Rufus 4.10 Brings Dark Mode and Windows UEFI CA 2023 Media Support

Rufus 4.10 lands with a built-in dark theme, support for Microsoft’s new Windows UEFI CA 2023 signing model, the ability to save a USB stick back to ISO (UDF only), improved VHD/VHDX error reporting, and a handful of reliability fixes that matter to technicians, imaging engineers, and power users alike. The update tightens Rufus’s handling of the evolving Windows 11 installation landscape—most notably by making it straightforward to produce media that is compatible with Microsoft’s renewed Secure Boot trust chain—while also addressing several long-standing usability pain points.

Background / Overview​

Rufus is a compact, portable utility used to format drives and create bootable USB media from ISO and other disk image formats. It is widely used by enthusiasts, system builders, and IT staff to produce installation media for Windows and Linux, recover systems, and prepare drives for firmware or BIOS updates. Over time, Rufus has evolved beyond a simple imaging tool into a utility that understands Windows installer nuances (WIM handling, UEFI/BIOS boot structures, and Secure Boot intricacies), and its beta channel frequently introduces practical features aimed at real-world deployment scenarios.
Why this release matters now: Microsoft’s Windows servicing and Secure Boot ecosystems have been changing—new update flows, boot manager signing rotations, and the arrival of Windows 11 version 25H2 ISOs mean that imaging tools must adapt to avoid boot failures and servicing headaches. Rufus 4.10 positions itself to bridge those gaps by offering explicit options for the new signing model and addressing several corner-case reliability issues encountered in production imaging workflows.

---

What’s new in Rufus 4.10 — at a glance​

• Dark Mode: Native dark theme for the UI, reducing eye strain during extended imaging sessions and aligning Rufus with modern desktop aesthetics.
• Windows CA 2023 compatible media: Rufus can now produce installation media compatible with Microsoft’s Windows UEFI CA 2023 certificate model—but this requires a Windows 11 25H2 ISO to be provided by the user. This option helps avoid Secure Boot boot-time failures on systems that have received the new UEFI certificate updates.
• Save an existing drive to ISO (UDF-only): Ability to capture a USB drive back to an ISO image using UDF format—useful for archiving configured installers or cloning customized sticks.
• Improved VHD/VHDX error reporting: Better diagnostics when saving images into virtual disk formats to ease triage when writes fail.
• Improved persistence support for Linux Mint: Fixes and tweaks for persistence creation on Mint-based images.
• Timezone/DBX reporting fix, long-path crash fix, ISO-mode file system selection fix: Reliability and correctness fixes to reduce false Secure Boot DBX notifications, avoid crashes with very deep ISO paths, and address UI behavior in ISO mode.

Multiple independent outlets and community trackers list the same changelog and confirm availability through official channels, indicating the release is broadly distributed and recognized by mainstream software portals.

---

Technical context: why Windows CA 2023 and 25H2 matter​

Microsoft rotated UEFI/boot signing authorities to address long-term key expiry and to harden the boot chain after CVE-related mitigation work. The new signing model—often referred to in documentation as Windows UEFI CA 2023 (or PCA2023/UEFI CA 2023)—introduces new certificates and an update path for firmware-level trust anchors (the Secure Boot DB variable) and for boot manager binaries. Devices need to adopt the new certificates and, in some cases, a new boot manager to remain able to boot and receive updates in future servicing cycles. Microsoft documented the mitigation and deployment guidance in its KBs and enterprise guidance pages. These documents explain the two-step approach: (1) add the new UEFI CA 2023 certificate to the firmware DB, and (2) update the boot manager so devices start using the 2023-signed boot manager. Monitoring registry flags and staged rollouts are recommended for enterprises.
Why Rufus adding “Windows CA 2023 compatible media” helps: Microsoft supplied scripts and guidance to make existing ISOs compatible with the new signing model, but those workflows require extra scripting and manual steps. Rufus’s integration simplifies that path and lets users create USB media that are already configured for the 2023 certificate set—provided the ISO itself uses or is compatible with the new format (which is why Rufus requires a Windows 11 25H2 ISO to exercise this mode). That reduces a common source of boot-time surprises when deploying freshly created Windows installation USBs to machines that have had their firmware trust anchors updated.

---

Deep dive: feature-by-feature analysis​

Dark Mode — more than cosmetic​

The addition of Dark Mode is small but meaningful. For administrators who create many installers in dimly lit environments (labs, server rooms, or home workshops), a native dark theme reduces glare and consistent contrast problems with standard Windows light themes. It also indicates that maintainers are actively incorporating community contributions (the implementation credits indicate a community PR contribution). This is a pure user-experience win with zero compatibility cost.

