Rufus 4.10 Adds Dark Mode and Windows UEFI CA 2023 Support

Rufus’ latest release sharpens a tool millions rely on for creating bootable USB media: version 4.10 arrives with a native dark mode, formal support for Microsoft’s Windows UEFI CA 2023 Secure Boot certificates (so you can build 25H2-compatible Windows 11 media), the ability to save an existing USB drive back to ISO (UDF only), improved VHD/VHDX error reporting, and a handful of reliability fixes that address long-path crashes, timezone DBX false positives, and persistence problems in Linux Mint.

Overview​

Rufus has long been the go-to utility for IT pros, power users, and hobbyists who need fast, reliable bootable USB creation. The 4.10 release keeps that tradition while addressing two types of user needs simultaneously: a modern UI expectation (dark theme), and a low-level compatibility requirement tied to Secure Boot certificate changes driven by Microsoft’s ecosystem-wide certificate refresh. The Secure Boot support is the change with the broadest operational impact — it touches firmware trust chains and the way installation media are accepted by UEFI firmware.

---

Background: why the Windows UEFI CA 2023 change matters​

Microsoft and the OEM ecosystem publish certificates that firmware trusts for Secure Boot. Those certificates are not permanent — they expire and must be rotated to maintain the ability to update signed boot components. Microsoft has been rolling out a new set of UEFI certificates (commonly referred to as Windows UEFI CA 2023 or PCA2023) to replace the older 2011-rooted certificates that are scheduled to phase out. Devices that never move to the 2023 certificates risk losing the ability to accept future Microsoft-signed boot component updates unless mitigations are applied. Microsoft’s deployment guidance makes this explicit and warns enterprises to plan staged rollouts and careful testing.
Key technical points from Microsoft’s guidance:

• The 2023 certificates are being added to Secure Boot databases (DB) so firmware will trust bootloaders signed with the new CA.
• Enterprises are advised to test updates on representative hardware before broad deployment; Microsoft supplies registry flags and servicing steps to control and verify the rollout.

---

What’s new in Rufus 4.10 — quick list​

• Dark Mode: native dark theme option to reduce eye strain and match system themes.
• Windows CA 2023 media creation: a creation mode that produces media compatible with Microsoft’s Windows UEFI CA 2023 signing expectations — requires a Windows 11 25H2 ISO.
• Save USB drive to ISO (UDF only): capture an existing UFD back into an ISO image for archiving or cloning.
• Improved error reporting for VHD/VHDX: clearer diagnostics when saving to virtual disk formats.
• Improved persistence for Linux Mint: fixes to make persistent storage on Mint-based sticks more reliable.
• Bug fixes: timezone-related false DBX update notices, inability to select file system in ISO mode, and crash handling for Windows ISOs with very long internal paths.

Multiple independent outlets and Rufus’ own release page confirm the same changelog, demonstrating consistent upstream communication and broad availability.

---

Dark mode: small but meaningful UX improvement​

The native dark mode addition is straightforward but noteworthy for a few reasons:

• It removes the need for third-party UI themes or system tweaks, delivering a polished option that follows Windows’ dark/light settings more reliably.
• For long imaging sessions or night-time troubleshooting, the dark UI reduces glare and can help focus on important log output.
• The change was contributed by the community and merged into the main codebase, reflecting Rufus’ active upstream maintenance model.

This is a low-risk, high-reward change for the broad user base — it neither affects disk formats nor Secure Boot behavior, but it improves user comfort and aligns Rufus with modern desktop UI expectations.

---

Deep dive: Windows CA 2023 support in Rufus — what it does and why you might need it​

What Rufus 4.10 delivers is an option to create Windows installation media that are aligned with Microsoft’s Windows UEFI CA 2023 signing model. Practically speaking, that means Rufus can construct a USB stick whose components (boot manager, signed binaries) match the expectations of systems that have already ingested the 2023 CA into their UEFI DB. Creating this media is only possible when the correct installation artifacts are present — specifically, Rufus requires a Windows 11 25H2 ISO (build artifacts produced for 25H2) to produce CA2023-capable media.
Why that requirement exists:

• The new boot manager binaries and signatures are present in Windows 11 25H2 ISOs (or later ISOs that include the 2023-signed boot components).
• Rufus doesn’t retroactively re-sign binaries; it bundles and writes what’s in the ISO and adjusts the structure so the resulting USB media is recognized as “2023-capable” by systems that have updated their Secure Boot DB.

