
Managing the Boot Media Signing Certificate for Macrium Reflect Rescue Media


- Overview

- What is Secure Boot?

- Why Does This Matter for Macrium Reflect?

- Does This Affect Me?

- Recreating Rescue Media

- Clear Rescue Media Cache


Overview

Windows updates released on and after February 13 2024 included the ability to apply the Windows UEFI CA 2023 certificate to the UEFI Secure Boot Allowed Signature Database, as detailed here. For the majority of systems updated past February 13 2024, this certificate has been added to the Secure Boot Allowed Signature Database alongside the previous certificate, Windows Production PCA 2011.

Microsoft has indicated that the Windows Production PCA 2011 certificate may be revoked in the future, meaning that Windows boot managers will require the Windows UEFI CA 2023 certificate to boot successfully on UEFI systems with Secure Boot enabled.

To ensure that Macrium Reflect rescue media can continue to be used following this revocation, we have included additional options that enable either certificate to be selected when creating the rescue media.


What is Secure Boot?

Secure Boot is a feature of UEFI firmware and is described in section 32 of the UEFI specification. This knowledge base article will not describe Secure Boot in detail; it briefly summarizes why Secure Boot affects the new 'Boot Media Signing Certificate' options in Macrium Reflect X 10.0.8731 and above.

For the purposes of this knowledge base article, the Unified Extensible Firmware Interface (UEFI) is an interface between the system's firmware and the operating system. UEFI is responsible for the early stages of booting an operating system through a UEFI application called Windows Boot Manager. To ensure the security and integrity of a UEFI application, each one includes a digital certificate from the publisher of the application, similar to signed applications in Windows.

If the digital certificate for the UEFI application cannot be verified against the certificates in the UEFI Secure Boot Allowed Signature Database, then the operating system will not be able to boot.


Why Does This Matter for Macrium Reflect?

To enable images to be recovered to non-booting and bare metal systems, Macrium Reflect can create rescue media. This rescue media is a bootable media based on Windows PE or Windows RE and contains a version of Macrium Reflect. In the event of a disaster, this rescue media can be used to boot the computer and restore an image.

The rescue media includes a Windows Boot Manager UEFI application. As a result, this Windows Boot Manager must carry a signature that can be validated against the certificates in the UEFI Secure Boot Allowed Signature Database.

In short, Macrium Reflect needs to create the rescue media with the correct digital certificate to enable the rescue media to boot on systems that have Secure Boot enabled.


Does This Affect Me?

As we mentioned in the 'Overview' section of this knowledge base article, the new certificate has been rolled out to Windows 10 and 11 systems starting February 13 2024. The majority of systems that have been updated past February 13 2024 will have both the PCA 2011 certificate and the Windows UEFI CA 2023 certificate, meaning that existing rescue media will continue to work until the PCA 2011 certificate is revoked.
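To check which of the two certificates a given system actually has in its db, and which CA signed the Windows Boot Manager on an existing rescue media drive, the following elevated PowerShell script can be used. It is an added example and not Macrium's own code; it parses the EFI_SIGNATURE_LIST layout from the UEFI specification, and the `-RescueMediaRoot` parameter and the `EFI\Microsoft\Boot\bootmgfw.efi` path are assumptions about where the boot manager sits on the media.

```powershell
# Added example (not Macrium's code): list the X.509 certificates in this system's UEFI
# Secure Boot Allowed Signature Database (db) and, optionally, report which CA signed the
# Windows Boot Manager on a rescue media drive. Run elevated on a UEFI system.
# -RescueMediaRoot is an assumed parameter, e.g. "E:\" for a rescue USB stick.
param([string]$RescueMediaRoot)

# EFI_CERT_X509_GUID: SignatureType of lists that carry DER-encoded X.509 certificates
$X509Type = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    # db is a sequence of EFI_SIGNATURE_LIST structures:
    # SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) | SignatureSize (4)
    # | SignatureHeader | EFI_SIGNATURE_DATA entries, each SignatureOwner GUID (16) + data
    $bytes = (Get-SecureBootUEFI -Name db).Bytes
    $certs = @()
    $pos = 0
    while ($pos -lt $bytes.Length) {
        $type       = [Guid]::new([byte[]]$bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $pos + 24)
        $entry      = $pos + 28 + $headerSize
        $end        = $pos + $listSize
        if ($type -eq $X509Type) {
            while ($entry -lt $end) {
                # skip the 16-byte SignatureOwner GUID; the remainder is the DER certificate
                $der = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $sigSize
            }
        }
        $pos = $end   # hash-only lists (e.g. SHA-256 entries) are skipped
    }
    return $certs
}

$dbCerts = Get-SecureBootDbCertificates
"Secure Boot enabled: $(Confirm-SecureBootUEFI)"
$dbCerts | ForEach-Object { "db: $($_.Subject) (expires $($_.NotAfter.ToShortDateString()))" }
"Has Windows Production PCA 2011: $([bool]($dbCerts | Where-Object Subject -like '*Windows Production PCA 2011*'))"
"Has Windows UEFI CA 2023:        $([bool]($dbCerts | Where-Object Subject -like '*Windows UEFI CA 2023*'))"

if ($RescueMediaRoot) {
    # Assumed location of Windows Boot Manager on Windows PE/RE media
    $sig = Get-AuthenticodeSignature -FilePath (Join-Path $RescueMediaRoot 'EFI\Microsoft\Boot\bootmgfw.efi')
    $issuer = $sig.SignerCertificate.Issuer
    "Rescue media boot manager is signed under: $issuer"
    # With Secure Boot on, the media boots only if the issuing CA is (still) present in db
    $cn = if ($issuer -match 'CN=([^,]+)') { $Matches[1] } else { $issuer }
    "Issuing CA present in this system's db: $([bool]($dbCerts | Where-Object Subject -like "*CN=$cn*"))"
}
```

A system that reports only the PCA 2011 certificate will need the 'Windows Production PCA 2011' option when media is built elsewhere; media whose boot manager is signed under a CA absent from the target's db will not boot with Secure Boot enabled.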

When the certificate is revoked, or to proactively prepare for the change, the steps below should be followed to recreate existing rescue media:

| Rescue Media Version | Action |
|---|---|
| Windows RE | Windows RE rescue media can simply be recreated to ensure that the correct certificate is included once the certificate change has occurred on the system. |
| Windows PE 11 64-bit | Windows PE 11 rescue media can be recreated to ensure that the correct certificate for the system is being used. This is defined by the new options in the 'Boot Media Signing Certificate' section of the rescue media options. Before recreating the Windows PE 11 rescue media, you should clear the rescue media cache by following the steps here. |
| Windows PE 10 64-bit | The rescue media should be recreated using Windows PE 11 64-bit or Windows RE. Before recreating the Windows PE 11 rescue media, you should clear the rescue media cache by following the steps here. |
| Windows PE 10 32-bit | There is no 32-bit version of Windows PE 11, so Windows RE should be used. |
| Windows PE 5 and below | These WIMs are primarily included for rescue media compatibility with legacy systems. As a result, the majority of systems these rescue media are used on will be legacy BIOS and will not have Secure Boot implemented. Legacy UEFI systems will most likely not have the Windows UEFI CA 2023 certificate implemented and will be unaffected by these changes. |

If the PCA 2011 certificate has already been revoked, an error similar to the following may be displayed:

We have also received reports from users that the failure can occur without any error message being displayed, with the rescue media simply failing to boot. If the rescue media is failing to boot without any indication of the cause, we recommend contacting our Support Team here.

In the event that a disaster has occurred meaning that a rescue media restore is needed, we recommend temporarily disabling Secure Boot to enable the system to boot the rescue media and then performing a restore as described here. Once the system has been restored, we recommend recreating the rescue media as described below:


Recreating Rescue Media

Macrium Reflect X 10.0.8731 now includes an additional option for rescue media that enables different certificates to be selected.

To view these options, launch the Macrium Rescue Media builder by selecting the 'Rescue' button on the quick actions menu at the top of Macrium Reflect or by selecting the 'Create Rescue Media...' option in the 'Other Tasks' menu on the top bezel:

In the Macrium Rescue Media Builder, select 'Advanced':

The window that opens will display additional options for the Macrium Reflect rescue media. When the Windows PE 11 base WIM has been selected as described here, the certificate can be changed using the radio buttons under 'Boot Media Signing Certificate':

The available options are shown below:

| Option | Description |
|---|---|
| Choose the best option for this computer | This option will automatically select the correct certificate for the system where the rescue media is being built. This is the recommended option when creating rescue media that will primarily be used on the system where it is created. |
| Windows Production PCA 2011 | This option should be selected when the rescue media will be used on a different system from the one where it is created, and that system does not have the Windows UEFI CA 2023 certificate installed in the UEFI Secure Boot Allowed Signature Database. |
| Windows UEFI CA 2023 | This option should be selected when the rescue media will be used on a different system from the one where it is created, and the Windows Production PCA 2011 certificate has been revoked on that system. |

Clear Rescue Media Cache

If you have previously created Windows PE 11 rescue media with a version of Macrium Reflect X earlier than 10.0.8731, the rescue media cache will need to be cleared to ensure that the latest version of the Windows PE 11 components can be downloaded.

To do this, open the Windows Control Panel and select 'Programs and Features'. Select 'Macrium Reflect <Edition>' from the list of installed programs, then select 'Uninstall':

In the window that opens, deselect all checkboxes except 'Remove Windows PE component files':

Click 'OK' to remove the Windows PE components. The Windows PE 11 rescue media can then be recreated. The first time that the rescue media is recreated, you will be prompted to redownload the latest Windows PE 11 components from Microsoft: