Did you manually update your Secure Boot Keys ?

Dirtyflash · Oct 30, 2025

This is what I have so far. Can I leave it as is? It's on a unsupported device.

Buddywh · Oct 30, 2025

Dirtyflash said:
This is what I have so far. Can I leave it as is? It's on a unsupported device.

It still needs the 2023 KEK certificate and to have a 2023 boot manage installed.

secondsight · Oct 31, 2025

Buddywh said:
If you need it, definitely make bootable media that uses the 2023 signed boot manager. Nothing with a 2011 signed boot manager will start now that the 2011 certificate is revokedd in DBX. There are instructions on doing this in several posts in this thread, even in the Microsoft document.

All the 2023 certs are in place.

Sorted....made USB Install Media on the machine with Rufus and latest 252H iso using the new "Use Windows CA 2023 Signed Bootloaders" feature.

I think I'm done now.....

.

gunrunnerjohn · Oct 31, 2025

secondsight said:
Sorted....made USB Install Media on the machine with Rufus and latest 252H iso using the new "Use Windows CA 2023 Signed Bootloaders" feature.

I think I'm done now..... .

View attachment 151074

Looks like you've arrived.

starchase · Nov 1, 2025

On my ASUS tower it now looks like a Windows Update has added some (all?) of the keys I need for the upcoming 2023 certs, in case others are worrying about it:

Code:

PS C:\temp> powershell -nop -ep bypass -f Check_EFIBootFile.ps1
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.
PS C:\temp>

bikemanAMD · Nov 1, 2025

Here is my Results

Could be script error, don't know on the bottom part, but everything else looks to be all good to me

Buddywh · Nov 1, 2025

starchase said:
On my ASUS tower it now looks like a Windows Update has added some (all?) of the keys I need for the upcoming 2023 certs, in case others are worrying about it:

.....

Are you saying Windows did it without your assistance like running commands in Powershell or whatever?

starchase · Nov 1, 2025

Buddywh said:
Are you saying Windows did it without your assistance like running commands in Powershell or whatever?

Yes, that is what I'm saying., except for running the original 2 scripts in the beginning of this thread. On sept 11, 2025 I ran the Check_EFIBootFile.ps1 and this is the result"

Code:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\WINDOWS\system32> cd c:\temp
PS C:\temp> powershell -nop -ep bypass -f Check_EFIBootFile.ps1
Secure Boot: ON                                                                                                         BitLocker on (C:) OFF                                                                                                                                                                                                                           UEFI KEK Certs                                                                                                          --------------
    Microsoft Corporation KEK CA 2011

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Windows UEFI CA 2023

UEFI DBX Certs
--------------

EFI Files
---------
    Disk 0: Boot Manager [Production PCA 2011] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 1
        [Windows UEFI CA 2023] is in UEFI DB.

Bootable Media
--------------
    USB D: "MACRIUMBOOT"
        Boot File [Production PCA 2011] is ALLOWED.
There is no matching image.

PS C:\temp>

Then, for my level of expertise, instructions took turns that lost me so I decided to just wait it out. Out of curiosity I ran the script again and got the code I displayed above. I don't know if is all I need but perhaps Microsoft is on top of things!

Buddywh · Nov 1, 2025

starchase said:
Yes, that is what I'm saying., except for running the original 2 scripts in the beginning of this thread. On sept 11, 2025 I ran the Check_EFIBootFile.ps1 and this is the result"

....

Then, for my level of expertise, instructions took turns that lost me so I decided to just wait it out. Out of curiosity I ran the script again and got the code I displayed above. I don't know if is all I need but perhaps Microsoft is on top of things!

So Microsoft has started the process of actually pushing the certs into firmware.

What you have is all you really "need". But Microsoft will revoke trust in the 2011 certificate at some point in the future. You could do that now but then you'll have to get the new boot manager files onto your Macrium recovery drives too. There's instructions for doing it in several places if it bothers you.

man00 · Nov 2, 2025

So now my older Macrium backups will be worthless ?

Buddywh · Nov 2, 2025

man00 said:
So now my older Macrium backups will be worthless ?

If you have revoked trust in the 2011 certificates you'd have to update your Macrium recovery drives to use the 2023 certificate signed boot manager. There have been some instructions on how to do that posted here.

Macrium may have something on their support web site or on Macrium forums since this is going to be an issue... or raise similar questions at least... for a lot of people. If not, maybe someone should start asking now before it does become an issue for them.

gunrunnerjohn · Nov 2, 2025

man00 said:
So now my older Macrium backups will be worthless ?

Easy to fix USB drives for the 2023 Certs.

@garlin posted a simple script to fix bootable USB drives and install the 2023 cert. Here's the contents, and I've attached the file to the post.

