Did you manually update your Secure Boot keys?


Secure Boot etc. is an abomination for anybody other than corporate / office users and bog-standard home users. Most people on these types of forums like experimenting / testing things with their computers, in which case Secure Boot just gets in the way.

cheers
jimbo
 

My Computer

System One

  • OS
    Windows XP,11 Linux Fedora Rawhide pre-release 45
    Computer type
    PC/Desktop
    CPU
    2 X Intel i7
    Screen Resolution
    4KUHD X 2
I wish I had not gone ahead and revoked the Production PCA 2011 certificate. I now realize that any form of in-place repair will reinstall the older 2011-signed bootloader files into the EFI partition, and the system will not boot with Secure Boot enabled. So, if I have to do an in-place repair, I will have to disable Secure Boot first, and then, once the repair is complete, manually install copies of the 2023-signed bootloader into the EFI partition. This will all be fixed in June 2026. But in the meantime, I seem to have made my life more difficult. At least I am protected from BlackLotus!
This shouldn't be a worry for long, since Microsoft is planning to start revoking trust in 2011 boot files starting in January of '26 anyway, the "Enforcement Phase". When they start that, it seems obvious they'd have a way to deal with those that are revoked.
How many people have screwed up their PCs following the above instructions? I'm waiting to see what is issued via Windows update.
Anyone with a reasonably late model device should check their motherboard mfr's support website for an updated BIOS. One dated August or later of this year is quite likely to have the 2023 certificates as defaults, which can make this almost completely irrelevant.

And none of these things are likely to completely screw up anybody's PC. Trust me, if they could be so easily screwed up I would have done it since I've made every mistake possible futzing about with this on my systems. As I've found, all they ever have to do is disable Secure Boot and they're back in Windows and functioning. And BTW, that's exactly where it will end up eventually if it happens to be one Microsoft has determined can't be updated automatically.

At any rate, most of the drama here revolves around the scripts used to report out contents of the secure boot variables in firmware and which don't make changes to firmware or Windows boot files. As far as I can tell, the Microsoft commands (registry adds and scheduled tasks) being used to do the actual updates are the same ones Microsoft will use to roll out updates automatically. Any system they have problems running on correctly, e.g., it's not getting an updated signed KEK because their system/motherboard OEM isn't furnishing one, is quite likely to be left running with SB disabled in the future anyway without some sort of intervention.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
I wish I had not gone ahead and revoked the Production PCA 2011 certificate. I now realize that any form of in-place repair will reinstall the older 2011-signed bootloader files into the EFI partition, and the system will not boot with Secure Boot enabled. So, if I have to do an in-place repair, I will have to disable Secure Boot first, and then, once the repair is complete, manually install copies of the 2023-signed bootloader into the EFI partition. This will all be fixed in June 2026. But in the meantime, I seem to have made my life more difficult. At least I am protected from BlackLotus!

You just need to make your Windows 11 installation media bootable with CA 2023. Here's how:

Insert your Win 11 installation USB. Make note of the drive letter.

Execute the three commands from an elevated command prompt, one at a time.

Replace D with your USB drive letter.

COPY D:\EFI\MICROSOFT\BOOT\BCD D:\EFI\MICROSOFT\BOOT\BCD.BAK

bcdboot c:\windows /f UEFI /s D: /bootex

COPY D:\EFI\MICROSOFT\BOOT\BCD.BAK D:\EFI\MICROSOFT\BOOT\BCD

On the third command, say yes to replacing the existing file. Now your drive is bootable.

Source

EDIT: See post #1265
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel® Core™ i7-14700K
    Motherboard
    ASUS TUF Z690-PLUS WIFI BIOS 4505 11/29/25
    Memory
    G.SKILL Ripjaws S5 Series 64GB (2 x 32GB) DDR5
    Graphics Card(s)
    ASUS GeForce RTX 4070 Super 12GB
    Sound Card
    Sound Blaster AE-5 Plus
    Monitor(s) Displays
    ASUS TUF Gaming 27" 2K HDR Gaming
    Screen Resolution
    2560 x 1440
    Hard Drives
    Samsung 990 Pro 1TB NVMe (Win 11 25H2)
    SK hynix P41 500GB NVMe 25H2 DEV/Games
    SK hynix P41 2TB NVMe (x3)
    Crucial P3 Plus 4TB
    PSU
    Corsair RM850x Shift
    Case
    Antec Dark Phantom DP502 FLUX
    Cooling
    Corsair Nautilus 360 RS AIO
    Keyboard
    Logitech MK 320
    Mouse
    Razer Basilisk V3
    Internet Speed
    350Mbs
    Browser
    Firefox
    Antivirus
    Winows Security
    Other Info
    MR 8.1 Home

    System 3 Specs
    Win 11 Pro 25H2 26200.8524
    ASUS PRIME Z370-P II BIOS 3004 7/12/21
    Intel Core i7-8700 CPU @ 3.20GHz
    32GB DDR4 RAM (4x8)
    iGPU Intel UHD Graphics 630
  • Operating System
    Win 11 Pro 25H2 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self Built
    CPU
    Intel Core i7-11700F
    Motherboard
    Asus TUF Gaming Z590 Plus WiFi (BIOS 2803)
    Memory
    64 GB DDR4
    Graphics card(s)
    MSI GeForce RTX 3060 Ventus 2X 12GB
    Sound Card
    SoundBlaster Audigy Fx V2
    Monitor(s) Displays
    Samsung F27T350
    Screen Resolution
    1920x1080
    Hard Drives
    Samsung 980 Pro 1TB
    Samsung 970 EVO Plus 2TB
    Samsung 870 EVO 500GB SSD
    PSU
    Corsair HX750
    Case
    Cougar MX330-G Window
    Cooling
    Thermalright Frozen Edge 240 Black AIO
    Internet Speed
    350Mbps
    Browser
    Firefox
    Antivirus
    Windows Security
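The three-command procedure above, wrapped into a PowerShell script as an added example for this thread (it is not the poster's commands and not a Microsoft script). It does the same copy, bcdboot /bootex, copy-back sequence, but refuses to touch the system drive, checks that the target actually carries a Windows BCD, and records which CA signed the boot manager before and after so you can see the 2011 to 2023 change rather than assume it. It generalises the post's USB case to the ESP recovery discussed earlier in the thread (after an in-place repair put 2011-signed files back): mount the ESP with mountvol S: /S and pass -Target S. Assumptions not stated on the page: the running Windows already holds 2023-signed boot files for bcdboot to copy; the signer chain's subject or issuer text contains "UEFI CA 2023" (new) or "PCA 2011" (old); the script file name below is hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread; not the poster's commands and not a Microsoft script.
# Rebuilds the boot files on Windows 11 install media (or on an ESP you have mounted with
# "mountvol S: /S") with the Windows UEFI CA 2023-signed boot manager via "bcdboot /bootex",
# then puts the target's own BCD back, exactly as the three-command procedure does, adding
# a guard against the system drive and a before/after check of which CA signed the boot files.
#
# Assumptions not stated on the page: the running Windows already holds 2023-signed boot
# files for bcdboot to copy; the signer chain's subject or issuer contains "UEFI CA 2023"
# (new) or "PCA 2011" (old); $Target is one drive letter, e.g. D for the USB stick.
param(
    [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$Target,
    [string]$WindowsDir = $env:SystemRoot
)

function Get-EfiSigner {
    # Classify the Authenticode signer of an EFI binary: '2023', '2011', 'unsigned', 'unknown' or 'missing'.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($null -eq $sig.SignerCertificate) { return 'unsigned' }
    $chain = $sig.SignerCertificate.Subject + ';' + $sig.SignerCertificate.Issuer
    if ($chain -match 'UEFI CA 2023') { return '2023' }
    if ($chain -match 'PCA 2011')     { return '2011' }
    return 'unknown'
}

$Target = $Target.ToUpper()
if ($Target -eq $env:SystemDrive.TrimEnd(':')) {
    throw "Refusing to run against the system drive $env:SystemDrive."
}
$bcd = "${Target}:\EFI\Microsoft\Boot\BCD"
if (-not (Test-Path -LiteralPath $bcd)) {
    throw "$bcd not found: ${Target}: does not look like Windows boot media or an ESP."
}

# Firmware starts removable media through EFI\Boot\bootx64.efi; a fixed ESP's Windows entry
# points at EFI\Microsoft\Boot\bootmgfw.efi. bcdboot (re)writes both, so check both.
$bootFiles = @("${Target}:\EFI\Boot\bootx64.efi", "${Target}:\EFI\Microsoft\Boot\bootmgfw.efi")
$before = @{}
foreach ($f in $bootFiles) { $before[$f] = Get-EfiSigner $f }

# Step 1: keep the target's own BCD; bcdboot would otherwise generate a fresh one.
Copy-Item -LiteralPath $bcd -Destination "$bcd.BAK" -Force

# Step 2: copy the 2023-signed boot files from the running Windows onto the target.
& "$env:SystemRoot\System32\bcdboot.exe" $WindowsDir /f UEFI /s "${Target}:" /bootex
if ($LASTEXITCODE -ne 0) {
    Copy-Item -LiteralPath "$bcd.BAK" -Destination $bcd -Force
    throw "bcdboot failed with exit code $LASTEXITCODE; the original BCD was restored."
}

# Step 3: put the saved BCD back over the one bcdboot just generated ("yes, replace").
Copy-Item -LiteralPath "$bcd.BAK" -Destination $bcd -Force

# Verify: every boot manager now present on the target must be signed under the 2023 CA.
foreach ($f in $bootFiles) {
    $after = Get-EfiSigner $f
    if ($after -eq 'missing') { continue }
    "{0}: {1} -> {2}" -f $f, $before[$f], $after
    if ($after -ne '2023') {
        Write-Warning "$f is '$after'-signed; this Windows has no 2023-signed boot files to copy yet."
    }
}
```

Run it from an elevated PowerShell as .\Rebuild-BootMedia.ps1 -Target D (file name is hypothetical). For the ESP case run mountvol S: /S first, use -Target S, and mountvol S: /D afterwards. If the verify step still reports 2011, the running Windows has not yet received the 2023-signed boot manager, so bcdboot had nothing newer to copy; the media is not the problem in that case.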
You just need to make your Windows 11 installation media bootable with CA 2023. Here's how:

Insert your Win 11 installation USB. Make note of the drive letter.

Execute the three commands from an elevated command prompt, one at a time.

Replace D with your USB drive letter.

COPY D:\EFI\MICROSOFT\BOOT\BCD D:\EFI\MICROSOFT\BOOT\BCD.BAK

bcdboot c:\windows /f UEFI /s D: /bootex

COPY D:\EFI\MICROSOFT\BOOT\BCD.BAK D:\EFI\MICROSOFT\BOOT\BCD

On the third command, say yes to replacing the existing file. Now your drive is bootable.

Source
The issue is not about making the installation drive bootable. The issue is that a new or repaired installation will have bootloaders that are signed with a revoked certificate, and Secure Boot will prevent the new installation (or repaired installation) from booting. The default bootloaders are still the old ones. This will be the case for some months.
 

My Computer

System One

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    iBUYPOWER
    CPU
    Intel i9-13900KF
    Motherboard
    ASUS ROG Maximus Z790 Hero
    Memory
    32 GB Corsair Vengeance DDR5-6000 MHz
    Graphics Card(s)
    ASUS Dual GeForce RTX 4070
    Sound Card
    none
    Monitor(s) Displays
    Dell U2412M
    Screen Resolution
    1920 x 1200
    Hard Drives
    WD Black SN850X NVMe SSD - 1 TB
    PSU
    Thermaltake Toughpower GF3 1000W
    Case
    Fractal Design Meshify 2 RGB
    Cooling
    Corsair H150i RGB Elite
    Keyboard
    Deck Hassium Pro
    Mouse
    Logitech MX Master 4
    Internet Speed
    1500 Mbps download, 40 Mbps upload
    Browser
    Firefox
    Antivirus
    Bitdefender Internet Security
The issue is that a new or repaired installation will have bootloaders that are signed with a revoked certificate

I'm sorry, I should have elaborated more clearly. The above procedure I posted replaces the revoked certificate with the
new certificate, so it will install (or repair) Windows with the new certificate and update the bootloader accordingly.

 

You just need to make your Windows 11 installation media bootable with CA 2023. Here's how:

Insert your Win 11 installation USB. Make note of the drive letter.

Execute the three commands from an elevated command prompt, one at a time.

Replace D with your USB drive letter.

COPY D:\EFI\MICROSOFT\BOOT\BCD D:\EFI\MICROSOFT\BOOT\BCD.BAK

bcdboot c:\windows /f UEFI /s D: /bootex

COPY D:\EFI\MICROSOFT\BOOT\BCD.BAK D:\EFI\MICROSOFT\BOOT\BCD

On the third command, say yes to replacing the existing file. Now your drive is bootable.

Source
You can make Windows 11 installation media bootable with CA 2023 using the latest Rufus 4.11 also.

Manu
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Made
    CPU
    Intel 14100
    Motherboard
    Gigabyte B760M D2H
    Memory
    G.Skill Trident Z5 Neo RGB 32GB (2x16GB) DDR5 6000
    Graphics Card(s)
    Integrated
    Sound Card
    Built-in
    Monitor(s) Displays
    40Inch Blaupunkt 1920X1080 & Acer 24Inch 1920X1080
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung 990Pro 1TB &
    Western Digital WD Black SN850X NVMe 1TB
    PSU
    550W Corsair
    Case
    Chiptronix
    Cooling
    Default
    Keyboard
    Logitech Wireless
    Mouse
    Logitech Wireless
    Internet Speed
    500Mbps
    Browser
    Brave
    Antivirus
    Kaspersky Premium
  • Operating System
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Intel G7600
    Motherboard
    Asus PRIME-H610M-E-D4
    Memory
    16GB Corsair Vengeance
    Graphics card(s)
    Integrated
    Sound Card
    In Built
    Monitor(s) Displays
    Samsung 22Inch
    Screen Resolution
    1920 X 1080
    Hard Drives
    Samsung Evo 970 Pro 500GB
    PSU
    CoolerMaster 450W
    Case
    Normal
    Cooling
    Default
    Keyboard
    Logitech Wireless
    Mouse
    Logitech Wireless
    Internet Speed
    500Mbps
    Browser
    Brave
    Antivirus
    Kaspersky Total Security
It means the "Windows UEFI CA 2023" cert is updated. That's one of the four certs needed to replace those expiring in 2026.

Look back for a post by @Scott, #1104, for two commands that update all four and as well installs 2023 signed boot files. Once successfully completed it also resolves the ID 1801 error.

Or just wait and let Microsoft run the update for you according to the schedule they've put your system on.
Thanks!
I ran these commands from that post.
So, basically as long as I do not update my BIOS (effectively resetting CMOS to factory), then I should in theory be good?
 

My Computer

System One

  • OS
    Win 11 23H2 Enterprise
    Computer type
    PC/Desktop
    Manufacturer/Model
    Self-Built
    CPU
    Ryzen 9800X3D
    Motherboard
    MSI MAG X870 Tomahawk WiFi
    Memory
    G.Skill Trident Z RGB 6200MT CL30
    Graphics Card(s)
    MSI RTX 5090 Suprim SoC
    Sound Card
    Sound Blaster G8
    Monitor(s) Displays
    LG C2 42 Main Desktop, 3x Gigabyte FI32Q in a triple array for gaming simulations
    Screen Resolution
    3840x2160, 2560x1440 (3)
    Hard Drives
    WD SN850X 2TB M.2 NVME (OS Drive), WD SN850X 2TB M.2 NVME, 2x Crucial 2TB SSD, Crucial 1TB SSD, Seagate Barracuda 2TB HDD
    PSU
    NZXT C1200 Gold ATX 3.1-Fully Modular/Low-Noise-1200 Watts-12V-2x6 Connector-Zero Fan Mode-100% Japanese Capacitors
    Case
    NZXT H7
    Cooling
    EK AIO Elite 360mm Elite
    Keyboard
    Razer Huntsman V3 Pro
    Mouse
    Logitech G502X
    Internet Speed
    1GB
    Browser
    Edge Chromium
    Antivirus
    Windows Defender
as long as I do not update my BIOS (effectively resetting CMOS to factory), then I should in theory be good
I think that depends on your particular BIOS behavior, it did when I tested it on my MoBo but some others have said it didn't on theirs. It's probably a good idea to assume it will though, at least for the first time, to be ready for it.

If it does ever get reset to default keys and Windows doesn't fix it itself, then boot up with Secure Boot disabled and re-run the two commands to re-install the certs and you're back in business. But hopefully Microsoft will do this for us.
 

You can make Windows 11 installation media bootable with CA 2023 using the latest Rufus 4.11 also.

Manu
I just looked into this, and wanted to create a bootable USB Win 11 installation of the latest Win 11 23H2 Enterprise build I got from UUP Dump.
I have successfully updated this PC (the target machine I am creating the bootable drive on) with the CA 2023 certificates using the guide @Scott provided, verifying with the 'True' results.

I have the latest Rufus 4.11p (portable), and I let it grab whatever updates it needed when it first opened.
Supposedly, this latest Rufus update should add a last option just before creating the bootable ISO to include the latest CA 2023 certificates, however it does not?

I'm guessing this is because the ISO I'm using has the outdated CA 2011 certificates (as per the pop-up just before creating), so how would I be able to use Rufus to build a bootable ISO according to your assertions?
Perhaps this only works for building a 25H2 ISO that already has the updated certificates built into the ISO? Otherwise, I would have to use the method described by @Scott to change these files before using Rufus?
 

The issue is not about making the installation drive bootable. The issue is that a new or repaired installation will have bootloaders that are signed with a revoked certificate, and Secure Boot will prevent the new installation (or repaired installation) from booting. The default bootloaders are still the old ones. This will be the case for some months.
Shouldn't this work exactly the same for a mounted ISO?
I tried running an elevated command prompt, changing the 'D' to the mounted drive letter I have, 'L', and got access denied on the first command.
I then tried from an elevated terminal opened within the mounted ISO and got pretty much the same (below).
Any ideas? This is the latest UUPDUMP of Win 11 23H2 Enterprise that I intend to use all the way through Nov 2026, since I'm perfectly happy with 23H2, want to skip the 24H2 dumpster fire and 'hope' in a year that 25H2 is actually decent!
 

I wish I had not gone ahead and revoked the Production PCA 2011 certificate. I now realize that any form of in-place repair will reinstall the older 2011-signed bootloader files into the EFI partition, and the system will not boot with Secure Boot enabled. So, if I have to do an in-place repair, I will have to disable Secure Boot first, and then, once the repair is complete, manually install copies of the 2023-signed bootloader into the EFI partition. This will all be fixed in June 2026. But in the meantime, I seem to have made my life more difficult. At least I am protected from BlackLotus!
I have done two in-place reinstalls to correct errant update issues, and my system is still booting fine with Secure Boot and the 2011 cert revoked.
 

My Computers

System One System Two

  • OS
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14500
    Motherboard
    Gigabyte B760M G P WIFI
    Memory
    64GB DDR4
    Graphics Card(s)
    GeForce RTX 4060
    Sound Card
    Chipset Realtek
    Monitor(s) Displays
    LG 45" Ultragear, Acer 24" 1080p
    Screen Resolution
    5120x1440, 1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 3D NAND NVMe M.2 SSD (O/S)
    Silicon Power 2TB US75 NVMe PCIe Gen4 M.2 2280 SSD (backup)
    Crucial BX500 2TB 3D NAND (2nd backup)
    Seagate 4TB Ironwolf, rotating HDD archive files
    External off-line backup Drives: 2 NVMe 4TB drives in external enclosures
    PSU
    Thermaltake Toughpower GF3 750W
    Case
    LIAN LI LANCOOL 216 E-ATX PC Case
    Cooling
    Lots of fans!
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
  • Operating System
    Win 11 Pro 25H2, Build 26200.8524
    Computer type
    PC/Desktop
    Manufacturer/Model
    Home Brew
    CPU
    Intel Core i5 14400
    Motherboard
    Gigabyte B760M DS3H AX
    Memory
    32GB DDR5
    Graphics card(s)
    Intel 700 Embedded GPU
    Sound Card
    Realtek Embedded
    Monitor(s) Displays
    27" HP 1080p
    Screen Resolution
    1920x1080
    Hard Drives
    Crucial P310 2TB 2280 PCIe Gen4 eD NAND PCIe SSD
    Samsung EVO 990 2TB NVMe Gen4 SSD
    Samsung 2TB SATA SSD
    PSU
    Thermaltake Smart BM3 650W
    Case
    Okinos Micro ATX Case
    Cooling
    Fans
    Keyboard
    Microsoft Comfort Curve 2000
    Mouse
    Logitech G305
    Internet Speed
    Verizon FiOS 1GB
    Browser
    Firefox
    Antivirus
    Malware Bytes & Windows Defender Security
I just looked into this, and wanted to create a bootable USB Win 11 installation of the latest Win 11 23H2 Enterprise build I got from UUP Dump.
I have successfully updated this PC (the target machine I am creating the bootable drive on) with the CA 2023 certificates using the guide @Scott provided, verifying with the 'True' results.

I have the latest Rufus 4.11p (portable), and I let it grab whatever updates it needed when it first opened.
Supposedly, this latest Rufus update should add a last option just before creating the bootable ISO to include the latest CA 2023 certificates, however it does not?

I'm guessing this is because the ISO I'm using has the outdated CA 2011 certificates (as per the pop-up just before creating), so how would I be able to use Rufus to build a bootable ISO according to your assertions?
Perhaps this only works for building a 25H2 ISO that already has the updated certificates built into the ISO? Otherwise, I would have to use the method described by @Scott to change these files before using Rufus?
Rufus from ver. 4.10 has the ability to use a CA 2023-signed bootloader, but it requires a Windows 11 25H2 ISO. This is specified in the changelog (Rufus - Create bootable USB drives the easy way), where you have to click the FAQ. Here, Part 1 describes updating your UEFI firmware to install the newer Windows UEFI CA 2023 certificate and revoke the obsolete PCA 2011 one. If you look into Part 2, the first point itself says
"In Rufus, select a Windows 11 25H2 ISO (Note that Windows 11 24H2 ISOs will not work on account that Microsoft screwed up compatibility with Windows UEFI CA 2023 in those images. Only the Windows 11 25H2 ISOs are compatible with a Windows UEFI CA 2023 installation)". So, using Rufus, if you want to create Windows 11 bootable media with a CA 2023-signed bootloader you need to have a 25H2 ISO. If you must stay with the UUPDump 23H2 build (Enterprise) for compatibility or a specific reason, then consider manually rebuilding the ISO (or injecting the new boot chain) using the method described by @Scott so that you can leverage the CA 2023 option in Rufus.

Manu
 

This is the latest UUPDUMP of Win 11 23H2 Enterprise that I intend to use all the way through Nov 2026 since I'm perfectly happy with 23H2

Hey @Globespy, re-download your ISO from UUPdump, but before running the uup_download_windows.cmd file modify the
ConvertConfig.ini file, change UpdtBootFiles from 0 to 1, save and close. That will give you the updated cert.


I just downloaded the ISO and here's the output I got with the ISO mounted:

 

Looking for some help/simplification of this process

I followed this....... How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932
...to the letter.

I have ended up with this.......


The things that bother me are the BANNED statement in the EFI files and why I seem to have two references to
Microsoft Windows Production PCA 2011 certs, one in the DB and one in the DBX. (I thought it would just move it from DB to DBX.)

Can anyone decode/explain this to me please?

The drives on the computer are configured as per diagram below and the computer is booting fine,
Any insight would be much appreciated.



 

My Computer

System One

  • OS
    Windows 11 Enterprise
Looking for some help/simplification of this process
The 2011 cert in DBX revokes trust in the 2011 cert in DB. So even though it's in DB, a boot manager signed with a 2011 cert cannot validate with it and will fail to start Windows 11. That's why you need the 2023 cert, so the 2023 boot manager it is starting from can be validated with it.

You're still missing three other 2023 certs, one that's pretty important. Look back for a post by @Scott, #1104, for two commands that should get you all four.

BTW: for ultimate simplification in the process, just be sure you're in secure boot and that diagnostics reporting is enabled. Then Microsoft will update the keys for you according to the schedule they have you on.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 5800X
    Motherboard
    Gigabyte B550M Aorus Pro
    Memory
    GSkill 3200, 2x8GB
    Graphics Card(s)
    MSI RX 6800 XT Gaming Z
    Sound Card
    on-board Realtek
    Monitor(s) Displays
    MSI 180hz
    Screen Resolution
    1440p
    Hard Drives
    Samsung 980 Pro, Samsung 870 Evo, generic PCIe NVME, WD 1TB 2.5" laptop spinner
    PSU
    Corsair RM 650
    Case
    mATX
    Cooling
    BeQuiet 240mm AIO and a bunch of case fans
    Keyboard
    one that clacks softly
    Mouse
    logitech
    Internet Speed
    bunches of bps
    Browser
    Firefox
    Antivirus
    Windows' own
  • Operating System
    Win11 Pro
    Computer type
    PC/Desktop
    Manufacturer/Model
    DIY
    CPU
    Ryzen 7 1700
    Motherboard
    GA-AB350M G-3
    Memory
    16GB DDR4
    Graphics card(s)
    RX-480
    Sound Card
    In-Built Realtek
    Monitor(s) Displays
    Samsung
    Screen Resolution
    1440p
    Hard Drives
    NVME/SSD's
    PSU
    Thermaltake BX1 550W
    Case
    Some junky thing
    Cooling
    ThermalTake Assassin(?)
    Browser
    FF/Edge
    Antivirus
    Whatever Windows does
    Other Info
    Secure Boot enabled updated to 2023 CA keys, TPM2.0 enabled with system drive Bitlocker'd.
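The DB/DBX logic in the post above (a CA copy in DBX overrides the same CA in DB) and the "Allowed / BANNED" verdict the Check_*.ps1 scripts later in the thread give for the boot manager can both be inspected directly. The snippet below is an added example written for this page; it is not one of the scripts members posted. It assumes an elevated PowerShell on a UEFI machine, that drive letter S: is free for temporarily mounting the EFI System Partition, the standard ESP path for the Windows boot manager, and the Microsoft CA common names as Microsoft publishes them.

```powershell
# Added example (not a thread script): list which Microsoft Secure Boot CAs are in
# KEK / DB / DBX, flag whether the 2011 PCA is revoked, and report which CA signed the
# boot manager actually sitting in the EFI System Partition.
#Requires -RunAsAdministrator

# Subject CNs as they appear inside the DER-encoded X.509 entries of the UEFI variables.
$certs = [ordered]@{
    'Microsoft Windows Production PCA 2011' = 'signs the 2011-era boot manager; revoked when it is in DBX'
    'Microsoft Corporation KEK 2K CA 2023'  = 'KEK: authorises future DB/DBX updates'
    'Windows UEFI CA 2023'                  = 'DB: signs the 2023 Windows boot manager'
    'Microsoft UEFI CA 2023'                = 'DB: signs third-party boot loaders (shim etc.)'
    'Microsoft Option ROM UEFI CA 2023'     = 'DB: signs option ROMs (GPU, NIC firmware)'
}

function Get-UefiVarText {
    param([string]$Name)
    # Get-SecureBootUEFI hands back the raw variable bytes. DER string fields are ASCII,
    # so a Latin-1 decode (code page 28591 works on Windows PowerShell 5.1 and 7) lets us
    # search for the subject CN without parsing the EFI_SIGNATURE_LIST structures.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)
}

function Test-SecureBootCerts {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is OFF: DB/DBX contents are not being enforced right now.'
    }
    $kek = Get-UefiVarText -Name KEK
    $db  = Get-UefiVarText -Name db
    $dbx = Get-UefiVarText -Name dbx

    foreach ($cn in $certs.Keys) {
        $where = @()
        if ($kek.Contains($cn)) { $where += 'KEK' }
        if ($db.Contains($cn))  { $where += 'DB' }
        if ($dbx.Contains($cn)) { $where += 'DBX' }
        $loc = if ($where.Count) { $where -join ',' } else { 'missing' }
        '{0,-40} {1,-10} {2}' -f $cn, $loc, $certs[$cn]
    }

    # The key point: the 2011 PCA may still sit in DB, but a copy in DBX overrides it.
    $pca = 'Microsoft Windows Production PCA 2011'
    if ($dbx.Contains($pca)) {
        "`n$pca is REVOKED (present in DBX); 2011-signed boot managers will not start."
    } elseif ($db.Contains($pca)) {
        "`n$pca is still trusted (in DB, not in DBX)."
    }
}

function Get-BootManagerSigner {
    param([string]$EspLetter = 'S')   # assumption: S: is not in use
    $mounted = $false
    if (-not (Test-Path "${EspLetter}:\")) {
        mountvol "${EspLetter}:" /S | Out-Null   # mount the EFI System Partition
        $mounted = $true
    }
    try {
        $bootmgr = "${EspLetter}:\EFI\Microsoft\Boot\bootmgfw.efi"
        $sig     = Get-AuthenticodeSignature -FilePath $bootmgr
        $issuer  = $sig.SignerCertificate.Issuer
        # The leaf cert's issuer tells you which CA chain the boot manager needs in DB.
        $verdict = if ($issuer -match 'Windows UEFI CA 2023') { 'Allowed (2023-signed)' }
                   elseif ($issuer -match 'Windows Production PCA 2011') { 'BANNED once the 2011 PCA is in DBX' }
                   else { 'unknown signer' }
        [pscustomobject]@{ File = $bootmgr; Issuer = $issuer; Status = $sig.Status; Result = $verdict }
    } finally {
        if ($mounted) { mountvol "${EspLetter}:" /D | Out-Null }
    }
}

Test-SecureBootCerts
Get-BootManagerSigner | Format-List
```

The first function gives the "which certs are present" table the thread keeps asking for (all four 2023 CAs plus whether the 2011 PCA landed in DBX); the second reports the signer of the boot manager the firmware will actually load, which is what decides whether the system still boots after the revocation. Run it before and after applying the update commands referenced above to confirm the change took.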
Ok thanks so DB one is cancelled with dbx one and successfully revoked the Microsoft Windows Production 2011 PCA certificate. What about the BANNED part? I look at others in here and they show allowed. I suppose what I'm saying is does this look OK to you all or is there something left to do?
 

There are several scripts on this thread, some don't get that part quite right. Look for the script titled "Check_Mosby_EFIBootFile.ps1" and you're much more likely to get a correct report.

But also, as I said you're missing three other certs but those two commands I referenced should get them for you too.
 

OK so there is progress :) It now looks like this picture below after your advice...... I can't find a link to the Mosby version (Check_Mosby_EFIBootFile.ps1). The only one I found seemed to have been removed. Does anyone know of one? Until then see below how it looks now.....


2025-10-30_210458.webp
 

OK so this is the output from Check_EFIBootFileUpdated.ps1 and this shows Allowed. I'm going to make bootable media now as per the experiences of others earlier in this thread.

2025-10-30_215907.webp

Caffeine required.....
 

If you need it, definitely make bootable media that uses the 2023 signed boot manager. Nothing with a 2011 signed boot manager will start now that the 2011 certificate is revoked in DBX. There are instructions on doing this in several posts in this thread, even in the Microsoft document.

All the 2023 certs are in place.
 
