Updating Windows bootable media to use the PCA2023 signed boot manager



KB ID: 5053484



Introduction

The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the “Windows UEFI CA 2023” certificate. This certificate is described in KB5025885: How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932.

How to get the PowerShell script

Download the Make2023BootableMedia.ps1 PowerShell script now

Description

The Make2023BootableMedia.ps1 PowerShell script updates boot manager support on Windows media to the boot manager signed by the new “Windows UEFI CA 2023” certificate. The input and output can be bootable media of the following types:

  • ISO CD/DVD image file,
  • USB flash drive,
  • a local drive path, or
  • a network drive path.
The latest Windows Assessment and Deployment Kit (Windows ADK) can be found on the Download and install the Windows ADK page and is necessary for this script to work properly.

Notes

  • The Make2023BootableMedia.ps1 script should be run from an elevated PowerShell prompt.
  • You must provide the script with a media source (-MediaPath) which has the latest servicing updates applied.

Syntax

Make2023BootableMedia.ps1
    [-MediaPath <path>]
    [-TargetType <type>]
    [-ISOPath <path>]
    [-USBDrive <drive:>]
    [-FileSystem <type>]
    [-NewMediaPath <path>]
    [-StagingDir <path>]

Parameters

-MediaPath <path>: The path to the media folder or ISO file to be used as baseline. The media folder can be a local drive path or a network share.
-TargetType <type>: The type of media to be created (ISO, USB, or LOCAL).
  • ISO: Convert media specified in -MediaPath to 2023 bootable ISO file. Targets -ISOPath.
  • USB: Convert media specified in -MediaPath to 2023 bootable image and write it to -USBDrive.
  • LOCAL: Convert media specified in -MediaPath to 2023 bootable image copied to -NewMediaPath.
-ISOPath <path>: The path to the new ISO file to be created from -MediaPath.
-USBDrive <drive:>: The drive letter to a target USB drive (example E:).
-FileSystem <type>: This parameter is optional. It allows specifying the file system to format the USB drive with (FAT32 or ExFAT). The default is ExFAT.
-NewMediaPath <path>: Required when TargetType is LOCAL. -MediaPath content is duplicated here and then updated.
-StagingDir <path>: Overrides default temporary staging path used by this script. System %TEMP% is used by default with a random subfolder.

Example commands

Example 1: Copy baseline media directory, update, and create ISO

Make2023BootableMedia.ps1 -MediaPath C:\Media\Win10Media -TargetType ISO -ISOPath C:\Media\Win10_Updated.iso

Example 2: Copy baseline media ISO, update, and create ISO

Make2023BootableMedia.ps1 -MediaPath C:\Media\Win11.iso -TargetType ISO -ISOPath C:\Media\Win11_Updated.iso

Example 3: Copy baseline media share, update, and create ISO

Make2023BootableMedia.ps1 -MediaPath \\server\share\Win11_Media -TargetType ISO -ISOPath C:\Media\Win11_Updated.iso

Example 4: Copy baseline ISO from share, update, and create ISO

Make2023BootableMedia.ps1 -MediaPath \\server\share\Win11.iso -TargetType ISO -ISOPath C:\Media\Win11_Updated.iso

Example 5: Copy baseline from media directory, update, and create USB flash drive

Make2023BootableMedia.ps1 -MediaPath C:\Media\Win1124H2 -TargetType USB -USBDrive H:

Example 6: Copy baseline from ISO, update, and create USB flash drive

Make2023BootableMedia.ps1 -MediaPath C:\Media\Win11.iso -TargetType USB -USBDrive E:

Example 7: Copy baseline from media directory, update, and create new media directory

Make2023BootableMedia.ps1 -MediaPath C:\Media\Win1124H2 -TargetType LOCAL -NewMediaPath C:\Media\Win1124H2_Updated

Example 8: Copy baseline from ISO, update, and create new media directory

Make2023BootableMedia.ps1 -MediaPath H:\Media\Win11.iso -TargetType LOCAL -NewMediaPath R:\Win11_Updated

Example 9: Copy baseline from media directory, update, and create ISO using specified staging directory

Make2023BootableMedia.ps1 -MediaPath C:\Media\Win1124H2 -TargetType ISO -ISOPath C:\Media\Win1124H2_Updated.iso -StagingDir C:\Temp\Win1124H2
 
This is the newly updated fix for boot media if you have applied the BlackLotus mitigation update. This updates your installed boot media (flash drive with Windows on it). This is a lot easier than the previous directions. We are getting closer to this being patched for all machines with a simple Windows update.

For more details, use the linked article.
 

I'll save everyone the trouble of scrolling down to the punch line....
Code:
Copy-Item -Path $ex_bins_path"\bootmgr_EX.efi" -Destination $Temp_Media_To_Update_Path"\bootmgr.efi"
Copy-Item -Path $ex_bins_path"\bootmgfw_EX.efi" -Destination $Temp_Media_To_Update_Path"\efi\boot\bootx64.efi"
Copy-Item -Path $ex_dvd_path"\EFI\en-US\efisys_EX.bin" -Destination $Temp_Media_To_Update_Path"\efi\microsoft\boot\efisys_ex.bin"
Copy-Item -Path $ex_fonts_path"\*" -Destination $Temp_Media_To_Update_Path"\efi\microsoft\boot\fonts_ex\"
Copy-Item -Path $Temp_Media_To_Update_Path"\efi\microsoft\boot\fonts_ex\*" -Destination $Temp_Media_To_Update_Path"\efi\microsoft\boot\fonts"

PS. Dear MS, how about a script to validate whether an existing bootfile passes the test or not?
 

Do I copy the bootmgfw_2023.efi to my boot drive to update it or not?
 

Thanks and I was curious about that.
 

Make sure bootmgfw_2023.efi is copied from a folder named EFI_EX.

The "EFI_EX" version is CA 2023, and the "EFI" version is CA 2011.
 

What do I do with the Boot..efi file: do I delete it or leave it? Is that in the Windows folder?
 

CA 2023:
Code:
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi H:\EFI\boot\bootx64.efi

CA 2011 (if you need to revert):
Code:
copy C:\Windows\Boot\EFI\bootmgfw.efi H:\EFI\boot\bootx64.efi
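
A check of the kind asked for earlier in the thread, as an added example that is not part of the original posts or of Microsoft's script: it reads the Authenticode signer of each boot manager file and reports whether the signing certificate was issued by "Windows UEFI CA 2023" or by the 2011 CA. The function name Get-BootManagerCA is hypothetical, the 2011 issuer name "Microsoft Windows Production PCA 2011" is not stated on this page, and the file paths are the ones used in the copy commands above.

```powershell
# Added example; not part of KB5053484 or Make2023BootableMedia.ps1.
# Get-BootManagerCA is a hypothetical helper name.
function Get-BootManagerCA {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Path
    )
    process {
        foreach ($p in $Path) {
            if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
                [pscustomobject]@{ Path = $p; CA = 'Missing'; Status = $null; Issuer = $null; SHA256 = $null }
                continue
            }
            # Read the embedded Authenticode signature of the PE/EFI image.
            $sig    = Get-AuthenticodeSignature -LiteralPath $p
            $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { $null }

            # Classify by the issuer of the signing certificate.
            $ca = if (-not $issuer) { 'Unsigned' }
                  elseif ($issuer -like '*CN=Windows UEFI CA 2023*') { 'CA 2023' }
                  elseif ($issuer -like '*CN=Microsoft Windows Production PCA 2011*') { 'CA 2011' }
                  else { 'Other' }

            [pscustomobject]@{
                Path   = $p
                CA     = $ca
                Status = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                Issuer = $issuer
                SHA256 = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
            }
        }
    }
}

# Paths taken from the copy commands in the thread; adjust the drive letter.
$files = 'H:\EFI\boot\bootx64.efi',
         'C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi',
         'C:\Windows\Boot\EFI\bootmgfw.efi'
$report = $files | Get-BootManagerCA
$report | Format-List Path, CA, Status, Issuer, SHA256

# Flag media whose boot manager is not the CA 2023 build with a valid signature.
$media = $report | Where-Object Path -eq $files[0]
if ($media.CA -ne 'CA 2023' -or $media.Status -ne 'Valid') {
    Write-Warning "$($media.Path): CA=$($media.CA), Status=$($media.Status)"
}
```

The issuer only identifies which CA signed the file; whether a given machine boots it still depends on that machine's firmware trusting the matching certificate.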
 

Thanks. Do I need to delete that Boot.efi file or not?
 
Copying over it replaces the current file. There's nothing more to do.
 

Thank you for your help. :-)
 
