Windows 11 Double-checking updated Microsoft Secure Boot keys

Question

Hi,

In https://techcommunity.microsoft.com/blog/windows-itpro-blog/updating-microsoft-secure-boot-keys/4055324 there is a recipe containing three steps for the Microsoft Secure Boot keys update process:
Step 1) Install the updated certificate definitions to the DB
Step 2) Update the Boot Manager on your device
Step 3) Enable recovation

Before proceeding step 3 'enable revocation', I want to be 100% sure, that the system has been updated properly because the documentation might not double-check all possible permutations.

Who can help me with this? The following contains information, check of certificates on ESP, on system partition and on recovery partition, and questions.

Check of certificates on ESP
First, in Step 2, the check of the certificate of "EFI\Microsoft\Boot\bootmgfw.efi" on ESP was successful, because it shows the 'Windows UEFI CA 2023' certificate as issuer.

mountvol s: /S
$cert = Get-PfxCertificate -FilePath "S:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
$cert.GetExpirationDateString()
20.08.2025 21:30:17
mountvol s: /D  

The other files on ESP seems okay as well. One question is the BOOT.SDI file:

Question 1: Why it is asking for a password, when processing the get-pfxcertificate?

mountvol s: /S
# BOOT.SDI has a password?
$cert = Get-PfxCertificate -FilePath "S:\BOOT\BOOT.SDI"
Enter password:

# s:\EFI\Microsoft\Boot\bootmgfw.efi
$cert = Get-PfxCertificate -FilePath "s:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

$cert = Get-PfxCertificate -FilePath "s:\EFI\Microsoft\Boot\bootmgr.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

$cert = Get-PfxCertificate -FilePath "s:\EFI\Microsoft\Boot\SecureBootRecovery.efi"
$cert.Issuer
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
mountvol s: /D  

The Windows 11 installation is on a Laptop with two disks 0 and 1.

diskpart > list disk

  Datenträger ###  Status         Größe    Frei     Dyn  GPT
  ---------------  -------------  -------  -------  ---  ---
  Datenträger 0    Online          953 GB   953 GB        *
  Datenträger 1    Online         3726 GB      0 B        *

Windows11 is installed on disk 1.

diskpart > list partition
  Volume ###  Bst  Bezeichnung  DS     Typ         Größe    Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     C   Windows-SSD  NTFS   Partition   3723 GB  Fehlerfre  Startpar
  Volume 1         SYSTEM_DRV   FAT32  Partition    260 MB  Fehlerfre  System
  Volume 2         WINRE_DRV    NTFS   Partition   2047 MB  Fehlerfre  Versteck

The UEFI partition is on disk 1 partition 2.

$UEFIPartitionsArray = @()
$diskCount = (Get-Disk).Count
for ($i = 0; $i -lt $diskCount; $i=$i+1) {
	$partitions = Get-Partition -DiskNumber $i -ErrorAction SilentlyContinue
        if ($partitions) {
		$partitionCount = ($partitions).Count
		for ($j = 0; $j -lt $partitionCount; $j=$j+1) {
			$partition = $partitions[$j].GptType
			if ($partition -imatch 'EBD0A0A2-B9E5-4433-87C0-68B6B72699C7') {$UEFIPartitionsArray += "$i,$j"}
		}
        }
}
Write-Output $UEFIPartitionsArray
1,2

BCD output shows Windows Start Manager is on C:

bcdedit /enum

Windows-Start-Manager
---------------------
Bezeichner              {bootmgr}
device                  partition=C:
path                    \EFI\Microsoft\Boot\bootmgfw.efi
description             Windows Boot Manager
locale                  en-us
inherit                 {globalsettings}
isolatedcontext         Yes
default                 {current}
resumeobject            {eaa42b36-d5fa-11ef-8d61-b73d7aac6eb7}
displayorder            {current}
                        {73cf08be-8d26-11ef-b186-00d49e89c870}
toolsdisplayorder       {memdiag}
timeout                 0
displaybootmenu         No

Windows-Startladeprogramm
-------------------------
Bezeichner              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 11
locale                  en-us
inherit                 {bootloadersettings}
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {eaa42b36-d5fa-11ef-8d61-b73d7aac6eb7}
nx                      OptIn
bootmenupolicy          Standard

Windows-Startladeprogramm
-------------------------
Bezeichner              {73cf08be-8d26-11ef-b186-00d49e89c870}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 11
locale                  de-DE
inherit                 {bootloadersettings}
recoverysequence        {73cf08c0-8d26-11ef-b186-00d49e89c870}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {73cf08bd-8d26-11ef-b186-00d49e89c870}
nx                      OptIn
bootmenupolicy          Standard
hypervisorlaunchtype    Auto

Disk 1 contains the UEFI partition. As double check, yes, it's the 2023 certificate.

