Q: What is your official guidance on the Microsoft 2023 CA certificate transition?
A: Please refer to https://www.getac.com/us/legal/microsoft-secure-boot-certificate-transition-2023-ca-and-black/
Q: Why do I get a Secure Boot error or a black screen when I try to boot my OS?
A: You likely updated to the 2023 certificates, which updated the boot loader, and one of a couple of things may have occurred:
- If your unit is an In-Market device as described in our guidance above:
  - Secure Boot in your BIOS has been reset to default.
  - The motherboard has been replaced, and the replacement would have the 2011 certificates (this should typically only occur at a repair center).
- You may be able to resolve this with the following instructions to apply the Windows UEFI CA 2023 certificate via external media (adapted from Microsoft’s guidance at https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_windows_install_media, at the bottom of the "Updating Windows install media" section). The documentation only indicates that this updates the Windows UEFI CA 2023 certificate and not the rest of the Secure Boot and boot-related components:
  - Enable Secure Boot (the method to enable it may vary depending on the device).
  - Format a USB drive as FAT32.
  - Go to a device where the July 8, 2025, or later update has been applied.
  - Connect the USB drive and get its drive letter.
  - Assuming the drive letter is D (it may be different on your system):
    - md D:\EFI\BOOT
    - copy C:\windows\boot\efi\securebootrecovery.efi D:\efi\boot\bootx64.efi
  - Boot into the device where you reset the settings to default and press F10 to get to the boot menu.
  - The USB drive should show up as an option to boot from.
  - When you boot from the USB drive, the utility should run automatically and update the BIOS certificate.
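One way to script the copy step above with a few safety checks, and to check for the certificate afterwards (an added example, not Getac's or Microsoft's own script; the function names and the drive letter are assumptions, and the db check looks only for the certificate's name string):

```powershell
# Added example: function names and the drive letter are assumptions.
# Run both functions from an elevated PowerShell session.

function New-SecureBootRecoveryMedia {
    # Run on the device that already has the July 8, 2025, or later update.
    param([Parameter(Mandatory)][char]$UsbLetter)

    $source  = Join-Path $env:SystemRoot 'Boot\EFI\securebootrecovery.efi'
    $destDir = "${UsbLetter}:\EFI\BOOT"
    $dest    = "$destDir\bootx64.efi"

    # This is the binary the steps above copy; stop if it is not present.
    if (-not (Test-Path -LiteralPath $source)) {
        throw "Not found: $source. Check that the required update is installed."
    }

    # The steps call for a FAT32 USB drive; refuse other file systems.
    $vol = Get-Volume -DriveLetter $UsbLetter -ErrorAction Stop
    if ($vol.FileSystem -ne 'FAT32') {
        throw "Drive ${UsbLetter}: is $($vol.FileSystem), expected FAT32."
    }
    if ($vol.DriveType -ne 'Removable') {
        Write-Warning "Drive ${UsbLetter}: reports as $($vol.DriveType); confirm it is the USB drive."
    }

    New-Item -ItemType Directory -Path $destDir -Force | Out-Null
    Copy-Item -LiteralPath $source -Destination $dest -Force

    # Confirm the copy on the USB drive is byte-identical to the source.
    $srcHash = (Get-FileHash -LiteralPath $source -Algorithm SHA256).Hash
    $dstHash = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
    if ($srcHash -ne $dstHash) { throw "Copy to $dest does not match $source." }
    "Staged $dest (SHA256 $dstHash)"
}

function Test-WindowsUefiCa2023InDb {
    # Run on the recovered device once it boots into Windows.
    # Returns $true when the active Secure Boot db contains the certificate name.
    $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
    [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
}

# New-SecureBootRecoveryMedia -UsbLetter D
# Test-WindowsUefiCa2023InDb
```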
Q: According to your official guidance I have an older In-Market device. Is there a firmware version available that includes the 2023 certificate in the default db?
A: There is not. Current and future firmware for In-Market devices does not include the 2023 certificates and has only the 2011 certificates in the default db.
Q: How do I update Secure Boot and the boot manager?
A: Please refer to the following link to update the certificates via registry (also linked in our official guidance). This links directly to the mitigation steps, but it is recommended to read the whole article. https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_mitigation_guidelines
The following article explains the registry changes described in the article above and the error conditions associated with them: https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
