Windows 11 25H2 Installs Can Be A Breeze With This Rufus Tool Tip

For years now, folks have been using Rufus to bypass Windows 11's onerous installation requirements. Got a system without Secure Boot or a functional TPM? No problem! Some buzz was going around that this was no longer possible with Windows 11 25H2, but we're happy to report that it still works the same as before—thanks to a bugfix patch by the developers.

Here's the deal: Microsoft (probably) didn't intentionally break Rufus with the 25H2 release. Instead, a bug in the software caused it to throw an "Assertion failed!" error when attempting to make Windows install media from the Microsoft-provided Windows 11 25H2 install images. At the time, the developer advised a user to avoid this by selecting the "first bypass on the WUE dialog," which bypasses the checks for Windows 11's minimum requirements: 4GB of RAM, Secure Boot, and TPM 2.0. It doesn't disable the use of these features, merely the checks that look for them before it will allow you to install.

What you'll see using an older Windows install image.

Fortunately, this issue has already been patched. In the latest Rufus 4.11 version, released just two days ago, there's a new option in the Windows User Experience dialog: "Use 'Windows CA 2023' signed bootloaders (requires a compatible target PC)." This is required because of the revocation of the old 2011 Secure Boot certificates, which was done due to the discovery of UEFI bootkits (like BlackLotus) that could bypass Secure Boot. It was this functionality that was breaking Rufus, and we can confirm that it has now been fixed.

The new checkbox in the updated Rufus.

That last bit is the gotcha, though—"requires a compatible target PC." You see, systems that didn't get patched firmware don't have the new certificate, and so they will throw the exact same kind of security violation that a patched machine trying to boot the old media would have done. This type of security violation is typically a critical halt, meaning that you absolutely cannot install from this media with Secure Boot enabled. You'll have to get updated install media or disable Secure Boot on your machine, which is obviously not recommended by security wonks (although your author certainly hasn't had any problems in nigh-on 15 years).
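To check a target PC before writing the media, the following added example (not from the article or from Rufus) reads the firmware's Secure Boot allow list (db) and revocation list (dbx) and reports which signing generation of boot media the machine will accept. It assumes a Windows install already runs on the target, an elevated PowerShell session, and Microsoft's certificate common names, which the article does not quote.

```powershell
# Added example, not from the article: which Windows boot media will this PC accept?
# Run in an elevated PowerShell session on the target PC (UEFI firmware required).
# The names below are Microsoft's CA common names (an assumption; not on the page).
$Ca2023  = 'Windows UEFI CA 2023'
$Pca2011 = 'Microsoft Windows Production PCA 2011'

function Test-SecureBootCert {
    param(
        [Parameter(Mandatory)][ValidateSet('db', 'dbx')][string]$Variable,
        [Parameter(Mandatory)][string]$CommonName
    )
    # db/dbx hold DER certificates and hashes; the common name sits in the
    # certificate as plain text, so a substring search over the raw bytes finds it.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    if (-not $bytes) { return $false }
    return [System.Text.Encoding]::ASCII.GetString($bytes).Contains($CommonName)
}

function Get-BootMediaTrust {
    try {
        $enforcing = Confirm-SecureBootUEFI -ErrorAction Stop
        $has2023   = Test-SecureBootCert -Variable db  -CommonName $Ca2023
        $has2011   = Test-SecureBootCert -Variable db  -CommonName $Pca2011
        $revoked   = Test-SecureBootCert -Variable dbx -CommonName $Pca2011
    }
    catch {
        # Legacy BIOS, a non-elevated session, or a missing variable all land here.
        Write-Warning "Could not read Secure Boot state: $($_.Exception.Message)"
        return
    }
    [pscustomobject]@{
        SecureBootEnforced = $enforcing
        # With Secure Boot off the firmware verifies nothing, so either media boots.
        Boots2023Media     = (-not $enforcing) -or $has2023
        Boots2011Media     = (-not $enforcing) -or ($has2011 -and -not $revoked)
        Db2023Present      = $has2023
        Pca2011Revoked     = $revoked
    }
}

Get-BootMediaTrust | Format-List
```

If `Boots2023Media` is false, leave the new Rufus checkbox unticked for that machine or update its firmware first; if `Boots2011Media` is false, older install media will hit the security violation described above.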

If you're planning to do a fresh install of Windows 11 on hardware with the latest firmware updates, you'll want to make sure you have the latest installation image. You can get that file directly from Microsoft, and that is in fact the safest place to get it. You can grab the image from this site here (scroll down to "Download Windows 11 Disk Image (ISO) for x64 devices"). Oh, and you can get Rufus from its website.