Forum Discussion
WDS: PXE-Boot a client with CA2023 certificate and CA2011 revoked
Hi Microsoft,
We are trying to PXE-boot notebooks that have SecureBoot enabled and have the CA2023 certificates. Furthermore, the clients have the CA2011 certificates revoked.
Our Environment / Setup:
WDS-Server:
- Freshly installed Windows Server 2025 (24H2) with the latest cumulative update (2026-05).
- WDS server role enabled.
- WDS configured and boot-image attached
When booting a client with SecureBoot disabled, booting works.
But when SecureBoot is enabled we get the shown message:
When having a look at the files in the WDS Folder
c:\RemoteInstall\boot\x64
I can see that there are still the EFI files signed with the old 2011 CA...
So it is necessary to have EFI-Files (especially for WDS!) which are signed with CA 2023.
I already tried to use wdsmgfw.efi and bootmgfw.efi Files from a winpe.wim from a Win 11 ADK 2025, but then I get errors like "0xc0000704".
Disabling SecureBoot works, but is just a workaround. We need a fix for that Issue....
1 Reply
- AndyDietCopper Contributor
I think you have to exchange the files you are sending out from your DHCP:
for x64 boot\x64\wdsmgfw.efi
for arm boot\arm64\wdsmgfw.efi
The PXE boot files are, e.g., on a Windows 11 boot ISO you can download from Microsoft as recovery media:
en-us_windows_11_business_editions_version_25h2_x64_dvd_41c521e7.iso\sources\boot.wim\1\Windows\Boot\
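
One way to confirm which CA signed the EFI files WDS is serving, as observed in the original post, and to re-check them after exchanging files as the reply suggests. This is an added example, not part of the thread; it assumes the issuer names "Windows UEFI CA 2023" and "Microsoft Windows Production PCA 2011" and that `Get-AuthenticodeSignature` can read the `.efi` files in that folder.

```powershell
# Added example (not from the thread): list the issuing CA of the signing
# certificate for every EFI file in the WDS boot folder.
param(
    # Default is the folder named in the original post.
    [string]$BootDir = 'C:\RemoteInstall\boot\x64'
)

function Get-EfiSigningCa {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if (-not $cert) {
        # No embedded signature could be read from this file.
        return [pscustomobject]@{
            File      = Split-Path $Path -Leaf
            SigningCa = 'unsigned or unreadable'
            Status    = $sig.Status
            NotAfter  = $null
        }
    }

    # Classify by the issuer of the leaf signing certificate.
    # The two CN strings below are assumptions about the issuer names.
    $ca = switch -Regex ($cert.Issuer) {
        'Windows UEFI CA 2023'                  { 'CA 2023'; break }
        'Microsoft Windows Production PCA 2011' { 'CA 2011'; break }
        default                                 { "other: $($cert.Issuer)" }
    }

    [pscustomobject]@{
        File      = Split-Path $Path -Leaf
        SigningCa = $ca
        # Status is Windows' own Authenticode verdict, not the firmware's
        # Secure Boot decision against its db/dbx.
        Status    = $sig.Status
        NotAfter  = $cert.NotAfter
    }
}

Get-ChildItem -Path $BootDir -Filter *.efi -File |
    ForEach-Object { Get-EfiSigningCa -Path $_.FullName } |
    Sort-Object SigningCa, File |
    Format-Table -AutoSize
```

Any file still reported as `CA 2011` would be rejected by a client whose firmware has that CA revoked, so every EFI file in the PXE boot chain needs to show `CA 2023`.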