
Ventoy 1.1.14 patches the UEFI CA 2023 revocation that recently bricked bootable drives across modern systems. The update swaps in a fresh secure boot shim but forces users to manually enroll a new signing key during the first boot. On the management side, the release syncs VentoyPlugson and introduces a VTOY_SECURE_BOOT_POLICY flag for tighter deployment control. If you're relying on network booting instead of physical media, the release notes also point users toward the iVentoy PXE server alternative.





Ventoy 1.1.14 Ships with Fixed Secure Boot Shim and New Key Enrollment Requirement

The latest update patches a major UEFI CA 2023 compatibility issue, though sysadmins should watch out for the manual key step.

Ventoy has pushed out version 1.1.14, finally addressing the UEFI CA 2023 revocation that broke bootable media across countless systems. The release swaps out the old secure boot shim and forces a one-time key enrollment, though it brings some welcome control options along for the ride.

If you've been juggling Ventoy drives that suddenly stopped booting on modern motherboards, you know the deal. Several firmware vendors quietly updated their trust stores in 2023, dropping support for older UEFI signing certificates. Ventoy's previous shims got caught in the crossfire.


The Patch and What It Actually Means

The new release swaps in a freshly signed shim to restore compatibility with current UEFI implementations. You'll need to manually enroll the new signing key the first time you boot a drive on an affected machine. It's a minor chore, but skipping it will lock you out until you dig through your firmware's secure boot menu.

The update is available from the official download page. The changelog also mentions a synchronized update for VentoyPlugson, the companion management utility. If you're deploying these drives across a lab, keep in mind that the manual key step adds a tiny bit of friction. At the same time, it's the only reliable way to bypass the revoked certificate without compromising trust.

Policy Controls and a Side Note on PXE

On top of that, the global control plugin now ships with a VTOY_SECURE_BOOT_POLICY option. You can use this to dictate how Ventoy handles secure boot validation across different drives. Want to force it to respect your machine's policy? You can set that. Want to bypass it entirely for testing? The flag handles that too.

The release notes also drop a quick mention of iVentoy, the PXE server project that lets you boot operating systems over a network instead of plugging in a physical drive. It supports ARM64 UEFI, x86_64, and legacy BIOS. I've tinkered with network booting long enough to know it's not for everyone. Still worth knowing if you're tired of USB fatigue.

It's a pragmatic update. Ventoy isn't trying to reinvent boot media here. They're just keeping the doors open for systems that suddenly stopped recognizing their shims. The new key enrollment is annoying for zero-touch deployments, but necessary. If you manage a bunch of modern PCs, you'll want this in your toolkit.

Ventoy 1.1.14 is available now via the official GitHub release page. Pair it with the latest VentoyPlugson update, enroll your key on first boot, and you should be back in business. See the iVentoy documentation if you want to explore the network booting alternative.