Another Macrium Secure Boot Question

JLArranz · Jan 24, 2026

I use to do Rescue Media based in WinRE (Macrium default) and WinPE (started to do it around build 7675 for a problem in WinRE or in the produced Rescue Media, fixed long ago).

I have updated my UEFI Secure Boot. My UEFI had the "do not trust - AMI test" PK. I was thinking SB was on since ever but I found it off. With the Garlin's scripts I could replace the PK with the standard "Windows OEM" one and write the 2023 KEK and DB entries fine. I also did the 2011 revocations but the only visible result was the add of PCA 2011 to DBX, all 2011 keys including this were still in their places (I have the two KEKs). SkuSiPolicy, SVN and 2023 Boot Manager were correct and the scripts saying success. I would have left it so (that is what the scripts are for, big thanks :) ) but I was hoping to keep my previous bootable medias system: the Windows Recovery disk (turned into an iso) and several Macrium isos in a single multiboot pendrive with WinSetupFromUSB. To "un-revoke" 2011 I decided to return DBX to factory (the other alternative was to delete only PCA 2011 from DBX, but I thought the reset of DBX was better as it would re-populate fast and consistently, the re-population isn't happening, I have DBX in factory state -w/o SVN either-, and Idk if it's very consistent or very good, but I'm not having major problems).

"Today" I have learnt that WinSetupFromUSB is too old for 2023 but also that newer options like Ventoy sometimes work sometimes don't (according to the net, this system hasn't seen Ventoy). This computer has needed very little Macrium or Recovery disk so I've decided it isn't so bad to use them with Secure Boot off (the motherboard eases this: if there's a "light" Secure Boot violation -detected as a 0xC0000428 error in Winload.efi etc- your main option is going to the BIOS/UEFI setup). But I've been doing a lot of proofs.

Replacing only bootx64.efi gets my WinSetupFromUSB stick to present the menu, although neither of the isos work (all built months ago). Not doing this replacement causes a "strong" Secure Boot violation with a red Window. Additionally replacing WinSetupFromUSB's bootmgfw.efi does neither improve nor worsen anything. Neither of the two replacing options I've tried (only bootx64 or bootx64+bootmgfw) fixes the Macrium isos. The recovery media "iso" is divided in 4 files for the 4GB FAT32 limit so I haven't bothered with it.

I thought I needed to try the isos in a more standalone fashion, but my first attempt was a new WinSetupFromUSB pendrive with only one iso, it worked the same except that replacing boox64.efi doesn't get anything. Then I learnt you can do a bootable iso with diskpart (clean - create partition primary - active - format fs=ntfs quick - assign letter=f ; careful when selecting the disk!!!!) and copying the files (my iso extension is owned by ImgBurn, but opening an iso with Windows Explorer -right-click menu- is like inserting a drive with the iso contents, that you can copy dragging it with the mouse, then you right-click in the drive and "Eject" it). My only success with this technique has been booting a new Macrium WinRE iso produced after rebuilding the WIM like Macrium suggests ( Windows Security update for Secure Boot - Knowledgebase 8.0 - Macrium Reflect Knowledgebase ). Neither the previous ones I have stored nor a new one I did after the Secure Boot update but before rebuilding the WIM could boot with Secure Boot (w/ bootx64 bootmgfw replaced or not).

As for Macrium WinPE Rescue medias in pendrives prepped with diskpart, they act as if they weren't recognized as bootable (you select the entry, tap Enter, a slight blink in the screen and nothing more, you can choose another boot entry), either before or after applying the Macrium proposed Remedy for WinPE. These medias require Secure Boot off here.

Caledon Ken · Jan 25, 2026

SIW2 said:
If you are sure you want the cak 2023 could alternatively be copied from _ex folders
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\bootx64.efi
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

Are these commands to update the boot menu option for macrium or are they updating the macrium folder and from there you just rebuild the boot menu option and your USB Media. Sorry for the dumb question.

SIW2 · Jan 25, 2026

updating the macrium folder and from there you just rebuild your USB Media.

yes if you are sure you want the 2023 files on the usb stick.

the boot menu option

uses the files on your current esp

If you are not sure whether you want 2011 or 2023 files for the usb stick, copy them from the esp instead of from the _ex folders

in my little simple pe batch file i have been doing it like this ( though obviously with a different destination)

could be done like this or just manually

Code:

@echo off
vol Z: Y: X: W: V: U: T: S: R: Q: P: O: N: M: L: K: J: I: H: G: F: E: D: C: 1>nul 2>%temp%\VErr.txt
for /F "tokens=5 delims=. " %%A in (%temp%\VErr.txt) do set NL=%%A
mountvol %NL% /s
copy /Y %NL%\EFI\Boot\bootx64.efi "%systemdrive%\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi"
copy /Y %NL%\EFI\Microsoft\Boot\bootmgfw.efi "%systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi"
mountvol %NL% /d
pause

Caledon Ken · Jan 25, 2026

Your skill set is miles above mine.

