"Boot failed" error message when you start a UEFI-enabled computer from ...
Fixes an issue in the Cdboot.efi, Cdboot_noprompt.efi, Efisys.bin, and Efisys_noprompt.bin files that causes a "Boot failed" error message. This issue occurs when you start a UEFI-enabled computer from the installation DVD of a 64-bit version of Windows 7 or Windows Server 2008 R2.
How to manage the Windows Boot Manager revocations for Secure Boot ...
Secure Boot helps prevent bootkit malware in the boot sequence. Disabling Secure Boot puts a device at risk of being infected by bootkit malware. Fixing the Secure Boot bypass described in CVE-2023-24932 requires revoking boot managers. This could cause issues for some device boot configurations.
Registry key updates for Secure Boot: Windows devices with IT-managed ...
Controls which Secure Boot update actions to perform on the device. Setting the appropriate bitfield here initiates the deployment of new Secure Boot certificates and related updates.
KB5012170: Security update for Secure Boot DBX - Microsoft Support
To view the PCR7 binding status, run the Microsoft System Information (Msinfo32.exe) tool with administrative permissions. Then, deploy the update and restart the device to resume the BitLocker protection. When attempting to install this update, it might fail to install, and you might receive Error 0x800f0922.
When Secure Boot certificates expire on Windows devices
Disabling Secure Boot significantly reduces device protection, removes safeguards against boot‑level malware, and can create new security and compliance risks. The recommended path is to ensure your device receives the updated 2023 Secure Boot certificates and any required OEM firmware updates.
Windows Secure Boot certificate expiration and CA updates
Used for signing the Windows boot loader. Signs third-party boot loaders and EFI applications. * During renewal of the Microsoft Corporation UEFI CA 2011 certificate, two certificates separate boot loader signing from option ROM signing. This allows finer control over system trust.
KB5036210: Deploying Windows UEFI CA 2023 certificate to Secure Boot ...
Windows updates released on and after February 13, 2024 include the ability to apply the Windows UEFI CA 2023 certificate to UEFI Secure Boot Allowed Signature Database (DB). Updating the DB will enable devices to receive future boot loader updates that are included in monthly updates.
Secure Boot Certificate updates: Guidance for IT professionals and ...
Plan and perform Secure Boot certificate updates across your device fleet through preparation, monitoring, deployment, and remediation.
Updating Windows bootable media to use the PCA2023 signed boot manager
Added the Note below the download link for the Make2023BootableMedia.ps1 PowerShell script. The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the “Windows UEFI CA 2023” certificate.
Microsoft Intune method of Secure Boot for Windows devices with IT ...
November 11, 2025: For versions of Windows 11 and Windows 10 still in support. This document describes the support for deploying, managing, and monitoring the Secure Boot certificate updates using Microsoft Intune. The settings consist of: