Solved ASUS TUF GAMING B760M USB WITH RUFUS

Hello, Everyone!

I have a tuf gaming b760m wifi motherboard, could you explain to me why it is a real hell to make a usb with rufus, and give one failure after another for the secure boot keys? I know there is a strict security conflict between the rufus loader (UEFI:NTFS) and the default ASUS secure boot keys. is there any solution? apart from formatting the USB in fat32, downloading a copy of Windows, using Anyburn, reconfiguring the .iso so that there are 4GB partitions and no error ones, etc.

Why so much trouble?

When you build an USB with the latest Rufus, you're now offered a choice of using the newer or older boot files, depending on whether your PC has successfully added the CA 2023 Secure Boot certs.

If you're not sure if that's happened, then temporarily disable Secure Boot and boot the Rufus USB. After you're done installing Windows, then re-enable Secure Boot.

Thanks garlin

@Boyaca Also, have you updated to the latest BIOS?

Yes, I updated the BIOS to the latest version.
It is very complicated, due to the restrictions imposed by ASUS and the 13th and 14th generation Intel processors.

Gemini says:
The "hell" you are experiencing with your TUF GAMING B760M-PLUS WIFI board and Rufus is due to a strict security conflict between the Rufus bootloader (UEFI:NTFS) and ASUS Secure Boot default keys.
Modern ASUS motherboards with 13th and 14th generation Intel chipsets come from the factory with ultra-restrictive Secure Boot policies. If Rufus formats your USB in NTFS format (required if the Windows ISO has an install.wim file larger than 4 GB), it adds a small intermediate driver so that the BIOS can read that format. ASUS BIOS detects that this driver is not signed by the official Microsoft key and blocks booting immediately due to "security violation"

ASUS crash: When trying to boot, the TUF BIOS detects the UEFI:NTFS code. Since Rufus' digital signature is not included in your ASUS board's factory key database (DB), the system stops booting to protect you from suspected "malicious software."

Depending on how your Secure Boot is configured, 1 of 4 combinations is possible:


The rules apply to all PC's, regardless of your CPU or motherboard generation. Rufus has to pick a boot file which is CA 2011 or CA 2023. It can't guess for you (because you might be creating the USB for a different PC).

Enter the UEFI menu, and list the Secure Boot keys for UEFI CA 2023. Figure out if you need those boot files.

Thanks Garlin
This is how it is configured.

PCA 2011 is revoked, so you must always use the CA 2023 boot files, when creating any bootable USB drive. That's what I suspected.

Thanks for all Garlin.

Thanks for the help. I’ve completed the checks and everything is now working correctly.

After reviewing my Secure Boot configuration and running the full UEFI certificate report, I confirmed the following:

• Secure Boot is enabled
• My firmware contains both CA 2011 and CA 2023 certificates
• The Microsoft Windows Production PCA 2011 entry is correctly marked as revoked
• The Windows UEFI CA 2023 and Microsoft UEFI CA 2023 certificates are present and valid
• DBX is fully updated (v1.6.0 – 2025‑10‑14)

Because PCA 2011 is revoked on my system, I recreated my installation USB using CA 2023 boot files, and the system booted without any issues.

I also reset my Secure Boot keys (Clear PK/KEK/DB → restore to Standard), which ensured the firmware regenerated the correct Microsoft keys. After that, the installation proceeded normally.

Everything is now working as expected.Thanks again for pointing me in the right direction.