Windows 11 with VeraCrypt and SecureBoot enabled, doesn't work with newer Laptops with only UEFI CA 2023 Certificates

[MG4o]

Expected behavior

Encrypting a Windows 11 device with VeraCrypt system encryption and keeping Secure Boot enabled using VeraCrypt-DCS.

After successful VeraCrypt pre-boot authentication, the system should continue booting into Windows.

Observed behavior

The device freezes after successful VeraCrypt authentication:

Success
Start 0 ...

The device only boots into Windows after disabling Secure Boot.

When restoring the OEM/factory Secure Boot keys, the device does not reach the VeraCrypt authentication screen and fails earlier with:

Secure Boot Violation
Invalid signature detected.
Check Secure Boot Policy in Setup.

Steps to reproduce

1. Use a Windows 11 x64 device whose OEM/factory Secure Boot configuration uses only the 2023 Secure Boot certificate chain
2. Install VeraCrypt 1.26.29
3. Encrypt the Windows system drive C:
4. Execute the VeraCrypt-DCS Secure Boot script with the correct manufacturer certificates
5. Boot the device with Secure Boot enabled
6. Successfully authenticate in the VeraCrypt pre-boot environment
7. The system gets stuck at:

Success
Start 0 ...

Additional findings

The OEM/factory Secure Boot configuration appears to use the newer 2023 Secure Boot certificate chain.

However, the VeraCrypt-DCS bootloader files installed by VeraCrypt 1.26.29 are still signed by:

CN=Microsoft Corporation UEFI CA 2011

Example files:

S:\EFI\VeraCrypt\DcsBoot.efi
S:\EFI\BOOT\bootx64.efi

PowerShell output for both files shows:

Subject : CN=Microsoft Windows UEFI Driver Publisher, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Issuer  : CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Not After : 26.06.2026 21:35:19

This results in two different failure modes:

1. With OEM/factory Secure Boot keys restored:
   • The device fails before the VeraCrypt authentication screen with Secure Boot Violation.
   • This appears to happen because the VeraCrypt DCS bootloader is still signed by Microsoft Corporation UEFI CA 2011, which is not trusted by this factory Secure Boot configuration.
2. After running the VeraCrypt-DCS Secure Boot script:
   • VeraCrypt pre-boot authentication starts and succeeds.
   • The system then freezes at Success / Start 0 ....
   • Comparing the Secure Boot variables with dumpEfiVars.exe shows that the VeraCrypt-DCS script installs the older Microsoft 2011 certificates, but does not preserve the required 2023 Secure Boot certificate chain.

Thesis

This looks like a compatibility problem between VeraCrypt-DCS and newer Secure Boot configurations.

VeraCrypt 1.26.29 release notes mention support for Microsoft UEFI CA 2023 signed EFI bootloaders. However, on this fresh installation the actually installed DCS EFI files are still signed by Microsoft Corporation UEFI CA 2011.

On systems whose OEM/factory Secure Boot configuration no longer trusts the 2011 Microsoft UEFI CA, VeraCrypt system encryption with Secure Boot enabled appears to fail.

The VeraCrypt-DCS Secure Boot script seems to work around the first problem by installing 2011-based certificates, allowing VeraCrypt authentication to start. But it appears to break the 2023 Secure Boot trust chain required by the Windows boot process on this device.

Questions

1. Is the VeraCrypt-DCS Secure Boot script still supported?
2. Will the VeraCrypt-DCS Secure Boot script updated with new the new UEFI CA 2023 Certificate?

Your Environment

Freshly bought Lenovo ThinkPad L16 Gen3 (21XC0019GE)

VeraCrypt version: 1.26.29

Operating system and version: Windows 11 25H2 Build 26200.8655

BIOS-Version: R3GET19W (1.19 )

System type: 64-bit, UEFI/GPT

[idrassi]

Thank you for the detailed report. There are two different Secure Boot paths mixed here, so I want to separate them.

VeraCrypt 1.26.29 does include Microsoft-signed EFI bootloader sets for both the 2011 and 2023 Microsoft Secure Boot CAs. One important detail is that VeraCrypt current 2023 loader set requires two entries in the firmware active db: Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023. This is because not all VeraCrypt EFI components are signed by the same 2023 CA.

If VeraCrypt installed the 2011-signed files, it means that at install/repair time VeraCrypt didn't detect the 2023 trust set required by VeraCrypt current 2023 loader set. Changing BIOS Secure Boot settings afterwards doesn't rewrite the files already installed on the EFI System Partition: a VeraCrypt Repair/Reinstall is needed after changing the firmware Secure Boot database.

