ASUS Machine winload.efi with CA 2011 Cert - Needs CA 2023 Cert - I think


starchase

My ongoing problem: this ASUS desktop won't boot when using updated USB boot media, media that boots OK on my 2 laptops. The cert showing on the ASUS Windows\System32\Boot\winload.efi shows the CA 2011 cert.

On the USB Media the EFI\Boot\bootx64.efi file has the CA 2023 cert. In the D:\EFI\Microsoft\Boot\ there is a bootmgfw.efi with the CA 2023 cert and a bootmgr.efi file with the CA 2011 cert.

The ASUS machine has just had Garlin's Updates (the latest revision) put on it but has yet to have the CA 2011 cert revoked.

And yet the only way I can get the Hasleo or Macrium Reflect rescue disks to boot on the ASUS is to clear all Secure Boot Keys.

Even though both rescue disks boot fine on my 2 laptops.

And the HP laptop C:\Windows\System32\Boot folder with the winload.efi has just the CA 2011 cert in that file! And I have revoked the CA 2011 cert on both laptops.

If the bottom line means I need to disable Secure Boot on the ASUS just to be able to use the rescue media I can live with that; it is no great effort to reapply Garlin's scripts to update to the CA 2023 certs.

But this is really annoying; I can't figure out what is so different with the ASUS machine compared to the laptops.
ASUS Boot Error Code.webp
 
Windows Build/Version
Windows 25H2 build 26200.8655

1. The Secure Boot certs will restrict which boot files are allowed to boot, based on the boot file's signing cert.

2. If you have revoked CA 2011 (still optional for now), the boot manager is also restricted by the SVN (which is a minimum version number).

After you have applied a recent Monthly Update, the SVN might have gone up (June 2026 for example to SVN 9.0), and older versions of the boot file found on system or USB drives will be blocked. You need to copy a newer version of the boot file in place.

3. If you have Virtualization Based Security (VBS) and use an optional SkuSiPolicy.p7b file for additional protection, it can block older versions of winload.efi from running (right during boot). The solution is to remove the SkuSiPolicy.p7b file, or find an updated WinPE/WinRE image which is compatible.

This means the boot.wim needs to be patched. You can't simply swap out the winload.efi file from somewhere else. When winload.efi has changed, it implies that other key Windows files should be updated at the same time. Therefore you want to find an updated boot.wim.

If your backup vendor has an outdated boot.wim (which hasn't been updated), then temporarily remove SkuSiPolicy.p7b from the EFI.

Code:
mountvol S: /s
del S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b
mountvol S: /d

Now you should be able to boot the USB drive.
 

If your backup vendor has an outdated boot.wim (which hasn't been updated), then temporarily remove SkuSiPolicy.p7b from the EFI.

Code:
mountvol S: /s
del S:\EFI\Microsoft\Boot\SkuSiPolicy.p7b
mountvol S: /d

Now you should be able to boot the USB drive.
I ran the code and the bottom line is that it WORKED!!! After a hiccup. The first boot to the USB I got caught up in a BIOS loop. After I got it to shut down, then cleared the Secure Boot certs and then ran your Update script w/ the -bootmedia and verbose flags, I rebooted to set the update then rebooted, Secure Boot enabled, with the Hasleo recovery USB and got into the recovery software! I wonder if this will work with the Macrium Reflect Rescue Disk. I'll have to give that a try. Thanks very much for your help . . . again!
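
The checks discussed in this thread, gathered into one script as an added example (not code from any poster or from the update scripts mentioned above): it reports which CA issued the signing cert on each boot file, whether the firmware db/dbx already reflect the CA 2023 rollout, and whether SkuSiPolicy.p7b is on the EFI partition. The drive letters D: (USB media) and S: (EFI partition mounted with mountvol S: /s) and the function name are assumptions.

```powershell
# Added example. Run from an elevated PowerShell prompt.
# Assumptions: USB rescue media is D:, the EFI System Partition is mounted as S:.
param(
    [string]$UsbRoot = 'D:\',
    [string]$EspRoot = 'S:\'
)

function Get-BootFileSigner {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; IssuingCA = 'file not found'; FileVersion = $null }
    }
    $cert = (Get-AuthenticodeSignature -LiteralPath $Path).SignerCertificate
    # The issuer of the signing cert is the CA the firmware must trust (db)
    # and must not have revoked (dbx) for the file to load under Secure Boot.
    $issuer = if ($cert) { $cert.GetNameInfo('SimpleName', $true) } else { 'unsigned' }
    [pscustomobject]@{
        File        = $Path
        IssuingCA   = $issuer
        # File version only; this is not the SVN the boot manager is checked against.
        FileVersion = (Get-Item -LiteralPath $Path -Force).VersionInfo.FileVersion
    }
}

$files = @(
    [IO.Path]::Combine($UsbRoot, 'EFI\Boot\bootx64.efi'),
    [IO.Path]::Combine($UsbRoot, 'EFI\Microsoft\Boot\bootmgfw.efi'),
    [IO.Path]::Combine($UsbRoot, 'EFI\Microsoft\Boot\bootmgr.efi'),
    [IO.Path]::Combine($EspRoot, 'EFI\Microsoft\Boot\bootmgfw.efi'),
    [IO.Path]::Combine($env:SystemRoot, 'System32\Boot\winload.efi')
)
$files | ForEach-Object { Get-BootFileSigner -Path $_ } | Format-List

# Firmware side: is CA 2023 trusted (db), and has CA 2011 been revoked (dbx)?
try {
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    'Secure Boot enabled        : {0}' -f (Confirm-SecureBootUEFI)
    'db  has Windows UEFI CA 2023: {0}' -f ($db  -match 'Windows UEFI CA 2023')
    'dbx has Production PCA 2011 : {0}' -f ($dbx -match 'Microsoft Windows Production PCA 2011')
} catch {
    "Could not read Secure Boot variables: $($_.Exception.Message)"
}

# Point 3 of the reply: the optional policy file that can block an older winload.efi.
$policy = [IO.Path]::Combine($EspRoot, 'EFI\Microsoft\Boot\SkuSiPolicy.p7b')
'SkuSiPolicy.p7b on ESP      : {0}' -f (Test-Path -LiteralPath $policy)
```

Running it before and after changing the rescue media or the EFI partition shows which of the three restrictions listed in the reply is the one in play on a given machine.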
 
