Windows UEFI CA 2023 Secure Boot certificate

AWimAway

Hi,

I'm trying to configure my .iso to use the Windows UEFI CA 2023 Secure Boot cert rather than the Windows Production PCA 2011 due to the exploit.

As I'm somewhat new to NTLite, is anyone able to give me a step-by-step way to implement these steps?

Thank you kindly.
 
Yes. Because the Secure Boot files have been included in the CUs offered to W10 21H2/LTSC 2021 since April 2024.
 
Thank you so much, it works perfectly! :)

In "Clean update backup" I don't use the "None" option but rather "DISM Compatible", in case the information is useful to another user.
 
Hi,
I made a new image from Windows 11 24H2, included the latest updates (26100.7171), and activated the "Update boot manager" button.
But my inventory tool says that the certificates are not activated.

Is there anything I am missing?
Thanks
 
This NTLite feature only picks which version of the boot manager file (CA 2011 or CA 2023) to copy as the install media's \EFI\Boot\bootx64.efi.

It does not change any of the installed PC's Secure Boot settings. W10 or 11 images released or updated after April 2024 will have both sets of EFI files available, and when you create an ISO image, one of the two must be picked.

If your BIOS's last firmware update added the UEFI CA 2023 cert, or you followed the MS instructions for manually adding it, then you can select the newer CA 2023 boot file on the ISO. Otherwise continue to use the older CA 2011 boot file.
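
The check described in this reply, as an added example that is not part of the original post or of NTLite: it reads the firmware's Secure Boot db on the target PC and reports whether the CA 2023 boot file can be selected for the media. `Get-SecureBootUEFI` and `Confirm-SecureBootUEFI` are the built-in Windows cmdlets; the function name `Test-SecureBootDbCert` is hypothetical.

```powershell
# Added example: run in an elevated PowerShell session on the target PC.
# Reads the firmware's Secure Boot allow list (db) and reports which boot
# manager file on the install media matches what the firmware trusts.

function Test-SecureBootDbCert {
    param([Parameter(Mandatory)][string]$CommonName)
    # Get-SecureBootUEFI returns the raw EFI variable. Certificate subject
    # names sit as ASCII text inside the DER data, so a text search is enough.
    $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    return $text -match [regex]::Escape($CommonName)
}

try {
    # $true / $false; throws on legacy BIOS systems or when not elevated
    $enabled = Confirm-SecureBootUEFI -ErrorAction Stop
} catch {
    Write-Warning "Secure Boot state unavailable (legacy BIOS or not elevated): $_"
    return
}

$has2011 = Test-SecureBootDbCert 'Windows Production PCA 2011'
$has2023 = Test-SecureBootDbCert 'Windows UEFI CA 2023'

[pscustomobject]@{
    SecureBootEnabled = $enabled
    DbHasPCA2011      = $has2011
    DbHasUEFICA2023   = $has2023
    # Follows the rule in the post: pick the CA 2023 boot file only when
    # the firmware db already holds the CA 2023 certificate.
    MediaBootFile     = if ($has2023) { 'CA 2023 boot file can be selected' }
                        else { 'Keep the CA 2011 boot file' }
}
```

This reports the firmware state only; it does not show which boot manager file an image or an installed system actually carries.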
 
Hi, sorry, I hope I understand correctly.

So the Secure Boot feature is active.
The new certificates are in the BIOS (I can see them in the UEFI BIOS menu).
We deploy our systems via SoftwareDeploy Tools. There is no way I can choose any boot file; I only inject the image I made with NTLite.
?!
Thanks
 
If you don't do anything to the Windows image, then the CA 2011 boot file will be the one used (because it's shipped as the default one). To force a change to the CA 2023 boot file, check the "Update boot manager" slider.

1. From the Updates screen, add any Monthly CU.
2. Now, the "Update boot manager" option will be unlocked.
