Please guide me on Secure Boot what to do?

ISO would be used mostly on unsupported hardware. I just want to know what boxes to tick/check.
 
If you have an unsupported PC, where no BIOS update exists to support CA 2023 certs, and your OEM has not submitted a signed KEK file to MS, then there isn't much you can do from Windows.

Your BIOS might be updated through manual methods of applying a KEK cert file (sometimes) or by deleting all certs and replacing them.

For unsupported PCs, uncheck "Update boot manager" and leave everything untouched. NTLite is simply pre-defining a set of reg keys that affect the Secure Boot update task in Windows. The task is smart and won't do anything that will harm your PC.

But if you have a mix of unsupported PCs, and they're not all the same model, it's better to figure out the Secure Boot issues locally. NTLite wants to be helpful, but running the Secure Boot task this way will trigger some expected TPM-WMI errors. Those can be safely ignored, but some users will spend too much time trying to guess if they're critical messages or not.

At this point in time (June 2026), most supported PCs should have the CA 2023 certs installed in place. The only pending action is revoking PCA 2011, for which MS has not announced when they will force it. Some of these settings are moot, unless you've been blocking Monthly Updates for the past half-year.
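To tell in advance which of the cases above a given PC falls into (CA 2023 already in KEK/db, PCA 2011 already in dbx, or nothing done yet), here is a read-only PowerShell inventory. It is an added example, not code from the thread or from NTLite; the variable names and certificate subject strings are the ones Microsoft documents for the Secure Boot certificate update, and the registry path under `SecureBoot\Servicing` is assumed to exist only on builds that have run the servicing task. Run it from an elevated prompt.

```powershell
# Added example: read-only Secure Boot certificate inventory. Nothing here writes
# to firmware variables or the registry.

function Get-UefiVarText {
    param([string]$Name)
    # Get-SecureBootUEFI returns the raw variable bytes; the CA subject names are
    # embedded as ASCII inside the DER certificates, so a substring match is enough.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        return [System.Text.Encoding]::ASCII.GetString($bytes)
    } catch {
        return ''   # variable absent, or firmware without Secure Boot support
    }
}

$state = [ordered]@{
    SecureBootEnabled = $false
    KEK_2023          = $false   # OEM-signed KEK update applied
    DB_UEFI_CA_2023   = $false   # new boot manager signing CA trusted
    DB_PCA_2011       = $false   # old CA still trusted
    DBX_PCA_2011      = $false   # True = old CA already revoked
    UEFICA2023Status  = $null    # servicing task progress, if recorded
}

try { $state.SecureBootEnabled = Confirm-SecureBootUEFI } catch { }

$kek = Get-UefiVarText 'KEK'
$db  = Get-UefiVarText 'db'
$dbx = Get-UefiVarText 'dbx'

$state.KEK_2023        = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
$state.DB_UEFI_CA_2023 = $db  -match 'Windows UEFI CA 2023'
$state.DB_PCA_2011     = $db  -match 'Microsoft Windows Production PCA 2011'
$state.DBX_PCA_2011    = $dbx -match 'Microsoft Windows Production PCA 2011'

# Assumed path: progress marker written by the Windows Secure Boot servicing task.
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
         -ErrorAction SilentlyContinue
if ($svc) { $state.UEFICA2023Status = $svc.UEFICA2023Status }

[pscustomobject]$state | Format-List

# The "expected" TPM-WMI noise mentioned above lands in the System log under this provider.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
```

A PC showing `DB_UEFI_CA_2023 = False` and `KEK_2023 = False` with no BIOS update available is the "unsupported" case where "Update boot manager" should stay unchecked.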
 
Thanks garlin - I was watching this thread for an answer :)

I'm still somewhat confused about this though. I also have a mix of older, unsupported PCs and newer PCs, with BIOS already updated, that support these new certs. Will I be able to have one build for all of my PCs?

So far, I did one build with the Secure Boot requirement disabled. This allowed me to install it on older PCs, but Secure Boot still worked on newer, compatible PCs. Does this change because of these new certs? I don't mind ignoring some errors, by the way.

Thank you!
 
The problem is, while the later W10 22H2 & W11 releases all have both sets of Secure Boot files, only one of them can be picked as the boot file on the USB. You have a 50/50 chance of getting it right.

What I would do for a universal solution is to build an ISO, assuming it is CA 2023. This will obviously fail to boot on an unsupported PC. But that's OK, you can always temporarily disable Secure Boot. Windows will install itself correctly and not put the wrong boot manager into place.

When you're done installing, re-enable Secure Boot. Unfortunately there is no way to dynamically switch back and forth, unless you're using Ventoy and have two parallel ISOs (one using CA 2011 to boot, one using CA 2023 to boot). But I wouldn't waste that much effort.

If you have an older PC, temporarily disable Secure Boot. It's not a requirement to install Windows.
 
Ah, OK. I already have to disable Secure Boot on those old machines (pre-7th-gen Intel), I don't care, they don't do anything crucial. As long as I can boot and install my build on those, they can run without Secure Boot enabled. I only care about Secure Boot on my main two desktops and my laptop, and they support the new certs and have updated BIOSes. But I'd prefer not to have two builds.

So I'll do what you said and build an ISO with CA 2023 so my main PCs will have Secure Boot and the old ones will not.

Thank you, as always :)
 