Secure Boot helps prevent bootkit malware in the boot sequence. Disabling Secure Boot puts a device at risk of being infected by bootkit malware. Fixing the Secure Boot bypass described in CVE-2023-24932 requires revoking boot managers. This could cause issues for some device boot configurations.

The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the “Windows UEFI CA 2023” certificate.

Learn how to change settings to enable Secure Boot if you are not able to upgrade to Windows 11 because your PC is not currently Secure Boot capable.

Start your device from the USB drive that was created with Recovery Drive. The process to boot from a USB drive may vary by manufacturer, so refer to your device's manual if needed. Create a recovery drive to reinstall Windows in case you experience a major issue such as hardware failure.

This security update was updated August 13, 2019 to include the bootmgfw.efi file to avoid startup failures on IA64-based versions of Windows 7 SP1 and Windows Server 2008 R2 SP1.

Most PCs use the F2, F10, ESC, or DEL key to begin the BIOS Setup. Look for a tab in the BIOS Setup Utility that is labeled Boot Order, Boot Options, or Boot. Following the directions on the screen, use the arrow keys to go to the Boot Order, then press Enter.

Fixes an issue in which a computer crashes in the BIOS on a Windows 8.1 or Windows Server 2012 R2-based computer.

Plan and perform Secure Boot certificate updates across your device fleet through preparation, monitoring, deployment, and remediation. In this section.

The Allowed Signature Database (DB) and the Disallowed Signature Database (DBX) determine which code can run in the UEFI environment before the OS starts. The DB includes certificates managed by Microsoft and the OEM, while the DBX is updated by Microsoft with the latest revocations.

Fixes an issue in which the F11 and F12 keys do not work when you try to install a 64-bit version of Windows 7 Service Pack 1 (SP1) or of Windows Server 2008 R2 Service Pack 1 (SP1) on an EFI-based computer.