New Secure Boot certificates and ISOs
Posted by godless_prayer@reddit | sysadmin | 8 comments
Hi!
Maybe it's a dumb question, but do you handle the new Secure Boot certificate stuff with regard to the ISOs? I downloaded ISOs for Windows 11 and Server 2025 and there were still only the old CA 2011 certificates on those. Will there be newer ones in the near future? They won't boot in June 2026, or am I in the wrong here?
MeetJoan@reddit
You're not wrong to check, but the situation is less alarming than it sounds. Your existing ISOs will keep booting on current hardware after June - certificate expiration doesn't invalidate existing signatures, it just means Microsoft can no longer issue new binaries under the 2011 chain going forward.
The real issue is twofold: new hardware shipping in 2025-2026 may only have the 2023 CA in firmware, so older ISOs won't boot on those with Secure Boot enabled. And if Microsoft ever enforces the DBX revocation (adding the old PCA 2011 to the forbidden list), pre-2024 ISOs, WinPE images, and recovery USBs break with a 0xC0000428 error. They've been very slow to pull that trigger though.
For updated ISOs, Microsoft's 25H2 media is dual-signed and works on both old and new firmware. For existing media you want to update, there's a Make2023BootableMedia.ps1 script from Microsoft that re-signs your WIM files with the newer cert. Worth doing for any deployment or recovery media you rely on before the deadline.
The bigger priority for most orgs right now is getting WindowsUEFICA2023Capable = 2 on existing endpoints - that's the reliable indicator that a device has actually transitioned to the new chain, not just received the certificate.
LupusYps@reddit
I know I am hijacking the post, but do you have any insights into what could cause the key you mentioned to stay "0" while the value of "UEFICA2023Status" is "Updated"? Mostly Hyper-V VMs, Secure Boot is enabled.
Obi_Wan_Hair@reddit
Correct me if I’m wrong but that would say the work has been successful.
LupusYps@reddit
Afaik the first key (...Capable) is the one telling you that the machine is using the new certs to boot if it is set to 2. The second key (...Status) is only focused on the new certs existing in the bios, not on them being used.
jeefAD@reddit
According to:
https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
For UEFICA2023Status:
"Initially the status is NotStarted. It changes to InProgress once the update begins, and finally to Updated when all new keys and the new boot manager have been deployed. If there is an error, then the UEFICA2023Error registry value is set to a non-zero code."
Suggests "Updated" signifies all new keys AND boot manager have been deployed. So yeah, does deployed also mean starting from?
The article does say re: WindowsUEFICA2023Capable: "For reference only – do not use this key when getting status on Secure Boot updates. Use the UEFICA2023Status key instead."
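A quick way to see both registry values together with what the firmware actually holds, as an added example that is not from the thread or from Microsoft. The key names are the ones quoted above; the servicing registry path and the CA subject strings are assumptions taken from Microsoft's Secure Boot servicing guidance.

```powershell
# Added example: report a Windows endpoint's 2023 CA transition state.
# Assumed path (not in the thread): the Secure Boot servicing registry key.
#Requires -RunAsAdministrator
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Get-SecureBoot2023State {
    $result = [ordered]@{}

    # 1. Is Secure Boot on at all? Confirm-SecureBootUEFI throws on BIOS/CSM systems.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false }

    # 2. Servicing state from the registry. Status tracks deployment of keys and
    #    boot manager; Capable = 2 is the value the thread treats as "actually
    #    booting via the 2023 chain".
    $reg = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    $result.UEFICA2023Status         = $reg.UEFICA2023Status
    $result.UEFICA2023Error          = $reg.UEFICA2023Error
    $result.WindowsUEFICA2023Capable = $reg.WindowsUEFICA2023Capable

    # 3. Firmware variables: does db carry the 2023 CA, and is PCA 2011 in dbx?
    #    Certificate subjects sit as ASCII inside the DER blobs, so a text match works.
    foreach ($var in 'db', 'dbx') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var).Bytes
            $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
            $result["${var}_HasWindowsUEFICA2023"] = [bool]($text -match 'Windows UEFI CA 2023')
            $result["${var}_HasPCA2011"]           = [bool]($text -match 'Microsoft Windows Production PCA 2011')
        } catch {
            $result["${var}_ReadError"] = $_.Exception.Message
        }
    }
    [pscustomobject]$result
}

$state = Get-SecureBoot2023State
$state | Format-List

# Interpretation as discussed in the thread: Status = 'Updated' means the new keys and
# boot manager were deployed; only Capable = 2 means the device booted with them.
# On a Hyper-V guest the firmware variables come from the host, so a guest can show
# Updated while the host side still needs updating.
if ($state.UEFICA2023Status -eq 'Updated' -and $state.WindowsUEFICA2023Capable -ne 2) {
    Write-Warning 'Keys deployed but 2023 boot manager not yet in use; for VMs, check the host.'
}
if ($state.dbx_HasPCA2011 -and -not $state.db_HasWindowsUEFICA2023) {
    Write-Warning 'PCA 2011 is revoked but the 2023 CA is absent: 2011-signed media will not boot here.'
}
```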
oo11xa@reddit
Updated on your VM but not updated on the host.
LupusYps@reddit
That's a good point, thanks! I will check on that.
Smart-Definition-651@reddit
Download the Make2023BootableMedia.ps1 script here:
https://support.microsoft.com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f
https://go.microsoft.com/fwlink/?linkid=2312820
I had to edit the original script, as I got an error (which was not the case with earlier scripts) concerning TS (timestamp) with oscdimg:
While using Notepad I removed the following lines:
49, 50, 956 and 957 (Function TS = TimeStamp)
In line 959, in the Run command, I only removed "-t$timestamp "
And now it works.
Since I had already added Microsoft Windows Production PCA 2011 to the dbx, I desperately needed to turn my downloaded install ISO into a CA 2023 ISO to install Windows 11 25H2.