Overview

To upgrade to EgoSecure Full Disk Encryption (FDE) 26.1.0.1 or later in a UEFI CA 2023 compliant environment, a sequential two-step upgrade is required. Due to Secure Boot, SBAT enforcement, and certificate compatibility constraints, a direct upgrade to FDE 26.1.0.1 or later is not supported for systems running publicly released FDE versions 22 or technical preview versions of FDE 25, unless the system is already fully compliant with UEFI CA 2023 requirements.

Required Upgrade Sequence

To ensure a stable and supported transition, the upgrade must be performed in the following sequence:

  1. Upgrade to FDE 26.1.0.0
  2. Enable and verify UEFI CA 2023 compatibility
  3. Upgrade to FDE 26.1.0.1 or later

This intermediate step is required to introduce a modern, SBAT-independent bootloader and to allow the operating system to stage and activate the UEFI CA 2023 certificates.

Background and Technical Constraints

Systems utilizing the SBAT\OptOut workaround (set to 1 or True) are restricted from receiving new Secure Boot security updates, even if Secure Boot is enabled. To migrate to the new UEFI CA 2023 standard, the system must process the latest revocations, which requires disabling the OptOut setting.

However, re-enabling SBAT protections while using an older, 2011-signed SHIM-based bootloader (such as Full Disk Encryption 22 and older) would result in a "Security Violation" and a system boot failure. By updating to FDE 26.1.0.0 first, the system transitions to a modern bootloader that is independent of SBAT versioning. This allows Secure Boot to remain enabled and SBAT\OptOut to remain disabled safely.

In this state, the operating system can successfully stage the UEFI CA 2023 certificates. Once the Windows UEFI CA 2023 certificate is present and active in the system firmware, the final upgrade to FDE 26.1.0.1 or later can be performed.

Versioning and Release Strategy

FDE version 26.1.0.0 is maintained on the Marketplace specifically as a required transitional version to support the upgrade path towards UEFI CA 2023 compliance. All further development and fixes, including upcoming hotfix releases (e.g., 26.1.0.2), are built on FDE 26.1.0.1 and subsequent versions, which are based on the UEFI CA 2023 standard.


System Readiness Verification for UEFI CA 2023

Run the following command in an elevated PowerShell window to verify if the Windows UEFI CA 2023 certificate is active in the firmware:

if ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023') { Write-Host "SUCCESS: 2023 Certificate is Active" -ForegroundColor Green } else { Write-Host "PENDING: Certificate Not Found" -ForegroundColor Red }

For a detailed walkthrough of these requirements, please refer to the Microsoft Secure Boot Playbook.

Upgrade Sequence

The upgrade process must be performed in the following steps to safely transition from legacy boot components to a UEFI CA 2023 compliant environment. Each step builds on the previous one and is required to maintain a valid Secure Boot chain.

Step 1: Upgrade to FDE 26.1.0.0

The primary goal is to migrate from the legacy SHIM-based bootloader (FDE 22 and older) to the modern FDE 26 architecture.

  • Deploy FDE 26.1.0.0: Upgrade the system to this version. Refer to the FDE Update Guide for detailed installation instructions. 
  • SBAT Independence: Because FDE 26 uses a proprietary bootloader, it is not restricted by the SBAT revocation rules that affected version 22 and older.
  • Restore Security Defaults: Once the update is complete, you can safely re-enable full security protections:
    • Action: Ensure Secure Boot is set to Enabled in the BIOS.
    • Action: If the SBAT\OptOut registry workaround was previously used (value set to 1), reset it to 0 (False).

Following this upgrade, the system remains fully bootable and protected under the 2011 Certificate Authority.


Step 2: Enable UEFI CA 2023 Compatibility

Before deploying the final 2023-signed FDE version, the operating system and firmware must be synchronized to support the new keys.

  • Verify Windows Version: Ensure machines are running Windows 11 (23H2, 24H2 or newer) or Windows 10 (version 22H2 and newer, including 21H2 LTSC).

    Windows 11 22H2 has reached End of Service. Upgrading the OS is required to ensure the Secure Boot migration logic is present. You may use the Windows 11 Installation Assistant to force an upgrade if the version is not offered automatically.

  • Install Latest Cumulative Updates: Apply the latest monthly security patches to ensure the deployment environment is stable.
  • Enforce Certificate Update: If the PowerShell check from the Overview still returns PENDING, you must manually trigger the certificate rollout. Open an elevated PowerShell window (Start-ScheduledTask is a PowerShell cmdlet and is not available in a plain Command Prompt) and run:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Review the "Deployment using registry keys" section of the Microsoft support article "Registry key updates for Secure Boot: Windows devices with IT-managed updates" for more details on how to force the Secure Boot updates.

    Secure Boot must be enabled for this to work.

  • Monitor Progress: Watch the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot\AvailableUpdates registry value.
    • 0x4100: A restart is pending.
    • 0x4000: Success. The system is now UEFI CA 2023 capable.
    • Troubleshooting: Check Event Viewer > Windows Logs > System under Event ID: 1801 for any error messages.

Step 3: Upgrade to FDE 26.1.0.1 or later

Once the system is confirmed as UEFI CA 2023 capable (0x4000), you may proceed with the final FDE upgrade at your convenience.
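The following PowerShell script is an added example, not part of the EgoSecure FDE product or its documentation. It combines the checks from the steps above (Secure Boot state, the SBAT\OptOut workaround, the Windows UEFI CA 2023 certificate in the firmware db, and the AvailableUpdates status value) into one readiness report so you can see at a glance whether a machine is ready for Step 3. The function name Test-Fde2023Readiness is an assumed name; the registry paths and the 0x4000 / 0x4100 status values are those given on this page, and the script must run in an elevated PowerShell window on a UEFI system.

```powershell
# Added example (not EgoSecure code): report FDE 26.1.0.1 readiness per the steps on this page.
# Assumes an elevated PowerShell session on a UEFI firmware system.
function Test-Fde2023Readiness {
    $sbPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $sbatPath = Join-Path $sbPath 'SBAT'

    # Step 1 checks: Secure Boot enabled and the SBAT\OptOut workaround removed (0 or absent).
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = $false }   # cmdlet throws on legacy BIOS or unsupported firmware
    $optOut = (Get-ItemProperty -Path $sbatPath -Name OptOut -ErrorAction SilentlyContinue).OptOut

    # Step 2 checks: 2023 CA present in the firmware db (same test as the Overview one-liner)
    # and the AvailableUpdates value written by the Secure-Boot-Update scheduled task.
    $cert2023 = $false
    try {
        $db = Get-SecureBootUEFI -Name db
        $cert2023 = [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
    } catch { }
    $avail = (Get-ItemProperty -Path $sbPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    if     ($null -eq $avail)  { $stage = 'Not triggered (AvailableUpdates value absent)' }
    elseif ($avail -eq 0x4000) { $stage = 'Success: system is UEFI CA 2023 capable' }
    elseif ($avail -eq 0x4100) { $stage = 'Restart pending' }
    else   { $stage = 'In progress or failed (0x{0:X}); check System log Event ID 1801' -f $avail }

    # Troubleshooting aid from the page: most recent Event ID 1801 messages, if any.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } -MaxEvents 3 -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty Message

    [pscustomobject]@{
        SecureBootEnabled = [bool]$secureBoot
        SbatOptOut        = $optOut          # expected: 0 or absent after Step 1
        Cert2023InDb      = [bool]$cert2023
        AvailableUpdates  = $avail
        Stage             = $stage
        ReadyForFde26101  = ([bool]$secureBoot -and ($optOut -ne 1) -and $cert2023 -and ($avail -eq 0x4000))
        RecentEvent1801   = $events
    }
}

Test-Fde2023Readiness | Format-List
```

ReadyForFde26101 is only True when every condition the page names for Step 3 holds; a False result with Stage showing 0x4100 simply means a restart is still outstanding.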