Windows CA 2023 compatible media — mechanics and caveats​

• What it does: Rufus detects a Windows 11 25H2 ISO and offers a creation mode that produces media aligned with Microsoft’s PCA2023/UEFI CA 2023 signing expectations. This streamlines the process that Microsoft’s Make2023BootableMedia scripts previously handled.
• What you must supply: a Windows 11 25H2 ISO. Rufus will not magically convert older ISOs into fully 2023-capable media; it requires the correct ISO artifacts (25H2 build artifacts). Microsoft’s Release Preview guidance and mainstream reporting confirm that 25H2 ISOs were distributed for testing and subsequently made available for general download.
• Enterprise / firmware caveats: Not all OEM firmware implementations behave identically; some systems may not trust newly injected CAs, or might require OEM firmware updates. Microsoft’s guidance emphasizes cautious rollouts, representative device testing, and monitoring (e.g., registry flags such as WindowsUEFICA2023Capable). Enterprises should treat this as a staged migration and test thoroughly.

Risk notes: creating 2023-compatible media before your fleet’s firmware has the new DB entries can still cause confusion. Conversely, writing media that is not aligned with PCA2023 and then trying to boot it on machines that only trust the 2023 CA may lead to boot failures. The safest path is: (1) verify ISO provenance, (2) use Rufus’s 2023 mode only when you have a 25H2 ISO, and (3) test on a non-production machine first.

Save an existing drive to ISO (UDF only)​

Rufus can now capture a current USB stick back into an ISO image—but currently this is limited to UDF-formatted sticks. This is valuable for archiving a configured USB key (with drivers, scripts, or additional payloads) for later redeployment or auditing. The UDF-only limitation is important: some Linux live systems and older Windows preparers use different filesystems—Rufus will only capture UDF images into ISO form. Users who need exhaustive forensic clones should continue to use block-level imaging tools when a bit-for-bit clone is required.

VHD/VHDX error reporting and long-path fixes​

Improved error messages when writing to VHD/VHDX containers will save time in diagnosing failed saves (insufficient space, locking, path issues). Rufus also addresses a crash caused by Windows ISOs that live under very long file paths—a practical fix for administrators that keep ISOs deep inside archival folder structures. These are stability and debuggability improvements that reduce wasted time.

Persistence support for Linux Mint​

Rufus continues to expand its persistence support for Linux distributions; 4.10 specifically improves behavior for Linux Mint. This is a niche but meaningful improvement for users who rely on persistent live USB sessions rather than ephemeral live media.

---

Cross-checks and verification​

The new Rufus 4.10 changelog and distribution are reported by multiple software portals and community trackers, and the Rufus project’s official pages show recent entries consistent with the 4.10 changelog. Community commentary and forum threads echo the same changelog and stress the same 25H2 / PCA2023 dependencies, which aligns with Microsoft’s own documentation about the new UEFI CA 2023 certificate and mitigation guidance. These independent confirmations reduce the risk that the reported features are spurious or mischaracterized.
However, a cautionary note remains: when Rufus introduces features that affect Secure Boot or the boot chain, administrators should validate the binary origin and integrity before deploying at scale. Always download Rufus from the official site or the project's GitHub release assets and verify checksums or code signatures where available. Community reports in the past have shown cases where unofficial packaging (e.g., third-party package repositories) created confusion about authenticity—an industry lesson worth repeating.

---

Practical, step-by-step guidance for producing 2023-compatible Windows media with Rufus 4.10​

• Obtain a genuine Windows 11 25H2 ISO from Microsoft or an authorized distribution channel. Confirm the ISO build/version matches 25H2 expectations.
• Download Rufus 4.10 from the official Rufus site or GitHub releases and verify the checksum/signature when available. Do not use untrusted mirrors.
• Plug a test USB drive (back up any data first) and launch Rufus. Choose the 25H2 ISO as the source.
• If your target firmware and intended deployment require it, enable the Windows CA 2023 compatible media option in Rufus (this option is conditional on selecting a 25H2 ISO).
• Create the media and then test the created USB on a representative device. For Secure Boot-sensitive systems, test with firmware that has received the KB updates that add the PCA2023 certificate (or with firmware updated by OEMs). Monitor boot behavior and the WindowsUEFICA2023Capable registry flag after booting into Windows to confirm the device’s state.
• For enterprise rollouts, perform a staged rollout: pilot on a small set of hardware, validate backups and BitLocker recovery keys, and then expand. Microsoft recommends staged rollouts and monitoring for compatibility before broad deployment.

