Issues after revoking the "Windows Production CA 2011" certificate

York Waugh 90 Reputation points
2024-09-09T10:30:31.8966667+00:00

A few months ago, I followed the instructions from KB5025885 and completed the 4-step mitigation deployment. Now, my EFI files are signed with the "Windows UEFI CA 2023" certificate, and the "Windows Production CA 2011" certificate has been revoked.

However, I have encountered an issue: I can't perform major version updates (e.g., updating from 23H2 to 24H2) via OTA, nor can I install the update using the official ISO images when Secure Boot is enabled. Currently, all images are still signed with the old certificate, and I understand that the "Windows UEFI CA 2023" certificate hasn't been widely added to UEFI firmware yet.

I can complete the update manually by following the steps in the "Updating Windows install media" section to update the boot certificate. However, this means I won’t be able to update via OTA or use the system recovery function in the future unless I disable Secure Boot.

Is there a better solution to this issue? Also, is there a clear timeline for updating the boot manager signature in the official ISO images?

Thank you!

Windows for business | Windows Client for IT Pros | User experience | Other
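The state the question describes (the 2023 CA trusted in the UEFI `db`, the 2011 PCA revoked via `dbx`, and install media whose boot manager is still chained to the 2011 PCA) can be verified before attempting a feature update. The following PowerShell script is an added example written for this page, not code from the original post or from KB5025885 itself. It assumes an elevated prompt on a UEFI machine with the built-in SecureBoot module, that drive letter `S:` is free for mounting the EFI system partition, and that `$MediaBootMgr` is a placeholder path to `bootx64.efi` on mounted install media; the certificate name strings are the subject names the Microsoft certificates actually carry.

```powershell
# Added example (not from the original post): pre-flight check for the
# KB5025885 Secure Boot state before a feature update. Run elevated.
# Assumptions: SecureBoot module present (built into Windows 10/11),
# drive letter S: is free, $MediaBootMgr is a placeholder path to the
# boot manager on mounted install media.

param(
    [string] $MediaBootMgr = 'D:\efi\boot\bootx64.efi'  # placeholder: mounted ISO
)

function Get-UefiVariableText {
    param([string] $Name)
    # db/dbx are binary EFI_SIGNATURE_LIST blobs; the certificate subject
    # names inside them are ASCII, so a substring match is enough to tell
    # which CAs are trusted (db) or revoked (dbx).
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes)
}

function Test-Kb5025885State {
    $enabled = Confirm-SecureBootUEFI
    if (-not $enabled) {
        Write-Warning 'Secure Boot is OFF; db/dbx are not being enforced right now.'
    }
    $db  = Get-UefiVariableText -Name 'db'
    $dbx = Get-UefiVariableText -Name 'dbx'

    [pscustomobject]@{
        SecureBootEnabled      = $enabled
        UefiCa2023InDb         = $db  -match 'Windows UEFI CA 2023'
        ProductionPca2011InDbx = $dbx -match 'Microsoft Windows Production PCA 2011'
    }
}

function Get-BootManagerSigner {
    param([string] $Path)
    # Authenticode signature on an EFI binary. The issuer of the leaf
    # certificate is the CA the firmware must trust to boot this file.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path    = $Path
        Status  = $sig.Status
        Subject = $sig.SignerCertificate.Subject
        Issuer  = $sig.SignerCertificate.Issuer
    }
}

$state = Test-Kb5025885State
$state | Format-List

# Installed boot manager: mount the EFI system partition at S:, inspect, unmount.
mountvol S: /S
try {
    Get-BootManagerSigner -Path 'S:\EFI\Microsoft\Boot\bootmgfw.efi' | Format-List
} finally {
    mountvol S: /D
}

# Install media boot manager (what Setup would lay down). If it chains to
# the 2011 PCA and that PCA sits in dbx, firmware refuses to boot it with
# Secure Boot on, which is the failure mode described in the question.
if (Test-Path $MediaBootMgr) {
    $media = Get-BootManagerSigner -Path $MediaBootMgr
    $media | Format-List
    if ($state.ProductionPca2011InDbx -and $media.Issuer -match 'Windows Production PCA 2011') {
        Write-Warning 'Media boot manager is signed under the revoked 2011 PCA; update the media (KB5025885, "Updating Windows install media") before installing with Secure Boot on.'
    }
}
```

A machine in the state the question describes reports `UefiCa2023InDb` and `ProductionPca2011InDbx` both `True`, an installed `bootmgfw.efi` whose issuer is `Windows UEFI CA 2023`, and media whose issuer is still the 2011 PCA. Running this before each feature update tells you whether the media needs to be re-staged rather than discovering it at the firmware boot failure.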

1 answer

  1. Anonymous
    2024-09-10T07:38:11.46+00:00

    Hello York Waugh,

    Thank you for posting in the Q&A forum.

    As a temporary workaround, you might want to try turning off Secure Boot while updating and then switching it back on once you're done. It's not the best solution, but it could help bridge the gap. There is no clear timeline yet; please be patient and stay tuned for official information.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

