Here’s an interesting consequence of the switchover in the Secure Boot chain of trust from CA-2011 to CA-2023. Once that occurs, you can’t boot from install, repair and recovery media that doesn’t support CA-2023. The PC firmware will reject it as “non-compliant.” What that means is with the revocation of CA-2011 upcoming in June, it’s time to start checking boot/recovery media CA-2023 status. When you can, it’s also time to replace older non-compliant media with newer, compliant versions.
I had Copilot write me a PowerShell script that did three key things:
1. It checked to make sure drive G: (default letter for my UFDs) was present and accounted for
2. It showed me the top-level directory so I could see what I was dealing with (handy to distinguish installers, repair tools, etc.)
3. If it found EFI files, it reported Yes/No on their CA-2023 compliance.
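For readers who want to run the same three checks themselves, here is an added PowerShell example (my own illustration, not the Copilot-generated script from the post). It assumes the flash drive is mounted as G: and that the signing chain can be told apart by the CA name in the Issuer field of each EFI binary's Authenticode signature; matching on the string "UEFI CA 2023" is a heuristic, not an official Microsoft tool.

```powershell
# Added example: check bootable media for CA-2023-signed EFI boot files.
# Assumptions: drive letter G:, and that the 2023 chain is identifiable by
# "UEFI CA 2023" appearing in the signer certificate's Issuer name.

function Test-BootMediaCA2023 {
    param(
        [string]$Drive = 'G:'
    )

    # 1. Confirm the drive is present before doing anything else
    if (-not (Test-Path -LiteralPath "$Drive\")) {
        Write-Warning "Drive $Drive is not present. Insert the flash drive and re-run."
        return
    }

    # 2. Show the top-level directory so the media type (installer, rescue
    #    disk, firmware updater, ...) is recognisable at a glance
    Write-Host "Top-level contents of $Drive"
    Get-ChildItem -LiteralPath "$Drive\" -Force |
        Select-Object Mode, Length, Name |
        Format-Table -AutoSize |
        Out-Host

    # 3. Locate EFI boot binaries and inspect who signed them
    $efiFiles = Get-ChildItem -LiteralPath "$Drive\EFI" -Recurse -Filter '*.efi' -File -ErrorAction SilentlyContinue
    if (-not $efiFiles) {
        Write-Host "No .efi files found under $Drive\EFI; this media is not UEFI-bootable (or uses another layout)."
        return
    }

    foreach ($file in $efiFiles) {
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $cert = $sig.SignerCertificate
        # Status alone is unreliable here: the UEFI CAs are not in the Windows
        # user-mode trust store, so a correctly signed boot file may still report
        # 'UnknownError'. The Issuer name is what separates the two chains:
        # "... Production PCA 2011" / "Microsoft Corporation UEFI CA 2011" (old)
        # versus "Windows UEFI CA 2023" / "Microsoft UEFI CA 2023" (new).
        $issuer = if ($cert) { $cert.Issuer } else { '(unsigned)' }
        $is2023 = $issuer -match 'UEFI CA 2023'
        [pscustomobject]@{
            File      = $file.FullName.Substring($Drive.Length)
            Issuer    = $issuer
            'CA-2023' = if ($is2023) { 'Yes' } else { 'No' }
        }
    }
}

Test-BootMediaCA2023 -Drive 'G:'
```

Run it from an elevated PowerShell prompt with the flash drive inserted. A "No" on every EFI file under `\EFI\Boot` and `\EFI\Microsoft\Boot` is exactly the situation described below: that media will stop booting on a PC where CA-2011 has been revoked, so it is a candidate for replacement once compliant media is available.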
After Checking Boot/Recovery Media CA-2023 Status, Then…?
The TL;DR answer to this question is: replace it if needed, keep it otherwise. I also used this opportunity to label my UFDs so I would know what I had in the future. I found all kinds of interesting stuff, including:
- An MSI flash drive for my “new” MAG Tomahawk B550 mobo, and a UEFI updater for v2.90 on the ASRock B550 Extreme4+
- Multiple Macrium Reflect and Hasleo Backup Suite rescue UFDs
- A copy of the Windows DaRT (Diagnostics and Recovery Toolset)
- Multiple Windows Installer UFDs, mostly via MCT, some from UUPDump
Here’s the interesting thing: NONE of these items is CA-2023 compliant. Copilot says, in fact, that MS has not yet released an installer or repair ISO that includes the CA-2023 boot files in the EFI partition (see lead-in graphic bottom portion). I’d planned to update my dozen or so bootable UFDs today if I could. Looks like I’ll be waiting a while…
Key Takeaway
If you revoke CA-2011 support on any or all of your Windows PCs, you put yourself in the position of having to go into UEFI and turn off Secure Boot sometimes. When might that be? Whenever you want or need to use media to boot that PC for repair, recovery or installation. Good to know! That’s not the kind of thing I’d like sprung on me as a total surprise. Bet you feel the same way, too…