Please guide me on Secure Boot what to do?

ISO would be used mostly on unsupported hardware. I just want to know what boxes to tick/check.
 
If you have an unsupported PC, where no BIOS update exists to support CA 2023 certs, and your OEM has not submitted a signed KEK file to MS, then there isn't much you can do from Windows.

Your BIOS might be updated through manual methods of applying a KEK cert file (sometimes) or by deleting all certs and replacing them.

For unsupported PCs, uncheck "Update boot manager" and leave everything untouched. NTLite is simply pre-defining a set of reg keys that affect the Secure Boot update task in Windows. The task is smart and won't do anything that will harm your PC.

But if you have a mix of unsupported PCs, and they're not all the same model, it's better to figure out the Secure Boot issues locally. NTLite wants to be helpful, but running the Secure Boot task this way will trigger some expected TPM-WMI errors. Those can be safely ignored, but some users will spend too much time trying to guess if they're critical messages or not.

At this point in time (June 2026), most supported PCs should have the CA 2023 certs installed in place. The only pending action is revoking PCA 2011, for which MS has not announced when they will force it. Some of these settings are moot, unless you've been blocking Monthly Updates for the past half-year.
 
Thanks garlin - I was watching this thread for an answer :)

I'm still somewhat confused about this though. I also have a mix of older, unsupported PCs and newer PCs, with BIOS already updated, that support these new certs. Will I be able to have one build for all of my PCs?

So far, I did one build with the Secure Boot requirement disabled. This allowed me to install it on older PCs, but Secure Boot still worked on newer, compatible PCs. Does this change because of these new certs? I don't mind ignoring some errors, by the way.

Thank you!
 
The problem is while the later W10 22H2 & W11 releases all have both sets of Secure Boot files, only one of them can be picked as the boot file on the USB. You have a 50/50 chance of getting it right.

What I would do for a universal solution is to build an ISO, assuming it is CA 2023. This will obviously fail to boot on an unsupported PC. But that's OK, you can always temporarily disable Secure Boot. Windows will install itself correctly and not put the wrong boot manager into place.

When you're done installing, re-enable Secure Boot. Unfortunately there is no way to dynamically switch back and forth, unless you're using Ventoy and have two parallel ISOs (one using CA 2011 to boot, one using CA 2023 to boot). But I wouldn't waste that much effort.

If you have an older PC, temporarily disable Secure Boot. It's not a requirement to install Windows.
 
Ah, OK. I already have to disable Secure Boot on those old machines (pre-7th-gen Intel), I don't care, they don't do anything crucial. As long as I can boot and install my build on those, they can run without Secure Boot enabled. I only care about Secure Boot on my main two desktops and my laptop, and they support the new certs and have updated BIOSes. But I'd prefer not to have two builds.

So I'll do what you said and build an ISO with CA 2023 so my main PCs will have Secure Boot and the old ones will not.

Thank you, as always :)
 
You can also check the current Host's status by expanding the Host row on the bottom of that screenshot.
Or on the Image page under C:\Windows there is a Secure Boot row.

That will show you your current state, then you can shape the image to be the same, that way you are certain it will boot.
Most important are the Allowed / Revoked certificate lists.
 
This helped me out, though. What should I do? Hope there will be newer updates about this.
 
The Secure Boot migration to CA 2023 only needs to be completed once on each PC.

All of the certs are written to the UEFI's NVRAM, and stay persistent unless you go into the BIOS and reset all keys, or delete individual keys. If you wipe and reinstall Windows, the Secure Boot variables keep their settings.

What happens afterwards is you should keep up with the latest Monthly Updates, because the Windows boot manager gets an SVN version number, and older boot managers (because you haven't updated the install image) will eventually be banned for security reasons.

If you mess up, the workaround is to temporarily disable Secure Boot so you can boot from the USB and finish installing Windows. Then fix your cert or boot manager problems, before enabling Secure Boot again. It sounds scary until you realize it's OK to temporarily disable it to allow booting, if you're careful and minimize other Windows activities while Secure Boot is off.
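The checks nuhi describes (the Host row and the Image page's Allowed / Revoked certificate lists) and the cert persistence garlin describes above can be read directly from the firmware. The script below is an added example for this thread, not NTLite's code or any forum member's: it reads the host's live db, dbx and KEK variables, the servicing status the Windows Secure Boot task writes, and the issuer of the offline boot manager copy, then reports which boot-manager signer the firmware would currently accept. Assumptions: Windows 10/11 with the built-in SecureBoot PowerShell module, run elevated; the registry value names under SecureBoot\Servicing follow Microsoft's KB5025885 guidance; the bootmgfw.efi path is the offline copy under %SystemRoot%\Boot\EFI rather than the ESP copy.

```powershell
#Requires -RunAsAdministrator
# Added example for this thread (not NTLite's or a forum member's code).
# Reads the host's live Secure Boot state and reports which boot-manager
# signer the firmware will accept. Registry names and certificate subject
# strings below are assumptions taken from Microsoft's KB5025885 guidance.

function Read-UefiVarAscii {
    param([string]$Name)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST blob; the CA
    # subject names are embedded as ASCII, so a substring match is enough
    # to tell which CAs are present. Returns '' on legacy BIOS / unreadable.
    try { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { '' }
}

function Get-SecureBootCertState {
    # $null means the platform is not UEFI at all (cmdlet throws)
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }
    $db  = Read-UefiVarAscii 'db'
    $dbx = Read-UefiVarAscii 'dbx'
    $kek = Read-UefiVarAscii 'KEK'

    # Status written by the Windows Secure Boot update task (assumed names).
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $sb  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        KekHasCA2023      = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
        DbHasPCA2011      = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        DbHasCA2023       = [bool]($db  -match 'Windows UEFI CA 2023')
        DbxRevokesPCA2011 = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
        UEFICA2023Status  = $svc.UEFICA2023Status   # e.g. NotStarted / InProgress / Updated
        AvailableUpdates  = $sb.AvailableUpdates    # bitmask the update task consumes
    }
}

function Get-BootManagerSigner {
    param([string]$Path = "$env:SystemRoot\Boot\EFI\bootmgfw.efi")
    # Which CA issued the Authenticode signer of this boot manager copy.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) { return 'Unknown' }
    switch -Regex ($sig.SignerCertificate.Issuer) {
        'Windows UEFI CA 2023'        { 'CA2023' }
        'Windows Production PCA 2011' { 'PCA2011' }
        default                       { 'Other' }
    }
}

function Test-BootManagerAccepted {
    param([Parameter(Mandatory)]$State,
          [ValidateSet('CA2023', 'PCA2011')][string]$Signer)
    # Mirrors the firmware decision: the signer's CA must be in db and its
    # cert must not be in dbx. With Secure Boot off, anything boots.
    if ($State.SecureBootEnabled -ne $true) { return $true }
    switch ($Signer) {
        'CA2023'  { return $State.DbHasCA2023 }
        'PCA2011' { return ($State.DbHasPCA2011 -and -not $State.DbxRevokesPCA2011) }
    }
}

$state = Get-SecureBootCertState
$state | Format-List
"Offline bootmgfw.efi signer : $(Get-BootManagerSigner)"
"CA 2023 boot manager boots  : $(Test-BootManagerAccepted -State $state -Signer CA2023)"
"PCA 2011 boot manager boots : $(Test-BootManagerAccepted -State $state -Signer PCA2011)"
```

Run it on each model before building: if DbHasCA2023 is false on a machine, a CA 2023 image will only install there with Secure Boot temporarily off, exactly as described above; if DbxRevokesPCA2011 is already true, a PCA 2011-signed USB will no longer boot on that host at all.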
 
Do you know any cause of this, though? It gives error 0x00000050 at installation.
 
Error 0x00000050 maps to FILE_EXISTS.

It makes more sense to post your preset (after removing any user passwords or license keys), to see what changes were made.
 
As garlin said, please attach "auto-saved.xml" from that ISO/Folder, it seems to be some combination as I could not replicate it from a simple guess.
If you stumble on the error again, at that moment it would also be helpful to attach %temp%\ntlite.log
 
Fixed it, friend.
It was just an easy-to-resolve issue.
The only thing I'm struggling with right now is Internet Explorer; I don't really know what I should remove to stop it popping up at all, but I will figure it out.
 
Some games require Secure Boot to run. They don't actually need Secure Boot themselves, but enabling it allows Core Integrity's tighter security policy to block cheating apps from loading.
 
Never came across any games that 'require' it, but I never play any games online either, so maybe that's it? I never have that thing enabled, likewise 'memory integrity' and 'tamper protection', along with 'Defender', all removed/disabled.

I see no need for any AV today either, as I 'Macrium' daily, and restore when needed. It takes all of 2 mins ;) I test latest Nvidia drivers this way :) Install, test, then 9/10 times, restore back to how I have it.

I also use a lot of Linux stuff, and 'secure boot' is a royal mess with that, so it suits me to have it permanently disabled.

If 'any' game/app insisted I needed 'secure boot' to run, then it would be a game I won't play.
 
Any online PC game that has rampant cheating now requires Secure Boot. Activision even offers a "Call of Duty Secure Attestation Wizard", which you can run and which informs you whether your PC meets the requirements. The never-ending battle between cheats and anti-cheats has crossed over to having Core Integrity running.

Now everyone knows that enabling CI drops game performance, but that's the price of admission now.
 
Completely disabling AV makes me nervous. Unless you have a total potato or don't use your PC for anything important, I see no benefit in it, only risks. If you catch malware that steals your logins, account numbers, IDs, keys, some kind of keylogger or screen capture malware, then your daily snapshots won't do you any good. This kind of malware is common, because it's lucrative. 2FA might help, but not always, and how many people don't even bother with 2FA "because it's inconvenient". That sort of crap needs to be detected and stopped before it does its thing.

I had a "Steam friend" who "didn't need AV" and his 10+ yo Steam and Gmail accounts were taken over, maybe 3 years ago, most likely by way of info-stealing malware. He didn't have Steam Guard and no Gmail 2FA either "because it was inconvenient". And Steam and Google did not help, because from their end nothing illegitimate happened, passwords and email address were changed through normal channels, and he could no longer prove he owned the accounts. Steam didn't even close his compromised account, it remained, and it sucked for him.

And yeah, he thought he was safe because he didn't do anything funny or dangerous on the net, didn't download torrents, warez or anything.

That situation scared the sh*t out of me as my Steam account is 22 yo and it would suck to lose it.

"I used PCs for 30 years and never got malware" is not good logic either. My place was never on fire, but that doesn't mean I shouldn't have a fire extinguisher on hand. Malware is getting more sophisticated every day and LLMs/AI will make this even worse now.

And before "Defender isn't any good anyway" - even if it only works 50% of the time that's better than 0% of the time.
 