Windows Boot Manager Security Validation or Internal Error
Fix the Secure Boot boot manager validation error from the 2011-to-2023 UEFI CA certificate migration (CVE-2023-24932) - check readiness and stage the 2023 certificate offline with NTLite.
If a PC stops at "Windows Boot Manager - the boot manager encountered a security validation or internal error", the firmware is refusing a boot manager whose signature is no longer trusted. It is the visible side of the Secure Boot 2011-to-2023 certificate migration (CVE-2023-24932). This guide explains what the error means, how to get the machine booting again, and how NTLite checks your image or live system for readiness and stages the 2023 certificate offline so deployments never hit it.
What the Error Means
The exact wording varies by firmware - "windows bootmgr encountered a security validation or internal error", "boot manager encountered a security validation", a secure boot violation, or an SVN message - but the cause is the same. Secure Boot lets the firmware run only boot code signed by a certificate it trusts (the db allow-list) and not revoked by the forbidden list (dbx). When the boot manager you are launching is signed by a certificate that has been revoked, or carries a Secure Version Number below the firmware's floor, the firmware blocks it and shows this error instead of booting.
This is the consequence of CVE-2023-24932 (the BlackLotus UEFI bootkit). To close it, Microsoft is replacing the 2011 Secure Boot certificates with 2023 ones and revoking the old boot manager in dbx. Mismatched media - an installer USB built with an old boot manager booted on a PC that already took the revocation - is the usual trigger.
The 2011-to-2023 Certificate Migration
Microsoft is retiring three 2011 certificates and replacing each with a 2023 one:
- Windows Production PCA 2011 -> Windows UEFI CA 2023 - signs the Windows boot manager
- Microsoft Corporation UEFI CA 2011 -> Microsoft UEFI CA 2023 + Option ROM UEFI CA 2023 - signs third-party boot loaders, EFI apps, and option ROMs
- Microsoft Corporation KEK CA 2011 -> KEK 2K CA 2023 - the key that signs db/dbx updates
A new install also writes the 2023-signed boot manager (the _EX boot set) and, on a full migration, adds the old Production PCA 2011 to dbx and raises an anti-rollback SVN. Once that revocation lands, any media still carrying the 2011-signed boot manager produces the validation error.
Why It Is Happening Now
The 2011 certificates are expiring through 2026, so Microsoft accelerated the rollout and query volume for this error is climbing:
- KEK CA 2011 - June 24, 2026: after this, a machine without the 2023 KEK can no longer receive db/dbx updates
- UEFI CA 2011 - June 2026: third-party UEFI apps and option ROMs signed by it stop being trusted
- Windows Production PCA 2011 - October 2026 (Oct 19): the boot-manager signing certificate
Expiry by itself does not stop an existing disk from booting - a signature made before a certificate expires stays valid. What blocks a boot is the optional dbx revocation of the old boot manager. The real cost of skipping the update is that the machine stops receiving new boot-security protections (no boot manager updates, no db/dbx updates).
Check Readiness With NTLite
NTLite reads the Secure Boot state of a source ISO, a mounted Windows image, and the live machine it runs on, then reports exactly where each stands in the migration. Load an image (or just run NTLite on the PC you want to audit) and open the Secure Boot tab on the Updates page. It identifies the boot-manager signer (2011 vs 2023), reads the certificate-deployment state from the registry, parses the on-image update payload, and - on the live host - queries the UEFI firmware db/dbx and the deployment event log.
Each finding is plain-language: whether the 2023 certificate is staged, whether the machine is already booting from the 2023 boot manager, and whether the image is new enough to carry the deployment machinery at all. The host section folds the live firmware verdict in next to the offline-image checks, so you can compare the PC you are building on against the image you are building. Every control and readout on the tab is documented in the Secure Boot reference.
Secure Boot is not a separate chore tacked on at the end. The readiness checks run inside update integration and Create ISO, and the cert staging is set once from the loaded image, then rides the normal Apply and ISO build - configure it and move on.
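For readers who want to see the same readiness points outside the NTLite UI, here is an added PowerShell audit for the live host; it is example code written for this guide, not NTLite's implementation. It assumes the in-box SecureBoot module (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`) is available, that the `AvailableUpdates` and `Servicing\UEFICA2023Status` registry values follow the layout Microsoft published for the CVE-2023-24932 servicing, that drive letter S: is free for mounting the EFI system partition, and that deployment events are logged under the TPM-WMI provider. Run it from an elevated prompt on a UEFI machine.

```powershell
# Added example (not NTLite code): read-only Secure Boot readiness audit of the live host.
# Assumed, not taken from the page: SecureBoot module cmdlets, the AvailableUpdates bitmask and
# Servicing\UEFICA2023Status values as documented by Microsoft, S: free for the ESP, TPM-WMI provider.

function Get-SecureBootCaState {
    $state = [ordered]@{}

    # Confirm-SecureBootUEFI returns $true/$false on UEFI firmware and throws on legacy BIOS.
    try   { $state.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $state.SecureBootEnabled = $false }

    # Certificate names are plain ASCII inside the EFI_SIGNATURE_LIST blobs, so a substring
    # match on the variable contents tells which CAs are enrolled (db/KEK) or revoked (dbx).
    $db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    $kek = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $state.Db_WindowsUefiCa2023  = [bool]($db  -match 'Windows UEFI CA 2023')
    $state.Db_ProductionPca2011  = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
    $state.Dbx_ProductionPca2011 = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')  # the irreversible step
    $state.Kek_2023              = [bool]($kek -match 'KEK 2K CA 2023')

    # Staging bitmask consumed by the Secure-Boot-Update task. Bit meanings are Microsoft's
    # documented values at the time of writing; confirm them against current guidance.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $avail = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $bits  = @{
        0x40   = 'Windows UEFI CA 2023 -> db'
        0x100  = 'boot manager -> 2023-signed'
        0x80   = 'Windows Production PCA 2011 -> dbx (irreversible)'
        0x200  = 'raise SVN floor'
        0x4000 = 'KEK 2K CA 2023 -> KEK'
    }
    $state.AvailableUpdates = if ($null -eq $avail) { 'not set' } else { '0x{0:X}' -f $avail }
    $state.StagedSteps = if ($avail) {
        ($bits.Keys | Sort-Object | Where-Object { $avail -band $_ } | ForEach-Object { $bits[$_] }) -join '; '
    } else { 'none' }
    $state.ServicingStatus = (Get-ItemProperty -Path "$key\Servicing" -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status

    # Signer of the boot manager the firmware actually launches, read from the EFI system partition.
    if (Test-Path 'S:\') {
        $state.BootManagerSigner = 'skipped: S: already in use'
    } else {
        mountvol S: /S | Out-Null
        try {
            $bm = 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
            if (Test-Path $bm) {
                $cert = (Get-AuthenticodeSignature $bm).SignerCertificate
                $state.BootManagerSigner = "$($cert.Subject) <- $($cert.Issuer)"
                $state.BootManager2023   = [bool]($state.BootManagerSigner -match 'Windows UEFI CA 2023')
            } else {
                $state.BootManagerSigner = 'skipped: ESP not mounted'
            }
        } finally { mountvol S: /D | Out-Null }
    }
    [pscustomobject]$state
}

# Deployment events land in the System log under the TPM-WMI provider (assumed provider name);
# the first line of each message is enough to see whether an update was requested or applied.
function Get-SecureBootUpdateEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -split "`n" | Select-Object -First 1 } }
}

Get-SecureBootCaState | Format-List
Get-SecureBootUpdateEvents | Format-Table -AutoSize
```

Read the output the way the tab does: `Db_WindowsUefiCa2023` says whether the 2023 certificate is enrolled, `BootManager2023` whether the machine already boots from the 2023-signed boot manager, and `Dbx_ProductionPca2011` whether the irreversible revocation has landed on this firmware. A nonzero `AvailableUpdates` with `ServicingStatus` still short of updated means Windows has steps queued for the next boots.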
Fix It: Stage the 2023 Certificate
NTLite can stage the 2023 certificate two ways - into an image you are building, or onto the live machine it is running on. Both write the same Secure Boot staging value, and Windows then deploys the certificate over the next boots through its own Secure-Boot-Update servicing. No per-machine commands either way.
On an Offline Image (ISO / WIM)
The durable fix: build media that already carries the 2023 boot manager and queues the deployment, so every machine you install reaches the new state on its own.
- Load your Windows ISO or image in NTLite
- If the Secure Boot tab reports the image predates the certificate update, integrate the latest cumulative update first on the Updates page (the tab names the build you need - see the support table below)
- On the Secure Boot tab, enable the 2023 certificate deployment - NTLite writes the staging value into the image's registry
- Apply and build the ISO; each installed machine applies the certificate over its first boots
Deploy all the image files, not just install.wim. The boot manager and the EFI boot files sit outside install.wim, so a USB built by copying only the updated install.wim onto the original media keeps the old 2011 boot manager - and that is precisely what trips the validation error. Use the full ISO that NTLite produces, or copy every file from it.
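Because the mismatch described above is easy to create by hand, here is an added PowerShell check for finished media, written for this guide rather than taken from NTLite. It assumes the media root is a mounted ISO's drive letter or a USB root, that the EFI boot manager copies sit at the standard Windows media locations (`efi\boot\bootx64.efi` and `bootmgr.efi`), and that the installed image is `sources\install.wim` or `sources\install.esd`.

```powershell
# Added example (not NTLite code): confirm that the boot files on installation media carry the
# 2023-signed boot manager, rather than only the install image having been refreshed.
# Assumed: standard Windows media layout; Get-AuthenticodeSignature can read the EFI PE files.

function Test-InstallMediaBootFiles {
    param([Parameter(Mandatory)][string]$MediaRoot)

    $results = foreach ($rel in 'efi\boot\bootx64.efi', 'bootmgr.efi') {
        $path = Join-Path $MediaRoot $rel
        if (-not (Test-Path $path)) {
            [pscustomobject]@{ File = $rel; Present = $false; Signer = $null; Is2023 = $false }
            continue
        }
        # Signer subject plus issuer shows which CA chain signed the boot manager. Status is
        # reported but not trusted as a verdict: the 2023 CA need not be in the host's cert store.
        $sig   = Get-AuthenticodeSignature $path
        $cert  = $sig.SignerCertificate
        $chain = "$($cert.Subject) <- $($cert.Issuer)"
        [pscustomobject]@{
            File    = $rel
            Present = $true
            Signer  = $chain
            Status  = $sig.Status
            Is2023  = [bool]($chain -match 'Windows UEFI CA 2023')
        }
    }

    $image = 'sources\install.wim', 'sources\install.esd' |
        ForEach-Object { Join-Path $MediaRoot $_ } |
        Where-Object { Test-Path $_ } |
        Select-Object -First 1

    $verdict = if ($results.Present -contains $false) {
        'incomplete media: EFI boot files missing'
    } elseif ($results.Is2023 -contains $false) {
        'boot files are 2011-signed: this media fails Secure Boot on a PC that has taken the PCA 2011 dbx revocation'
    } else {
        'boot files are 2023-signed'
    }

    [pscustomobject]@{
        MediaRoot    = $MediaRoot
        InstallImage = $image
        BootFiles    = $results
        Verdict      = $verdict
    }
}

# Usage: point it at the mounted ISO or the USB root, e.g. Test-InstallMediaBootFiles -MediaRoot 'E:\'
$report = Test-InstallMediaBootFiles -MediaRoot 'E:\'
$report.BootFiles | Format-Table -AutoSize
$report | Select-Object MediaRoot, InstallImage, Verdict | Format-List
```

The `Verdict` line is the one that matters: media whose install image was refreshed while `bootx64.efi` still reports the 2011 chain is exactly the USB that produces the validation error on an already-migrated machine.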
On the Live Host
To migrate the machine you are on, load its running Windows installation - your live C:\Windows - as the target on the Image page, then open the Secure Boot tab. It reads the live firmware and registry state, and enabling the 2023 deployment writes the staging value straight into the running system. Apply with a reboot; NTLite can also run the Windows Secure-Boot-Update task on the spot so it advances now instead of waiting on the schedule. The certificate and db/dbx steps apply over the next boots, and the boot-manager swap takes effect after the restart.
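For the step where NTLite runs the Windows Secure-Boot-Update task on the spot, here is an added PowerShell equivalent for a host where the staging value is already written; it is example code for this guide, not NTLite's. It assumes the task name `\Microsoft\Windows\PI\Secure-Boot-Update` and the `AvailableUpdates` and `Servicing\UEFICA2023Status` registry values as published by Microsoft, and it must run elevated.

```powershell
# Added example (not NTLite code): start the built-in Secure-Boot-Update task and report what
# remains staged afterwards. Assumed names: the PI\Secure-Boot-Update task and the
# AvailableUpdates / Servicing\UEFICA2023Status registry values documented by Microsoft.

function Invoke-SecureBootUpdateNow {
    param([int]$TimeoutSeconds = 120)

    $key      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $taskPath = '\Microsoft\Windows\PI\'
    $taskName = 'Secure-Boot-Update'

    $before = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $task   = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    $task | Start-ScheduledTask

    # Poll until the task leaves the Running state or the timeout expires.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName
    } while ($task.State -eq 'Running' -and (Get-Date) -lt $deadline)

    $after  = (Get-ItemProperty -Path $key -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $status = (Get-ItemProperty -Path "$key\Servicing" -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    $fmt    = { param($v) if ($null -eq $v) { 'not set' } else { '0x{0:X}' -f $v } }

    # Bits still set after the run are steps Windows applies over the next boots.
    [pscustomobject]@{
        TaskState       = $task.State
        LastTaskResult  = ($task | Get-ScheduledTaskInfo).LastTaskResult
        StagedBefore    = & $fmt $before
        StagedAfter     = & $fmt $after
        ServicingStatus = $status
        StepsPending    = [bool]($after)
    }
}

Invoke-SecureBootUpdateNow | Format-List
```

`StepsPending` is expected to stay true after a single run: the certificate and db/dbx steps are applied one boot at a time, so the mask drains across the restarts the section above describes rather than in one pass.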
Does My Windows Get the Update?
The certificate-deployment machinery ships in cumulative updates released on or after November 11, 2025, and only on serviced branches. NTLite's Secure Boot tab reports this per loaded image and names the exact update; the table below is the same data:
| Windows branch | Gets the 2023 cert update? | First cumulative update |
|---|---|---|
| Windows 11 24H2 / 25H2, Server 2025 | Yes | KB5068861 (25H2+ in-box) |
| Windows 11 23H2 (and 22H2 via shared servicing) | Yes | KB5068865 |
| Windows 10 22H2 (ESU), LTSC 2021 | Yes | KB5068781 |
| Windows 10 LTSC 2019, Server 2019 | Yes | KB5068791 |
| Windows 10 LTSB 2016, Server 2016 | Yes | KB5068864 |
| Windows Server 2022 | Yes | KB5068787 |
| Windows 7 / 8 / 8.1, Windows 10 below 22H2, Windows 11 21H2 (22000), Server 23H2 | No | Out of servicing |
- Windows 10 22H2 without an ESU subscription is excluded from Microsoft's managed rollout - integrate the LTSC/ESU servicing update or move the machine to Windows 11
- Server 2012 / 2012 R2 receive the certificates through their ESU monthly rollups
- Builds newer than 25H2 carry the certificate machinery in-box - no extra update needed
Get a Blocked Machine Booting (Manual)
If a PC already shows the error and you need it up now, before rebuilding media:
- Use current media. Rebuild the installer USB from a fresh ISO (or an NTLite-built one) so it carries the 2023-signed boot manager. This is the clean fix and keeps Secure Boot on.
- Reset Secure Boot keys to factory defaults in the firmware (BIOS/UEFI) setup. This restores the original trust set so a known-good boot manager loads again - useful when a partial update left the machine in a mixed state.
- Temporarily disable Secure Boot in firmware to boot once, then apply the updates and re-enable it. Treat this as a stopgap, not a destination.
Windows updates from July 2024 onward also ship securebootrecovery.efi, which reapplies the Windows UEFI CA 2023 to db if the firmware's Secure Boot settings were reset to defaults. It is the recovery path Microsoft documents for a machine that lost the 2023 certificate.
Verify
- Re-open the Secure Boot tab - the boot manager should report the Windows UEFI CA 2023 signer
- On the live host, the migration shows complete once the system is booting from the 2023-signed boot manager
- Boot the media you built - it should pass Secure Boot validation with Secure Boot enabled
Frequently Asked Questions
Do I need to download the Windows UEFI CA 2023 certificate?
No. There is no certificate file to download and install by hand. The 2023 certificate ships inside a Windows cumulative update, and the actual enrollment happens through the SecureBoot registry staging that Windows - or NTLite, offline - writes. In NTLite you enable the deployment on the Secure Boot tab and Apply; you never fetch a .cer or .bin yourself.
Does my version of Windows get the 2023 Secure Boot update?
Only serviced branches, through a cumulative update released on or after November 11, 2025. Windows 11 23H2/24H2/25H2, the current Windows 10 LTSC and ESU branches, and Server 2019/2022/2025 qualify. Windows 7/8/8.1, Windows 10 below 22H2, Windows 11 21H2, and Server 23H2 never receive it. The support table above lists the exact first update per branch.
Will my PC still boot if I skip the update?
Yes. An existing disk keeps booting - a signature made before a certificate expires stays valid, and expiry alone does not block a boot. What blocks a boot is the optional dbx revocation of the old 2011 boot manager. Skipping the update means the machine stops receiving new boot-security protections, not that it stops booting.
Is enabling the certificate deployment reversible?
Adding the 2023 certificate to the database is additive and safe. Revoking the old Production PCA 2011 in dbx is irreversible: once applied, media still signed only by the 2011 certificate stops booting on that machine. NTLite flags the irreversible step before it is staged, so you choose it deliberately.
Next Steps
Save the cert-staging step into a preset and reuse it on every build. Download NTLite to get started, and see the Updates and Apply reference pages for the integration and build steps.