Create a 'Windows UEFI CA 2023'‐updated Windows 11 media - dcasota/Lenovo83BY GitHub Wiki
Update February 5th, 2025
The Microsoft support article https://support.microsoft.com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f provides the script Make2023BootableMedia.ps1, which creates a 'Windows UEFI CA 2023'-updated Windows 11 media, i.e. an image whose boot binaries are signed under the 'Windows UEFI CA 2023' certificate instead of 'Microsoft Windows Production PCA 2011'.
The source Windows11.iso in the following example was created with the Media Creation Tool from https://go.microsoft.com/fwlink/?linkid=2156295.
Start Make2023BootableMedia.ps1 and specify the necessary parameters (source media, target type and output path):
.\Make2023BootableMedia.ps1 -MediaPath "G:\Windows 11 builds\Windows11.iso" -TargetType ISO -ISOPath C:\users\xxxxx\Downloads\windows11_redacted.iso
Microsoft 'Windows UEFI CA 2023' Media Update Script - Version 1.1
Checking for required support tools
Initializing staging directory
Staging media
--->Mounting ISO from staged media
--->Mounting boot.wim from staged media
Updating staged media to use boot binaries signed with 'Windows UEFI CA 2023' certificate
Writing 'Windows UEFI CA 2023' bootable ISO media at location [C:\users\xxxxx\Downloads\windows11_redacted.iso]
OSCDIMG 2.56 CD-ROM and DVD-ROM Premastering Utility
Copyright (C) Microsoft, 1993-2012. All rights reserved.
Licensed only for producing Microsoft authorized content.
Scanning source tree (500 files in 49 directories)
Scanning source tree complete (970 files in 95 directories)
Computing directory information complete
Image file is 4956913664 bytes (before optimization)
Writing 970 files in 95 directories to C:\users\xxxxx\Downloads\windows11_redacted.iso
100% complete
Storage optimization saved 9 files, 522240 bytes (0% of image)
After optimization, image file is 4958582784 bytes
Space saved because of embedding, sparseness or optimization = 522240
Done.
Successfully created ISO [C:\users\xxxxx\Downloads\windows11_redacted.iso]
On the mounted windows11_redacted.iso (drive F: in this example), bootx64.efi is now signed with a certificate issued by 'Windows UEFI CA 2023'. Note that Get-PfxCertificate only reads the signer certificate embedded in the PE file; it does not validate the signature itself.
$cert = Get-PfxCertificate -FilePath "F:\efi\boot\bootx64.efi"
$cert.Issuer
# CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
Check Windows11_redacted.iso on VMware Workstation
On a freshly installed Windows 11 virtual machine in VMware Workstation, installed from Windows11_redacted.iso, select 'Enable VBS support' in the VM settings.
With this, under firmware type UEFI, 'Secure Boot' is selected automatically as well.
If you later deselect 'Enable VBS support', 'Secure Boot' remains selected.
Here are some findings:
# The Secure Boot DB already contains the 'Windows UEFI CA 2023' certificate
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
# True

# Mount the EFI system partition as S: and inspect the signer of the boot binaries
mountvol s: /S
$cert = Get-PfxCertificate -FilePath "S:\EFI\Microsoft\Boot\bootmgfw.efi"
$cert.Issuer
# CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert.GetExpirationDateString()
# 11/14/2024 8:20:09 PM
$cert = Get-PfxCertificate -FilePath "S:\EFI\Microsoft\Boot\bootmgr.efi"
$cert.Issuer
# CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
$cert = Get-PfxCertificate -FilePath "s:\EFI\Microsoft\Boot\SecureBootRecovery.efi"
$cert.Issuer
# CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
mountvol s: /D

# Assign a drive letter to the recovery partition (partition 4 on disk 0 here) and inspect winre.wim
Set-Partition -DiskNumber 0 -PartitionNumber 4 -NewDriveLetter Z
$cert = Get-PfxCertificate -FilePath "Z:\Recovery\WindowsRE\winre.wim"
$cert.Issuer
# CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Remove-PartitionAccessPath -DiskNumber 0 -PartitionNumber 4 -AccessPath "Z:"
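As an added example (this is not code from the original wiki page), the checks above consolidated into one PowerShell function, so that the same check can be repeated after the boot manager update has been requested and the VM has been rebooted. It uses Get-AuthenticodeSignature instead of Get-PfxCertificate, so the signature status is validated as well, and additionally looks at dbx (which contains the 'Microsoft Windows Production PCA 2011' certificate once Microsoft's revocation step has been applied) and at the AvailableUpdates registry value. Assumptions: an elevated PowerShell on the installed VM, drive letter S: free for the EFI system partition; the function and property names are mine.

```powershell
# Added example, not part of the original page. Run in an elevated PowerShell
# on the installed VM. Assumes drive letter S: is free for the EFI system partition.

function Get-BootSignerInfo {
    param([Parameter(Mandatory)][string]$Path)
    # Get-AuthenticodeSignature validates the signature (Status), whereas
    # Get-PfxCertificate only extracts the embedded signer certificate.
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    [pscustomobject]@{
        File           = Split-Path -Path $Path -Leaf
        Status         = $sig.Status
        Issuer         = if ($signer) { $signer.Issuer } else { $null }
        NotAfter       = if ($signer) { $signer.NotAfter } else { $null }
        SignedBy2023CA = if ($signer) { $signer.Issuer -like 'CN=Windows UEFI CA 2023,*' } else { $false }
    }
}

function Test-UefiCa2023State {
    param([string]$EspLetter = 'S')

    # Secure Boot variables (require elevation). Certificates in db/dbx are DER-encoded,
    # so the CA name is searchable as plain ASCII inside the blob. An unapplied dbx only
    # holds hashes and therefore does not match.
    $dbText  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbxText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

    # Mount the ESP, inspect the boot manager binaries, always unmount again.
    $esp = "${EspLetter}:"
    mountvol $esp /S
    try {
        $files = foreach ($name in 'bootmgfw.efi', 'bootmgr.efi', 'SecureBootRecovery.efi') {
            $p = Join-Path -Path "$esp\EFI\Microsoft\Boot" -ChildPath $name
            if (Test-Path -LiteralPath $p) { Get-BootSignerInfo -Path $p }
        }
    }
    finally {
        mountvol $esp /D
    }

    # Servicing bits requested via AvailableUpdates (0x100 = update the boot manager).
    $key     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $pending = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    [pscustomobject]@{
        SecureBootEnabled      = Confirm-SecureBootUEFI
        DbContains2023CA       = [bool]($dbText  -match 'Windows UEFI CA 2023')
        DbxRevokesPCA2011      = [bool]($dbxText -match 'Microsoft Windows Production PCA 2011')
        BootMgfwSignedBy2023CA = [bool](($files | Where-Object File -eq 'bootmgfw.efi').SignedBy2023CA)
        AvailableUpdates       = if ($null -ne $pending) { '0x{0:X}' -f $pending } else { 'not set' }
        Files                  = $files
    }
}

# Usage: run once before and once after the boot manager update and compare.
$state = Test-UefiCa2023State
$state | Format-List SecureBootEnabled, DbContains2023CA, DbxRevokesPCA2011, BootMgfwSignedBy2023CA, AvailableUpdates
$state.Files | Format-Table File, Status, Issuer, NotAfter, SignedBy2023CA -AutoSize
```

On the state documented on this page the function should report DbContains2023CA = True and BootMgfwSignedBy2023CA = False; after a successful boot manager update, bootmgfw.efi should show an issuer of 'Windows UEFI CA 2023' and the 0x100 bit should no longer be present in AvailableUpdates.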
This matches the state after step 1 of Microsoft's Secure Boot mitigation guidance (KB5025885): the 'Windows UEFI CA 2023' certificate is present in the Secure Boot DB, but the boot manager on the EFI system partition is still signed under 'Microsoft Windows Production PCA 2011'. Hence step 2, updating the boot manager, has to be applied.
# Step 2: request the boot manager update (bit 0x100 of AvailableUpdates)
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
# Reboot twice (run the shutdown command again after the first reboot)
shutdown /r /t 0
After the second reboot, updates are installed.
Surprisingly, though, nothing has changed: the boot binaries report the same signer as before the updates. See the comment at borncity [1].
To be continued.