# Check certificate of bootx64.efi on uefi partition
Set-Partition -DiskNumber 1 -PartitionNumber 1 -NewDriveLetter Z
$cert = Get-PfxCertificate -FilePath "Z:\EFI\Boot\bootx64.efi"
$cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
$cert.GetExpirationDateString()
20.08.2025 21:30:17
Remove-PartitionAccessPath -DiskNumber 1 -PartitionNumber 1 -AccessPath "Z:"

Check of certificates on system partition

Question2: On the system partition C: why are the boot executables signed with the 'Microsoft Windows Production PCA 2011' only and not with a 2023 certificate? How can it be changed manually?

# Check certificate of "c:\EFI\Microsoft\Boot\bootmgfw.efi" on system partition
$cert = Get-PfxCertificate -FilePath "c:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
# CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert.GetExpirationDateString()
# 11.09.2025 22:04:06

# Check certificate of recovery app "C:\windows\boot\efi\securebootrecovery.efi" on system partition
$cert = Get-PfxCertificate -FilePath "C:\windows\boot\efi\securebootrecovery.efi"
$cert.issuer
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert.getexpirationdatestring()
11.09.2025 22:04:06

Check of certificates on recovery partition

Question3: Disk 1 contains a recovery partition. Why are the relevant boot executables signed with the 'Microsoft Windows Production PCA 2011' only and not with a 2023 certificate? How can it be changed manually?

# Check certificate of winre.wim on recovery partition
Set-Partition -DiskNumber 1 -PartitionNumber 4 -NewDriveLetter Z
# cd z:
# get-childitem -force
$cert = Get-PfxCertificate -FilePath "Z:\Recovery\WindowsRE\winre.wim"
CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert.Issuer
$cert.getexpirationdatestring()
21.06.2027 19:43:35
Remove-PartitionAccessPath -DiskNumber 1 -PartitionNumber 4 -AccessPath "Z:"

Question 4: Actually creating a recovery drive on usb media fails with "Cannot create a recovery drive on this PC". How to fix?

reagentc /info
Konfigurationsinformationen zur Windows-Wiederherstellungsumgebung (WinRE) und
zur Systemwiederherstellung:

    WinRE-Status:                          Disabled
    WinRE-Ort:
    Startkonfigurationsdaten-ID:           73cf08c0-8d26-11ef-b186-00d49e89c870
    Ort des Wiederherstellungsimages:
    Index des Wiederherstellungsimages:    0
    Ort des benutzerdefinierten Images:
    Index des benutzerdefinierten Images:  0

REAGENTC.EXE: Vorgang erfolgreich.

The following Get-SecureBootUEFI bit output indicates that there are 8 Microsoft certificates actually. (There are Laptop vendor certificates in addition). The detection method simply looks for the first 52 characters. The visualization of the string isn't optimal, but sufficient.

# Get the Secure Boot UEFI database as a string
$secureBootDB = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes)

# Define the substring to search for
$substring = "Microsoft"

# Initialize an array to store the results
$results = @()

# Find all occurrences of the substring and extract the following 20 characters
$position = 0
while ($position -ne -1) {
    $position = $secureBootDB.IndexOf($substring, $position)
    if ($position -ne -1) {
        $start = $position
        $length = 52
        $result = $secureBootDB.Substring($start, [math]::Min($length, $secureBootDB.Length - $start))
        if ($result -ilike '*Microsoft Corporation*') {
            $results += $result
        }
        $position += $substring.Length
    }
}

# Display the results
$results
Microsoft Corporation1200U)Microsoft Root Certi
Microsoft Corporation1.0,U%Microsoft Windows Pr
Microsoft Corporation1;09U2Microsoft Corporatio
Microsoft Corporation Third Party Marketplace Root0
Microsoft Corporation1+0)U"Microsoft Corporatio
Microsof*?H??poration UEFI CA 20110?"0
Microsoft Corporation1200U)Microsoft Root Certi
Microsoft Corporation10Windows UEFI CA 2023

Question 5: With Step 3 'enable revocation' will the 'Microsof*?H??poration UEFI CA 2011' entry be removed as well or must it be removed manually? How?

I've checked Microsoft ISO builds

• https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewiso
  Windows 11 Client Insider Preview - Build 27774 English 64bit: Windows11_InsiderPreview_Client_x64_en-us_27774.iso
  For instance, \efi\boot\bootx64.efi is signed with CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` only.
• The windows iso created by the Media creation tool https://go.microsoft.com/fwlink/?linkid=2156295 - it does not contain UEFI 2023 CA signed boot loader bits as well.

Answer 1

I was able to achieve an improvement for question 4) Actually creating a recovery drive on usb media fails with "Cannot create a recovery drive on this PC".