My current "esp" meaning?

Not even sure what the difference between 2011 and 2023 is so I'm off to look that up.

Thank you

Caledon Ken · Jan 25, 2026

Okay the 2011's expiry so I'm not sure why if we are doing this would anyone "want" the 2011 files.

I know in the last year I went through and rebuilt all USB media for about 25 clients. What a process. Of course disable secure boot is an alternative.

I do want to update the boot option so I'm looking forward to definition of "esp". I think it is the media you create with media creation tool.

SIW2 · Jan 25, 2026

esp = efi system partition

it is typically the first partition on a gpt disk. It is where the boot critical files live

Bree · Jan 25, 2026

Caledon Ken said:
Not even sure what the difference between 2011 and 2023 is so I'm off to look that up.

Some light reading for you....

Windows Secure Boot certificate expiration and CA updates - Microsoft Support

support.microsoft.com

Caledon Ken · Jan 26, 2026

So a more basic question about these certificates.

If an everyday user does not use Macrium of some other app that requires "Rescue / Boot" media will Windows update perform the necessary updates to all "Internal" boot files to update these certificates?

and if so, if those using "Rescue / Boot" won't it naturally update once they recreate their media?

I'm obviously missing something. Are these threads just trying to be ahead of the game?

Sorry for all the questions?

hgratt · Jan 26, 2026

PerpetualCycle said:
Will post this once again:

You can manually update macrium so it uses the 2023 bootmgr files when it makes a rescue media.

Assuming you have you macrium boot files in the default location c:\boot, then make the following changes in an elevated command window:

Admin Command Prompt Type:

mountvol s: /s
copy s:\EFI\Boot\bootx64.efi c:\boot\macrium\WinREFiles\media\EFI\bootx64.efi
copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

This will copy the 2023 signed boot files from your EFI partition to the files macrium uses to generate rescue media. Whenever you make a new rescue media, it will have the correct 2023 CA signed files

This whole situation is why Microsoft recommended not to ban the 2011 CA prematurely. Users shouldn't have to endure this. They never should have made that announcement until they had it a little more together.

Am I correct in assuming that after executing these commands, one should unmount the volume via:

mountvol s: /d

Or by restarting the computer?

OldNavy · Jan 26, 2026

This all looks so complicated i can see Microsoft getting themselves in to a giant mess when hundereds of millions of computers start updating.

kelper · Jan 26, 2026

I have followed all the ways to update rescue media for Macrium Reflect and, by deduction, Hasleo and yet neither will boot unless I disable Secure Boot. No big deal.

JLArranz · Jan 26, 2026

Caledon Ken said:
So a more basic question about these certificates.

If an everyday user does not use Macrium of some other app that requires "Rescue / Boot" media will Windows update perform the necessary updates to all "Internal" boot files to update these certificates?

and if so, if those using "Rescue / Boot" won't it naturally update once they recreate their media?

I'm obviously missing something. Are these threads just trying to be ahead of the game?

Sorry for all the questions?

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 - Microsoft Support

support.microsoft.com

It's explained in the MS page for which I've posted 3 links, to the upper part with the index just below and to two index-linked sections. I mean, imo there isn't a shortcut and you should read the whole page, that is long, but I'll do some introduction here.

The most important to avoid problems is understanding that not only the Windows disk contents matters. The UEFI BIOS itself is also updated (nothing matters for pure BIOS systems, but "the system" tends to leave the old behind...). Ideally both should be updated by MS or by the user at the same time "in armony", but errors happen. "Armony" is often damaged or destroyed by random events, sw errors, hw errors, user errors and what not. MS has opted to copy the necessary files through WU, including those whose destiny is the UEFI BIOS NVRAM ("the BIOS" in short and traditionally but I'm avoiding this term), and give instructions for a manual update of the Secure Boot subsystem (in the above linked page).

The whole "reform" is of two things or even three at the same time...

It depends on if there's a new UEFI BIOS update or not. This update might come with the new Secure Boot keys already installed what could save user work, cause issues or both (I'm calling just "keys" to what's actually a mix of keys, signatures and hashes). Very new systems could only have 2023 keys (I mean keys for the "2023 system").

W/o imaging apps or medias, you know the recovery means available is the restore points, that are anything but perfect in what they can do (changing the Windows disk contents), and that cannot do anything about the other item(s) involved, specially updating or reverting the UEFI BIOS version (it isn't metaphysically impossible that they could update, or revert, the Secure Boot keys in concordance with the changes in Windows, but I wouldn't way take it as granted, although I know little about System Restore in general and nothing about how does it perform with problems here).

