Share via

Issues after revoking the "Windows Production CA 2011" certificate

CyrilShi 0 Reputation points
2025-09-22T10:01:07.57+00:00

Issues after revoking the "Windows Production CA 2011" certificate

A few months ago, I followed the instructions from KB5025885 and completed the 4-step mitigation deployment. Now, my EFI files are signed with the "Windows UEFI CA 2023" certificate, and the "Windows Production CA 2011" certificate has been revoked.

However, I have encountered an issue: I can't perform major version updates (e.g., updating from 23H2 to 24H2) via OTA, nor can I install the update using the official ISO images when Secure Boot is enabled. Currently, all images are still signed with the old certificate, and I understand that the "Windows UEFI CA 2023" certificate hasn't been widely added to UEFI firmware yet.

I can complete the update manually by following the steps in the "Updating Windows install media" section to update the boot certificate. However, this means I won’t be able to update via OTA or use the system recovery function in the future unless I disable Secure Boot.

Is there a better solution to this issue? Also, is there a clear timeline for updating the boot manager signature in the official ISO images?

Windows for business | Windows Client for IT Pros | Devices and deployment | Set up, install, or upgrade
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Domic Vo 22,685 Reputation points Independent Advisor
    2025-09-22T10:35:24.5766667+00:00

    Dear CyrilShi,

    Thank you for reaching out and for your diligence in implementing the mitigation steps outlined in KB5025885. We understand the challenges you're facing after revoking the "Windows Production CA 2011" certificate and transitioning to the "Windows UEFI CA 2023" certificate.

    Here are recommendations you may try:

    1. Secure Boot Compatibility As of now, most official ISO images and OTA update packages are still signed with the Windows Production CA 2011 certificate. Since this certificate has been revoked in your environment, Secure Boot will block these images unless manually updated.
    2. Manual Workaround You’ve correctly followed the guidance in the “Updating Windows install media” section to re-sign boot files. While effective, this approach limits future OTA updates and recovery options unless Secure Boot is disabled.
    3. Recommended Interim Solution For environments where Secure Boot must remain enabled, we recommend continuing with manual media updates until broader firmware support for Windows UEFI CA 2023 is available. Alternatively, consider temporarily disabling Secure Boot during major updates, then re-enabling it post-installation.

    Let me know how it goes, and if this answer helps, feel free to hit “Accept Answer” so others can benefit too 😊 T&B, Domic Vo

    Was this answer helpful?

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.