Secure Boot

Reference for the Secure Boot tab: audit the 2011-to-2023 UEFI CA certificate migration and stage the 2023 certificate across ISO, image, and live host.

The Secure Boot tab audits and fixes the 2011-to-2023 UEFI certificate migration (CVE-2023-24932) across a source ISO, a mounted image, and the live host - it reports where each stands, then lets you stage the 2023 certificate so deployments avoid the boot manager security validation error. This page documents every control and readout on the tab and its dialog. For the background, the per-version support table, and the fix walkthrough, see the Secure Boot 2023 Migration guide.

Where It Lives

Open it from the Updates page, Secure Boot tab. The tab works on whatever target is loaded - a mounted offline image, or this PC's live Windows. A separate read-only Secure Boot - Readiness dialog appears when you want the host verdict while a different image is loaded (covered at the end).

Reading the Tab

The tab is a two-column grid - Name (the finding or control) and State (its status word) - under up to two banded sections:

  • Image - the offline image being edited (the band suffix shows the source path)
  • Host - this PC's live firmware readout (the band suffix shows the motherboard model)

A Summary card above the grid carries the plain-language verdict and any advisory. Each band groups its Staging controls (what you queue) above the readouts (what the tab found). The Refresh ribbon button re-runs the audit; Reset reverts every queued Secure Boot setting to the image or live baseline.

Staging: What You Can Queue

Update boot manager

A checkbox under the Boot Manager group. It queues replacing the image's 2011-signed boot manager with the 2023-signed one. It is disabled when the image carries no 2023 boot-manager source; an already-2023 image shows Current: 2023 Windows with nothing to toggle. The result row previews the signer the boot manager will have after Apply (2023 Windows / 2011 Windows), with the full certificate name and version on hover.

Deploy the 2023 certificate

A checkbox tree. The parent stages the certificate db-add; the children add the optional, irreversible hardening steps and gate on the parent.

  • Deploy certificate: 2023 - stages the 2023 certificate for deployment on first boot; the existing 2011 boot manager keeps working. Reversible until applied.
  • Revoke 2011 - adds the 2011 boot-manager certificate to the firmware dbx; 2011-signed boot managers and media can no longer boot on a host this is fully deployed to. Irreversible.
  • Anti-rollback - raises the boot manager minimum Security Version Number so firmware refuses older boot managers. Irreversible.
  • Skip device check - forces the update past the firmware applicability check (the Arm64/Qualcomm known-issue hold). Set only when you know the firmware is fixed. Reversibility: n/a.

Revoke 2011 and Anti-rollback are irreversible once applied to firmware. Revoking the 2011 certificate stops media still signed only by it from booting; the anti-rollback increment makes firmware refuse lower-SVN boot managers, so you must update all bootable media for the machine first or older recovery and install drives stop booting. NTLite confirms each before staging it.

The same intent is also exposed as a single choice on the Create ISO Secure Boot option (the combined values NTLite can stage):

  • "Not staged" - no certificate update staged (clearing cancels a revertible staged value).
  • "Deploy certificate: 2023" - deploys the 2023 certificates (reversible).
  • "Deploy certificate: 2023 - Revoke 2011" - deploys, plus revokes the 2011 certificate in dbx.
  • "Deploy certificate: 2023 - Anti-rollback" - deploys, plus the SVN anti-rollback increment.
  • "Deploy certificate: 2023 - Revoke 2011 - Anti-rollback" - full hardening: deploy, revoke, and anti-rollback.

Automatic-deployment flags

These toggles steer how Windows auto-deploys the certificates after install:

  • Block automatic certificate deployment - Windows Update will not auto-deploy the 2023 certificates.
  • Opt in to the Microsoft-managed certificate rollout - Microsoft schedules the deployment via its controlled rollout (requires telemetry; not applicable to Server).
  • Skip device check - forces the certificate update to proceed on firmware the applicability check would otherwise hold back; set only when you know the firmware is fixed.

Host-only actions

When this PC is the loaded target, two extra repair actions appear:

  • Repair the Secure Boot update task - recreates or re-enables the Secure Boot update task so a staged migration can continue; a disabled or deleted task permanently stalls it. This repairs the task but does not run it (the deployment applies on later restarts).
  • Deploy the Secure Boot recovery loader to the EFI partition - copies securebootrecovery.efi to the EFI System Partition so the 2023 certificate can be reapplied if firmware Secure Boot settings are reset.

Servicing-task buttons

Inline word-buttons on the servicing-task row act on the Windows Secure-Boot-Update task directly:

  • Run - fires the task now to advance the next staged step instead of waiting on the schedule
  • Disable - halts the migration on this host (confirmed first)
  • Enable - re-enables a disabled task
  • Remove / Undo - queue or un-queue removal of the in-image servicing task

Readouts: What the Tab Reports

Allowed and Revoked Signatures

Two lists per band. Allowed Signatures are the certificates the firmware will trust to boot; Revoked Signatures are the ones it refuses (dbx). Each entry shows a short token (2023 Windows, 2011 Windows, 2011 Third-party, 2023 Option ROM) with the full certificate name and any expiry on hover - the 2011 Windows certificate expires October 2026, the 2011 third-party UEFI CA June 2026.

Boot Manager and KEK

Boot Manager reports which certificate authority the running or in-image boot manager is signed by (2023 Windows vs 2011 Windows), with the full name on hover. On the host, a separate Boot Manager (ESP) reads the actual signer on the EFI System Partition and flags it if it contradicts the registry migration state. The Key Exchange Key (KEK) row shows whether the 2023 KEK is present - without it, firmware cannot receive 2023-signed certificate updates.

Servicing task, Events, and Migration progress

Servicing task shows whether the Secure-Boot-Update task is Enabled, Disabled, or Missing, with its last run and result. Events (TPM-WMI) is a collapsible timeline of the firmware deployment events (cert added, dbx revoked, handoff error, reboot pending, complete). Certificate migration reports the steps remaining and the step currently processing; a disabled or missing task is called out because it stalls the migration.

Staging progression states

When a value is already staged, the tab describes exactly where it is:

  • "No certificate update staged." - nothing queued.
  • "All 2023 certificates staged for deployment; applies on next boots." - deploy queued, no revocation.
  • "All 2023 certificates staged with PCA 2011 dbx revocation; applies on next boots. (Irreversible)" - deploy plus 2011 revocation.
  • "All 2023 certificates staged with the SVN anti-rollback increment; applies on next boots." - deploy plus anti-rollback.
  • "Certificate deployment partially applied; remaining steps are queued and apply over future boots, paced by Microsoft’s staged rollout." - in progress across boots.
  • "Certificate deployment complete (0x4000); all deployable bits cleared." - done.

Summary Advisories

The Summary card states one verdict for the loaded target. The common image and host advisories:

  • Version predates the updates - "This Windows version predates the Secure Boot certificate updates, so it cannot deploy the 2023 certificates yet. Integrate the latest cumulative update." (Warning)
  • Branch out of servicing - "This Windows version does not receive the 2023 Secure Boot certificate update support. The 2023-signed boot manager can still be applied." (Warning)
  • Image ready - "This image is ready for 2023 Secure Boot. No action needed." (OK)
  • Deploy staged - "2023 Secure Boot certificate deployment is staged - it applies on the next restart." (Info)
  • Host: setup mode - "Setup Mode - Secure Boot is not enforcing." (Warning)
  • Host: 2011 only - "Apply the certificate update before the 2011 certificates expire (June/October 2026), or this PC may stop booting updated media." (Warning)
  • Host: lockout risk - "No boot signer is trusted: the 2011 certificate is revoked and the 2023 certificate is not trusted, which can prevent this PC from booting." (Critical)
  • Host: migrated - "Secure Boot is fully migrated to the 2023 certificates. No action needed." (OK)

State words follow a fixed severity scale: OK, Info, Warning, Critical. Only Warning and Critical findings render as inline rows; the rest fold into the readout and the Summary card.
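A host-side counterpart to the readouts above (Allowed and Revoked Signatures, Boot Manager, KEK, servicing task, TPM-WMI events) and to the Summary verdict scale, as an added PowerShell example that is not NTLite's own code: it reads the same firmware and Windows sources and returns a one-object report. Assumptions: elevated PowerShell 5.1+ on a UEFI host; the CA subject strings are Microsoft's published names; the registry key, scheduled-task path and TPM-WMI provider name are assumed to be the ones the update uses.

```powershell
# Added example, not NTLite's code: read-only audit of a live host's 2011-to-2023
# Secure Boot state, mirroring the tab's Host band. Assumes elevated PowerShell 5.1+
# on UEFI firmware; CA subjects are Microsoft's published names, and the registry
# key, task path and TPM-WMI provider name are assumed to be the update's own.
#Requires -RunAsAdministrator
$knownCAs = @{
    'Windows UEFI CA 2023'                  = '2023 Windows'
    'Microsoft Windows Production PCA 2011' = '2011 Windows'
    'Microsoft Corporation UEFI CA 2011'    = '2011 Third-party'
    'Microsoft UEFI CA 2023'                = '2023 Third-party'
    'Microsoft Option ROM UEFI CA 2023'     = '2023 Option ROM'
    'Microsoft Corporation KEK 2K CA 2023'  = '2023 KEK'
}
# db/dbx/KEK are EFI_SIGNATURE_LIST blobs holding DER certificates; the subject CN
# survives as ASCII bytes, so a substring test is enough to report presence.
function Get-KnownCATokens([string]$Variable) {
    $text = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Variable).Bytes)
    @($knownCAs.Keys | Where-Object { $text.Contains($_) } | ForEach-Object { $knownCAs[$_] })
}
$allowed = Get-KnownCATokens 'db'     # tab: Allowed Signatures
$revoked = Get-KnownCATokens 'dbx'    # tab: Revoked Signatures
$kek     = Get-KnownCATokens 'KEK'    # tab: Key Exchange Key (KEK) row
# In-image boot manager (the copy Windows services, not the ESP copy): the leaf
# certificate's issuer is the CA the tab names, PCA 2011 or Windows UEFI CA 2023.
$sig = Get-AuthenticodeSignature "$env:SystemRoot\Boot\EFI\bootmgfw.efi"
$bootMgr = if ($sig.SignerCertificate) { ($sig.SignerCertificate.Issuer -split ',')[0] } else { 'unknown' }
$svc  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
$events = Get-WinEvent -FilterHashtable @{ LogName='System'; ProviderName='Microsoft-Windows-TPM-WMI' } -MaxEvents 5 -ErrorAction SilentlyContinue
# Verdict order follows the Summary advisories: lockout risk (2011 revoked, 2023 not
# trusted) is Critical; "migrated" needs the 2023 CA allowed, 2011 revoked, 2023 KEK.
$verdict = if (-not (Confirm-SecureBootUEFI)) { 'Warning: Secure Boot is not enforcing' }
    elseif ($revoked -contains '2011 Windows' -and $allowed -notcontains '2023 Windows') { 'Critical: no trusted boot signer (lockout risk)' }
    elseif ($allowed -contains '2023 Windows' -and $revoked -contains '2011 Windows' -and $kek -contains '2023 KEK') { 'OK: migrated to the 2023 certificates' }
    elseif ($allowed -contains '2023 Windows') { 'Info: 2023 CA trusted; 2011 CA still allowed, migration pending' }
    else { 'Warning: 2011 only; apply the update before the 2011 CAs expire in 2026' }
[pscustomobject]@{
    AllowedSignatures = $allowed -join ', '
    RevokedSignatures = $revoked -join ', '
    KEK2023Present    = [bool]($kek -contains '2023 KEK')
    BootManagerSigner = $bootMgr
    AvailableUpdates  = if ($svc) { '0x{0:X}' -f [int]$svc.AvailableUpdates } else { 'n/a' }   # 0x4000 = complete per the tab
    ServicingTask     = if ($task) { $task.State } else { 'Missing' }
    RecentTpmWmi      = ($events | ForEach-Object { '{0:s} id={1}' -f $_.TimeCreated, $_.Id }) -join '; '
    Verdict           = $verdict
}
```

The verdict is a simplification of the tab's Summary: it does not read the ESP copy of the boot manager or the per-step migration progress, so treat a Critical result as a prompt to open the tab, not as a complete diagnosis.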

The Host Readiness Dialog

When this PC is not the loaded target, NTLite can show a read-only Secure Boot - Readiness dialog: the same host readout and Summary as the tab's Host band, but as a snapshot with no staging controls. It carries a More info link (Open: Updates - Secure Boot) that closes the dialog and loads this PC's Windows so you can act on the findings, plus the same Run / Enable / Disable servicing-task buttons. To stage changes, load the live C:\Windows as the target on the Image page.

Related

Secure Boot 2023 Migration guide - the boot manager validation error explained, the per-version support table, and the step-by-step fix. Updates - the page that hosts this tab.