Windows 11 25H2 will not install with Secure Boot Enabled and only 2023 Keys

Michael Madell 0 Reputation points
2026-06-30T15:04:51.8333333+00:00

I am attempting to install Windows 11 using the ISO Downloaded from the Microsoft Website today.

I have followed guidance provided by Microsoft regarding secure boot keys.

The keys I have installed are:

  • PK Key
  • Microsoft 2023 KEK Key
  • Microsoft Option ROM UEFI CA 2023
  • Microsoft UEFI CA 2023
  • Windows UEFI CA 2023

Attempting to boot to a USB drive made with Rufus, without checking any of the helper boxes, violates Secure Boot.

Attempting to boot to a USB drive made with the Windows Media Creation Tool also violates Secure Boot.

Those two tests have the same result after running through the PowerShell script.

The following was tested against the ISO that had passed through the script, so should theoretically work with only 2023 certs:


PS C:\> Get-AuthenticodeSignature E:\efi\boot\bootx64.efi | Select-Object *


SignerCertificate      : [Subject]
                           CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

                         [Serial Number]
                           330000000AA08BE0095B22DCDC00000000000A

                         [Not Before]
                           15/05/2025 20:23:59

                         [Not After]
                           15/05/2026 20:23:59

                         [Thumbprint]
                           441FDC17A4C37612D191C63C70123778C1D761FD

TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=nShield TSS ESN:521A-05E0-D947, OU=Microsoft Ireland
                         Operations Limited, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

                         [Serial Number]
                           330000021771FB2EA5AF011DEA000100000217

                         [Not Before]
                           14/08/2025 19:48:23

                         [Not After]
                           13/11/2026 18:48:23

                         [Thumbprint]
                           69B28015A2ADDA169476A9077C56330337E048CB

Status                 : Valid
StatusMessage          : Signature verified.
Path                   : E:\efi\boot\bootx64.efi
SignatureType          : Authenticode
IsOSBinary             : True

PS C:\Sigcheck> .\sigcheck64.exe -i E:\efi\boot\bootx64.efi
Sigcheck v2.91 - File version and signature viewer
Copyright (C) 2004-2026 Mark Russinovich
Sysinternals - www.sysinternals.com
e:\efi\boot\bootx64.efi:
        Verified:       Signed
        Link date:      08:06 02/02/2008
        Signing date:   03:26 13/02/2026
        Catalog:        e:\efi\boot\bootx64.efi
        Signers:
           Microsoft Windows
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Code Signing, NT5 Crypto
                Cert Issuer:    Windows UEFI CA 2023
                Serial Number:  33 00 00 00 0A A0 8B E0 09 5B 22 DC DC 00 00 00 00 00 0A
                Thumbprint:     441FDC17A4C37612D191C63C70123778C1D761FD
                Algorithm:      sha256RSA
                Valid from:     20:23 15/05/2025
                Valid to:       20:23 15/05/2026
           Windows UEFI CA 2023
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  33 00 00 00 1A 88 8B 98 00 56 22 84 C1 00 00 00 00 00 1A
                Thumbprint:     45A0FA32604773C82433C3B7D59E7466B3AC0C67
                Algorithm:      sha256RSA
                Valid from:     19:58 13/06/2023
                Valid to:       20:08 13/06/2035
           Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     22:57 23/06/2010
                Valid to:       23:04 23/06/2035
        Counter Signers:
           Microsoft Time-Stamp Service
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA 2010
                Serial Number:  33 00 00 02 17 71 FB 2E A5 AF 01 1D EA 00 01 00 00 02 17
                Thumbprint:     69B28015A2ADDA169476A9077C56330337E048CB
                Algorithm:      sha256RSA
                Valid from:     19:48 14/08/2025
                Valid to:       19:48 13/11/2026
           Microsoft Time-Stamp PCA 2010
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  33 00 00 00 15 C5 E7 6B 9E 02 9B 49 99 00 00 00 00 00 15
                Thumbprint:     36056A5662DCADECF82CC14C8B80EC5E0BCC59A6
                Algorithm:      sha256RSA
                Valid from:     19:22 30/09/2021
                Valid to:       19:32 30/09/2030
           Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     22:57 23/06/2010
                Valid to:       23:04 23/06/2035
        Company:        Microsoft Corporation
        Description:    Boot Manager
        Product:        Microsoft® Windows® Operating System
        Prod version:   10.0.28000.317
        File version:   10.0.28000.317 (WinBuild.160101.0800)
        MachineType:    64-bit

Seems that even in the latest Windows ISO, and even older ones, the certs aren't quite correct, so some show invalid/expired. Like, why is the 2010 Production CA cert that signed the bootx64.efi file expiring after the UEFI CA 2023 one? That seems rather wrong.

The Windows UEFI CA 2023 cert shows its expiry as 2035, not 2026, which seems even more wrong.

Is this expected behaviour for the Windows 11 installer to still require the 2011 certs regardless of the CVEs associated with them? Or is there a fundamental issue with the current Windows installer ISOs where the signatures are incorrect?

Windows for home | Windows 11 | Install and upgrade
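Added example (not part of the original post and not Microsoft's code): a small Python parser for the `sigcheck -i` output quoted above that checks each certificate's validity window at the reported signing date and at the date of the post. The sample text is abridged from the post's output; `parse_sigcheck`, `expired_at` and `post_date` are names chosen for this illustration.

```python
from datetime import datetime

# Abridged from the sigcheck output quoted in the post (dates are day/month/year).
SAMPLE = """\
        Signing date:   03:26 13/02/2026
        Signers:
           Microsoft Windows
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid from:     20:23 15/05/2025
                Valid to:       20:23 15/05/2026
           Windows UEFI CA 2023
                Valid from:     19:58 13/06/2023
                Valid to:       20:08 13/06/2035
           Microsoft Root Certificate Authority 2010
                Valid from:     22:57 23/06/2010
                Valid to:       23:04 23/06/2035
        Counter Signers:
           Microsoft Time-Stamp Service
                Valid from:     19:48 14/08/2025
                Valid to:       19:48 13/11/2026
"""
FMT = "%H:%M %d/%m/%Y"

def parse_sigcheck(text):
    # Returns (signing_time, {section: [(subject, not_before, not_after), ...]}).
    signing = section = name = start = None
    chains = {"Signers": [], "Counter Signers": []}
    for line in text.splitlines():
        key, sep, value = (part.strip() for part in line.partition(":"))
        if key in chains and not value:
            section = key                       # "Signers:" / "Counter Signers:" header
        elif key == "Signing date":
            signing = datetime.strptime(value, FMT)
        elif key == "Valid from":
            start = datetime.strptime(value, FMT)
        elif key == "Valid to":
            chains[section].append((name, start, datetime.strptime(value, FMT)))
        elif section and key and not sep:
            name = key                          # bare line in a section = certificate subject
    return signing, chains

def expired_at(chain, when):
    # Subjects whose validity window does not contain `when`.
    return [n for n, not_before, not_after in chain if not (not_before <= when <= not_after)]

signing, chains = parse_sigcheck(SAMPLE)
post_date = datetime(2026, 6, 30, 15, 4)        # timestamp on the forum post
print("outside validity at signing time:", expired_at(chains["Signers"], signing))
print("outside validity at post date:   ", expired_at(chains["Signers"], post_date))
```

Every certificate in the signer chain is inside its validity window at the timestamped signing date, and only the leaf `Microsoft Windows` certificate has lapsed by the post date. That is consistent with `Get-AuthenticodeSignature` reporting `Valid` for the timestamped signature while sigcheck flags the leaf as not time valid.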
