Windows 11 25H2 will not install with Secure Boot Enabled and only 2023 Keys
I am attempting to install Windows 11 using the ISO downloaded from the Microsoft website today.
I have followed the guidance provided by Microsoft regarding Secure Boot keys.
The keys I have installed are:
- PK Key
- Microsoft 2023 KEK Key
- Microsoft Option ROM UEFI CA 2023
- Microsoft UEFI CA 2023
- Windows UEFI CA 2023
Attempting to boot from a USB drive made with Rufus, without checking any of the helper boxes, violates Secure Boot.
Attempting to boot from a USB drive made with the Windows Media Creation Tool also violates Secure Boot.
Those two tests have the same result after running the ISO through the PowerShell script.
The following was tested against the ISO that had passed through the script, so it should theoretically work with only the 2023 certs:
PS C:\> Get-AuthenticodeSignature E:\efi\boot\bootx64.efi | Select-Object *

SignerCertificate      : [Subject]
                           CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                         [Issuer]
                           CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
                         [Serial Number]
                           330000000AA08BE0095B22DCDC00000000000A
                         [Not Before]
                           15/05/2025 20:23:59
                         [Not After]
                           15/05/2026 20:23:59
                         [Thumbprint]
                           441FDC17A4C37612D191C63C70123778C1D761FD
TimeStamperCertificate : [Subject]
                           CN=Microsoft Time-Stamp Service, OU=nShield TSS ESN:521A-05E0-D947, OU=Microsoft Ireland Operations Limited, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                         [Issuer]
                           CN=Microsoft Time-Stamp PCA 2010, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                         [Serial Number]
                           330000021771FB2EA5AF011DEA000100000217
                         [Not Before]
                           14/08/2025 19:48:23
                         [Not After]
                           13/11/2026 18:48:23
                         [Thumbprint]
                           69B28015A2ADDA169476A9077C56330337E048CB
Status                 : Valid
StatusMessage          : Signature verified.
Path                   : E:\efi\boot\bootx64.efi
SignatureType          : Authenticode
IsOSBinary             : True
PS C:\Sigcheck> .\sigcheck64.exe -i E:\efi\boot\bootx64.efi

Sigcheck v2.91 - File version and signature viewer
Copyright (C) 2004-2026 Mark Russinovich
Sysinternals - www.sysinternals.com

e:\efi\boot\bootx64.efi:
        Verified:       Signed
        Link date:      08:06 02/02/2008
        Signing date:   03:26 13/02/2026
        Catalog:        e:\efi\boot\bootx64.efi
        Signers:
            Microsoft Windows
                Cert Status:    This certificate or one of the certificates in the certificate chain is not time valid.
                Valid Usage:    Code Signing, NT5 Crypto
                Cert Issuer:    Windows UEFI CA 2023
                Serial Number:  33 00 00 00 0A A0 8B E0 09 5B 22 DC DC 00 00 00 00 00 0A
                Thumbprint:     441FDC17A4C37612D191C63C70123778C1D761FD
                Algorithm:      sha256RSA
                Valid from:     20:23 15/05/2025
                Valid to:       20:23 15/05/2026
            Windows UEFI CA 2023
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  33 00 00 00 1A 88 8B 98 00 56 22 84 C1 00 00 00 00 00 1A
                Thumbprint:     45A0FA32604773C82433C3B7D59E7466B3AC0C67
                Algorithm:      sha256RSA
                Valid from:     19:58 13/06/2023
                Valid to:       20:08 13/06/2035
            Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     22:57 23/06/2010
                Valid to:       23:04 23/06/2035
        Counter Signers:
            Microsoft Time-Stamp Service
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Time-Stamp PCA 2010
                Serial Number:  33 00 00 02 17 71 FB 2E A5 AF 01 1D EA 00 01 00 00 02 17
                Thumbprint:     69B28015A2ADDA169476A9077C56330337E048CB
                Algorithm:      sha256RSA
                Valid from:     19:48 14/08/2025
                Valid to:       19:48 13/11/2026
            Microsoft Time-Stamp PCA 2010
                Cert Status:    Valid
                Valid Usage:    Timestamp Signing
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  33 00 00 00 15 C5 E7 6B 9E 02 9B 49 99 00 00 00 00 00 15
                Thumbprint:     36056A5662DCADECF82CC14C8B80EC5E0BCC59A6
                Algorithm:      sha256RSA
                Valid from:     19:22 30/09/2021
                Valid to:       19:32 30/09/2030
            Microsoft Root Certificate Authority 2010
                Cert Status:    Valid
                Valid Usage:    All
                Cert Issuer:    Microsoft Root Certificate Authority 2010
                Serial Number:  28 CC 3A 25 BF BA 44 AC 44 9A 9B 58 6B 43 39 AA
                Thumbprint:     3B1EFD3A66EA28B16697394703A72CA340A05BD5
                Algorithm:      sha256RSA
                Valid from:     22:57 23/06/2010
                Valid to:       23:04 23/06/2035
        Company:        Microsoft Corporation
        Description:    Boot Manager
        Product:        Microsoft® Windows® Operating System
        Prod version:   10.0.28000.317
        File version:   10.0.28000.317 (WinBuild.160101.0800)
        MachineType:    64-bit
It seems that even in the latest Windows ISO, and even in older ones, the certs aren't quite correct, so some show as invalid/expired. Why is the 2010 Production CA cert that signed the bootx64.efi file expiring after the UEFI CA 2023 one? That seems rather wrong.
The Windows UEFI CA 2023 cert shows its expiry as 2035, not 2026, which seems even more wrong.
Is it expected behaviour for the Windows 11 installer to still require the 2011 certs regardless of the CVEs associated with them? Or is there a fundamental issue with the current Windows installer ISOs where the signatures are incorrect?
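The post compares the Authenticode chain of the installer's bootx64.efi with the keys the author enrolled, but only by eye. Firmware makes exactly one decision here: is some certificate in the image's signing chain present in the Secure Boot db (and none of it in dbx)? The script below, an added example written for this page and not code from the post or from Microsoft, reads the KEK and db variables with the built-in SecureBoot module, parses the EFI_SIGNATURE_LIST structures into X.509 certificates, then builds the boot manager's chain from the certificates embedded in the signed PE and marks which chain elements are actually enrolled in db. It must run from an elevated PowerShell on the UEFI machine being tested; the drive letter E: is an assumption taken from the transcript above.

```powershell
# Added example (editor's code, not part of the original post). Run from an
# elevated PowerShell on the UEFI machine. Prints the CA certificates in KEK and
# db, then checks whether the installer's boot manager chains to a db entry.
$BootFile = 'E:\efi\boot\bootx64.efi'   # assumption: same mount letter as in the post

# Only EFI_CERT_X509_GUID lists carry certificates; SHA-256 hash lists are skipped.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootCertificates {
    # Walk the EFI_SIGNATURE_LIST array held in a Secure Boot variable
    # (UEFI spec, "Signature Database") and emit its X.509 certificates.
    param([Parameter(Mandatory)][string]$VariableName)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # Header: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) | SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }  # malformed list: stop

        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            while ($pos + $sigSize -le $offset + $listSize) {
                # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) followed by the DER-encoded certificate
                $der = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Test-BootLoaderAnchoredInDb {
    # Build the signer's chain from the certificates embedded in the PE's PKCS#7
    # blob (no network, no revocation: firmware does neither) and flag every
    # element whose thumbprint is enrolled in db.
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.Cryptography.X509Certificates.X509Certificate2[]]$DbCerts
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $Path" }

    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    try {
        $embedded = [System.Security.Cryptography.X509Certificates.X509Certificate2Collection]::new()
        $embedded.Import($Path)          # intermediates shipped inside the signature
        $chain.ChainPolicy.ExtraStore.AddRange($embedded)
    } catch { Write-Warning "Could not read embedded certificates: $_" }
    $null = $chain.Build($sig.SignerCertificate)

    $dbThumbprints = @($DbCerts | ForEach-Object Thumbprint)
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        [pscustomobject]@{
            Subject    = $cert.GetNameInfo('SimpleName', $false)
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            InDb       = $dbThumbprints -contains $cert.Thumbprint
        }
    }
}

"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
foreach ($var in 'KEK', 'db') {
    "`n== $var =="
    Get-SecureBootCertificates -VariableName $var |
        Select-Object @{n='Subject'; e={ $_.GetNameInfo('SimpleName', $false) }}, NotBefore, NotAfter, Thumbprint |
        Format-Table -AutoSize
}

"`n== Chain of $BootFile against db =="
$db     = @(Get-SecureBootCertificates -VariableName 'db')
$report = Test-BootLoaderAnchoredInDb -Path $BootFile -DbCerts $db
$report | Format-Table -AutoSize
if ($report.InDb -contains $true) {
    "A certificate in this boot manager's chain is enrolled in db; firmware should accept the signer unless a dbx entry matches."
} else {
    "No certificate in this boot manager's chain is enrolled in db; firmware will refuse to load this file."
}
```

Two readings of the output matter for the question above. The db table answers, independently of what a signing tool says about time validity, whether "Windows UEFI CA 2023" (and, for comparison, "Microsoft Windows Production PCA 2011") is actually enrolled; Authenticode expiry checks are not part of UEFI image verification, which is why a leaf certificate past its NotAfter still boots. The chain table shows the exact issuer the installer media requires: if the boot manager's chain contains no db certificate, the media is signed under a CA the firmware does not trust, regardless of how the ISO was written to USB.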