Date: 2025-02-04

Back in February 2024, Microsoft announced that it was rolling out a new 2023 Secure Boot Certificate Authority (CA), or keys, to replace the previous one from 2011, when Windows 8 was around and the Secure Boot feature was first conceived.

The rollout began with that month's Patch Tuesday updates (KB5034765 for Windows 11, and KB5034763 and more for Windows 10). This was important because the 2011 certificates will be 15 years old in 2026, which is when they are set to expire.

Today, the company published a PowerShell script that updates Windows bootable media so that it is able to trust the new Windows UEFI CA 2023 certificate. It deals with the BlackLotus Secure Boot vulnerability, tracked as CVE-2023-24932.

For those wondering, Certificate Authorities (CAs), or keys, essentially help manage the authenticity and validity of crucial components such as bootloaders, drivers, firmware, and other applications.

About the new PowerShell script, Microsoft explains:

The PowerShell script described in this article can be used to update Windows bootable media so that the media can be used on systems that trust the “Windows UEFI CA 2023” certificate. The Make2023BootableMedia.ps1 PowerShell script updates boot manager support on Windows media to the boot manager signed by the new “Windows UEFI CA 2023” certificate. The input and output can be bootable media of the following type:

ISO CD/DVD image file,

USB flash drive,

a local drive path, or

a network drive path.

The company has also asked users to note a few important details when performing the update:

The latest Windows Assessment and Deployment Kit (Windows ADK) can be found on the Download and install the Windows ADK page and is necessary for this script to work properly.

Notes

The Make2023BootableMedia.ps1 script should be run from an elevated PowerShell prompt.

You must provide the script with a media source (-MediaPath) which has the latest servicing updates applied.

Full details are available in the KB5053484 support article that Microsoft maintains on its official website.
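
To confirm that a piece of media actually carries a boot manager signed under the new certificate, you can inspect the Authenticode signer of its boot manager files. The following is an added example, not part of Microsoft's script or the KB article: the function name `Get-BootManagerSigner`, the list of file names, and the sample drive letter are assumptions, and it only inspects files visible in the mounted or extracted media tree, not those inside WIM images.

```powershell
# Added example (not from Microsoft's script): report which CA issued the
# signing certificate of each boot manager file found under a media root.
function Get-BootManagerSigner {
    [CmdletBinding()]
    param(
        # Assumption: root of a mounted ISO, USB drive, or extracted media folder
        [Parameter(Mandatory)]
        [string]$MediaRoot
    )

    if (-not (Test-Path -LiteralPath $MediaRoot -PathType Container)) {
        throw "Media root not found: $MediaRoot"
    }

    # Assumption: boot manager file names commonly present on Windows media
    $names = 'bootmgr.efi', 'bootmgfw.efi', 'bootx64.efi', 'bootaa64.efi'

    Get-ChildItem -LiteralPath $MediaRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $names -contains $_.Name } |    # -contains ignores case
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName

            # An unsigned file has no signer certificate; report an empty issuer
            $issuer = if ($sig.SignerCertificate) {
                $sig.SignerCertificate.Issuer
            } else {
                ''
            }

            [pscustomobject]@{
                File           = $_.FullName
                # Status reflects the local machine's trust store; the Issuer
                # column is what shows which CA signed the file
                Status         = $sig.Status
                Issuer         = $issuer
                SignedByCA2023 = ($issuer -like '*Windows UEFI CA 2023*')
            }
        }
}

# Example call (E:\ is a constructed sample path):
# Get-BootManagerSigner -MediaRoot 'E:\' | Format-Table -AutoSize
```

Running it against the media before and after the update shows whether the issuer on each boot manager file changed to the 2023 CA.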