Did you manually update your Secure Boot Keys ?

Sheikh · Oct 15, 2025

Buddywh said:
Doesn't the current default install of Windows 11 REQUIRE secure boot be enabled?

I really don't know since I use the same RUFUS created USB installation drive with all supportability checks disabled to work with my "antique" system; but done that way it will install. I don't really feel RUFUS is risky, it's open-sourced on GIThub and would be called out in a flash if it was. And it uses only Microsoft's source files for building the ISO.

Otherwise, you can build your own ISO but that would indeed be risky if I tried to do it!

Ummm...
My question was something else.

gunrunnerjohn · Oct 15, 2025

Buddywh said:
Doesn't the current default install of Windows 11 REQUIRE secure boot be enabled?by having UEFI/BIOS enabled

I really don't know since I use the same RUFUS created USB installation drive with all supportability checks disabled to work with my "antique" system; but done that way it will install. I don't really feel RUFUS is risky, it's open-sourced on GIThub and would be called out in a flash if it was. And it uses only Microsoft's source files for building the ISO.

Otherwise, you can build your own ISO but that would indeed be risky if I tried to do it!

The current version of Windows doesn't require secure boot being enabled, but it does require the machine support secure boot. It just checks for having UEFI/BIOS enabled.

Buddywh · Oct 15, 2025

Sheikh said:
Ummm...
My question was something else.

Well... the answer would be there is a definite problem doing a "clean install" if not updating the keys IF Windows Setup requires Secure Boot be enabled during an install.

But it seems to be mooted, now, by @gunrunnerjohn 's post! Even so, we don't know what MS will do going forward... but that's the same state I'm in with my antique system running Win11.

And the second part of y our question: even when you get it installed at some point in the future MS will go into an "enforcement" phase and only allow booting with the 2023 CA signed boot files. At that point you'll not be able to turn on Secure Boot... ever... if you have only the 2011 keys. This my understanding based on reading... and trying to comprehend... Microsofts articles on this.

Try3 · Oct 15, 2025

ElevenForumTutorials for Clean installs & In-place upgrades [aka Repair installs] both include steps for bypassing compatibility checks.
Clean Install Windows 11 - ElevenForumTutorials
Repair Install Windows 11 with an In-place Upgrade - ElevenForumTutorials
Upgrade to Windows 11 - ElevenForumTutorials

All the best,
Denis

gunrunnerjohn · Oct 15, 2025

Buddywh said:
Well... the answer would be there is a definite problem doing a "clean install" if not updating the keys IF Windows Setup requires Secure Boot be enabled during an install.

But it seems to be mooted, now, by @gunrunnerjohn 's post! Even so, we don't know what MS will do going forward... but that's the same state I'm in with my antique system running Win11.

And the second part of y our question: even when you get it installed at some point in the future MS will go into an "enforcement" phase and only allow booting with the 2023 keys. At that point you'll not be able to turn on Secure Boot... ever... if you have only the 2011 keys. This my understanding based on reading... and trying to comprehend... Microsofts articles on this.

In 2026, the 2011 keys will no longer work for anyone, they will have expired! So yes, you will need the 2023 keys to enable Secure Boot. My feeling is that Microsoft would "like" to require Secure Boot be turned on next year, but I'm not sure they'll be able to accomplish that if there are a lot of systems that they can't remotely update to prepare for the event.

SlicEnDicE · Oct 15, 2025

Buddywh said:
an "enforcement" phase and only allow booting with the 2023 keys. At that point you'll not be able to turn on Secure Boot... ever... if you have only the 2011 keys.

When that happens and Secureboot must be enabled becomes a hardcoded enforcement (not being able to install Windows anymore on unsupported hardware), I dump Windows and ALL it's software and services in a heartbeat and never look back. Bye bye MS.

