Error when creating new ISO with Updated Secure Boot Certs

mvalpreda

Did a new Windows 11 25H2 ISO and saw the option for the new secure boot certs - so I added that option to the ISO. Added the latest 2026-06 (optional) updates as well. Went to boot on a PC and it immediately goes to

Recovery
Your PC/Device needs to be repaired
An unexpected error has occurred.
Error code: 0xc043001

Secure Boot is enabled.

If I turn off Secure Boot, it gets a little further but then says I am missing \windows\System32\drivers\nvstor.sys after a few minutes. If I use an RTM ISO, it boots fine.

Is this because the BIOS on the machine is old? Or something else going on?
 
Depends, check what the Host is and use that boot manager/sector for the image.

Host's Secure Boot readiness can be seen either by loading C:\Windows as the target and going to Updates / Secure Boot tab.
Or glance at Images page, under C:\Windows operating system, click Secure Boot Host Readiness.

If it states 2011, use that for the image as well.
 
The proper terminology is boot manager (or boot file). "Boot sector" sounds like something from DOS.

A boot device can only have one boot manager (or boot file). If your BIOS hasn't added the new CA 2023 certs, you can't use the newer (CA 2023) boot manager when Secure Boot is enabled. In that case, don't choose the new boot manager.

PC example 1:
- Has CA 2011 certs installed, but missing CA 2023 certs
- Must not choose new boot manager (accept default of CA 2011 boot file from the ISO)

PC example 2:
- Has both CA 2011 and CA 2023 certs installed
- Can choose either default or new boot manager (both are valid)

PC example 3:
- Has both CA 2011 and CA 2023 certs, but CA 2011 has been revoked (banned)
- Must choose new boot manager

NTLite might highlight that a prepared image won't be able to boot on the same host, but if you're using this ISO for another device, that PC might not have the same Secure Boot certs installed. You can make a new ISO with a different boot manager, or just temporarily disable Secure Boot to install Windows and then re-enable it after installation.
 
Thanks garlin for that. I just looked and the PC I am running NTLite on does not have Secure Boot enabled. I'm going to enable that, then make sure I have the new certs installed.
 
Oh....just saw in NTLite
Boot sector: 2011 Windows (Expiring)
So....need to get that updated. Would think that is automatic with updates or something.

EDIT - I checked and it says they are installed....but because Secure Boot is off, that is maybe my issue.
 
Sorry....what I was saying is that PC I ran NTLite on did not have Secure Boot enabled. The PC that I was trying to install Windows 11 does have Secure Boot enabled, but would not boot with it enabled or disabled with the first ISO I created.

I have since enabled Secure Boot on the PC I run NTLite on and going to try creating an ISO again with the new boot manager/certs/etc. Windows 11 25H2 + 2026-06 CU Preview (6/19/2026). Choosing the defaults that NTLite does for updates and adding Windows Package Manager. Then under Secure Boot choosing 2011 for now....since I don't think this PC I want to rebuild has the latest certs installed.
 
The proper terminology is boot manager (or boot file). "Boot sector" sounds like something from DOS.
The ISO has a separate option for an actual boot sector, unfortunately it needs to be updated as well, Create ISO gives a choice if 2023 is detected.
Of course if you know that's mistaken, please review how the Create ISO presents it on an updated ISO and let me know what to correct.
Thanks.
 
If you have a physical DVD, there is a special boot sector. But everyone uses some tool to convert the ISO image into a USB drive, and the BIOS doesn't use a boot sector on removable USB drives. I honestly don't know what happens if you were to create an actual physical DVD, because no one discusses that procedure.

Instead the UEFI searches on a FAT32 filesystem, for a file named bootmgfw.efi or bootx64.efi (as the fallback if bootmgfw.efi is missing). This file chain boots into winload.efi, which ultimately starts up Windows.

For Windows, bootmgfw.efi and bootx64.efi are identical files, but are sometimes copied into different locations if the boot media is WinPE-based (bootx64.efi) or WinRE-based (bootmgfw.efi). WinRE basically implies you get a copy of almost all of the extra files (i.e. fonts, policy files).

Every W10 22H2 and W11 release has both sets of boot files in parallel folders, \Windows\Boot\EFI and \Windows\Boot\EFI_EX. The only difference being which signing cert is used for each version. The ISO defaults to having the CA 2011 version written to \EFI\Boot\bootx64.efi.

What Rufus or the official MS script Make2023BootableMedia.ps1 does is pick boot files from the EFI_EX (CA 2023) folder.

Suppose we're outside of NTLite or another tool. If you have a pre-existing USB boot device you can switch the boot manager with:

WinPE:
copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi E:\EFI\boot\bootx64.efi

WinPE:
bcdboot C:\Windows /s E: /f UEFI /bootex

The difference being if you used bcdboot, don't forget to preserve the original BCD file under \EFI\Microsoft\Boot, because it will get overwritten. Technically you could just remember exactly which files bcdboot copies, but it's easier to run bcdboot. The rules for updating the boot media apply equally if you're using Macrium or Hasleo to build a recovery USB.

Old Macrium 8 is too dumb (because it's outdated) to know about the new boot files. Macrium X and Hasleo do know about them.
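As an added example (not from the thread, NTLite, Rufus or Microsoft's Make2023BootableMedia.ps1), here is a PowerShell script that ties garlin's three PC examples to the manual USB boot-manager switch above: it reads the host's Secure Boot db/dbx variables, decides which boot manager that firmware can verify, backs up the media's BCD and copies the matching file from \Windows\Boot\EFI or \Windows\Boot\EFI_EX onto the USB drive. The drive letters in $Usb and $WinDir are placeholders, and the string match on the signature databases is the coarse check Microsoft's guidance uses, not a full EFI_SIGNATURE_LIST parse.

```powershell
# Added example, not the thread's or NTLite's code. Assumes an elevated shell
# on a UEFI-booted Windows host (Get-SecureBootUEFI needs both) and that the
# USB install media is mounted at $Usb (placeholder letter).
param(
    [string]$Usb    = 'E:',
    [string]$WinDir = 'C:\Windows'
)

function Get-HostBootCaState {
    # db = allowed signers, dbx = revoked signers. The issuer names are ASCII
    # inside the DER certificates, so a substring match is enough here.
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        SecureBootOn = Confirm-SecureBootUEFI
        Has2011      = $db  -match 'Microsoft Windows Production PCA 2011'
        Has2023      = $db  -match 'Windows UEFI CA 2023'
        Revoked2011  = $dbx -match 'Microsoft Windows Production PCA 2011'
    }
}

function Select-BootManager ([pscustomobject]$State) {
    # PC example 3: 2011 revoked, so only the CA 2023 boot manager can load.
    if ($State.Revoked2011) {
        if (-not $State.Has2023) { throw 'CA 2011 revoked and CA 2023 absent: apply the firmware certificate update first' }
        return 'CA2023'
    }
    # PC example 2: both trusted, either works; take the newer chain.
    if ($State.Has2023) { return 'CA2023' }
    # PC example 1: no CA 2023 yet, keep the default CA 2011 boot file.
    return 'CA2011'
}

$state  = Get-HostBootCaState
$choice = Select-BootManager $state
$state | Format-List
"Boot manager for this host: $choice"

# Same file names the thread's copy command uses; _EX is the CA 2023 build.
$src = if ($choice -eq 'CA2023') { Join-Path $WinDir 'Boot\EFI_EX\bootmgfw_EX.efi' }
       else                       { Join-Path $WinDir 'Boot\EFI\bootmgfw.efi' }
$dst = Join-Path $Usb 'EFI\Boot\bootx64.efi'

# Preserve the media's BCD before touching the boot files, as the thread advises.
$bcd = Join-Path $Usb 'EFI\Microsoft\Boot\BCD'
if (Test-Path $bcd) { Copy-Item $bcd "$bcd.bak" -Force }
Copy-Item $src $dst -Force
"Wrote $src -> $dst"
```

Run it on the machine you intend to install on, not the NTLite host, since the db/dbx contents that matter are the target firmware's.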
 