Macrium Secure boot

man00 · May 13, 2026

I updated my system for the June thing that MS id suppose to do
now my macrium usb rescue disk won't boot. Is it safe to disable secure boot in bios
without screwing up everything and turning it back on when needed. I can not find how to update the rescue disk

PerpetualCycle · May 13, 2026

You can fix your macrium boot drive:

In an Administrator powershell window, mount your system partition and replace the necessary in the macrium boot builder area with the system partitions:

mountvol s: /s
copy s:\EFI\Boot\bootx64.efi C:\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi
copy S:\EFI\Microsoft\Boot\bootmgfw.efi C:\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi

Then rebuild your rescue media in macrium and try it

garlin · May 13, 2026

Instead of copying the files from the EFI partition (mountvol S:), the same files live under "\Windows\Boot\EFI_EX".

You should push files outward from "\Windows\Boot\EFI_EX", instead of pulling them from the EFI. Newer versions of the boot files will be installed by Windows Update under "\Windows\Boot".

Code:

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi C:\boot\macrium\WinREFiles\media\bootmgfw.efi
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi C:\boot\macrium\WinREFiles\media\EFI\Boot\bootx64.efi
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi C:\boot\macrium\WinREFiles\media\EFI\Microsoft\Boot\bootmgfw.efi

glasskuter · May 13, 2026

man00 said:
Is it safe to disable secure boot in bios
without screwing up everything and turning it back on when needed.

To answer your question. Yes it is safe to temporarily disable secure boot in order to boot from Macrium rescue usb.

Per Macrium "In the event that a disaster has occurred meaning that a rescue media restore is needed, we recommend temporarily disabling Secure Boot to enable the system to boot the rescue media and then performing a restore.
reference Managing the Boot Media Signing Certificate for Macrium Reflect Rescue Media

garlin · May 14, 2026

glasskuter said:
Per Macrium "In the event that a disaster has occurred meaning that a rescue media restore is needed, we recommend temporarily disabling Secure Boot to enable the system to boot the rescue media and then performing a restore.
reference Managing the Boot Media Signing Certificate for Macrium Reflect Rescue Media

That's really nice that Macrium X supports the option to pick a version of the Secure Boot files, but unfortunately you don't get that for Macrium v8.

You got to copy files by hand, or use a script.

man00 · May 14, 2026

Thanks folks, got it

glasskuter · May 14, 2026

garlin said:
That's really nice that Macrium X supports the option to pick a version of the Secure Boot files, but unfortunately you don't get that for Macrium v8.

Thanks for the correction. I just assumed he was on X. My bad for assuming.

oreyro · May 14, 2026

The validity period of the PCA 2011 certificate for the Windows Bootloader ends in June-October 2026..
The new UEFI CA 2023 certificate will expire in 2035.…

What is the difference between the old MacriumRescue.iso(PCA 2011) vs the new MacriumRescue.iso(UEFI CA 2023)?
You can check it yourself.
You just need to make MacriumRescue.iso(PCA 2011) and MacriumRescue.iso(UEFI CA 2023) for version 10.0.8750 (or for version 10.0.8731), then unpack the ISO archives and compare all the files of these two archives by checksum.
It will take about 30 minutes.
MacriumRescue.iso should be done on the basis of pe11Dec24x64.zip (WinPE ver. 26100)

A checksum comparison of the unpacked ISO archives v.10.0.8750(PCA 2011) vs 10.0.8750(UEFI CA 2023) shows that these archives differ in files:
MacriumRescue.iso\Boot\efisys_noprompt.bin
MacriumRescue.iso\Boot\efisys_prompt.bin
MacriumRescue.iso\EFI\Boot\bootx64.efi
MacriumRescue.iso\EFI\Microsoft\Boot\bootmgfw.efi
NOTE:
1. For MacriumRescue.iso ver. 10.0.8750(PCA 2011), these files have the old PCA 2011 certificate.
2. For MacriumRescue.iso ver. 10.0.8750(UEFI CA 2023), these files have a new UEFI CA 2023 certificate.
3. The files "efisys_noprompt.bin" and "efisys_prompt.bin" are archives containing the file "bootx64.efi"

How to use these files when creating MacriumRescue.iso ver. 8.0 – 8.1 ?
Unfortunately, pe11Dec24x64.zip was created for Macrium Reflect v10, and it is incompatible with Macrium Reflect ver. 8.0 – 8.1
However, you can try to create MacriumRescue.iso ver. 8.0 – 8.1 based on WinPE ADK 26100

Download and install the Windows ADK

Instructions on how to download and install the Windows ADK

learn.microsoft.com

... and then replace the old BootLoader files (PCA 2011) in them with the corresponding BootLoader files of the new version (UEFI CA 2023) from this Archive:
Macrium_bootloader_PCA2011_CA2023.zip (7,8Mb)
NOTE
The Archive contains files of the old and new versions of the BootLoader from MacriumRescue 10.0.8750 based on pe11Dec24x64.zip

garlin · May 14, 2026

The latest boot files are already provided under "C:\Windows\Boot", if you've updated to the current W11 Monthly Update (April 2026 or later). You don't need to download a ZIP file.