Buddywh · Oct 15, 2025

gunrunnerjohn said:
.... My feeling is that Microsoft would "like" to require Secure Boot be turned on next year, but I'm not sure they'll be able to accomplish that if there are a lot of systems that they can't remotely update to prepare for the event.

Do you mean for clean installs? Surely they wouldn't "like" to require it for existing installations, otherwise the numbers of people dropping PC's and Windows will be astronomical. Whether using RUFUS or one of methods linked by @Try3, bypassing supportability/compatibility checks would probably be too techy for most of them otherwise they might have gone to the trouble of updating their keys instead.

gunrunnerjohn · Oct 15, 2025

Buddywh said:
Do you mean for clean installs? Surely they wouldn't "like" to require it for existing installations, otherwise the numbers of people dropping PC's and Windows will be astronomical. Whether using RUFUS or one of methods linked by @Try3, bypassing supportability/compatibility checks would probably be too techy for most of them otherwise they might have gone to the trouble of updating their keys.

Well, it's pretty much all speculation what MSC will or won't require at this point. My sense from all I read is they're trying to get the Windows 11 universe using Secure Boot, but that may be my jaded view of what they're doing.

andyc56 · Oct 15, 2025

gunrunnerjohn said:
In 2026, the 2011 keys will no longer work for anyone, they will have expired!

According to this post by Akeo, it is the revocation of these certificates that will cause them not to work, not their expiration.

Akeo said:
Which means that you booted Debian 13, in 2027, even as you don't have the 2023 certs installed in your Secure Boot database, and even as the Debian bootloader uses certificates that have expired. And this is what you want, because (and this is the important part so I will really emphasise it) AS LONG AS SOMETHING HAS NOT BEEN EXPLICITLY REVOKED, IT WILL NOT STOP WORKING SIMPLY BECAUSE ONE OF THE CERTIFICATE HAS EXPIRED.

SlicEnDicE · Oct 15, 2025

I think not even MS themselves know what they are doing at the moment. Not only in Windows but as a whole, including their business model. One can expect anything from them atm, and most of it is bad for the customers. :ROFLMAO:

Buddywh · Oct 15, 2025

andyc56 said:
According to this post by Akeo, it is the revocation of these certificates that will cause them not to work, not their expiration.

I took @gunrunnerjohn to mean no longer work for signing new secure boot binaries. Which Microsoft will have to do when they are updated, and probably manufacturers of add-in devices for UEFI-aware drivers (GPU's? LAN cards? I'm not really sure about this).

After Oct. of 2026 it's almost a certainty that new ISO's downloaded from Microsoft will be signed with 2023 certificates only, and so require a 2023 key in DB to validate it. The third-party certificate expires in June of '26, so any new UEFI drivers from them will have to be signed with 2023 certs (I don't really know what that means in practical terms, BTW, so that's a bit speculative).

emilioarg · Oct 15, 2025

The 25h2 ISO does not boot on a virtual machine if secure boot is disabled...

gunrunnerjohn · Oct 15, 2025

emilioarg said:
The 25h2 ISO does not boot on a virtual machine if secure boot is disabled...

That's interesting, I hadn't heard that.

andyc56 said:
According to this post by Akeo, it is the revocation of these certificates that will cause them not to work, not their expiration.

And he's certainly the guy that would know, I retract my comment!

Sheikh · Oct 15, 2025

Buddywh said:
Well... the answer would be there is a definite problem doing a "clean install" if not updating the keys IF Windows Setup requires Secure Boot be enabled during an install.

But it seems to be mooted, now, by @gunrunnerjohn 's post! Even so, we don't know what MS will do going forward... but that's the same state I'm in with my antique system running Win11.

And the second part of y our question: even when you get it installed at some point in the future MS will go into an "enforcement" phase and only allow booting with the 2023 CA signed boot files. At that point you'll not be able to turn on Secure Boot... ever... if you have only the 2011 keys. This my understanding based on reading... and trying to comprehend... Microsofts articles on this.

