Secure Boot has to be disabled to boot into NTLite custom image

filip_m

Hello, is anyone else having an issue where they have to disable secure boot to boot into the custom image? It was fine up until like a month ago. I do have to say I was just clicking away the NTLite updates. I tried updating the boot image option but it didn't help.
 
If you have an up-to-date W10 22H2 or W11 image, then the image has two parallel sets of boot files. One set of boot files is signed CA 2011 (EFI), the other is signed CA 2023 (EFI_EX).

Depending on your current UEFI settings, one of the two boot files is allowed for booting or both could be (in the case that Secure Boot is disabled, OR you have added CA 2023 but not revoked CA 2011).

Clicking on NTLite's boot file slider will select the CA 2023 version of the boot file.

You can run this PowerShell script on the host, to determine if a mounted DVD or USB drive has an allowed boot file.
Code:
PS C:\Users\GARLIN\Downloads> .\Check_EFIBootFile.ps1
Secure Boot: ON
BitLocker on (C:) OFF

UEFI KEK Certs
--------------
    Microsoft Corporation KEK CA 2011
    Microsoft Corporation KEK 2K CA 2023

UEFI DB Certs
-------------
    Microsoft Corporation UEFI CA 2011
    Microsoft Windows Production PCA 2011
    Microsoft Option ROM UEFI CA 2023
    Microsoft UEFI CA 2023
    Windows UEFI CA 2023

UEFI DBX Certs
--------------
    Microsoft Windows Production PCA 2011

EFI Files
---------
    Disk 0: Boot Manager [Windows UEFI CA 2023] is ALLOWED.

    Registry: WindowsUEFICA2023Capable = 2
        [Windows UEFI CA 2023] is in UEFI DB, and Windows is starting from CA 2023 Boot Manager.

Bootable Media
--------------
    USB D: "NTLite"
        Boot File [Production PCA 2011] is BANNED.
        boot.wim:2    Boot Manager [Windows UEFI CA 2023] is PRESENT.
        install.wim:1 Boot Manager [Windows UEFI CA 2023] is PRESENT.
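The script whose output appears above is garlin's own Check_EFIBootFile.ps1 and is not posted in the thread. As an added example (not code from the thread, garlin or NTLite), the following PowerShell reproduces the core of what that output shows: Secure Boot on/off, which Microsoft CAs are present in the firmware db and dbx, the WindowsUEFICA2023Capable registry value, and whether the EFI boot file on each removable or optical volume is signed under a CA the firmware currently accepts. The registry path under SecureBoot\Servicing, the convention that the Authenticode signer's issuer CN names the CA (e.g. "Windows UEFI CA 2023"), and the meaning of the Capable values are assumptions and are marked as such in the comments.

```powershell
#Requires -RunAsAdministrator
# Added example, not garlin's Check_EFIBootFile.ps1. Registry path, issuer-CN
# convention and WindowsUEFICA2023Capable value meanings are assumptions.

$KnownCAs = @(
    'Microsoft Windows Production PCA 2011',
    'Microsoft Corporation UEFI CA 2011',
    'Windows UEFI CA 2023',
    'Microsoft UEFI CA 2023',
    'Microsoft Option ROM UEFI CA 2023'
)

function Get-SecureBootCaState {
    # Reads Secure Boot state plus which Microsoft CA certificates are present in
    # db (allowed) and dbx (revoked). Certificate subjects are ASCII inside the DER
    # blob, so a substring search over the raw variable bytes is enough to spot
    # them. Hash-only dbx entries are NOT detected this way.
    $state = [ordered]@{ SecureBoot = $false; DB = @(); DBX = @(); Capable = $null }
    try { $state.SecureBoot = Confirm-SecureBootUEFI } catch { }   # throws on non-UEFI hosts
    foreach ($var in 'db', 'dbx') {
        try {
            $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
            $state[$var.ToUpper()] = @($KnownCAs | Where-Object { $text.Contains($_) })
        } catch { }
    }
    # Assumption: this is the key the post's "Registry:" line refers to.
    # 0 = host not yet capable, 2 = CA 2023 in db and booted from the CA 2023
    # boot manager (the post's output shows 2 on the host).
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $state.Capable = (Get-ItemProperty -Path $servicing -Name WindowsUEFICA2023Capable `
                      -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
    [pscustomobject]$state
}

function Test-EfiBootFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)]$State          # output of Get-SecureBootCaState
    )
    # Classifies one EFI boot file by the CA that issued its Authenticode signer
    # (assumption: the issuer CN names the CA, e.g. "Windows UEFI CA 2023") and
    # decides whether this firmware would accept it.
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : not found" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { return "$Path : unsigned ($($sig.Status))" }
    $ca = $sig.SignerCertificate.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)
    if (-not $State.SecureBoot)          { $verdict = 'ALLOWED (Secure Boot off)' }
    elseif ($State.DBX -contains $ca)    { $verdict = 'BANNED (CA in dbx)' }
    elseif ($State.DB -contains $ca)     { $verdict = 'ALLOWED (CA in db)' }
    else                                 { $verdict = 'NOT TRUSTED (CA not in db)' }
    "$Path`n    Boot File [$ca] is $verdict"
}

function Show-BootMediaStatus {
    # Prints the firmware state, then tests the default x64 boot file on every
    # removable or optical volume that has a drive letter.
    $state = Get-SecureBootCaState
    "Secure Boot: " + $(if ($state.SecureBoot) { 'ON' } else { 'OFF' })
    "DB : " + ($state.DB -join ', ')
    "DBX: " + ($state.DBX -join ', ')
    "WindowsUEFICA2023Capable = $($state.Capable)"
    Get-Volume |
        Where-Object { $_.DriveLetter -and $_.DriveType -in @('Removable', 'CD-ROM') } |
        ForEach-Object { Test-EfiBootFile -Path "$($_.DriveLetter):\efi\boot\bootx64.efi" -State $state }
}

Show-BootMediaStatus
```

Run it from an elevated PowerShell on the host. A media boot file reported as BANNED means its signing CA is in dbx (as with the PCA 2011 file on the "NTLite" USB above), while NOT TRUSTED means the CA is simply absent from db, which is the situation on a host that has not yet received the CA 2023 certificates. The example only looks at the file at \efi\boot\bootx64.efi and does not open boot.wim or install.wim, so the per-image "PRESENT" lines from the original output are not reproduced.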
 


Thanks for the quick reply. I loaded the image in NTLite and ran the powershell script. This is what I got.
[attached screenshot: 1766131506448.png]

Where do I find said boot image slider?
Thanks!
 
That script output means you're on the legacy CA 2011 setting, so you're not eligible to use the new boot file yet. You must follow the MS instructions to install the UEFI CA 2023 certificates first, before using the NTLite option to force a boot file change to the image.

If you want to proceed with installing the CA 2023 certs (but NOT revoking the CA 2011 cert), then run:
Code:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
powershell Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Run the check script again, to confirm you have added CA 2023 certs.
 
Well, I ran the script again and there aren't any CA 2023 certs. However, in the end I can see it says CA 2023 capable=0, so I think I don't have the required updates for the CA 2023.
[attached screenshot: 1766133794208.png]
 
What is the model of your PC or motherboard? What version of Windows is the host running?
 