Code:

set /p id=Enter Destination Drive Letter with a colon:
echo %id%
pause

COPY %id%\EFI\MICROSOFT\BOOT\BCD %id%\EFI\MICROSOFT\BOOT\BCD.BAK
pause

bcdboot c:\windows /f UEFI /s %id% /bootex
pause

COPY %id%\EFI\MICROSOFT\BOOT\BCD.BAK %id%\EFI\MICROSOFT\BOOT\BCD
pause

starchase · Nov 2, 2025

@gunrunnerjohn Here is my result below. Anny issues with the BFSVC error shown? USB is on D.

Code:

C:\Users\theislands\Downloads\copy Key to Boot USB>set /p id=Enter Destination Drive Letter with a colon:
Enter Destination Drive Letter with a colon: d:

C:\Users\theislands\Downloads\copy Key to Boot USB>echo d:
d:

C:\Users\theislands\Downloads\copy Key to Boot USB>pause
Press any key to continue . . .

C:\Users\theislands\Downloads\copy Key to Boot USB>COPY d:\EFI\MICROSOFT\BOOT\BCD d:\EFI\MICROSOFT\BOOT\BCD.BAK
        1 file(s) copied.

C:\Users\theislands\Downloads\copy Key to Boot USB>pause
Press any key to continue . . .

C:\Users\theislands\Downloads\copy Key to Boot USB>bcdboot c:\windows /f UEFI /s d: /bootex
BFSVC Error: Could not open the BCD template store. Status = [c0000022]

C:\Users\theislands\Downloads\copy Key to Boot USB>pause
Press any key to continue . . .

C:\Users\theislands\Downloads\copy Key to Boot USB>COPY d:\EFI\MICROSOFT\BOOT\BCD.BAK d:\EFI\MICROSOFT\BOOT\BCD
        1 file(s) copied.

C:\Users\theislands\Downloads\copy Key to Boot USB>pause
Press any key to continue . . .

UPDATE: I ran it again as Administrator and got the desired result:
Bootable Media
--------------
USB D: "MACRIUMBOOT"
Boot File [Windows UEFI CA 2023] is ALLOWED.
There is no matching image.

PS C:\temp>

I tested and it does boot. Thanks.

bikemanAMD · Nov 2, 2025

Ok Made my Windows RE Updated Macirum Reflect Home X Rescue USB

Then used Copy to USB script

and this is the results

Code:

C:\>powershell -nop -ep bypass -f "C:\Check_EFIBootFile.ps1
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------                                                                                    
 Microsoft Corporation KEK CA 2011                                                                                       
Microsoft Corporation KEK 2K CA 2023                                                                                                                                                                                                     
 UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011

EFI Files
---------
    Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

Bootable Media
--------------
    USB G: "RESCUE"
        Boot File [Windows UEFI CA 2023] is ALLOWED

So i should be all set hopefully, hopefully next time i use the Rescue USB if needed, my ethernet adapter doesn't disappear when i reboot back to Normal Windows, like its done 2-3 other times when i used the Macrium Reflect X Rescue USB

TheObsessed · Nov 5, 2025

What's the thing with mine?
And do I need to worry abt the existing 2011 certs?
Why only one but not two 2023 certs?

secondsight · Nov 5, 2025

TheObsessed said:
What's the thing with mine?
And do I need to worry abt the existing 2011 certs?
Why only one but not two 2023 certs?

As I was told earlier...... Look back for a post by @Scott , #1104, for two commands that should get you the missing ones.

666pierog · Nov 10, 2025

Does i have already that keys?

Buddywh · Nov 10, 2025

666pierog said:
Does i have already that keys?
View attachment 152364

Missing the "Microsoft Option ROM UEFI CA 2023" key.

Look back for a post by @Scott , #1104, for two commands that should get you the missing one.

666pierog · Nov 10, 2025

Buddywh said:
Missing the "Microsoft Option ROM UEFI CA 2023" key.

Look back for a post by @Scott , #1104, for two commands that should get you the missi

Buddywh said:
Missing the "Microsoft Option ROM UEFI CA 2023" key.

Look back for a post by @Scott , #1104, for two commands that should get you the missing one.

Already done that but i dont get any update after that

Buddywh · Nov 10, 2025

666pierog said:
Already done that but i dont get any update after that

Did you run them as instructed? The first from a COMMAND window, with admin rights, the second from a PowerShell window also with admin rights. You get a response from the first one but no response from the second, it just returns a prompt.

Another way is to update to the BIOS for your motherboard. The board is new enough Asrock should include the 2023 keys as defaults by now.

Did you manually update your Secure Boot Keys ?

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

Attachments

My Computers

Well-known member

My Computers

Well-known member

My Computers

Member

Attachments

My Computer

Well-known member

My Computer

Member

My Computer

Well-known member

My Computers

Member

My Computer

Well-known member

My Computers

Similar threads