That said, even w/o imaging, there're a lot of "metaphysically possible" resources to try to repair a Windows, remedies that can work in potentially any system, but the Secure Boot keys management in the UEFI BIOS isn't way uniform. I happen to have a good Windows 11 hw for this even if it isn't a lot clear (in Windows 10 I'm in CSM-UEFI-GPT... and of course no SB for the moment), but I've heard of at least a model whose SB UEFI interface is just Enabled/Disabled.

Secure Boot "keys" (the "authorizations" I speak about for terseness aren't "actions" taken by the keys, it's the user or the OS what can insert and delete keys, provided they fulfill the "authorization rules"):

- Platform Key (PK). This is like "the president". This key has a problem in some computers quite widespread: it's the "Do not trust. AMI test" not valid one (at least not way for 2023, but I had that PK and I found my SB disabled when I was thinking it was enabled, with my computer still 100% 2011, I visit very little this UEFI BIOS, if I had just enabled SB in this state, would Windows have booted? I just didn't try and Idk). It took me like 30 min or so to discover the method to change it, I had to delete the old PK before my UEFI BIOS could read and accept the replacement ("Windows OEM devices", a generic MS one) that had been written to the EFI partition by the Garlin's script. Idk if computers with a decent PK need to replace it for 2023.

- Key Exchange Key(s) (KEK). This or these are like "the CEO(s)", they are "authorized" by the PK. I have one for 2011 and one for 2023 and I believe this is common in computers w/ SB updated.

- DB (database of authorized, by the KEKs): keys signatures and hashes that identify univocally one sw booting element that is allowed to boot.

- DBX (database of excluded, by the KEKs): id but the element isn't allowed to boot, even if it's in the DB too. Its presence in the DBX takes precedence to not boot up.

With Secure Boot enabled, only elements that are in the DB and not in the DBX are allowed to boot. With Secure Boot disabled, there isn't such restriction. The inability to boot w/ SB enabled is sometimes detected "directly" and the motherboard takes a drastic action, like displaying a message for 10 seconds and shutting down. In my case, most times, it's detected as a 0xC0000428 error (inability to check the signature) in winload.efi. This is what the hw detects and it doesn't imply there's an actual problem with that concrete file. In this case my hw is a lot less "drastic": in practice it forces me to visit the UEFI (the other 2 options do nothing). Maybe this mandatory visit is on purpose: if you use a booting media and it doesn't boot with Secure Boot, a "kind of standard" fix is disabling SB temporarily.

What about just disabling Secure Boot? The big problem of this happens if later on you have to or decide to enable it. You'll have the Windows boot updated to 2023 (b/c Windows can do it and does it, this part is just disk contents and it has advantages in itself) but not the UEFI BIOS, and Windows will not boot.

JLArranz · Jan 26, 2026

kelper said:
I have followed all the ways to update rescue media for Macrium Reflect and, by deduction, Hasleo and yet neither will boot unless I disable Secure Boot. No big deal.

In percentage my success has been low, and 0% with stored isos, but I have suceeded rebuilding the WIM for a new WinRE media, see Windows Security update for Secure Boot - Knowledgebase 8.0 - Macrium Reflect Knowledgebase and maybe my post #61. The link does also have directions for WinPE but they haven't worked here. Notice that I had my Secure Boot in an imperfect state. I've since managed to rebuild my updated DBX (w/o the 2011 "revocations" like I prefer for the moment) with a cjee21's script that mentions the case I was in (DBX returned to factory), but I haven't done new proofs.

PerpetualCycle · Jan 26, 2026

hgratt said:
Am I correct in assuming that after executing these commands, one should unmount the volume via:

mountvol s: /d

Or by restarting the computer?

Well you should try boot the computer with the rescue media you created so that will take care of it. You could unmount it as well dismount with that command,

hgratt · Jan 26, 2026

Thanks.

SIW2 · Jan 26, 2026

If you are using the 8.0 version of macrium seems like it copies the 2011 files from %windir%\boot folder.
If you are on 2011 that is fine. If you are on 2023 then either turn off secure boot
or copy the files from your live efi system partition onto the macium usb stick ( if you already have one )
and /or into %systemdrive%\boot\macrium\winrefiles so it will use them when it creates the usb stick

I dont know what all the other imaging/partitioning programs are doing at this point when they make their boot media
so it is probably wise to do the same for those.

It is easy to do. There are several posts from me and others on this thread explaining how.

