Windows 11 Pro 25H2, fully up to date (26200.7623), and the MR v8.1.8631 "WinRE" Rescue Media are both booting fine with Secure Boot enabled, but the MR "WinPE" media is not. WinRE is enabled and seems fine.
I've done a partial reform of the Secure Boot subsystem w/o the 2011 revocations. I've appended a "verbose" report at the end. In essence:
- I've replaced the initial invalid PK with the MS generic one.
- I've appended the new 2023 KEK and DB items.
- Windows Boot Manager is updated to 2023.
- I've done the DBX updates, but I have neither revoked the 2011 certs nor appended the Windows BootMgr SVN.
- I've installed the (new) SkuSiPolicy.p7b policy (for VBS).
Macrium directions: Macrium Reflect X (knowledgebase.macrium.com)
I managed to generate my CA2023-compatible MR "WinRE" media by rebuilding the WIM as Macrium describes. I did it as an iso file first (when possible I prefer to generate an iso rather than physical media, as I can save and back up the iso without relying on a USB stick or any additional piece of hardware; of course I need the physical pendrive to boot, but if it fails I can make another from the iso), prepped a USB stick with diskpart (clean - create partition primary - active - format fs=fat32 quick - assign letter=f; in this order if it matters, particularly "active" before "format"; fs=ntfs also works, but fat32 is more correct afaik), mounted the iso, and copied its files to the prepped USB stick. It might not be the world's simplest method, but it's the way I've done it and it works.
I haven't got any "WinPE" Macrium Reflect USB stick that can boot with Secure Boot enabled, not even after following Macrium's directions for "WinPE" media (run the MR uninstaller from Control Panel -> Programs and Features, tick only "remove Windows PE component files" and click OK; the MR Rescue Media builder will then download the applicable "WinPE" from Microsoft the next time you build a "WinPE" media, and in fact it asked me to confirm a 1.17 GB download from Microsoft when I did it). The stored and new isos and the "direct" physical pendrives I've tried have booted with SB disabled, but not with SB enabled. I know it isn't urgent to sort this out (as of February 1st, 2026), especially since I already have a WinRE one, on a physical USB stick and as an iso, plus a known-good method to build another from it, but I'd like to be able to make a WinPE one too.
I've tried making "WinPE" isos and afterwards "burning" them to USB sticks prepped as described above, and I have also tried writing physical USB sticks directly from the MR Rescue Media builder. You can do the latter to USB sticks without any partition or previously partitioned and formatted (I've tried FAT32 and NTFS with the same results). MR states here that "Note: USB flash/HDD media will be created non-destructively. The rescue media files will be added to an existing partition or a new partition will be created for the files."; nowhere is it said that the existing partition should be empty, although I've only tried with empty partitions or unpartitioned pendrives (in the latter case MR creates a 1 GB FAT32 partition with the files inside).
Whichever method I use, my computer doesn't seem to recognize the WinPE media produced as bootable (with Secure Boot enabled): pressing F7 for the one-time Boot Menu and selecting the USB stick does nothing but a slight blink of the screen, after which I can choose a boot entry again. This is another symptom of it:
Code:
PS C:\Temporal> .\Check_UEFI-CA2023.ps1 -BootMedia
[...]
Bootable Media
--------------
USB Drive F:
Boot File [Production PCA 2011] is ALLOWED.
No hay ninguna imagen coincidente.
The Spanish message "No hay ninguna imagen coincidente" means "No matching images found", which according to Google's AI means the following:
The "no matching images found" error during Windows installation usually means the product key embedded in the firmware (BIOS) does not match the edition of Windows on your installation media (USB/ISO), often requiring a clean install with matching media (e.g., Home vs. Pro) or the removal of ei.cfg to allow edition selection.
Key Causes and Solutions:
Mismatching Media and Key: If your computer came with Windows 10 Home, but you are using an Education/Pro ISO, this error will appear.
Solution: Download the correct installation media using the Microsoft Media Creation Tool.
ei.cfg File Restriction: The installation USB may contain an ei.cfg file that forces a specific edition.
Solution: Navigate to the sources folder on your USB drive and delete the ei.cfg file. This allows you to select the correct edition during setup.
Corrupt Installation Media: The USB drive or ISO file might be corrupted.
Solution: Re-download the ISO and recreate the bootable USB.
Docker/Virtualization Error: If running Docker, this means the image is not built for Windows architecture.
Solution: Switch to Linux containers, or ensure you are using Windows-compatible images.
For other contexts (e.g., file search), ensure indexing is running or check folder permissions.
Of these possible causes, only "Corrupt Installation Media" is similar, although the media aren't "corrupt"; rather, either they're incorrect and/or "Secure Boot" blocks them (either correctly or in error).
======================================================================
I've tried to follow this advice:
Will post this once again:
You can manually update macrium so it uses the 2023 bootmgr files when it makes a rescue media.
Assuming you have your macrium boot files in the default location c:\boot, then make the following changes in an elevated command window:
Admin Command Prompt Type:
mountvol s: /s
copy s:\EFI\Boot\bootx64.efi c:\boot\macrium\WinREFiles\media\EFI\bootx64.efi
copy S:\EFI\Microsoft\Boot\bootmgfw.efi c:\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi
This will copy the 2023 signed boot files from your EFI partition to the files macrium uses to generate rescue media. Whenever you make a new rescue media, it will have the correct 2023 CA signed files
This whole situation is why Microsoft recommended not to ban the 2011 CA prematurely. Users shouldn't have to endure this. They never should have made that announcement until they had it a little more together.
If you are sure you want the CA 2023, it could alternatively be copied from the _EX folders
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\bootx64.efi
copy /y %windir%\Boot\EFI_EX\bootmgfw_EX.efi %systemdrive%\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi
But I don't have a C:\boot\macrium\WinREFiles folder:
The "equivalent" one seems to be C:\boot\macrium\WA11KFiles ???, but

[Screenshots: EFI\Microsoft\boot folders
C:\boot\macrium\WA11KFiles\media\EFI\Microsoft\boot
G:\EFI\Microsoft\Boot (iso "WinPE")
H:\EFI\Microsoft\Boot (iso "WinRE")]
I suppose this is fine, as the older isos I keep (done months or years before starting my current "Secure Boot 2023 adventure" and all booting fine in their age) have this same difference between "WinRE" and "WinPE".
I have tried this (the main MS page about the CA2023 update, section "Updating Windows install media"). This remedy seems conceived for the "Windows Recovery disk", although my "CA2023 compatible Windows Recovery disk" hasn't needed it (it boots fine with Secure Boot enabled without any modification). As you can see, the MS-proposed commands copy "WinRE" files into the "WinPE" media (I've added one to keep the updated BCD as BCD.NEW in case it's useful; I have little idea about the BCD in general and no idea why these commands preserve the previous BCD). With Secure Boot enabled, the computer tries to boot from this modified disk, unlike from the original one (which only does a slight blink of the screen), but it ends up raising a 0xC0000428 error in winload.efi.

[Screenshot: F:\EFI\Microsoft\Boot (physical pendrive, MS-treated)]
======================================================================
This is how my computer's Secure Boot is at the moment. Notice that this is a "verbose" report that also tells which are the factory defaults, besides the current state:
Code:
Windows 11 25H2 (26200.7623)
Secure Boot: ON
Virtualization Based Security: ON
BitLocker on (C:) OFF
BIOS Firmware
-------------
Fanless Mini PC Quieter2
Version: 10.1
Date: 2021-07-24
Factory Default UEFI PK Cert
----------------------------
DO NOT TRUST - AMI Test PK
UEFI PK Cert
------------
Windows OEM Devices PK
Factory Default UEFI KEK Certs
------------------------------
Microsoft Corporation KEK CA 2011
UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023
Factory Default UEFI DB Certs
-----------------------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023
Factory Default UEFI DBX Certs
------------------------------
(NONE)
EFI_CERT_SHA256_GUID Signatures: 77
UEFI DBX Certs
--------------
(NONE)
Windows BootMgr SVN is MISSING.
EFI_CERT_SHA256_GUID Signatures: 481
EFI Files
---------
Disk 0: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
bootmgfw.efi File version: 26100.30227
Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.
Disk 0: SkuSiPolicy.p7b (for VBS) is CURRENT.
AUDIT REPORT
============
1. [Production PCA 2011] is missing from UEFI DBX
2. Windows BootMgr SVN is missing from UEFI DBX
REQUIRED ACTION
===============
To revoke the [PCA 2011] cert, run the commands, run the commands:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x280 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
PS C:\Windows\System32>
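A way to check the boot files on a rescue stick against the firmware's Secure Boot databases from PowerShell, as an added example that is not part of the original post nor of Macrium's or Microsoft's tooling (and is not the Check_UEFI-CA2023.ps1 script whose output is quoted above). The function names, the list of Microsoft CA names and the media-root parameter are my own choices; it assumes an elevated PowerShell on the Windows 11 machine itself, the stick (or mounted iso) at a drive letter, and the standard EFI\Boot\bootx64.efi and EFI\Microsoft\Boot\bootmgfw.efi paths shown in the post:

```powershell
# Added example, not from the original post or from Macrium/Microsoft: report which
# Microsoft CA signed the boot files on a rescue stick and whether that CA sits in the
# firmware's Secure Boot db (allow list) or dbx (deny list). Function names, CA list and
# parameter names are my own choices. Run from an elevated PowerShell on the target PC.
#Requires -RunAsAdministrator

function Get-SecureBootCaNames {
    param(
        # UEFI variable to scan: db (allowed signers) or dbx (revoked signers).
        [ValidateSet('db', 'dbx')] [string] $Variable = 'db'
    )
    # The five Microsoft CAs that appear in the Check_UEFI-CA2023 report above.
    $knownCas = @(
        'Microsoft Windows Production PCA 2011',
        'Microsoft Corporation UEFI CA 2011',
        'Windows UEFI CA 2023',
        'Microsoft UEFI CA 2023',
        'Microsoft Option ROM UEFI CA 2023'
    )
    # The variable is a raw blob of EFI_SIGNATURE_LISTs. X.509 entries carry their subject
    # name as ASCII inside the DER, so a substring search is enough to tell which CA
    # certificates are present. SHA-256 hash entries have no name and are not visible here.
    $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $knownCas | Where-Object { $text.Contains($_) }
}

function Test-RescueMediaBootFiles {
    param(
        # Drive letter of the stick or of the mounted iso, e.g. 'F:'
        [Parameter(Mandatory)] [string] $MediaRoot
    )
    if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is OFF; db/dbx are not enforced right now.' }
    $allowed = @(Get-SecureBootCaNames -Variable db)
    $revoked = @(Get-SecureBootCaNames -Variable dbx)

    # The firmware loads EFI\Boot\bootx64.efi from removable media; on Macrium media that is
    # a copy of the Windows boot manager, which also lives at EFI\Microsoft\Boot\bootmgfw.efi.
    foreach ($rel in 'EFI\Boot\bootx64.efi', 'EFI\Microsoft\Boot\bootmgfw.efi') {
        $path = Join-Path $MediaRoot $rel
        $row  = [ordered]@{ File = $rel; SignedBy = ''; InDb = $false; InDbx = $false; Verdict = '' }
        if (-not (Test-Path -LiteralPath $path)) {
            $row.SignedBy = '(missing)'; $row.Verdict = 'file not found on media'
            [pscustomobject]$row; continue
        }
        # EFI applications are PE/COFF files, so the Authenticode cmdlet can read the signature.
        # Status may be UnknownError when Windows' own root store does not chain the 2023 CAs;
        # the firmware does not consult that store, so only the signer's CA is used below.
        $sig = Get-AuthenticodeSignature -FilePath $path
        if (-not $sig.SignerCertificate) {
            $row.SignedBy = '(unsigned)'; $row.Verdict = 'no Authenticode signature: Secure Boot will refuse it'
            [pscustomobject]$row; continue
        }
        # The issuer CN of the signing certificate is the CA the firmware must find in db.
        $ca = if ($sig.SignerCertificate.Issuer -match 'CN=([^,]+)') { $Matches[1] } else { $sig.SignerCertificate.Issuer }
        $row.SignedBy = $ca
        $row.InDb     = $allowed -contains $ca
        $row.InDbx    = $revoked -contains $ca
        if ($row.InDbx)    { $row.Verdict = 'CA revoked in dbx: blocked' }
        elseif ($row.InDb) { $row.Verdict = 'CA in db: allowed (hash-only dbx entries not checked)' }
        else               { $row.Verdict = 'CA not in db: blocked with Secure Boot on' }
        [pscustomobject]$row
    }
}

# Usage, with the stick at F: as in the post:
#   Test-RescueMediaBootFiles -MediaRoot 'F:' | Format-Table -AutoSize
```

Against the "WinPE" stick described in the post this should agree with the Check_UEFI-CA2023.ps1 line "Boot File [Production PCA 2011] is ALLOWED": the signer CA is still in db and not yet in dbx, so by certificate alone the file is allowed. The value of the check is to see, before rebooting, which CA a freshly built stick or a bootmgfw_EX.efi-based replacement actually carries. Hash-based dbx entries (the 481 EFI_CERT_SHA256_GUID signatures in the report) have no name to match, so a boot manager could still be refused by a hash revocation this check does not see.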