Actually, the recovery bits are not signed with UEFI CA 2023. Beside that, the recovery partition seems okay, but it isn't assigned anymore. This can be changed by specifying disk and partition. In my case it's disk 1 and partition 4: reagentc /setreimage /path \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE.

reagentc /info
Konfigurationsinformationen zur Windows-Wiederherstellungsumgebung (WinRE) und
zur Systemwiederherstellung:

    WinRE-Status:                          Disabled
    WinRE-Ort:
    Startkonfigurationsdaten-ID:           73cf08c0-8d26-11ef-b186-00d49e89c870
    Ort des Wiederherstellungsimages:
    Index des Wiederherstellungsimages:    0
    Ort des benutzerdefinierten Images:
    Index des benutzerdefinierten Images:  0

REAGENTC.EXE: Vorgang erfolgreich.

PS C:\Windows\System32> reagentc /enable
REAGENTC.EXE: Das Windows RE-Image wurde nicht gefunden.

PS C:\Windows\System32> reagentc /setreimage /path \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE
Verzeichnis festgelegt auf: \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE

REAGENTC.EXE: Vorgang erfolgreich.

PS C:\Windows\System32> reagentc /info
Konfigurationsinformationen zur Windows-Wiederherstellungsumgebung (WinRE) und
zur Systemwiederherstellung:

    WinRE-Status:                          Disabled
    WinRE-Ort:
    Startkonfigurationsdaten-ID:           73cf08c0-8d26-11ef-b186-00d49e89c870
    Ort des Wiederherstellungsimages:
    Index des Wiederherstellungsimages:    0
    Ort des benutzerdefinierten Images:
    Index des benutzerdefinierten Images:  0

REAGENTC.EXE: Vorgang erfolgreich.

PS C:\Windows\System32> reagentc /enable
REAGENTC.EXE: Vorgang erfolgreich.

PS C:\Windows\System32> reagentc /info
Konfigurationsinformationen zur Windows-Wiederherstellungsumgebung (WinRE) und
zur Systemwiederherstellung:

    WinRE-Status:                          Enabled
    WinRE-Ort:                             \\?\GLOBALROOT\device\harddisk1\partition4\Recovery\WindowsRE
    Startkonfigurationsdaten-ID:           256ff03d-e333-11ef-b243-00d49e89c870
    Ort des Wiederherstellungsimages:
    Index des Wiederherstellungsimages:    0
    Ort des benutzerdefinierten Images:
    Index des benutzerdefinierten Images:  0

REAGENTC.EXE: Vorgang erfolgreich.

With this manual step, RecoveryDrive.exe does not fail anymore. The possibility is back to create an usb recovery media.

Februar 5th 2025:
In https://support.microsoft.com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f there is a script which creates a 'Windows UEFI CA 2023'-updated Windows 11 media. It needs to be downloaded together with the latest ADK. ADK has to be installed.

The source Windows11.iso in the following example has been created from the media creation tool https://go.microsoft.com/fwlink/?linkid=2156295](https://go.microsoft.com/fwlink/?linkid=2156295.

Start Make2023BootableMedia.ps1 and specify necessary parameters.

.\Make2023BootableMedia.ps1 -MediaPath "G:\Windows 11 builds\Windows11.iso" -TargetType ISO -ISOPath C:\users\xxxxx\Downloads\windows11_redacted.iso

Microsoft 'Windows UEFI CA 2023' Media Update Script - Version 1.1

Checking for required support tools
Initializing staging directory
Staging media
--->Mounting ISO from staged media
--->Mounting boot.wim from staged media
Updating staged media to use boot binaries signed with 'Windows UEFI CA 2023' certificate
Writing 'Windows UEFI CA 2023' bootable ISO media at location [C:\users\xxxxx\Downloads\windows11_redacted.iso]

OSCDIMG 2.56 CD-ROM and DVD-ROM Premastering Utility
Copyright (C) Microsoft, 1993-2012. All rights reserved.
Licensed only for producing Microsoft authorized content.


Scanning source tree (500 files in 49 directories)
Scanning source tree complete (970 files in 95 directories)

Computing directory information complete

Image file is 4956913664 bytes (before optimization)

Writing 970 files in 95 directories to C:\users\xxxxx\Downloads\windows11_redacted.iso

100% complete

Storage optimization saved 9 files, 522240 bytes (0% of image)

After optimization, image file is 4958582784 bytes
Space saved because of embedding, sparseness or optimization = 522240

Done.
Successfully created ISO [C:\users\xxxxx\Downloads\windows11_redacted.iso]

On the mounted windows11_redacted.iso, now the bootx64.efi is signed with the Windows UEFI CA 2023 certification.

$cert = Get-PfxCertificate -FilePath "F:\efi\boot\bootx64.efi"
PS C:\Windows\System32> $cert.Issuer
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

With this it should be possible to update the local bits as well and to answer questions 2 and 3.