Operational implications:

• If your fleet firmware has received Windows UEFI CA 2023 updates and you boot with older media that only include 2011-signed binaries, you could face signature mismatches or update/boot complications in certain scenarios.
• Conversely, creating CA2023 media and attempting to boot it on devices whose firmware has not yet been updated could also cause unpredictable behavior depending on OEM firmware idiosyncrasies. Microsoft emphasizes staged validation to avoid disruption.

Verdict: Rufus 4.10 makes it easier to create the new-style media, but responsibility for safe rollout — especially in enterprise environments — remains with the administrator.

---

How Rufus’ Windows CA 2023 mode interacts with Microsoft’s rollout guidance​

Microsoft’s guidance around CVE mitigations and PCA2023 rollout includes concrete steps for IT admins to install the updated certificate definitions into the UEFI DB and to validate that systems are “2023-capable.” Tools and registry keys referenced by Microsoft (for example, WindowsUEFICA2023Capable) let you confirm the DB update and whether a machine is starting from 2023-signed boot components. If you’re building CA2023 media with Rufus for use in an environment, follow Microsoft’s staged rollout recommendations before mass use.
Recommended enterprise checklist before broad deployment:

• Test on representative hardware first.
• Verify firmware/UEFI compatibility and whether the OEM has any caveats for new CA trust anchors.
• Ensure Windows devices have applied the necessary servicing updates that enable the DB change.
• Monitor the WindowsUEFICA2023Capable registry values and boot diagnostics per Microsoft’s guidance.

---

Save USB to ISO (UDF only) — practical uses and limitations​

Rufus 4.10 adds the ability to save an existing USB drive back into an ISO (UDF) image. This is a welcome utility feature for technicians who routinely:

• Archive a fully-prepared rescue or install stick for future redeployment.
• Clone a preconfigured installer with custom drivers or packages.
• Preserve a working environment before making destructive changes.

Limitations to note:

• The feature currently supports UDF-only images. Drives formatted with other filesystems may not be preserved identically.
• This is not a forensic-level imaging tool — it’s intended for practical archival/clone purposes, not for low-level disk forensics.

---

Improved VHD/VHDX error reporting and Linux Mint persistence​

Two smaller but useful changes landed in 4.10:

• Better error reporting when saving to VHD/VHDX: clearer diagnostics help admins understand why a VHD/VHDX creation failed (for example, permission problems or filesystem constraints).
• Persistence support improvements for Linux Mint: fixes to how persistence is created and maintained on Mint-based images. This benefits users who keep state across reboots on “live” USBs.

Both changes reduce friction for users who rely on Rufus for multi-distro USB creation and for building virtual-disk-based archives.

---

Reliability fixes worth calling out​

Rufus 4.10 fixes specific edge cases that have real operational impact:

• False DBX updates in some timezones: previously Rufus could report UEFI revocation (DBX) updates in certain timezones even when none occurred, causing confusion and unnecessary troubleshooting. This is fixed.
• ISO mode file system selection issue: resolved a situation where no file system could be selected in ISO mode.
• Crash on Windows ISOs with very long internal paths: handling improved to avoid crashes when encountering deeply nested paths in some Windows ISOs.

These fixes make the tool more predictable when used at scale or with customized ISO content.

---

Security and distribution cautions​

Rufus is a tiny, portable tool that has historically been distributed via its official website and GitHub releases. Because it is so widely used, impostor sites occasionally surface. Always verify downloads against the official sources and the release signatures provided on GitHub or Rufus’ website. The Rufus release page on GitHub is the canonical entry for release notes and signed assets; the official site rufus.ie points users to the same upstream artifacts.
Best practices:

• Download Rufus only from the official site (rufus.ie) or the verified GitHub releases for pbatard/rufus.
• Confirm file signatures or checksums where available.
• Avoid third-party sites or package repositories of unknown provenance unless you validate the binary signature.

---

Rufus and Windows 11 “bypass” capabilities — what’s true and what needs caution​

Rufus has been widely documented and used for creating Windows 11 installation media that relax certain setup checks (TPM, Secure Boot, RAM). Mainstream how‑to guides historically referenced Rufus’ “Extended Windows 11 installation” options that allow users to create installers that bypass TPM/Secure Boot checks when needed. This capability is a pragmatic feature for hobbyists and technicians working with legacy hardware, but it must be approached with care due to security and licensing implications.
Important caveats:

• The availability and UI placement of bypass options have changed across Rufus versions; behavior seen in older screenshots or guides may not map 1:1 to Rufus 4.10.
• Bypassing hardware requirements reduces platform security (disables hardware-backed protections) and may complicate future updates or support.
• Organizations should have policy-based guidance before removing platform protections, and home users should understand the trade-offs.