Replace en-US with your local language. ie. de-DE, fr-FR, es-ES

Code:

copy C:\Windows\Boot\DVD_EX\EFI\en-US\efisys_EX.bin E:\Boot\efisys_prompt.bin /y
copy C:\Windows\Boot\DVD_EX\EFI\en-US\efisys_noprompt_EX.bin E:\Boot\efisys_noprompt.bin /y
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi E:\EFI\Boot\bootx64.efi /y
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi E:\EFI\Microsoft\Boot\bootmgfw.efi /y

oreyro · May 15, 2026

garlin said:
You don't need to download a ZIP file.

We create MacriumRescue.iso (BOOT ISO) based on WinPE
Each version of WinPE has its own set of original files of certain versions.
Currently, there is only one version of the "new" BootLoader for WinPE with the UEFI CA2023 certificate - WinPE 10.1.26100.2454 (December 2024) i.e. pe11Dec24x64.zip (official file from Macrium)

This version of WinPE contains this BootLoad kit (UEFI CA2023 certificate) :
bootx64.efi ( "Boot Manager") 10.0.26100.30227
bootmgfw.efi ( "Boot Manager") 10.0.26089.1001
efisys_prompt.bin ("CD bootstrap application") 10.0.26100.1061
efisys_noprompt.bin ("CD bootstrap application") 10.0.26100.1061

If you replace these original files with "newer versions" then you are acting at your own risk.
..We only received problems from the "new" Microsoft update for April 2026...

man00 · May 15, 2026

I revoke this once but for some reason it returned, is it okay to just leave it

Secure Boot: ON
Virtualization Based Security: OFF
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
Microsoft Corporation KEK CA 2011
Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
Microsoft Corporation UEFI CA 2011
Microsoft Windows Production PCA 2011
Microsoft Option ROM UEFI CA 2023
Microsoft UEFI CA 2023
Windows UEFI CA 2023

UEFI DBX Certs
--------------
Microsoft Windows Production PCA 2011
Windows BootMgr SVN 7.0

EFI Files
---------
Disk 3: Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.

Registry: WindowsUEFICA2023Capable = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

REQUIRED ACTION
===============

To revoke the [PCA 2011] cert, run the commands, run the commands:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x200 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

oreyro · May 16, 2026

man00 said:
I revoke this once but for some reason it returned, is it okay to just leave it

If you don't know what to do, then don't do anything.

... For testing, I made the Free version of Macrium 8.0.7175 based on ADK WinPE 10.1.26100.2454 .. and then replaced the bootloaders with the UEFI CA2023
I did not install Secure Boot, so this version is untested.
If you want, you can check this MacriumRescue.iso at your own risk.
MR_Free_8_0_7175_pe11_26100_UEFI_CA2023_x64_en.zip (383Mb)

man00 · May 16, 2026

Thanks my MacriumRescue works fine I just noticed I made this post in the wrong place....Sorry

oreyro · May 16, 2026

man00 said:
Thanks my MacriumRescue works fine I just noticed I made this post in the wrong place

Thanks for checking it out. It's hard to be the first.

Did you probably make a Backup, but didn't make a Recovery?
The final conclusion can be made only after a full check, in the "total System crash" mode, i.e., on a TEST disk.:
WARNING:
if you've never done a "Total System Crash", then do it only on the TEST disk!
Do not do a "Total System Crash" on your laptop, as you may lose your factory copy of Windows!
1. Backup all Windows partitions
100Mb(Active Service Partition)
16Mb(Service Partition)
40-100Gb(Windows File, Data, and Programs section)
500Mb(Service Recovery Partition)
Save the backup to disk D (or E, F, etc.)
2. Run the Windows 11 installation from a Windows bootable flash drive, and delete all four Windows partitions during the dialog.
Then abort the Windows installation and turn off the computer.
3. Download from a USB flash drive MacriumRescue.iso (UEFI CA2023) and restore Backup(item 1)

Macrium Secure boot

Well-known member

​

My Computer

Syzygy

My Computers

Well-known member

My Computer

aka Mama Glass

My Computers

Well-known member

My Computer

Well-known member

My Computer

aka Mama Glass

My Computers

New member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

New member

My Computer

Well-known member

My Computer

New member

My Computer

Similar threads