Solved Secure Boot question

garlin · Dec 2, 2025

If you never updated the 24H2 or 25H2 ISO's, or even want to install 21H2... you can always temporarily disable Secure Boot to boot from the DVD or USB device. Secure Boot is never required to install Windows. It's recommended that you enable it, whenever possible.

In fact, before Rufus acquired a MS-signed boot file, Paul Batard used to argue with users and tell them to disable Secure Boot if their BIOS was incompatible with Rufus. And he would say turn Secure Boot on after Windows was installed.

That will still work next year.

pseymour · Dec 2, 2025

Scott said:
I found a shortcut for that today. New feature?

Not new, but it used to be under the developer options.

View attachment 155351

Scott · Dec 2, 2025

XxXxX said:
but also means i can re-install Windows 11 24H2 and/or 25H2

You can build ISO's with the new cert through UUP dump, which pulls all the pieces from the MS servers.

XxXxX · Dec 2, 2025

i wonder how many people are able or willing to do all of that when all that is needed is to leave the 2011 cert in place
until MS sort it out as the 2011 cert has been in place for the last 15 years another few months is not going to cause any major issues.

but the 2023 cert can be used as default while the 2011 cert is still in place.
best of luck Steve ..

Scramjet · Dec 3, 2025

I was about to do part B and I thought about the Registry was still showing "inprogress" after I done it yesterday. After reading these posts just now, I did run the commands with the script and seen that cert 2023 was ALLOWED. So I checked the registry and it is now showing UPDATED. So I don't think I need to do anything further.
Greatly appreciate all your guidance though this matter.

Cheers

Thierry 83200 · Dec 3, 2025

For me, it's okay.

Scramjet · Dec 3, 2025

I decided to try same thing on my new ASUS Vivobook. Secure Boot is already enabled so I ran the upgrade to get cert 2023. All went well but after the 2 reboots the registry is still showing IEFICA2023Status as "NotStarted".
Should I wait for that to change to "inprogress" before I proceed to Part B ?

cheers

XxXxX · Dec 3, 2025

Scramjet said:
I decided to try same thing on my new ASUS Vivobook. Secure Boot is already enabled so I ran the upgrade to get cert 2023. All went well but after the 2 reboots the registry is still showing IEFICA2023Status as "NotStarted".
Should I wait for that to change to "inprogress" before I proceed to Part B ?

cheers

repeat part A please
leave about 5 minutes between the two restarts for part A.

after the second restart check the registry
then check with this PowerShell command

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match "Windows UEFI CA 2023"

if the output comes back as 'True'
then proceed with part B.

best of luck Steve ..

Scramjet · Dec 3, 2025

XxXxX said:
repeat part A please
leave about 5 minutes between the two restarts for part A.

after the second restart check the registry
then check with this PowerShell command

if the output comes back as 'True'
then proceed with part B.

best of luck Steve ..

Thanks for the reply. I will do that and report back

Scramjet · Dec 3, 2025

I done part A and rebooted twice within 5 minutes and checked to see if 2023 cert was available and it came back "true".
I opened regedit and the servicing is still showing NotStarted. WindowsUEFICA2023Capable 0x000001 (1)

Even if it is not started, should I proceed with Part B?

XxXxX · Dec 3, 2025

Scramjet said:
I done part A and rebooted twice within 5 minutes and checked to see if 2023 cert was available and it came back "true".
I opened regedit and the servicing is still showing NotStarted. WindowsUEFICA2023Capable 0x000001 (1)

Even if it is not started, should I proceed with Part B?

if the PowerShell CMD comes back 'true'
then please proceed to part B.

after restarting check the registry for this.

best of luck Steve ..

Scramjet · Dec 3, 2025

XxXxX said:
if the PowerShell CMD comes back 'true'
then please proceed to part B.

after restarting check the registry for this.
View attachment 155407

best of luck Steve ..

Thanks for the reply. The registry is showing InProgress just like it did on this system. I will wait for it to change to Updated.
Greatly appreciate all the help. I will post again when it is Updated and is showing as ALLOWED.

Cheers

Scramjet · Dec 3, 2025

Updated on the VivoBook. I now have 2023 certificates on 2 of my systems. I may try the Z270 system tomorrow.

Thanks again for all the help and guidance.

cheers

Solved Secure Boot question

Well-known member

My Computer

putting the mental back in experimental

My Computer

Well-known member

My Computers

Just a Computer User

My Computers

Well-known member

My Computer

Active member

Attachments

My Computer

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Well-known member

My Computer

Just a Computer User

My Computers

Well-known member

My Computer

Well-known member

My Computer

Similar threads