Boot File [Windows UEFI CA 2023] is ALLOWED.
USB Drive E: "26200-7462"
Boot File [Windows UEFI CA 2023] is ALLOWED.
boot.wim:2 Boot Manager [Windows UEFI CA 2023] is PRESENT.
install.swm:1 Boot Manager [Windows UEFI CA 2023] is PRESENT.
Skipping checks on next 6 install.swm images.

STATUS REPORT
-------------
Registry: UEFICA2023Status = Updated

SUCCESS: NO UPDATES ARE REQUIRED.

nikki605 · Jan 23, 2026

SIW2 said:
From what I can gather your usb needs the same boot files as your running system. If it has the other ones you need to turn off secure boot.

Why not copy the files from your esp partition onto the usb stick
\EFI\Boot\bootx64.efi
\EFI\Microsoft\Boot\bootmgfw.efi

mount the esp partition as e.g. letter z

at admin cmd prompt

mountvol z: /s

copy those two files from Z to whatever letter your usb stick is

If your usb stick is G

copy /y z:\EFI\Boot\bootx64.efi g:\EFI\Boot\bootx64.efi

copy /y z:\EFI\Microsoft\Boot\bootmgfw.efi g:\EFI\Microsoft\Boot\bootmgfw.efi

unmount esp partition

mountvol z: /d

Try that and see if it does the trcik . That is a guess , I dont know if anything else needs changing, Try it and find out.

@SIW2 SUCCESS!!! Copying both files worked like a charm! I can now boot the Macrium Reflect Free 8.0.7783 Rescue USB sticks on both of my PCs without turning off Secure Boot in the BIOS (UEFI). This will allow me to keep using the free version of Macrium Reflect. Thanks for the great suggestion!!

SIW2 · Jan 23, 2026

This will allow me to keep using the free version of Macrium Reflect. Thanks for the great suggestion!!

itsme1 · Jan 23, 2026

@Anibor_11
When I tested it, I created an ISO for Ventoy. Ventoy has a Windows mode for launching ISOs, which I didn't test with this Hasleo ISO using WinPE.

PerpetualCycle · Jan 23, 2026

Will post this once again:

You can manually update macrium so it uses the 2023 bootmgr files when it makes a rescue media.

Assuming you have you macrium boot files in the default location c:\boot, then make the following changes in an elevated command window:

Admin Command Prompt Type:

mountvol s: /s
copy s:\EFI\Boot\bootx64.efi c:\boot\macrium\WinREFiles\media\EFI\bootx64.efi
copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

This will copy the 2023 signed boot files from your EFI partition to the files macrium uses to generate rescue media. Whenever you make a new rescue media, it will have the correct 2023 CA signed files

This whole situation is why Microsoft recommended not to ban the 2011 CA prematurely. Users shouldn't have to endure this. They never should have made that announcement until they had it a little more together.

SIW2 · Jan 23, 2026

If you are sure you want the cak 2023 could alternatively be copied from _ex folders
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

Dirtyflash · Jan 23, 2026

Seems there multiple ways to update the bootloader on a Macrium USB Recovery Drive. " All roads lead to Rome ".

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi D:\EFI\Microsoft\Boot\bootmgfw.efi

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi D:\EFI\Boot\bootx64.efi

SIW2 · Jan 23, 2026

Is there an echo in here.

Dirtyflash · Jan 23, 2026

SIW2 said:
Is there an echo in here.

Nope, never noticed a batch script.

PerpetualCycle · Jan 23, 2026

SIW2 said:
Is there an echo in here.

Yeah like you did me LOL

PerpetualCycle · Jan 23, 2026

Dirtyflash said:
Seems there multiple ways to update the bootloader on a Macrium USB Recovery Drive. " All roads lead to Rome ".

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi D:\EFI\Microsoft\Boot\bootmgfw.efi

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi D:\EFI\Boot\bootx64.efi

That only works for a specific D: drive. The other methods allow you to create a boot media from the macrium menu with the correctly signed files.

Another Macrium Secure Boot Question

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Syzygy

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Syzygy

My Computers

Syzygy

My Computers

Similar threads