An option to update the dbx will be included in a future Rufus version https://github.com/pbatard/rufus/commit/fdde687d4681d58b6eaba8e25b1561bea0614eb5 I have a feeling we'll talk about this soonish again.
Hello dear friend. Thank you for your testing and your reports. I really don't know what happen with Micro$oft. It seems that they want, in all ways, that everyone have "updated" PCs to install Windows 11. That certification problem is related to the UEFI/Firmware version of PC Motherboard, so, as @Carlos Detweiller said: "many older machines won't get firmware updates anymore and stay on the old cert forever". This situation is really disappointing. The worst part is when they want people to use their "New" Windows 11, after throwing an "old" PC (according to them), buy another computer, and use a system that has many bugs (with every monthly update), restrictions, and useless stuff (AI, some apps, and more). But this is not the end, some stupid companies, like Autodesk, said that the support for Windows 10 ends this year. So people using Win10-LTSC in a Industry, Avionics, Automotive environments, that use Autodesk Fusion, must now use Windows 11. All because Autodesk wants to comply Microsoft's dictatorship. Totally disgusting. https://www.autodesk.com/support/te...Announcing-End-of-Support-for-Windows-10.html
@abbodi1406 Just an update. 24H2 ISO works without using NTLite custom profile. Used unattended answer file to do quick debug/testing. 23H2 with UpdBootFiles=1 doesn't work with secure boot on HyperV while 24H2 didn't complain at all. Both 23H2 and 24H2 were integrated with March CU 2025. I finally fixed the performance issue on my Ryzen machine. It was due to Windows Hello security not allowing newer Ryzen Chipset driver to removed even using uninstall tool. Used DriverStoreExplorer to wipe out all AMD drivers. Afterwards, I had to remove the PIN and redo fingerprint and Face enrollment with newly initialized TPM/Pluton and now I get a refreshed Windows Hello Sign-In. Also reverted AMD GPU driver to Dec 2024 due to some driver bugs in 25.3.1 WHQL. The NPU took a long to init, broken Mic array driver and Studio effects were super slow. Did a quick test, 24H2 all updates integrated without ISO took 19 mins while 23H2 took 25 mins as opposed to 2-3hrs for Home/Pro editions. Definitely new certs aren't accepted in build 22621 aka 23H2 while 24H2 does fine with and without secure boot. I think Windows 11 must be renamed to Windows Nah edition. Never saw weird bugs while testing Windows 10 Insider Builds on crappy pentium dual core than on certified Win 11 Business PC. EDIT: Re-did 23H2 with latest safe os and setup dynamic updates. Now you can enable secure boot post install in VMs and disable it during pre-install which fixes the dreaded error 0xc000000f
i have also same problem with update boot to Windows UEFI CA 2023 , after use W10UI v10.51 with UpdtBootFiles =1 create installation media it failed to boot when secure boot enabled , may i ask has any solution to fix ?
You can follow my above post. 24H2 doesn't have issues with secure boot only 23H2 does. Sadly, MSFT didn't release 23H2 v3 ISO which has secure boot fixed. Add latest safe os and setup dynamic updates and you can install 23H2 without secure boot and enable it post install. The PC/VM simply blocks the new UEFI cert 2023.
With 24H2 and UpdBootFiles=1 I had success when selecting and installing via ' Previous Version of Setup'. Also, check the BIOS to see if the pc has the 2023 PCA.
now i also disable secure boot in bios and install the windows use new Installation Media in Windows UEFI CA 2023, after it go back to bios and enable back , but my problem is 24H2 also cant boot if enable secure boot , excepted roll back to Windows Production PCA 2011, it will boot normally with out any issue.
how to check bios have 2023 PCA or not ? because i roll back to Windows Production PCA 2011, it can boot the Installation media with enable secure boot , if use W10UI v10.51 with UpdtBootFiles =1 update the Windows UEFI CA 2023 will get error booting if enable secure boot.
thanks for teaching , but my laptop dont have this settting in scure boot , just got enable and disable only, now if i install windows use installation media need disable secure boot first on bios , after it enable back once done log in windows.
no big deal if your ISO is from a trusted source as for how to fix it - update your UEFI firmware, which doesn't apply to EOL products some motherboards also allow you to manually upload trusted certificates in custom mode Ventoy in UEFI mode with the old bootloader should work as a workaround, I think upd: not really, boot.wim should support the old CA, otherwise the ISO wouldn't boot
Is there a 'Setup Mode' or a 'Delete all Secure boot variables' option ? if there are you can use https://github.com/pbatard/Mosby Either of these options will put secure boot in setup mode or you could search google to check if your motherboard can be put somehow into secure boot setup mode. Then you can use that tool to update the variables.
UEFI fireware has been updated, still same, i use USB Installation media, not use ISO, enable secure boot still can boot if i roll back Windows Production PCA 2011, just the new Windows UEFI CA 2023 updated the installation media booting error if i enable secure boot.
for laptop just have enable and disable secure boot only, on desktop maybe can choose it, now i just can roll back for Windows Production PCA 2011 on the installation media.