---

Enterprise checklist: safe deployment of Rufus-generated 25H2 media​

• Validate ISO provenance and checksums.
• Confirm Rufus binary integrity and download from official releases.
• Back up and verify BitLocker recovery keys for test systems before applying boot or certificate changes.
• Test on representative hardware with multiple OEMs, firmware revisions, and Secure Boot configurations.
• Monitor registry and device telemetry for the “Windows UEFI CA 2023” capability states (Microsoft-provided registry indicators).
• Maintain a rollback plan: recover images, maintain alternative boot methods (network PXE, Windows PE images), or have firmware-level reconfiguration instructions from OEMs.

---

Strengths and immediate benefits​

• Convenience and reliability improvements: Rufus 4.10 consolidates multiple steps previously performed with external scripts into an intuitive UI flow, saving time for technicians. Simple fixes—dark mode, long-path crash fixes, and improved error messages—have outsized daily value.
• Better alignment with Microsoft’s security model: By supporting Windows CA 2023 media creation, Rufus helps avoid a class of boot-time failures that would otherwise occur when a device trusts only the new signing authority. This reduces friction in patching and reimaging workflows.
• Community-driven polish: The changelog reflects contributions from community members and maintainers and demonstrates that Rufus remains responsive to real-world user needs (persistence, UDF-to-ISO capture, etc.).

---

Risks, limitations, and things to watch​

• Firmware variability: OEM firmware behavior varies. Some devices may not accept the new CA or may require firmware updates from the vendor. Test before mass deployment.
• ISO dependency: The PCA2023 option requires a Windows 11 25H2 ISO. Attempting to use that mode with older ISOs or unofficial ISOs can produce incompatible media. Always use official ISOs.
• Third-party distribution risk: Downloading Rufus from unofficial packages or mirrored repositories may expose you to tampered binaries. Verify checksums and prefer official sources. Community incidents in the past have shown the dangers of unverified packages.
• Operational policy: Enterprises should ensure imaging and Secure Boot changes are coordinated with change control and firmware update policies to avoid unexpected downtime. Microsoft explicitly recommends controlled rollouts for the UEFI CA 2023 transition.

---

Final assessment​

Rufus 4.10 is a pragmatic and well-targeted release that addresses both usability (dark mode, UDF-to-ISO, persistence tweaks) and an operationally important security transition (Windows UEFI CA 2023 media creation). For technicians, the release reduces friction for modern Windows 11 deployment scenarios—particularly where Secure Boot and boot manager signing changes are concerned. The addition is timely because Microsoft has documented the PCA2023 rollout and because Windows 11 25H2 ISOs are now available for distribution and imaging; Rufus’s 4.10 support shortens the path from official ISO to firmware-compatible USB media.
That said, the new capabilities come with practical caveats: verify ISO provenance, confirm firmware compatibility, test on representative hardware, and verify Rufus binaries before mass deployment. Where Secure Boot trust anchors or boot manager revocations are involved, careful staged testing and observability (e.g., registry flags and telemetry) remain essential to avoid widespread boot or update disruptions. Microsoft’s KBs and enterprise guidance should be followed in tandem with any Rufus-based workflow change.

---

Quick reference — what to do next​

• If you’re an enthusiast or a technician: download Rufus 4.10 from the official site, verify checksums, and use the new features in a test environment. Try the dark theme and validate UDF-to-ISO captures for archival needs.
• If you manage an enterprise imaging pipeline: coordinate with firmware/OEM update plans, pilot Rufus 4.10 with a controlled set of machines, verify Microsoft’s KB guidance is applied on those devices, and then consider integrating Rufus 4.10 into your media creation pipeline once validated.

Rufus 4.10 delivers meaningful, practical improvements. It is the kind of release that will not make headlines for sweeping changes, but for the everyday reductions in friction it offers to those who create and maintain bootable media. For organizations and advanced home users navigating the Windows 11 25H2 and UEFI CA 2023 transition, Rufus 4.10 is a welcome, pragmatic tool—provided it’s used with the due caution that any Secure Boot / imaging change requires.

---

Source: Neowin Rufus 4.10 is out with dark mode, new Secure Boot certificates support, and more