I purchased a Lenovo ThinkPad T14 Gen 5 laptop from the Lenovo Outlet last week. As part of the setup, I upgraded the BIOS from 1.14 to 1.15. I started getting the message “System has self-healed by restoring BIOS from backup” on every boot.
For some reason, turning Boot Mode from Quick to Diagnostics, then back to Quick, stopped the self-healing message. But then I noticed that Secure Boot was not enabled. I’m not sure if it came that way or if it got disabled during the BIOS upgrade. I enabled Secure Boot in the BIOS, but then every boot showed this message with Error code 0xc000000f:
![After enabling secure boot 01_thumb[3]](https://www.mcbsys.com/wp-content/uploads/2025/08/After-enabling-secure-boot-01_thumb3.png "After enabling secure boot 01_thumb[3]")
If I pressed Esc, the OS would load, but something wasn’t right.
ChatGPT took me down lots of dead-end paths, but it did help me discover an anomaly. There are two copies of bootmgfw.efi on a system, one in the EFI partition and one on the main partition under C:\Windows. The anomaly was that these were different. Both had valid Microsoft digital signatures, but the one in the EFI partition was signed with a certificate that expired last year on October 10, 2024. To check and fix that from the OS:
1. From an administrative command prompt, mount the EFI system partition as drive T:, then copy the bootmgfw.efi file to the local drive so you can access it from Windows Explorer.
mountvol T: /s
copy T:\EFI\Microsoft\Boot\bootmgfw.efi C:\temp
2. In Windows Explorer, right-click on C:\temp\bootmgfw.efi and select Properties. On the Digital Signatures tab, highlight the signature and click Details. Note the Signing time. Click View Certificate and note the Valid from/to dates. You might also check the Certification Path tab to confirm that the certificate was issued by Microsoft.
3. Now check the same things on this file: C:\Windows\Boot\EFI\bootmgfw.efi.
In this case, I found that bootmgfw.efi on the EFI partition was older and signed by an now-expired certificate.
4. (At your own risk!) Run
bcdboot C:\Windows /s T: /f UEFI
to update the record in the EFI partition from the one in C:\Windows.
After that, I was able to reboot without getting the 0xc000000f error.
I had downgraded the Lenovo BIOS to 1.14 to try to fix the certificate error. That hadn’t helped, but after the EFI repair, I upgraded the BIOS and I was still able to boot in Secure Mode without error.
Interestingly, at this point, the bootmgfw.efi certificates are again slightly different, though both still current. My guess is that my bcdboot command above updated the EFI partition from Windows, then the BIOS update replaced that update with a slightly older version.
My current T:\EFI\Microsoft\Boot\bootmgfw.efi was signed June 13, 2025 by a certificate that is valid through May 15, 2026:
![Laptop EFI 2_thumb[2]](https://www.mcbsys.com/wp-content/uploads/2025/08/Laptop-EFI-2_thumb2.png "Laptop EFI 2_thumb[2]")
The C:\Windows\Boot\EFI\bootmgfw.efi file (in Windows 11 23H2 with the August 2025 cumulative update applied) was signed July 30, 2025 with a certificate that is valid until June 17, 2026.
My guess is that the Lenovo Outlet imaged this refurbished PC with an older EFI record. A certificate that expired in 2024 is not necessarily invalid for Windows 11 23H2, but it seemed to cause problems with Secure Boot. Somehow the BIOS upgrade to 1.15 failed to update the EFI—perhaps because Secure Boot was not enabled. Once I used bcdboot to update the EFI partition, Secure Boot was fixed and the BIOS upgrade worked.
A Note on Self-Healing
I’m not clear how the Lenovo BIOS self-healing feature works. This message as part of a BIOS upgrade seems normal—it’s updating the self-healing image:
This message occurring on each boot does not seem normal—it should not have to self-heal to boot every time:
Related Post
I’ve blogged about the dreaded INACCESSBILE BOOT DEVICE message here.