Did you manually update your Secure Boot Keys ?

KevTech · Sep 30, 2025

Almighty1 said:
You still have 9 months, Mosby takes less than 2 minutes flat and you will also learn something at the same time.

I followed MS instructions and it took me maybe 2 minutes max without having to disable or put secure boot into setup mode.
Everything you need can also be found in Microsoft github.

Akeo · Sep 30, 2025

Buddywh said:
should we make a practice of always updating our MOSBY USB should we need to repopulate the secure boot variables

EDIT: Re-read what you said. If you re-populated the variables from the UEFI firmware AND your UEFI firmware does not have the 2023 certs, then yes.

But for anyone reading this, please bear in mind that this is only if you went through the manual step of going into your UEFI firmware and deliberately choosing to restore the UEFI variables from the default ones provided by the manufacturer, which you should only ever do if you have a good reason to.

Buddywh · Sep 30, 2025

Akeo said:
No. Absolutely not.

The only reason to re-run Mosby is if the 2023 KEK expired (so in 2038), or if you need to install Secure Boot variables that are not in the Microsoft/UEFI officially published one at GitHub - microsoft/secureboot_objects: Secure boot objects recommended by Microsoft., because otherwise, your OS can and will have no trouble whatsoever updating your Secure Boot database for you.

Thanks... that answers so many other questions at the same time.

So all I have to do is never Restore Default Keys in the BIOS UEFI settings with my orphaned MoBo's. I know I shouldn't, but I also know mistakes happen.

Akeo · Sep 30, 2025

Shoot you replied before you saw my edit. Please bear in mind that the answer you quoted is wrong if you do the restore default variable in your UEFI firmware. Otherwise, in most cases, there really is no need to re-run Mosby before the KEKs expire... in 2038.

Buddywh · Sep 30, 2025

Akeo said:
... if you do the restore default variable in your UEFI firmware...

LOL... and that's what I am afraid I will do at some point in the future when I have a brain fart!

I was able to infer your second paragraph from the original paragraph which answered other questions too, so no problems.

Akeo · Sep 30, 2025

Buddywh said:
I am afraid I will do at some point in the future

Bear in mind that, if you do that, then it means that you no longer want to use a PK that can't be hacked, but instead are happy with reverting to using a PK that you share with many, many other people, and that could potentially be ex-filtered by bad actors from the manufacturer, whereas the one of the main points of Mosby is to protect you from that.

In short, whenever you choose to restore the keys to their default value, you should bear in mind that you are also indicating that you are happy with letting the manufacturer re-gain complete control of your platform.

KevTech · Sep 30, 2025

I feel it should be pointed out (and may have already been in this thread) that for most people you do not need to worry about revoking the 2011 cert yourself.
Per Microsoft this will happen automatically next year when the enforcement phase begins.

Buddywh · Sep 30, 2025

Akeo said:
Bear in mind that, if you do that, then it means that you no longer want to use a PK that can't be hacked, ....

Thanks very much for bringing my attention to that!

It answers another question I had: whether or not Restore Default Keys ALSO restores PK.

FIREMEDIC2700 · Sep 30, 2025

Just some advice go ahead and make a ca 2023 iso file of your os . and keep it as a backup cause if you enabled svn. and u want to do a clean install it will give you a error and not boot on a ca 2011 iso . i learned that the hard way today . thats why i made 3 iso files for my 3 os i use . if u dont know how to just follw the instructions on post 841 and u will be good to go

Margarita · Sep 30, 2025

Does anyone know if this new ISO version that has become available contains the updated boot files?

How to get the Windows 11 2025 version 25H2 Update

Windows Experience Blog: Windows is essential for more than a billion people to connect, learn, play and work, and today we are announcing the availability of the Windows 11 2025 Update (also known as Windows 11, version 25H2). This year’s annual feature update (version 25H2) will continue the...

www.elevenforum.com

FIREMEDIC2700 · Sep 30, 2025

Margarita said:
Does anyone know if this new ISO version that has become available contains the updated boot files?