The VeraCrypt-DCS Secure Boot script is a legacy custom key script and shouldn't be used as a workaround for the normal 1.26.29 Secure Boot path. That script replaces the Secure Boot variables and currently enrolls the older 2011 Microsoft certificates, but not the 2023 Microsoft KEK/db certificates. On a 2023-only system, this can allow the VeraCrypt loader to start but then break the Windows Boot Manager handoff, which matches the Success / Start 0 ... failure you describe.

Please restore the OEM Secure Boot keys, enable both Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 if the Lenovo firmware exposes these options, then run VeraCrypt 1.26.29 Repair/Reinstall. Don't run the VeraCrypt-DCS Secure Boot script again after that.

After repair/reinstall, please provide the following output from an elevated PowerShell prompt. If drive letter S: is already used, replace it with another free drive letter.

reg query HKLM\SOFTWARE\VeraCrypt\Diagnostics\EfiBootLoader /s

# Quick readable-name check only. Some firmware stores db entries in a form
# where these strings may not be visible even when the keys are present.
$t = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)
'Microsoft Corporation UEFI CA 2011',
'Microsoft Windows Production PCA 2011',
'Windows UEFI CA 2023',
'Microsoft UEFI CA 2023',
'Microsoft Option ROM UEFI CA 2023' |
  ForEach-Object { "$_ : $($t -match [regex]::Escape($_))" }

mountvol S: /S
try {
  'S:\EFI\VeraCrypt\DcsBoot.efi',
  'S:\EFI\VeraCrypt\DcsInt.dcs',
  'S:\EFI\Microsoft\Boot\bootmgfw_ms.vc' |
    ForEach-Object {
      $sig = Get-AuthenticodeSignature $_
      "$_ -> $($sig.SignerCertificate.Issuer)"
    }
}
finally {
  mountvol S: /D
}

If the firmware doesn't provide both 2023 CAs required by VeraCrypt current 2023 loader set, then it can't be used under Secure Boot on this machine without also trusting another CA set.

I will also look at improving VeraCrypt selection logic so it doesn't fall back to the 2011 loader set on systems whose active Secure Boot db no longer trusts the 2011 Microsoft UEFI CA.

The VeraCrypt-DCS custom-key script also needs to be clearly marked as legacy and unsupported for the 2023 Secure Boot transition.

[MG4o]

Thank you for the fast response. The problem has been fixed by enabling "Third-Party-Certificates" in the BIOS. Your diagnostic commands showed that before enabling this BIOS option, only the Windows UEFI CA 2023 was present. The two CA entries required by VeraCrypt’s current 2023 loader set, were missing. Because of that, VeraCrypt selected the 2011 loader set.

After enabling the Third-Party Certificates option in the BIOS, the firmware db contained both required Microsoft 2023 UEFI CAs, and VeraCrypt selected the 2023 loader set correctly.

It has been a while since I last installed VeraCrypt with Secure Boot, so I was still following the old VeraCrypt-DCS Secure Boot script procedure. I now know it's much easier to set up VeraCrypt with the latest update.

Before:

HKEY_LOCAL_MACHINE\SOFTWARE\VeraCrypt\Diagnostics\EfiBootLoader
	EfiBootLoaderResourceSet REG_DWORD 0x7db
	EfiBootLoaderFirmwareDbLastError REG_DWORD 0x0
	EfiBootLoaderSelectionReason REG_SZ firmware db does not contain both Microsoft 2023 UEFI CAs
	EfiBootLoaderSelectionTimeUtc REG_SZ 2026-06-17T06:29:20Z

Microsoft Corporation UEFI CA 2011 : False
Microsoft Windows Production PCA 2011 : True
Windows UEFI CA 2023 : True
Microsoft UEFI CA 2023 : False
Microsoft Option ROM UEFI CA 2023 : False

S:\EFI\VeraCrypt\DcsBoot.efi -> CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
S:\EFI\VeraCrypt\DcsInt.dcs -> CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
S:\EFI\Microsoft\Boot\bootmgfw_ms.vc -> CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

After:

HKEY_LOCAL_MACHINE\SOFTWARE\VeraCrypt\Diagnostics\EfiBootLoader
	EfiBootLoaderResourceSet REG_DWORD 0x7e7
	EfiBootLoaderFirmwareDbLastError REG_DWORD 0x0
	EfiBootLoaderSelectionReason REG_SZ firmware db contains Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023
	EfiBootLoaderSelectionTimeUtc REG_SZ 2026-06-17T06:58:09Z
	
Microsoft Corporation UEFI CA 2011 : True
Microsoft Windows Production PCA 2011 : True
Windows UEFI CA 2023 : True
Microsoft UEFI CA 2023 : True
Microsoft Option ROM UEFI CA 2023 : True

S:\EFI\VeraCrypt\DcsBoot.efi -> CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
S:\EFI\VeraCrypt\DcsInt.dcs -> CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
S:\EFI\Microsoft\Boot\bootmgfw_ms.vc -> CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US