Thanks for the explanation

Sheikh · Oct 15, 2025

As I understand it, when we use a new ISO with old Secure Boot keys in UEFI, the system won’t boot and shows an error. This happens because UEFI checks the keys before booting to ensure one is not loading any malware or unauthorized software.

Currently, Microsoft doesn’t require users to enable Secure Boot to install Windows. So, by disabling Secure Boot, we can proceed with the installation. However, if they eventually mandate Secure Boot enablement, I believe they’ll provide a way for professionals to bypass it easily.

AK6DN · Oct 15, 2025

Sheikh said:
As I understand it, when we use a new ISO with old Secure Boot keys in UEFI, the system won’t boot and shows an error. This happens because UEFI checks the keys before booting to ensure one is not loading any malware or unauthorized software.

Currently, Microsoft doesn’t require users to enable Secure Boot to install Windows. So, by disabling Secure Boot, we can proceed with the installation. However, if they eventually mandate Secure Boot enablement, I believe they’ll provide a way for professionals to bypass it easily.

If you mean by 'use a new ISO' that means booting an ISO with the boot code signed by 2023 certificates, that can only boot if the 2023 certificates have been entered into the system DB database. Whether the older 2011 certificates are in the DB (or not) does not matter in that case.

Also, the expiration of the old 2011 certificates only means they can't be used to sign new software after that date in 2026. As long as that 2011 certificate remains in DB and is not in DBX it will allow software signed with it to boot. They expiration date on the 2011 certificate only means it can't be used to newly sign software after that date in 2026. It specifically does NOT mean that the 2011 certificate 'expires' on that date in 2026 so software signed by it is not bootable.

Come 2026 the 2011 certificate will expire, so Microsoft released the 2023 certificate which must be used to newly sign software starting in 2026. That means the 2023 certificate must be present in the DB to allow booting from software signed with 2023 certificates.

Until the 2011 certificate is entered into the DBX (or deleted from DB I suspect will also work) will software signed with the 2011 certificate refuse to boot.

That is my understanding now from following this thread, reading other online forums about this whole debacle.

Khoaimi · Oct 16, 2025

Buddywh said:
You're ready to start booting Windows with 2023 signed bootfiles, but you do need the KEK certificate and the Microsoft UEFI certificate. Hopefully Microsoft will eventually push them into BIOS for you... or so the experts have been telling us.

But check the manufacturer's support website for your motherboard or system (you didn't fill out your system specs) since the best option is to get an updated BIOS for it which includes all the certificates needed. Updates dated in September of '25 (or later) have a good chance of having them.

If it's un-supported by the manufacturer and Microsoft doesn't push the other certificates into BIOS for you then MOSBY is a very easy to use tool for doing it. Just download RUFUS 4.11 or later to make a bootable USB with UEFI Shell 2.2, then put it into SETUP mode, boot to it and run MOSBY.

My laptop is quite old (since 2020), the last bios update was 2021, I don't think the manufacturer will release a new bios update just to fix this error.
Luckily I read on the forum and manually updated successfully. It seems the problem has been solved.
Thank you for your feedback.

Steve C · Oct 16, 2025

If Microsoft don't figure out how to fix the issue via Windows Update then there are going to be millions of non-bootable PCs leaving the average user clueless what to do and a public relations disaster for Microsoft! I still intend to do nothing and see what happens.

RJARRRPCGP · Oct 16, 2025

ASRock, just this month, has a brand new BIOS for the B550 PG Velocita. It says that it has the new keys, including the KEK.

Stigg · Oct 16, 2025

Did you manually update your Secure Boot Keys ?

Software Developer

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computers

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Member

My Computer

Well-known member

My Computers

Software Developer

My Computers

Software Developer

My Computers

Well-known member

My Computers

Banned

Attachments

My Computer

Well-known member

My Computer

Well-known member

My Computers

Well-known member

My Computers

Similar threads