Not all BIOS has updated certificates/dbx files and old PCs will not accept 2023 cert file on laptops. It thinks 2011 cert is still safe. Haha. What you can do is add safeos and dynamic updates for 24H2 without update boot files to get updated winpe/boot.wim that is aligned with March 2025 update so that it won't throw boot media incorrect error
can't boot 19045.5737 in VMware WS 17.6.3 with secure boot enabled, UpdtBootFiles=1 in W10UI config file VBS is disabled in VMware WS settings VMware WS hasn't been updated to support CA 2023? upd: 26100.3775 boots fine with UpdtBootFiles=1, weird
I dont think this is actually related to W10UI but since I was using it Im asking here. During the night (consumer) and few hours ago (Business) I ran W10UI.cmd v10.51 process W11-24H2-EN (complete stock untouched geniune ISOs) It would appear 14028 implies a faulty update file but it worked in 9/10 index and in Boot.wim it failed to find source with error "Error: 0x800f081f" "Package_for_RollupFix: The source files could not be found." Is this beacuse something faulty with my ssd or mounted wims or something else? The log doesnt tell that much to me I'll add that I ran script on Business this morning and it failed to mount Index7 but a rerun after it worked. Edit: Ran script on my much older/slower Server 2019 with no errors for Install.wim but Boot.wim errors are still there I have all following updates Spoiler: updates 1/10: defender-dism-x64.cab 2/10: Windows11.0-KB5048779-x64.cab [OOBE] 3/10: windows11.0-KB5050575-x64_ae49edf83bd6a86deffdf42f84803e000bb7bb69.cab 4/10: Windows11.0-KB5054979-x64-NDP481.cab [NetFx] 5/10: windows11.0-kb5054981-x64_4e25402830fd6863eb840ce751fc65812e15ccf8.cab [Setup DU] 6/10: windows11.0-kb5055671-x64_896616712b59f152393be3c3ac1fcb5399eaff83.cab [SafeOS DU] 7/10: Windows11.0-KB5043113-x64_inout.cab [SSU] 8/10: Windows11.0-KB5058538-x64_inout.cab [SSU] 9/10: Windows11.0-KB5043080-x64.wim [LCU] 10/10: Windows11.0-KB5055523-x64.wim [LCU] Only on Index 7 I recieve follow errors (copied from script window) Spoiler: Install.wim First process Code: ============================================================ Installing updates... ============================================================ Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 3 - Adding package Package_for_KB5048779~31bf3856ad364e35~amd64~~26100.2448.1.2 [==========================100.0%==========================] Processing 2 of 3 - Adding package Package_for_KB5050575~31bf3856ad364e35~amd64~~26100.1588.1.0 [==========================100.0%==========================] Processing 3 of 3 - Adding package Package_for_DotNetRollup_481~31bf3856ad364e35~amd64~~10.0.9300.1 [==========================100.0%==========================] The operation completed successfully. Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 1 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.1742.1.10 [==========================100.0%==========================] The operation completed successfully. Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 1 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.3775.1.17 [==========================100.0%==========================] An error occurred - Package_for_RollupFix Error: 0x800736cc Error: 14028 A component's file does not match the verification information present in the component manifest. The DISM log file can be found at C:\windows\Logs\DISM\DismLCU.log Second process, reinstalling cumulative updates Code: ============================================================ Reinstalling cumulative update(s)... ============================================================ Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 3 - Adding package Package_for_DotNetRollup_481~31bf3856ad364e35~amd64~~10.0.9300.1 [==========================100.0%==========================] Processing 2 of 3 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.1742.1.10 [==========================100.0%==========================] Processing 3 of 3 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.3775.1.17 [==========================100.0%==========================] An error occurred - Package_for_RollupFix Error: 0x800736cc Error: 14028 The command completed with errors. For more information, refer to the log file. The DISM log file can be found at C:\windows\Logs\DISM\DismNetFx3.log And for Boot I get these errors Spoiler: Boot.wim 1/2 Index 1 Code: ============================================================ Installing updates... ============================================================ Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 1 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.1742.1.10 [==========================100.0%==========================] Package_for_RollupFix: The source files could not be found. Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see https://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f081f Error: 0x800f081f DISM failed. No operation was performed. For more information, review the log file. The DISM log file can be found at C:\windows\Logs\DISM\DismLCU_boot.log Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 1 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.3775.1.17 [==========================100.0%==========================] The operation completed successfully. Index 2 Code: ============================================================ Installing updates... ============================================================ Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 1 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.1742.1.10 [==========================100.0%==========================] Package_for_RollupFix: The source files could not be found. Use the "Source" option to specify the location of the files that are required to restore the feature. For more information on specifying a source location, see https://go.microsoft.com/fwlink/?LinkId=243077. Error: 0x800f081f Error: 0x800f081f DISM failed. No operation was performed. For more information, review the log file. The DISM log file can be found at C:\windows\Logs\DISM\DismLCU_boot.log Deployment Image Servicing and Management tool Version: 10.0.26100.2454 Image Version: 10.0.26100.3476 Processing 1 of 1 - Adding package Package_for_RollupFix~31bf3856ad364e35~amd64~~26100.3775.1.17 [==========================100.0%==========================] The operation completed successfully.
Neither to me since the error occur for one index, probably a glitch or some file got corrupted during servicing or mounting boot.wim error is expected and harmless because WinPE does not keep the Baseline files it could be fixed by ignore installing KB5043080 if already installed, but there are too many scenarios to predict with w11 24H2
yea I wont care about the boot.wim errormsg. I also figured something bugged out on the first run but final ISO seems to work fine in a VM anyway.