You can also check the current Host's status by expanding the Host row on the bottom of that screenshot.

ISO would be used mostly on unsupported hardware. I just want to know what boxes to tick/check.

This helped me out, though what should I do? Hope there will be newer updates about this.

If you have an unsupported PC, where no BIOS update exists to support CA 2023 certs, and your OEM has not submitted a signed KEK file to MS, then there isn't much you can do from Windows.
Your BIOS might be updated through manual methods of applying a KEK cert file (sometimes) or by deleting all certs and replacing them.
For unsupported PCs, uncheck "Update boot manager" and leave everything untouched. NTLite is simply pre-defining a set of reg keys that affect the Secure Boot update task in Windows. The task is smart and won't do anything that will harm your PC.
But if you have a mix of unsupported PCs, and they're not all the same model, it's better to figure out the Secure Boot issues locally. NTLite wants to be helpful, but running the Secure Boot task this way will trigger some expected TPM-WMI errors. Those can be safely ignored, but some users will spend too much time trying to guess if they're critical messages or not.
At this point in time (June 2026), most supported PCs should have the CA 2023 certs installed in place. The only pending action is revoking PCA 2011, for which MS has not announced when they will force it. Some of these settings are moot, unless you've been blocking Monthly Updates for the past half-year.
The Secure Boot migration to CA 2023 only needs to be completed once on each PC.
All of the certs are written to the UEFI's NVRAM, and stay persistent unless you go into the BIOS and reset all keys, or delete individual keys. If you wipe and reinstall Windows, the Secure Boot variables keep their settings.
What happens afterwards is you should keep up with the latest Monthly Updates, because the Windows boot manager gets an SVN version number, and older boot managers (because you haven't updated the install image) will eventually be banned for security reasons.
If you mess up, the workaround is to temporarily disable Secure Boot so you can boot from the USB and finish installing Windows. Then fix your cert or boot manager problems, before enabling Secure Boot again. It sounds scary until you realize it's OK to temporarily disable it to allow booting, if you're careful and minimizing other Windows activities while Secure Boot is off.
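
A way to see where a PC stands in the migration described above, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a UEFI machine and Microsoft's published certificate subject names; the helper name `Test-SecureBootVarContains` is hypothetical.

```powershell
# Added example: read-only report of Secure Boot CA 2023 migration state.
# Nothing here writes to NVRAM or the registry.

function Test-SecureBootVarContains {
    param([string]$Name, [string]$Pattern)
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        return $null    # variable not present, legacy BIOS, or session not elevated
    }
    if (-not $bytes) { return $false }
    # Certificate subject names appear as ASCII text inside the stored DER blobs.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Pattern)
}

# Is Secure Boot currently enforced? (throws on non-UEFI systems)
try   { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $enabled = $null }

# Subject names below are assumptions taken from Microsoft's published certificate names.
$report = [pscustomobject]@{
    SecureBootEnabled = $enabled
    # New Windows boot manager signing CA present in the allow list (db)
    Db_WindowsUefiCA2023 = Test-SecureBootVarContains db  'Windows UEFI CA 2023'
    # New key-exchange key present (needs firmware/OEM support on some PCs)
    Kek_KEK2KCA2023      = Test-SecureBootVarContains KEK 'Microsoft Corporation KEK 2K CA 2023'
    # Old CA still trusted in db (expected until revocation is applied)
    Db_PCA2011           = Test-SecureBootVarContains db  'Microsoft Windows Production PCA 2011'
    # Old CA added to the deny list (dbx) means PCA 2011 has been revoked
    Dbx_PCA2011Revoked   = Test-SecureBootVarContains dbx 'Microsoft Windows Production PCA 2011'
}

$report | Format-List

# $null in any field means the variable could not be read; $true/$false is the match result.
if ($report.Dbx_PCA2011Revoked -and -not $report.Db_WindowsUefiCA2023) {
    Write-Warning 'PCA 2011 is revoked but the CA 2023 cert is missing from db: a 2023-signed boot manager would not be trusted.'
}
```

Because the values live in NVRAM, the report gives the same answer before and after a Windows reinstall; it only changes after a firmware key reset or a completed update step.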

Fixed it, friend.

Error 0x00000050 maps to FILE_EXISTS.
It makes more sense to post your preset (after removing any user passwords or license keys), to see what changes were made.
Never came across any games that 'require' it?, but I never play any games online either, so maybe that's it? I never have that thing enabled, likewise 'memory integrity' and 'tamper protection', along with 'Defender', all removed/disabled.

Some games require Secure Boot to run. They don't actually need Secure Boot themselves, but enabling it allows Core Integrity's tighter security policy to block cheating apps from loading.

Completely disabling AV makes me nervous. Unless you have a total potato or don't use your PC for anything important then I see no benefit in it, only risks. If you catch malware that steals your logins, account numbers, IDs, keys, some kind of keylogger or screen capture malware, then your daily snapshots won't do you any good. This kind of malware is common, because it's lucrative. 2FA might help, but not always and how many people don't even bother with 2FA "because it's inconvenient". That sort of crap needs to be detected and stopped before it does its thing.

Never came across any games that 'require' it?, but I never play any games online either, so maybe that's it? I never have that thing enabled, likewise 'memory integrity' and 'tamper protection', along with 'Defender', all removed/disabled.
I see no need for any AV today either, as I 'Macrium' daily, and restore when needed. It takes all of 2 mins.
I test latest Nvidia drivers this way.
Install, test, then 9/10 times, restore back to how I have it.
I also use a lot of Linux stuff, and 'secure boot' is a royal mess with that, so it suits me to have it permanently disabled.
If 'any' game/app insisted I needed 'secure boot' to run, then it would be a game I won't play.