WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked

Hi Microsoft,

we try to PXE-Boot Notebooks that have SecureBoot enabled and have the CA2023 certificates. Furthermore the Clients have CA2011 Certificates revoked.

Our Environment / Setup:

WDS-Server:

• Fresh installed Windows Server 2025 (24H2) with latest cumulative Update (2026-05).
• WDS-Serverrole enabled.
• WDS configured and boot-image attached

When booting a client with SecureBoot disabled, booting works.

But when SecureBoot is enabled we get the shown message:

When having a look at the files in the WDS Folder

c:\RemoteInstall\boot\x64 

I can see that there are still the EFi-Files signed with the old 2011 CA...

So it is necessary to have EFI-Files (especially for WDS!) which are signed with CA 2023.

I already tried to use wdsmgfw.efi and bootmgfw.efi Files from a winpe.wim from a Win 11 ADK 2025, but then I get errors like "0xc0000704".

Disabling SecureBoot works, but is just a workaround. We need a fix for that Issue....