EgoSecure FDE Migration Guide: UEFI CA 2023 Compliance
Overview
To ensure maximum system uptime and a seamless security transition, Matrix42 recommends a two-step "Safe-Path" update. To upgrade to EgoSecure Full Disk Encryption (FDE) 26.1.0.1, systems must first be verified as UEFI CA 2023 capable, which requires the Secure Boot setting to be ON. If your system does not yet support this standard, you must update to FDE 26.1.0.0 as an intermediary step. This allows you to keep the Secure Boot setting ON for the entire upgrade.
Technical Note: Understanding SBAT and Certificate Limitations
Systems utilizing the SBAT\OptOut workaround (set to 1 or True) are restricted from receiving new Secure Boot security updates, even if Secure Boot is enabled. To migrate to the new UEFI CA 2023 standard, the system must process the latest revocations, which requires disabling the OptOut setting.
However, re-enabling SBAT protections while still using older, 2011-signed encryption drivers (such as FDE 22) would result in a "Security Violation" and a system boot failure.
By updating to FDE 26.1.0.0 first, you transition to a modern bootloader that is independent of SBAT versioning. This allows you to keep Secure Boot ON and SBAT\OptOut OFF safely. In this state, the operating system can successfully stage the UEFI CA 2023 certificates. Only after the firmware confirms the 2023 certificate is active should you perform the final upgrade to FDE 26.1.0.1.
Please note that there is no functional difference between version 26.1.0.0 and 26.1.0.1.
How to check if the system is UEFI CA 2023 capable?
Run the following command in an elevated PowerShell window to verify if the Windows UEFI CA 2023 certificate is active in the firmware:
if ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') { Write-Host "SUCCESS: 2023 Certificate is Active" -ForegroundColor Green } else { Write-Host "PENDING: Certificate Not Found" -ForegroundColor Red }
For a detailed walkthrough of these requirements, please refer to the Microsoft Secure Boot Playbook.
Step 1: Upgrade to FDE 26.1.0.0
The primary goal is to migrate from the legacy SHIM-based bootloader (FDE 22) to the modern FDE 26 architecture.
- Deploy FDE 26.1.0.0: Upgrade the system to this version. Refer to the FDE Update Guide for detailed installation instructions.
- SBAT Independence: Because FDE 26 uses a proprietary bootloader, it is not restricted by the SBAT revocation rules that affected version 22.
- Restore Security Defaults: Once the update is complete, you can safely re-enable full security protections:
  - Action: Ensure Secure Boot is set to Enabled in the BIOS.
  - Action: If the SBAT\OptOut registry workaround was previously used (value set to 1), reset it to 0 (False).
Following this upgrade, the system remains fully bootable and protected under the 2011 Certificate Authority.
Step 2: Enable UEFI CA 2023 Compatibility
Before deploying the final 2023-signed FDE version, the operating system and firmware must be synchronized to support the new keys.
- Verify Windows Version: Ensure machines are running Windows 11 23H2 or 24H2. Windows 11 22H2 has reached End of Service. Upgrading the OS is required to ensure the Secure Boot migration logic is present. You may use the Windows 11 Installation Assistant to force an upgrade if the version is not offered automatically.
- Install Latest Cumulative Updates: Apply the latest monthly security patches to ensure the deployment environment is stable.
- Enforce Certificate Update: If the PowerShell check from the Overview still returns PENDING, you must manually trigger the certificate rollout. Open an Administrator Command Prompt and run:
  reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
  Then start the Secure Boot update task (Start-ScheduledTask is a PowerShell cmdlet, so run it from an elevated PowerShell window):
  Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
  Read the Deployment using registry keys section of the Microsoft support article Registry key updates for Secure Boot: Windows devices with IT-managed updates for more details on how to force the Secure Boot updates. Secure Boot must be ON for this to work.
- Monitor Progress: Watch the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot\AvailableUpdates registry value.
  - 0x4100: A restart is pending.
  - 0x4000: Success. The system is now UEFI CA 2023 capable.
- Troubleshooting: Check Event Viewer > Windows Logs > System under Event ID: 1801 for any error messages.
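The certificate check from the Overview and the AvailableUpdates monitoring above can be combined into a single readiness report. The following script is an added example, not Matrix42's own tooling; it assumes the SBAT OptOut value lives under the Secureboot\SBAT key and must be run from an elevated PowerShell window on a UEFI system.

```powershell
# Added example: one-shot pre-flight check before deploying FDE 26.1.0.1.
# Assumption: the SBAT OptOut workaround value sits at ...\Secureboot\SBAT\OptOut.
function Test-Fde2023Readiness {
    $sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $result = [ordered]@{}

    # 1. Secure Boot must be ON, otherwise the certificate rollout cannot run.
    $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)

    # 2. Is the Windows UEFI CA 2023 certificate already in the firmware 'db'?
    #    The subject name is stored as ASCII inside the DER certificate, so a
    #    plain string match over the raw db bytes is sufficient here.
    $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
    $result.Ca2023InDb = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'

    # 3. SBAT OptOut must be 0 (or absent) so current revocations are processed.
    $optOut = (Get-ItemProperty -Path "$sbKey\SBAT" -Name OptOut -ErrorAction SilentlyContinue).OptOut
    $result.SbatOptOut = if ($null -eq $optOut) { 0 } else { [int]$optOut }

    # 4. Rollout state as reported through AvailableUpdates (Step 2 values).
    $avail = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $result.AvailableUpdates = if ($null -eq $avail) { 'not set' } else { '0x{0:X4}' -f $avail }
    $result.RolloutState = switch ($avail) {
        0x4000  { 'Success: system is UEFI CA 2023 capable' }
        0x4100  { 'Restart pending' }
        0x5944  { 'Requested in Step 2; Secure-Boot-Update task has not processed it yet' }
        default { 'Not started or unknown; check Event ID 1801 in the System log' }
    }

    # Ready only when Secure Boot is on, OptOut is cleared and the 2023 CA is live.
    $result.ReadyForFde26101 = $result.SecureBootEnabled -and
                               $result.Ca2023InDb -and
                               ($result.SbatOptOut -eq 0)
    [pscustomobject]$result
}

Test-Fde2023Readiness | Format-List
```

Run it before and after the Step 2 restart; ReadyForFde26101 should read True only once Ca2023InDb is True and AvailableUpdates reports 0x4000.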
Step 3: Upgrade to FDE 26.1.0.1
Once the system is confirmed as UEFI CA 2023 capable (0x4000), you may proceed with the final FDE upgrade at your convenience.
- Deploy FDE 26.1.0.1: Refer to the FDE Update Guide for final deployment.
- This version is fully signed with the 2023 certificate, ensuring long-term compliance beyond the 2026 expiration of the 2011 CA. Details are available in the When Secure Boot certificates expire on Windows devices article.