Hasleo Offline WinPE.OPE and 2023 Secure Boot Certificates
#11
(06-18-2026, 11:09 AM)Epictetus Wrote:
(06-18-2026, 10:43 AM)al3x Wrote: But was the 2011 cert already revoked for your XPS? Normally this will happen later this year unless you already force this manually.

When I check the SB status on my XPS, I get the green tick. That means the 2023 certs are in place, but not, I guess, that the 2011 certs have necessarily been revoked. So .... ?

If you want you can check with this package:
https://github.com/cjee21/Check-UEFISecureBootVariables

- Download the package from this link and unzip the whole thing to a temporary folder on your Desktop
- Then open 'Check UEFI PK, KEK, DB and DBX.cmd' with admin rights (right click, run as administrator)
- It will give you detailed information about the current state of your UEFI CA certificates

Here's an example output from my PC, which has Secure Boot enabled and is ready (green checkmarks under all "Current" headings):

[Image: duoMgjBJ_t.png]

For me, the old 2011 certs are not revoked so far (revoke is false). I think this will probably be the same for you, that’s why you can still boot from ISOs with the 2011 cert.

Hope that helps
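
Added example, not part of the thread or of the linked package: the same kind of check done directly in PowerShell, reading the db and dbx variables with the built-in Get-SecureBootUEFI cmdlet and listing the X.509 certificates stored in them. The function name Get-UefiCertSubjects is made up for this example, and it assumes that "the 2011 cert" in this thread is Microsoft Windows Production PCA 2011.

```powershell
# Added example: list X.509 certificate subjects held in a UEFI signature database.
# Run in an elevated PowerShell on a UEFI system with Secure Boot support.
$X509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-UefiCertSubjects {          # hypothetical helper name
    param([Parameter(Mandatory)][string]$Name)
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then three uint32 values:
        # SignatureListSize, SignatureHeaderSize, SignatureSize
        $type     = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }  # malformed list
        if ($type -eq $X509Guid -and $sigSize -gt 16) {
            $entry = $pos + 28 + $hdrSize
            while ($entry + $sigSize -le $pos + $listSize) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate
                $der = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der).Subject
                $entry += $sigSize
            }
        }
        $pos += $listSize    # hash-only lists (most of dbx) are skipped
    }
}

$db  = Get-UefiCertSubjects -Name db     # allowed signers
$dbx = Get-UefiCertSubjects -Name dbx    # revoked signers and hashes

[pscustomobject]@{
    SecureBootEnabled = Confirm-SecureBootUEFI
    CA2023InDb        = [bool]($db  -match 'Windows UEFI CA 2023')
    PCA2011InDbx      = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
}
```

CA2023InDb = True with PCA2011InDbx = False corresponds to the state described in the post above: the 2023 certificate is trusted and the 2011 certificate has not been revoked.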
#12
(06-18-2026, 09:31 AM)al3x Wrote: Maybe Ventoy has problems with the injection of its own cert with 2023 ISOs? Have you tried any other ISOs via Ventoy that already have the new 2023 cert? If those work, maybe HBS can change something that helps Ventoy. If those don’t work as well, I hope that Ventoy will fix that soon
I do not have any other ISOs with the new cert. A few other ISOs just hang at the start with "Press any key...".

For now I am using an HBS-ED without the cert, and will turn off Secure Boot as required.
#13
(06-18-2026, 11:31 AM)al3x Wrote:
(06-18-2026, 11:09 AM)Epictetus Wrote: When I check the SB status on my XPS, I get the green tick. That means the 2023 certs are in place, but not, I guess, that the 2011 certs have necessarily been revoked. So .... ?

If you want you can check with this package:
https://github.com/cjee21/Check-UEFISecureBootVariables

- Download the package from this link and unzip the whole thing to a temporary folder on your Desktop
- Then open 'Check UEFI PK, KEK, DB and DBX.cmd' with admin rights (right click, run as administrator)
- It will give you detailed information about the current state of your UEFI CA certificates

Here's an example output from my PC, which has Secure Boot enabled and is ready (green checkmarks under all "Current" headings):

[Image: duoMgjBJ_t.png]

For me, the old 2011 certs are not revoked so far (revoke is false). I think this will probably be the same for you, that’s why you can still boot from ISOs with the 2011 cert.

Hope that helps

Thanks. I will give that a go and report back. But maybe not till tomorrow.
#14
(06-18-2026, 12:17 PM)Epictetus Wrote:
(06-18-2026, 11:31 AM)al3x Wrote: If you want you can check with this package:
https://github.com/cjee21/Check-UEFISecureBootVariables

- Download the package from this link and unzip the whole thing to a temporary folder on your Desktop
- Then open 'Check UEFI PK, KEK, DB and DBX.cmd' with admin rights (right click, run as administrator)
- It will give you detailed information about the current state of your UEFI CA certificates

Here's an example output from my PC, which has Secure Boot enabled and is ready (green checkmarks under all "Current" headings):

[Image: duoMgjBJ_t.png]

For me, the old 2011 certs are not revoked so far (revoke is false). I think this will probably be the same for you, that’s why you can still boot from ISOs with the 2011 cert.

Hope that helps

Thanks. I will give that a go and report back. But maybe not till tomorrow.

Yes - I get the same result. Looks like Ventoy will need to update itself fairly soon and rely ONLY on the 2023 certs.
#15
(06-18-2026, 08:35 AM)Bespoken Wrote: Following up on the above; an interesting situation developed after the BIOS and Win 11 were updated for CA 2023 and the old CA 2011 revoked, and Secure Boot enabled in the BIOS.

1. An HBS-ED created with CA 2023
- boots normally from the Windows Menu
- boots normally from a USB
- fails when launched from Ventoy (Secure Boot version check failed)

2. An HBS-ED created without CA 2023
- boots normally from the Windows Menu
- fails to boot from a USB (Secure Boot failure)
- boots normally when launched from Ventoy

Both boot normally when Secure Boot is off.

The results from booting from Ventoy are unexpected, and strange.

Get-SecureBootSVN returns 9.0 for all SVNs.

Repeated testing did not produce the same results, maybe I made an error recording the results on the initial test. The revised test with Secure Boot enabled on a PC with CA 2011 revoked:
1. HBS-ED with CA 2023
- fails boot from a USB (Security error, Secure Boot Version check failed. Current version is 7.0, minimum allowed is 9.0)
- fails when launched from Ventoy (Secure Boot version check failed)

Additional activities:
1. Used Garlin's script to update the USBs with the updated CA 2023. USBs now boot.
2. Used ImgBurn to create an ISO from the updated USB, then added the ISO to the Ventoy stick.
3. Launched the updated ISO from Ventoy. It will not run in regular mode but will boot in wimboot mode.

Conclusion:
It seems that HBS does not create the USB correctly with the CA 2023 cert.
#16
@Bespoken,

(Yesterday, 05:33 AM)Bespoken Wrote: Conclusion:
It seems that HBS does not create the USB correctly with the CA 2023 cert.

I am confused.  HBS-EDs and Ventoy USB boot USBs are different creatures altogether.

From my final success report after updating my 2019 Dell 8930 SE using Garlin's scripts, I get the following for the SVN entry:

Quote:
EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Note that I have SVN 9.0

@Garlin does NOT recommend revoking the 2011 Certificates, though he has provided a script to do so.  He advises waiting until MS revokes them later this year.

I did not revoke the 2011 Certificates, because @Garlin knows far more than me!  I followed his advice.  I am content to permit my computer to boot from whatever certificates it likes.  What I do know is that my computer is now booting primarily from the 2023 Certificates now, which was such very welcome news to me last week.

Have a great day.

Regards,
Phil
#17
(Yesterday, 06:17 AM)garioch7 Wrote: @Bespoken,

(Yesterday, 05:33 AM)Bespoken Wrote: Conclusion:
It seems that HBS does not create the USB correctly with the CA 2023 cert.

I am confused.  HBS-EDs and Ventoy USB boot USBs are different creatures altogether.

From my final success report after updating my 2019 Dell 8930 SE using Garlin's scripts, I get the following for the SVN entry:

Quote:
EFI Files
---------
Windows Boot Manager [Windows UEFI CA 2023] is ALLOWED.
\\.\HarddiskVolume4\EFI\Microsoft\Boot\bootmgfw.efi
File Version: 28000.342, SVN 9.0

Registry: "WindowsUEFICA2023Capable" = 2
[Windows UEFI CA 2023] in UEFI DB, and Windows starting from CA 2023 Boot Manager.

Note that I have SVN 9.0

@Garlin does NOT recommend revoking the 2011 Certificates, though he has provided a script to do so.  He advises waiting until MS revokes them later this year.

I did not revoke the 2011 Certificates, because @Garlin knows far more than me!  I followed his advice.  I am content to permit my computer to boot from whatever certificates it likes.  What I do know is that my computer is now booting primarily from the 2023 Certificates now, which was such very welcome news to me last week.

Have a great day.

Regards,
Phil

Agreed. There does not seem to be a good reason to revoke the 2011 certs yourself just yet.
#18
(Yesterday, 06:17 AM)garioch7 Wrote: @Bespoken,

(Yesterday, 05:33 AM)Bespoken Wrote: Conclusion:
It seems that HBS does not create the USB correctly with the CA 2023 cert.

I am confused.  HBS-EDs and Ventoy USB boot USBs are different creatures altogether.

The testing was not properly recorded and scripted. There should be no confusion though. The created Emergency Disk is written to a USB and also exported as an ISO which is then written to a Ventoy USB. Booting from the ED USB and trying to launch the ED ISO from the Ventoy USB produce the same failure. So not really two different creatures.
#19
(Yesterday, 06:17 AM)garioch7 Wrote: @Garlin does NOT recommend revoking the 2011 Certificates, though he has provided a script to do so.  He advises waiting until MS revokes them later this year.

I did not revoke the 2011 Certificates, because @Garlin knows far more than me!  I followed his advice.  I am content to permit my computer to boot from whatever certificates it likes.  What I do know is that my computer is now booting primarily from the 2023 Certificates now, which was such very welcome news to me last week.
I was late to the @Garlin thread and reading 200+ pages of posts was not practical. On the first page he indicates that revoking the 2011 cert was Optional, and I chose to do this ahead of time. Now there is no going back. What is done is done.

But wait for it. You should run the @Garlin "check-uefi.bat -bootmedia" on your PC with the ED USB inserted. The result for the removable bootable USB may surprise you as I expect it will say "Boot File [Windows UEFI CA 2023] is BANNED.". I am having a long email exchange with @support about this.