How to get the Windows 11 2025 version 25H2 Update

Windows Experience Blog: Windows is essential for more than a billion people to connect, learn, play and work, and today we are announcing the availability of the Windows 11 2025 Update (also known as Windows 11, version 25H2). This year’s annual feature update (version 25H2) will continue the...

www.elevenforum.com

no clue i guess u could do like i did make a iso and use rufus 4.10 and it will give u the option to make it the 2023 iso

Margarita · Sep 30, 2025

FIREMEDIC2700 said:
no clue i guess u could do like i did make a iso and use rufus 4.10 and it will give u the option to make it the 2023 iso

Thanx، I want to avoid using third-party tools, but If there is no other solution, I will use rufus

bikemanAMD · Sep 30, 2025

Except when i tried making 25H2 flash drive with Rufus to make 2023 Compatible, it crashed at the end of creating the USB Drive. During Part adding Customizations

Something about Microsoft Visual CC or something, and had option for Abort, Retry or Ignore.

Will to try again tomorrow with it.

Margarita · Sep 30, 2025

So I tried it on VMware and enabled revocation and added the “Windows Production CA 2011” certificate to the DBX.
The result was that ISO 25H2 refused to run, as if it didn't exist. Works only without revocation the certificate

bikemanAMD · Sep 30, 2025

Well i might be stuck not doing a clean install til after June 2026 lol, unless somehow can get flash drive to work properly with the revoked Windows Production CA 2011. Guess i'll at this point wait and see, and pray i won't need a clean install for a long while

FIREMEDIC2700 · Sep 30, 2025

hmmm . strange my ca 2011 is not revoked but i still used rufus to make the 25h2 iso to ca 2023 . ! think i got my iso for 25h2 from windows central website.

Microsoft's official Windows 11 version 25H2 RTM ISO media is now available — Download all 38 languages here for x64 or Arm64

The next version of Windows 11 is now generally available, and you can download the official offline ISO media for installation onto your computer directly from Microsoft's servers. All the links can be found here!

www.windowscentral.com

Part 2: Creating Windows 11 installation media that works on platforms where PCA 2011 has been revoked.

This task is a lot easier than the previous one. However it requires the use of Rufus v4.10 or later.

In Rufus, select a Windows 11 25H2 ISO (Note that Windows 11 24H2 ISOs will not work on account that Microsoft screwed up compatibility with Windows UEFI CA 2023 in those images. Only the Windows 11 25H2 ISOs are compatible with a Windows UEFI CA 2023 installation).
Click START and, on the Windows User Experience dialog make sure to check the Use 'Windows CA 2023' signed bootloaders option as well as the Remove requirement for 4GB+ RAM, Secure Boot and TPM 2.0 option, as Rufus 4.10 will produce an error otherwise (please note that, contrary to what you might believe, this option will still use TPM and Secure Boot if available as it's simply a "bypass if not present", NOT a "disable if present"), along with any other installer customisation option you wish to enable.
Let Rufus create the media and boot it on the target platform. Because Rufus ensured that the UEFI bootloaders on your media are the Windows UEFI CA 2023 signed ones, instead of the PCA 2011, you will then be able to proceed to a full installation of Windows without having to disable Secure Boot.

Margarita · Sep 30, 2025

I will try replacing the updated bootx64.efi file as I did with Macrium media using the solution provided by @KevTech.

itsme1 · Sep 30, 2025

A quick post before going to sleep.
When Microsoft revokes PCA 2011 in 2026, I think it will release an ISO on the same day, or a few days/weeks later at most, that will only support the 2023 certificate.

Margarita · Sep 30, 2025

bikemanAMD said:
Well i might be stuck not doing a clean install til after June 2026 lol, unless somehow can get flash drive to work properly with the revoked Windows Production CA 2011. Guess i'll at this point wait and see, and pray i won't need a clean install for a long while

I guess disabling Secure Boot until Windows is finished installing would be a last resort, but it will work.

FIREMEDIC2700 · Sep 30, 2025

margarita try that link i posted thats where i downloaded the iso from and it seemed to work . let me try it again and see what happens. but i had checked all the boxes not sure if that would make a diff.

Did you manually update your Secure Boot Keys ?

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computers

Active member

My Computer

Well-known member

My Computers

Well-known member

Part 2: Creating Windows 11 installation media that works on platforms where PCA 2011 has been revoked.​

My Computer

Active member

My Computer

Well-known member

My Computer

Active member

My Computer

Well-known member

My Computer

Similar threads

Part 2: Creating Windows 11 installation media that works on platforms where PCA 2011 has been revoked.