If you require bypass functionality for legitimate reasons (testing, lab hardware, unsupported upgrades), consult Rufus’ FAQ and use the tool with the latest build — older guides sometimes reference menu locations that have moved or changed.

---

How to approach creating Windows CA 2023 media with Rufus 4.10 (practical steps)​

The following is a condensed operational checklist for building CA2023-capable media; adapt it to your environment and validate on test hardware first.

• Obtain a verified Windows 11 25H2 ISO from Microsoft or an official channel (confirm checksums).
• Download Rufus 4.10 from the official site or the verified GitHub release and confirm the binary’s signature if you have strict supply-chain policies.
• Plug in a test USB drive and open Rufus (it’s portable — no install needed).
• Select the 25H2 ISO and choose Rufus’ Windows CA 2023 creation option if shown (Rufus detects a 25H2 ISO and exposes the mode).
• Create the USB and boot a non-production test device that already has the 2023 DB entry or is known to accept the 2023 CA.
• Validate boot success and, if applicable, check the system’s registry servicing flags per Microsoft’s guidance (WindowsUEFICA2023Capable).
• Only after passing tests, roll out widely with incremental deployment controls in place.

Note: If the target device firmware has not received the DB update or OEM guidance indicates incompatibility, postpone production usage until firmware/BIOS updates or OEM guidance are available.

---

Enterprise recommendations and risk mitigation​

For IT teams preparing for certificate rotations and Secure Boot changes:

• Maintain an inventory of firmware versions and OEM models to prioritize vendors that already support PCA2023.
• Use the Microsoft registry flags and servicing guidance to confirm which devices have the new CA injected and which have switched to 2023-signed boot managers.
• Stage media creation and test boots for a cross-section of models before mass use.
• Preserve old-style media during the transition so you can roll back if a device fails to boot with 2023-signed components.
• Keep clear communications with end users and help desks so they recognize when a support call is a Simple Boot-DB mismatch vs. a broader imaging failure.

---

Compatibility and limitations​

• Rufus’ CA2023 mode is dependent on ISO contents: Rufus cannot convert older Windows ISOs into a 2023-signed installer. You must start with a Windows 11 25H2 ISO (or later ISO that contains the 2023-signed boot manager).
• UEFI firmware behavior varies by OEM; some devices may need firmware updates to fully accept the new CA or to avoid corner-case Secure Boot interactions. Microsoft’s guidance is explicit about this and encourages OEM coordination.
• The “save to ISO” function supports UDF-only images — a useful but not universal archival capability.

---

Verdict — strengths, trade-offs, and risks​

Strengths:

• Rufus 4.10 is a pragmatic, user-driven update that addresses both aesthetic and operational needs: dark mode improves ergonomics while CA2023 support tackles a real, time-sensitive Secure Boot migration issue.
• The addition of the “save to ISO” feature and VHD/VHDX reporting improvements make Rufus more versatile for deployment workflows.
• Active maintenance, community contributions, and a clear changelog (GitHub) mean the project remains well-managed.

Trade-offs and risks:

• The Secure Boot/CA2023 space is complex and involves firmware-level trust anchors; misuse or premature deployment of 2023-style media can create boot problems on devices that are not yet "2023-capable." Administrators must follow Microsoft’s staged rollout guidance and validate across representative hardware.
• Security posture: utilities that help bypass Windows 11 hardware checks remain available through Rufus and other tools. These are powerful but lower platform security and should not be used casually on production endpoints.
• Distribution hygiene: because Rufus is so frequently downloaded, malicious impostor sites sometimes appear. Verify downloads against official channels.

---

Final thoughts​

Rufus 4.10 is a pragmatic release that balances day‑to‑day user experience improvements (dark mode, more robust error messaging) with a necessary adaptation to an evolving firmware trust landscape (Windows UEFI CA 2023 support). For technicians and IT administrators, the headline is this: Rufus now directly supports building the new style of Windows 11 media — but the when and how you deploy such media should be governed by careful testing and Microsoft’s servicing guidance. For home users and hobbyists, the update improves convenience and archiving workflows, while also reminding everyone to download Rufus from official channels and treat Secure Boot and bypass features with the respect they deserve.

---

---

Source: Neowin Rufus 4.10 is out with dark mode, new Secure Boot certificates support, and more