If you have all your useful tools in one wim file then obviously only need to do it for that one usb stick

I have a little batch file that finds winre.wim then gathers the usual programs, adds a menu, integrates all that into the wim and also copies the boot files from the current esp. I prefer that to having lots of separate wims plus there are extra bits and bobs can be included like 7-zip, iso mounting etc

I have just done one with the latest winre it takes less than 2 minutes

I have set it up to look for the following on the running os
aomei backupper
aomei part assist
aomei fast recovery
diskgenius
macrium
hasleo backup
hasleo disk clone
hasleo data recovery
if found they can be included

could include almost anything but the wim gets bigger so I left out a few this time

can run a browser but they are bulky nowadays to include so I prefer to reach down to the browser in my installed os and run it from there

penetwork can include this for people using wireless. I dont use wireless so I dont know if it finds the ini automatically or if you have to browse to the ini

I presume the wireless.ini should be exported into the program files\penetwork program folder

neldog · Jan 26, 2026

SIW2 said:
If you are using the 8.0 version of macrium seems like it copies the 2011 files from %windir%\boot folder.
If you are on 2011 that is fine. If you are on 2023 then either turn off secure boot
or copy the files from your live efi system partition onto the macium usb stick ( if you already have one )
and /or into %systemdrive%\boot\macrium\winrefiles so it will use them when it creates the usb stick

I dont know what all the other imaging/partitioning programs are doing at this point when they make their boot media
so it is probably wise to do the same for those.

It is easy to do. There are several posts from me and others on this thread explaining how.

If you have all your useful tools in one wim file then obviously only need to do it for that one usb stick

I have a little batch file that finds winre.wim then gathers the usual programs, adds a menu, integrates all that into the wim and also copies the boot files from the current esp. I prefer that to having lots of separate wims plus there are extra bits and bobs can be included like 7-zip, iso mounting etc

I have just done one with the latest winre it takes less than 2 minutes

If I am on 2023 certs, which I think I am, can I copy from here:

copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\bootx64.efi
& here:
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

Or does the copying have to be from the efi system partition?

Thanks...

SIW2 · Jan 26, 2026

If I am on 2023 certs, which I think I am, can I copy from here:

copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\bootx64.efi
& here:
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

yes you could. There is a typo above could have been me every time I use code tags on here ot goes awry
should be
efi\boot
%systemdrive%\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi
the other one is efi\microsoft\boot
%systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

The advantage of copying from the esp partition is you dont need to know which you are on. Whichever are on the esp work fror booting into your os , so copying from there should work for usb

you could run the batch file I posted if that is easier
the business at the beginning finds the next available letter
mounts esp to that letter
copies the boot files
unmounts the esp

copy the code and save it notepad as something sensible like copy-from-esp.cmd

Code:

@echo off
vol Z: Y: X: W: V: U: T: S: R: Q: P: O: N: M: L: K: J: I: H: G: F: E: D: C: 1>nul 2>%temp%\VErr.txt
for /F "tokens=5 delims=. " %%A in (%temp%\VErr.txt) do set NL=%%A
mountvol %NL% /s
copy /Y %NL%\EFI\Boot\bootx64.efi "%systemdrive%\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi"
copy /Y %NL%\EFI\Microsoft\Boot\bootmgfw.efi "%systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi"
mountvol %NL% /d
pause

it is more complicated for optical media there are a whole bunch of fonts which need renaming as well as different bootmgr.efi and efisys.bin

maybe it is this browser but using code tags on here messes it up

neldog · Jan 26, 2026

SIW2 said:
yes you could.

The advantage of copying from the esp partition is you dont need to know which you are on. Whichever are on the esp work fror booting into your os , so copying from there should work for usb

Thank you. That is what I needed to know. I like this way because it's a one and done - as long as you know just where you are at. This way Macrium software will pick it up each time I make the recovery USB. I do understand the advantage of using the esp if one is unsure, or they know for a fact that they are still on 2011.

neldog · Jan 26, 2026

SIW2 said:
you could run the batch file I posted if that is easier
the business at the beginning finds the next available letter
mounts esp to that letter
copies the boot files
unmounts the esp

copy the code and save it notepad as something sensible like copy-from-esp.cmd

Code:

@echo off vol Z: Y: X: W: V: U: T: S: R: Q: P: O: N: M: L: K: J: I: H: G: F: E: D: C: 1>nul 2>%temp%\VErr.txt for /F "tokens=5 delims=. " %%A in (%temp%\VErr.txt) do set NL=%%A mountvol %NL% /s copy /Y %NL%\EFI\Boot\bootx64.efi "%systemdrive%\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi" copy /Y %NL%\EFI\Microsoft\Boot\bootmgfw.efi "%systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi" mountvol %NL% /d pause

it is more complicated for optical media there are a whole bunch of fonts which need renaming as well as different bootmgr.efi and efisys.bin

maybe it is this browser but using code tags on here messes it up

NIce...

Another Macrium Secure Boot Question

Active member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

New member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Active member

My Computer

Active member

My Computer

Syzygy

My Computers

New member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Similar threads