How to repair the efi partition on PC after the Windows UEFI CA 2023 certificate is applied?

Question

How to repair the efi partition on PC after the Windows UEFI CA 2023 certificate is applied?

Jim Whitaker 211

I currently use:

bcdboot C:\windows /s S: /f UEFI

But after the Windows UEFI CA 2023 certificate is applied how would you repair or recreate the efi partition?

Microsoft has instructions for boot media here:

https://support.microsoft.com/en-us/topic/updating-windows-bootable-media-to-use-the-pca2023-signed-boot-manager-d4064779-0e4e-43ac-b2ce-24f434fcfa0f

But I can't find any articles on repairing the the PC efi partition.

0 comments

Answer accepted by question author

0 additional answers

Your answer

Answer 1

Emmanuel Santana 38,850 Independent Advisor

Hello. To rebuild the EFI partition after the Windows UEFI CA 2023 certificate is applied, use current Windows 11 installation media (build 22621.2500 or newer):

Boot from Windows 11 setup media and open Command Prompt (Shift + F10).

Run:

   diskpart
   list vol
   sel vol <EFI volume number>
   assign letter=S:
   exit

Format the EFI partition:
```
   format S: /fs:FAT32 /q
```
Recreate the boot files using the updated signed components:
```
   bcdboot C:\Windows /s S: /f UEFI
```
Restart the PC and verify Secure Boot completes without signature errors.

If Secure Boot still fails, clear and re-enroll platform keys (PK/KEK/DB) in the firmware, then repeat step 4.

For reference: https://support.microsoft.com/en-us/topic/d4064779-0e4e-43ac-b2ce-24f434fcfa0f

Jim Whitaker 211 Reputation points

2025-10-12T15:44:06.54+00:00

A follow up question: In https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d

They have this to fix boot media:

`COPY D:\EFI\MICROSOFT\BOOT\BCD D:\EFI\MICROSOFT\BOOT\BCD.BAK

bcdboot c:\windows /f UEFI /s D: /bootex

COPY D:\EFI\MICROSOFT\BOOT\BCD.BAK D:\EFI\MICROSOFT\BOOT\BCD`

Does that still work instead of using the Make2023BootableMedia.ps1 PowerShell script?
Emmanuel Santana 38,850 Reputation points Independent Advisor

2025-10-13T08:43:40.6266667+00:00

That method still works as long as your boot files already include the PCA2023-signed binaries. The copy-restore sequence in that article (temporarily renaming BCD and rebuilding it with bcdboot) only refreshes the store, it doesn’t inject the new Microsoft Windows UEFI CA 2023 signature by itself.

Make2023BootableMedia.ps1 differs because it actually stages the updated boot manager (bootmgfw.efi and related .efi files) and ensures their signature aligns with the PCA2023 chain. Without those updated files present, bcdboot will just reuse whatever’s in C:\Windows\Boot\EFI, which may still be the pre-revocation set.

So yes, your three-line command sequence is valid for re-pointing or repairing the BCD, but not for migrating to PCA2023 compliance unless the underlying boot binaries are current.
Jim Whitaker 211 Reputation points

2025-10-13T18:19:16.9266667+00:00

After Windows UEFI CA 2023 certificate is applied does the C:\Windows\Boot\EFI contain the new files so that bcdboot C:\Windows /s S: /f UEFI will work? There are no instructions anywhere on using Make2023BootableMedia.ps1 to repair the efi partition. That's my main concern because there have been cases where I'd have to repair it.
Emmanuel Santana 38,850 Reputation points Independent Advisor

2025-10-14T08:53:37.6133333+00:00
That's right, Jim. Once the PCA2023 update has been applied through Windows Update (KB5037591 or any cumulative post-May 2024), the folder C:\Windows\Boot\EFI will contain the updated, PCA2023-signed EFI binaries, bootmgfw.efi, bootmgr.efi, bootmgr.efi.mui, etc.

If you run this:

bcdboot C:\Windows /s S: /f UEFI

after that point will rebuild the EFI partition with the new chain automatically. You do not need to run Make2023BootableMedia.ps1 for a local repair; that script exists only for offline boot media (USB, recovery images, deployment WIMs).

Share via

How to repair the efi partition on PC after the Windows UEFI CA 2023 certificate is applied?

0 additional answers

Your answer