On 05/20/2026 10:11 AM, sticks wrote:
On 5/20/2026 8:50 AM, Frank Slootweg wrote:
sticks <wolverine01@charter.net> wrote:
On 5/19/2026 5:00 PM, sticks wrote:[...]
Well I'll be damned. I then did a SFC /scannow and it did find some errors and fixed them. Rebooted. Went into the event viewer and
instead of the TPM-WMI error it had 4 entries. A pre-attestation check,
a confirmation it is expected to pass attestation, TBS device identifier
has been generated, and finally "The TPM was successfully provisioned and is now ready for use."
We'll see if it error faults again.
All for naught. Back again this morning. Disappointing
Log Name:      System
Source:        Microsoft-Windows-TPM-WMI
Date:          5/20/2026 6:53:06 AM
Event ID:      1796
Description:   The Secure Boot update failed to update SBAT with error Unknown HResult Error code: 0x800700c1.
  If it's any consolation, I also get this error, twice a day, since at least 15/01/2026.
  The error comes with a "For more information, please see..." link [1],
but that only mentions Event ID 1795, not 1796. However the 'Change log' of the document implies that 1796 *is* documented. Microsoft moves in
mysterious ways! :-(
  I think that this 'Error' is nothing to worry about.
  IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we
would make Elon look like a pauper! :-)
[1] 'Secure Boot DB and DBX variable update events'
<https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>
I know I can't do much more myself, and am not too worried about it.
However, it does annoy me that the secure boot process is evidently
missing some of the available data because of the update failure. I
find it difficult to believe HP cannot figure out a way to fix this
error.
Run this in a PowerShell admin window:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
 - If the above command returns "true", then your PC is using the new certificate.
If it returns true or false, the EventViewer error is normal.
 a. can't update (thus fails) if already present or not installed
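As an added example (not code from winston's post or anywhere else in the thread): the two event IDs named above, 1795 and 1796, can be pulled from the System log in one PowerShell call, and the HRESULT quoted in the 1796 message can be decoded by the OS itself rather than looked up by hand. An HRESULT of the form 0x8007xxxx is FACILITY_WIN32, i.e. a plain Win32 error code wrapped in the low 16 bits. The function names and the 20-event default are mine; it needs an elevated session and returns nothing on a machine that has never logged these events.

```powershell
# Added example (not from the thread). Lists the Secure Boot servicing events the
# thread is discussing and decodes the HRESULT that the 1796 message carries.
# Requires an elevated session; returns nothing if the log holds no such events.

function Resolve-HResult {
    param([Parameter(Mandatory)][uint32]$HResult)
    # 0x8007xxxx is FACILITY_WIN32: the low 16 bits are a plain Win32 error code.
    # Ask the OS for the message text instead of hard-coding a lookup table.
    if (($HResult -band 0xFFFF0000) -eq 0x80070000) {
        $code = [int]($HResult -band 0xFFFF)
        $text = [System.ComponentModel.Win32Exception]::new($code).Message
        return "Win32 error $code : $text"
    }
    return ('0x{0:X8} is not a FACILITY_WIN32 HRESULT' -f $HResult)
}

function Get-SecureBootServicingEvents {
    param(
        # 1795/1796 are the IDs quoted in the thread and in the linked Microsoft article.
        [int[]]$Id = @(1795, 1796),
        [int]$MaxEvents = 20
    )
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = $Id
    }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Message text looks like "...with error Unknown HResult Error code: 0x800700c1."
        $hr = $null; $hrText = $null; $decoded = $null
        if ($e.Message -match '0x([0-9A-Fa-f]{8})') {
            $hr      = [uint32]::Parse($Matches[1], [System.Globalization.NumberStyles]::HexNumber)
            $hrText  = '0x{0:X8}' -f $hr
            $decoded = Resolve-HResult -HResult $hr
        }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Id          = $e.Id
            HResult     = $hrText
            Decoded     = $decoded
            Message     = ($e.Message -split "`r?`n")[0]   # first line only
        }
    }
}

# Usage: newest events first, then decode the code from the event quoted in the thread.
Get-SecureBootServicingEvents | Format-Table -AutoSize -Wrap
Resolve-HResult -HResult 0x800700C1
```

The twice-a-day cadence Frank mentions shows up directly in the TimeCreated column, which is a quick way to tell a scheduled retry from a one-off failure.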
On 5/20/2026 10:11 AM, ....winston wrote:
[...]
Thought I'd follow up on this. Both HP desktops have finally gotten an available BIOS update. After install, both return true to winston's PowerShell
command, and both still have the same TPM-WMI error in the event log. Still
seems a weird way to do things...
On 11/06/2026 9:58 am, Paul wrote:
On Wed, 6/10/2026 7:23 PM, sticks wrote:
<Snip>
Thought I'd follow up on this. Both HP desktops have finally
gotten an available BIOS update. After install, both return true
to winston's PowerShell command, and both still have the same
TPM-WMI error in the event log. Still seems a weird way to do
things...
Agree on the weird part.
Tried to use a Linux today, on the Secure Boot machine, and I didn't
know there was a new scheme for running a video card. There is some
trick to load a firmware into a video card, to act as the driver.
This is Not Supported on my video card, so that explains why the HD
monitor was running at 1024x768. I had to remove around 20 packages
from the package manager, ones that use the "new method", reboot,
then use the Driver Manager, and it selected some legacy driver that
does not use that method, and then the HD screen was running at
1920x1080 again.
It seems some video card company <cough>,
"video card company" .... or is MS just trying to support their Mates
.... by making YOU have to *buy* a new Computer ... or Video Card at the
very least??
--is angling for us to have to buy some of those "cheap $400 video
cards" :-) Just to have continued driver support. I would certainly
want a rich man to be able to afford another leather jacket for
presentations. The problem with schemes along these lines, is it is
going to make some laptop owners "very angry".
Thank goodness for innovation. "Wherever it strikes".
Paul
On 06/10/2026 7:58 PM, Paul wrote:
[...]
Doesn't sound like a Secure Boot issue.
How old is that Secure Boot machine that 'tried to use' Linux?
How old is its video card?
Back on topic.
@Paul and @sticks
There are other PowerShell commands in admin mode that can be run for additional information on installation/updating 2023 certs.
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo, last UEFI/BIOS March 2017, the results for the above commands are:
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
Fyi...for those interested in an explanation of DB and KEK certs
"DB (Allowed Signature Database): The list of certificates and trusted software the PC is allowed to run. The new 2023 DB certificates are used to sign modern Windows boot components."
"KEK (Key Exchange Key): Often called the "master authority." The KEK gives Microsoft (and your hardware manufacturer) the permission to update your DB and DBX (revocation) lists without requiring a full manual BIOS flash".
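As an added example (not code from winston's post): the db, KEK and dbx variables are sequences of EFI_SIGNATURE_LIST structures, each a 16-byte signature-type GUID, three UInt32 sizes, an optional header and then fixed-size EFI_SIGNATURE_DATA entries (a 16-byte owner GUID followed by the payload). Walking that layout directly gives the same subjects as the -decoded pipeline above without depending on that switch or on grepping raw bytes for an ASCII string, and it also counts the dbx entries, which are mostly SHA-256 hashes rather than certificates. The two GUID constants are from the UEFI specification; the subject strings come from the output above plus "Windows Production PCA 2011" for the CA the thread abbreviates as PCA2011; the function names are mine. Elevated session on UEFI firmware required.

```powershell
# Added example (not from winston's post). Parses the EFI_SIGNATURE_LIST structures
# in the Secure Boot variables directly, so the result does not depend on grepping
# raw bytes for an ASCII subject string or on -Decoded, and so dbx entries (mostly
# SHA-256 hashes, not certificates) are counted too. Elevated session, UEFI firmware.

# Signature type GUIDs from the UEFI specification.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootSignatureEntries {
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $off = 0
    while ($off + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST: SignatureType(16) ListSize(4) HeaderSize(4) SignatureSize(4)
        $type     = [guid]::new([byte[]]$bytes[$off..($off + 15)])
        $listSize = [int][BitConverter]::ToUInt32($bytes, $off + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($bytes, $off + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($bytes, $off + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $off + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $Name at offset $off"
        }
        $pos = $off + 28 + $hdrSize
        $end = $off + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner(16) then SignatureSize-16 bytes of payload
            $owner = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
            [byte[]]$data = $bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{
                Variable = $Name; Owner = $owner; Kind = 'Other'
                Subject = $null; Thumbprint = $null; NotAfter = $null; Sha256 = $null
            }
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Kind = 'X509'; $entry.Subject = $cert.Subject
                $entry.Thumbprint = $cert.Thumbprint; $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EfiCertSha256) {
                $entry.Kind = 'SHA256'; $entry.Sha256 = -join ($data | ForEach-Object { $_.ToString('x2') })
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $off += $listSize
    }
}

function Get-SecureBoot2023Status {
    $db  = @(Get-SecureBootSignatureEntries -Name db)
    $kek = @(Get-SecureBootSignatureEntries -Name KEK)
    $dbx = try { @(Get-SecureBootSignatureEntries -Name dbx) } catch { @() }   # dbx may be absent

    # Subjects as shown in the -decoded output in the thread; 'Windows Production PCA 2011'
    # is the CA the thread abbreviates as PCA2011, which the 2023 rollout replaces.
    [pscustomobject]@{
        SecureBootOn           = Confirm-SecureBootUEFI
        Db_WindowsUefiCa2023   = [bool]($db  | Where-Object Subject -like '*CN=Windows UEFI CA 2023,*')
        Db_OptionRomUefiCa2023 = [bool]($db  | Where-Object Subject -like '*CN=Microsoft Option ROM UEFI CA 2023,*')
        Db_MicrosoftUefiCa2023 = [bool]($db  | Where-Object Subject -like '*CN=Microsoft UEFI CA 2023,*')
        Db_WindowsPca2011      = [bool]($db  | Where-Object Subject -like '*Windows Production PCA 2011*')
        Kek_2023               = [bool]($kek | Where-Object Subject -like '*KEK 2K CA 2023*')
        DbxCertificates        = @($dbx | Where-Object Kind -eq 'X509').Count
        DbxSha256Hashes        = @($dbx | Where-Object Kind -eq 'SHA256').Count
    }
}

# Usage: the summary, then every certificate in db with its expiry and owner GUID.
Get-SecureBoot2023Status
Get-SecureBootSignatureEntries -Name db | Where-Object Kind -eq 'X509' |
    Format-Table Subject, NotAfter, Owner -AutoSize
```

These variables live in the firmware's NVRAM, so both halves of a dual-boot machine read identical db, KEK and dbx contents; what differs per OS is the boot manager it launches and the servicing events it logs. The Owner GUID on each entry records who enrolled it, which is how you tell a Microsoft-enrolled certificate from one the OEM or a user put in.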
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
[MSI] MPG B550 Gaming Plus (MS-7C56)      \
Infineon TPM 2.0                           \
Ryzen 7 5700G 8C 16T CPU                   \
BIOS version 7/13/2024  AMI 1i0            \
DDR4 RAM (four sticks)                     \
                                            \___ Both have been used for Secure Boot test.
[ASUS] ROG STRIX B550-F Gaming Wifi II     /     Secure Boot is now turned off on both.
fTPM (no header for a physical TPM 2.0)    /     They're PCA2023. One has failed a media Secure Boot
Ryzen 9 5950X 16C 32T CPU                  /     where the media was still signed with PCA2011 and
BIOS version 1/4/2026  AMI 3636            /     at a guess, that is revoked.
DDR4 RAM (four sticks)                     /

[Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
no TPM at all  (UEFI/CSM BIOS)
4930K 6C 12T   (HEDT, 42 PCIe lanes)       This machine has W10 and W11 and can test what
BIOS Version 12/24/2013  AMI 4608          miserable performance others might see. It has
DDR3 RAM (eight sticks)                    a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.
On 06/12/2026 12:42 AM, Paul wrote:
[...]
Did you run the get-securebootuefi on any of these devices or other devices (no virtual machines, but only devices with Windows 10 ESU or Win11 25H2 as the installed-to-metal o/s)?
If so, what were the results?
On Sat, 6/13/2026 9:16 PM, ....winston wrote:
[...]
Did you run the get-securebootuefi on any of these devices or other devices (no virtual machines, but only devices with Windows 10 ESU or Win11 25H2 as the installed-to-metal o/s)?
If so, what were the results?
OK, so let's do that. First I have to turn Secure Boot back on.
This will be on the 5950X. Then I can select the Win10 on the same
machine, and see what is cooking over there.
First Win11.
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at the top, and green
checkmark on the side. Text reads:
"Secure Boot is on and all required certificate updates have been applied.
No further certificate changes are needed." [SBAT status being ignored]
Yes, this is an Administrator Terminal, but currently, either "value" can show
up for the current working directory, for either terminal type.
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
# Updates were stuck on the W11, due to (apparently) the recovery partition size.
# I Resized it using a Macrium backup and restore/resize without breaking it.
PS C:\Users\bullwinkle> reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration Information:
Windows RE status: Enabled
Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
Recovery image location:
Recovery image index: 0
Custom image location:
Custom image index: 0
Windows RE Version: 10.0.26100.8455
DISKPART> list part

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            108 GB   117 MB
  Partition 5    Recovery          2068 MB   108 GB   <=== Win11 is using its Recovery Partition
  Partition 4    Primary            127 GB   110 GB   <=== Win10 is using C: for the purpose "Access is Denied"
Winver on box reads as: 26200.8655
Oh, and the box logs in without using a password (local account) :-) Don't ask me how that happened, I haven't a clue.
*******
Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
have a Recovery partition. I hope it doesn't break anything. Doing a backup before heading over...
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at the top, and green
checkmark on the side. Text reads:
"Secure boot is on, preventing malicious software from loading
when your device starts up."
"Your device meets the requirements for standard hardware security."
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\Windows\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
PS C:\Windows\system32> reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration Information:
Windows RE status: Enabled
Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE <=== this is the C: drive of W10
Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
Recovery image location:
Recovery image index: 0
Custom image location:
Custom image index: 0
REAGENTC.EXE: Operation Successful.
Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)
Box login requires password.
Paul
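As an added example (not Paul's code): the items Paul collected by hand above from msinfo32, reagentc and diskpart can be gathered from one elevated PowerShell session, including which partition holds Windows RE and how large it is (the post attributes the stuck Win11 updates to the recovery partition size), and whether WinRE sits on the OS volume as on the Win10 side of that dual boot. It assumes Windows 10/11 with the in-box Storage and TrustedPlatformModule modules; the function names are mine.

```powershell
# Added example (not Paul's code). One elevated session gathers what the post above
# collected by hand from msinfo32, Get-SecureBootUEFI, reagentc and diskpart: firmware
# mode, Secure Boot state, TPM presence, and where Windows RE lives, with the size of
# the partition holding it. Assumes Windows 10/11 with the in-box Storage and
# TrustedPlatformModule modules.

function Get-WinReLocationInfo {
    # reagentc prints text only; parse the "Windows RE location" line, e.g.
    # \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    $text = (& reagentc.exe /info 2>&1 | Out-String)
    $info = [ordered]@{
        Status = $null; Location = $null; DiskNumber = $null; PartitionNumber = $null
        PartitionType = $null; PartitionSizeMB = $null; OnOsVolume = $null
    }
    if ($text -match 'Windows RE status:\s+(\S+)')   { $info.Status   = $Matches[1] }
    if ($text -match 'Windows RE location:\s+(\S+)') { $info.Location = $Matches[1] }
    if ($info.Location -match 'harddisk(\d+)\\partition(\d+)') {
        $info.DiskNumber      = [int]$Matches[1]
        $info.PartitionNumber = [int]$Matches[2]
        $part = Get-Partition -DiskNumber $info.DiskNumber -PartitionNumber $info.PartitionNumber -ErrorAction SilentlyContinue
        if ($part) {
            $info.PartitionType   = $part.Type                     # 'Recovery', 'Basic', ...
            $info.PartitionSizeMB = [math]::Round($part.Size / 1MB)
            # WinRE can sit on the OS volume itself, as on the Win10 side of the dual boot above.
            $info.OnOsVolume = ([string]$part.DriveLetter -eq $env:SystemDrive.TrimEnd(':'))
        }
    }
    [pscustomobject]$info
}

function Get-BootSecuritySnapshot {
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }   # throws on legacy BIOS
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    $os  = Get-CimInstance Win32_OperatingSystem
    $re  = Get-WinReLocationInfo
    [pscustomobject]@{
        OS              = "$($os.Caption) build $($os.BuildNumber)"
        FirmwareType    = $env:firmware_type      # 'UEFI' or 'Legacy', set by the boot loader
        SecureBootOn    = $secureBoot
        TpmPresent      = [bool]$tpm.TpmPresent
        TpmReady        = [bool]$tpm.TpmReady
        WinReStatus     = $re.Status
        WinReDisk       = $re.DiskNumber
        WinRePartition  = $re.PartitionNumber
        WinRePartType   = $re.PartitionType
        WinRePartSizeMB = $re.PartitionSizeMB
        WinReOnOsVolume = $re.OnOsVolume
    }
}

Get-BootSecuritySnapshot | Format-List
```

Run it from each OS of a dual-boot machine and compare: FirmwareType, SecureBootOn and the TPM fields come from the shared firmware and should agree, while the WinRe fields are per-installation and are where the two sides above differ.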
Comment:
Afaik, both o/s need to be updated. When Secure Boot and TPM are present and enabled
(and if this is a dual boot, it is using the same UEFI/BIOS), it would indicate that
anything flashed into the mobo's firmware module would be common for both OSes, especially
since Secure Boot runs at the hardware level in the device's UEFI.
Paul wrote:
On Sat, 6/13/2026 9:16 PM, ....winston wrote:
On 06/12/2026 12:42 AM, Paul wrote:
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject
-match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject
-match "2023"} | Select subject
[MSI] MPG B550 Gaming Plus (MS-7C56)          \
      Infineon TPM 2.0                        \
      Ryzen 7 5700G 8C 16T CPU                \
      BIOS version 7/13/2024 AMI 1i0          \
      DDR4 RAM (four sticks)                  \
                                               \___ Both have been used for Secure Boot test.
[ASUS] ROG STRIX B550-F Gaming Wifi II        /    Secure Boot is now turned off on both.
      fTPM (no header for a physical TPM 2.0) /    They're PCA2023. One has failed a media Secure Boot
      Ryzen 9 5950X 16C 32T CPU               /    where the media was still signed with PCA2011 and
      BIOS version 1/4/2026 AMI 3636          /    at a guess, that is revoked.
      DDR4 RAM (four sticks)                  /

[Asus] P9X79 <=== used for testing non-Secure-Boot behaviors
      no TPM at all (UEFI/CSM BIOS)
      4930K 6C 12T (HEDT, 42 PCIe lanes)      This machine has W10 and W11 and can test what
      BIOS Version 12/24/2013 AMI 4608        miserable performance others might see. It has
      DDR3 RAM (eight sticks)                 a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.
Did you run the get-securebootuefi on any of these devices or other
devices(no virtual machines, but only devices with Windows 10 ESU or
Win11 25H2 as the installed to metal o/s)?
If so, what were the results?
OK, so lets do that. First I have to turn Secure Boot back on.
This will be on the 5950X. Then I can select the Win10 on the same
machine, and see what is cooking over there.
First Win11.
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at
the top, and green checkmark on the side. Text reads:
"Secure Boot is on and all required certificate
updates have been applied. No further certificate
changes are needed." [SBAT status being ignored]
Yes, this is an Administrator Terminal, but currently, either "value" can show
up for the current working directory, for either terminal type.
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
# Updates were stuck on the W11, due to (apparently) the recovery partition size.
# I resized it using a Macrium backup and restore/resize without breaking it.
PS C:\Users\bullwinkle> reagentc /info
Windows Recovery Environment (Windows RE) and system reset
configuration
Information:
Windows RE status: Enabled
Windows RE location:                      \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
Recovery image location:
Recovery image index:                     0
Custom image location:
Custom image index:                       0
Windows RE Version:                       10.0.26100.8455
DISKPART> list part

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            108 GB   117 MB
  Partition 5    Recovery          2068 MB   108 GB   <=== Win11 is using its Recovery Partition
  Partition 4    Primary            127 GB   110 GB   <=== Win10 is using C: for the purpose "Access is Denied"
Winver on box reads as: 26200.8655
Oh, and the box logs in without using a password (local account) :-)
Don't ask me how that happened, I haven't a clue.
*******
Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
have a Recovery partition. I hope it doesn't break anything. Doing a backup
before heading over...
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at
the top, and green checkmark on the side. Text reads:
"Secure boot is on, preventing malicious software
from loading when your device starts up."
"Your device meets the requirements for standard
hardware security."
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
D
PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
PS C:\Windows\system32> reagentc /info
Windows Recovery Environment (Windows RE) and system reset
configuration
Information:
Windows RE status: Enabled
Windows RE location:                      \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE   <=== this is the C: drive of W10
Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
Recovery image location:
Recovery image index:                     0
Custom image location:
Custom image index:                       0
REAGENTC.EXE: Operation Successful.
Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)
Box login requires password.
Paul
I am running Windows 11 Pro and I am on 8457. I can not get updated and downloaded the cumulative update to 8655 but it will not update. Checking Device Security reports all is fine with certificates, etc.
diskpart shows:
Partition 4 Recovery 755MB 113GB
Partition 5 Recovery 800MB 114GB
Do I need to try and increase the size of the Recovery Partitions?
I recognize this is not a lot of info.
<Bill>
On 06/11/2026 10:26 PM, sticks wrote:
On 6/11/2026 9:19 PM, ....winston wrote:
Back on topic.
@Paul and @sticks
There are other powershell commands in admin mode that can be run for
additional information on installation/updating 2023 certs.
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
For this Secure Boot enabled device(Win10 Pro ESU) with a 4th Gen
i7-4770 chip(yes, quite old) on a Asus Z87 Sabertooth mobo, last
UEFI/ Bios March 2017) the results for the above commands are:
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
Fyi...for those interested in an explanation of DB and KEK certs
"DB (Allowed Signature Database): The list of certificates and
trusted software the PC is allowed to run. The new 2023 DB
certificates are used to sign modern Windows boot components."
"KEK (Key Exchange Key): Often called the "master authority." The KEK
gives Microsoft (and your hardware manufacturer) the permission to
update your DB and DBX (revocation) lists without requiring a full
manual BIOS flash".
For the first command I only get your first entry, the second command
I get the same as yours. That ok?
With respect to CN=Microsoft Option ROM UEFI CA 2023
When not present, it can have a few reasons, the two most common in
simple answer form
- not yet deployed
- can't be deployed
One could force the attempt to deploy by changing the reg key
HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates
dword value to 0x5944 or 0x1844, exit regedit, then go to Task
Scheduler(admin mode) and run the Secure Boot scheduled task, once
done restart twice(not shutdown, restart) then recheck.
If still missing, then it's likely related to firmware limitation or missing/non-existent support from the mobo or mobo manufacturer or
another possibility - the device never had the 2011 Option ROM 2011
There is quite a bit of variation for option ROM and KEK deployment.
There are ancient 4th gen and later Intel machines(not capable of
running Win11 but running Win10 ESU) that have both Option ROM and KEK
2023 updates deployed while later devices(Intel 7th through 14th gen)
running Win11 25H2 not having one or both(Option ROM, KEK 2023)
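The two one-liners above only show subjects that happen to match "2023"; they do not tell you which of the expected CAs is missing, nor whether the 2011 signing CA has already been revoked in DBX. The script below is an added example, not code from anyone in this thread. It reads the raw db, KEK and dbx variables with Get-SecureBootUEFI, converts the bytes to ASCII and looks for each CA's common name (the same string-match approach works on older SecureBoot module versions that lack -Decoded), then reads the AvailableUpdates value under the registry key named above. The function names and the report layout are my own; the four CA names and the registry path are quoted from the thread.

```powershell
# Added example (not from any post in this thread): report which 2023 Secure Boot
# CAs are present in db/KEK, whether the 2011 Windows Production PCA is in dbx,
# and what the servicing task's AvailableUpdates value currently is.
# Run from an elevated PowerShell on a UEFI system; the cmdlets need admin rights.
#Requires -RunAsAdministrator

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Each signature database is raw EFI_SIGNATURE_LIST bytes. X.509 entries carry
    # their subject names as printable ASCII inside the DER, so an ASCII conversion
    # plus a substring match is enough to detect a named CA. This does not parse the
    # list; it only answers "does this CN appear anywhere in the variable".
    $var = Get-SecureBootUEFI -Name $Name
    return [System.Text.Encoding]::ASCII.GetString($var.Bytes)
}

function Test-SecureBoot2023Certs {
    # Subject CNs as they appear in the Get-SecureBootUEFI output posted above.
    $expected = @{
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
    }
    $report = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy/CSM firmware; treat that as "off".
    $report['SecureBootEnabled'] = try { Confirm-SecureBootUEFI } catch { $false }

    foreach ($dbName in $expected.Keys) {
        $text = Get-SecureBootVariableText -Name $dbName
        foreach ($cn in $expected[$dbName]) {
            # -like with wildcards avoids regex metacharacter surprises in the CN
            $report["${dbName}: $cn"] = ($text -like "*$cn*")
        }
    }

    # Revocation of the 2011 signing CA lands in dbx. Boot media signed only by
    # PCA 2011 fails Secure Boot once this entry is present (the media failure
    # Paul describes on his ASUS board is consistent with that).
    $dbx = Get-SecureBootVariableText -Name dbx
    $report['dbx: Microsoft Windows Production PCA 2011 revoked'] =
        ($dbx -like '*Microsoft Windows Production PCA 2011*')

    # Value the Secure Boot scheduled task consults (key path as given in the thread).
    # A missing value is reported as $null rather than as an error.
    $reg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' `
                            -Name AvailableUpdates -ErrorAction SilentlyContinue
    $report['AvailableUpdates'] = if ($reg) { '0x{0:X}' -f $reg.AvailableUpdates } else { $null }

    return [pscustomobject]$report
}

Test-SecureBoot2023Certs | Format-List
```

A machine in the state sticks reports (only "Windows UEFI CA 2023" in db, KEK 2023 present) prints True for the Windows CA and the KEK line and False for the Option ROM and Microsoft UEFI CA lines, which makes it easy to see at a glance which of winston's two cases ("not yet deployed" versus "can't be deployed") you are investigating once you have also checked the firmware vendor's support.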
On 6/14/2026 2:56 AM, ....winston wrote:
On 06/11/2026 10:26 PM, sticks wrote:
On 6/11/2026 9:19 PM, ....winston wrote:
Back on topic.
@Paul and @sticks
There are other powershell commands in admin mode that can be run
for additional information on installation/updating 2023 certs.
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
For this Secure Boot enabled device(Win10 Pro ESU) with a 4th Gen
i7-4770 chip(yes, quite old) on a Asus Z87 Sabertooth mobo, last
UEFI/ Bios March 2017) the results for the above commands are:
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
Fyi...for those interested in an explanation of DB and KEK certs
"DB (Allowed Signature Database): The list of certificates and
trusted software the PC is allowed to run. The new 2023 DB
certificates are used to sign modern Windows boot components."
"KEK (Key Exchange Key): Often called the "master authority." The
KEK gives Microsoft (and your hardware manufacturer) the permission
to update your DB and DBX (revocation) lists without requiring a
full manual BIOS flash".
For the first command I only get your first entry, the second command
I get the same as yours. That ok?
With respect to CN=Microsoft Option ROM UEFI CA 2023
When not present, it can have a few reasons, the two most common in
simple answer form
- not yet deployed
- can't be deployed
One could force the attempt to deploy by changing the reg key
HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates
dword value to 0x5944 or 0x1844, exit regedit, then go to Task
Scheduler(admin mode) and run the Secure Boot scheduled task, once
done restart twice(not shutdown, restart) then recheck.
If still missing, then it's likely related to firmware limitation or
missing/non-existent support from the mobo or mobo manufacturer or
another possibility - the device never had the 2011 Option ROM 2011
There is quite a bit of variation for option ROM and KEK deployment.
There are ancient 4th gen and later Intel machines(not capable of
running Win11 but running Win10 ESU) that have both Option ROM and KEK
2023 updates deployed while later devices(Intel 7th through 14th gen)
running Win11 25H2 not having one or both(Option ROM, KEK 2023)
Mine is an intel core ultra 5 225 (arrow lake) processor which I think
is 2nd gen for the arrow lake, but it shows a launch date of Q1 2025 so
I assume these ultra processors would be considered a later device and
this is normal.
On 06/16/2026 9:05 AM, sticks wrote:
On 6/14/2026 2:56 AM, ....winston wrote:
On 06/11/2026 10:26 PM, sticks wrote:
On 6/11/2026 9:19 PM, ....winston wrote:
Back on topic.
@Paul and @sticks
There are other powershell commands in admin mode that can be run
for additional information on installation/updating 2023 certs.
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
For this Secure Boot enabled device(Win10 Pro ESU) with a 4th Gen
i7-4770 chip(yes, quite old) on a Asus Z87 Sabertooth mobo, last
UEFI/ Bios March 2017) the results for the above commands are:
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
Fyi...for those interested in an explanation of DB and KEK certs
"DB (Allowed Signature Database): The list of certificates and
trusted software the PC is allowed to run. The new 2023 DB
certificates are used to sign modern Windows boot components."
"KEK (Key Exchange Key): Often called the "master authority." The
KEK gives Microsoft (and your hardware manufacturer) the permission
to update your DB and DBX (revocation) lists without requiring a
full manual BIOS flash".
For the first command I only get your first entry, the second
command I get the same as yours. That ok?
With respect to CN=Microsoft Option ROM UEFI CA 2023
When not present, it can have a few reasons, the two most common in
simple answer form
- not yet deployed
- can't be deployed
One could force the attempt to deploy by changing the reg key
HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates
dword value to 0x5944 or 0x1844, exit regedit, then go to Task
Scheduler(admin mode) and run the Secure Boot scheduled task, once
done restart twice(not shutdown, restart) then recheck.
If still missing, then it's likely related to firmware limitation or
missing/non-existent support from the mobo or mobo manufacturer or
another possibility - the device never had the 2011 Option ROM 2011
There is quite a bit of variation for option ROM and KEK deployment.
There are ancient 4th gen and later Intel machines(not capable of
running Win11 but running Win10 ESU) that have both Option ROM and
KEK 2023 updates deployed while later devices(Intel 7th through 14th
gen) running Win11 25H2 not having one or both(Option ROM, KEK 2023)
Mine is an intel core ultra 5 225 (arrow lake) processor which I think
is 2nd gen for the arrow lake, but it shows a launch date of Q1 2025
so I assume these ultra processors would be considered a later device
and this is normal.
intel core ultra 5 225 - typically not classified with numerical gen
level. Instead of '2nd gen' it was classified iirc as Series 2.
Release wise, its performance is plus or minus around the same point
and time as 14th Gen...better than 14th gen budget chips and worse than
14th gen mid-range.
- a good choice for a large quantity end-user consumer devices
On Mon, 6/15/2026 1:22 PM, Bill Bradshaw wrote:
Paul wrote:
On Sat, 6/13/2026 9:16 PM, ....winston wrote:
On 06/12/2026 12:42 AM, Paul wrote:
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
[MSI] MPG B550 Gaming Plus (MS-7C56)          \
      Infineon TPM 2.0                        \
      Ryzen 7 5700G 8C 16T CPU                \
      BIOS version 7/13/2024 AMI 1i0          \
      DDR4 RAM (four sticks)                  \
                                               \___ Both have been used for Secure Boot test.
[ASUS] ROG STRIX B550-F Gaming Wifi II        /    Secure Boot is now turned off on both.
      fTPM (no header for a physical TPM 2.0) /    They're PCA2023. One has failed a media Secure Boot
      Ryzen 9 5950X 16C 32T CPU               /    where the media was still signed with PCA2011 and
      BIOS version 1/4/2026 AMI 3636          /    at a guess, that is revoked.
      DDR4 RAM (four sticks)                  /

[Asus] P9X79 <=== used for testing non-Secure-Boot behaviors
      no TPM at all (UEFI/CSM BIOS)
      4930K 6C 12T (HEDT, 42 PCIe lanes)      This machine has W10 and W11 and can test what
      BIOS Version 12/24/2013 AMI 4608        miserable performance others might see. It has
      DDR3 RAM (eight sticks)                 a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.
Did you run the get-securebootuefi on any of these devices or other
devices(no virtual machines, but only devices with Windows 10 ESU
or Win11 25H2 as the installed to metal o/s)?
If so, what were the results?
OK, so lets do that. First I have to turn Secure Boot back on.
This will be on the 5950X. Then I can select the Win10 on the same
machine, and see what is cooking over there.
First Win11.
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at
the top, and green checkmark on the side. Text
reads:
"Secure Boot is on and all required certificate
updates have been applied. No further certificate
changes are needed." [SBAT status being ignored]
Yes, this is an Administrator Terminal, but currently, either "value" can show
up for the current working directory, for either terminal type.
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
# Updates were stuck on the W11, due to (apparently) the recovery partition size.
# I resized it using a Macrium backup and restore/resize without breaking it.
PS C:\Users\bullwinkle> reagentc /info
Windows Recovery Environment (Windows RE) and system reset
configuration
Information:
Windows RE status: Enabled
Windows RE location:                      \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
Recovery image location:
Recovery image index:                     0
Custom image location:
Custom image index:                       0
Windows RE Version:                       10.0.26100.8455
DISKPART> list part

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            108 GB   117 MB
  Partition 5    Recovery          2068 MB   108 GB   <=== Win11 is using its Recovery Partition
  Partition 4    Primary            127 GB   110 GB   <=== Win10 is using C: for the purpose "Access is Denied"
Winver on box reads as: 26200.8655
Oh, and the box logs in without using a password (local account) :-)
Don't ask me how that happened, I haven't a clue.
*******
Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
have a Recovery partition. I hope it doesn't break anything. Doing a backup
before heading over...
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at
the top, and green checkmark on the side. Text
reads:
"Secure boot is on, preventing malicious software
from loading when your device starts up."
"Your device meets the requirements for standard
hardware security."
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
D
PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
PS C:\Windows\system32> reagentc /info
Windows Recovery Environment (Windows RE) and system reset
configuration
Information:
Windows RE status: Enabled
Windows RE location:                      \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE   <=== this is the C: drive of W10
Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
Recovery image location:
Recovery image index:                     0
Custom image location:
Custom image index:                       0
REAGENTC.EXE: Operation Successful.
Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)
Box login requires password.
Paul
I am running Windows 11 Pro and I am on 8457. I can not get updated
and downloaded the cumulative update to 8655 but it will not update.
Checking Device Security reports all is fine with certificates, etc.
diskpart shows:
Partition 4 Recovery 755MB 113GB
Partition 5 Recovery 800MB 114GB
Do I need to try and increase the size of the Recovery Partitions?
I recognize this is not a lot of info.
<Bill>
701,193,948  19 May 2026   (Win11 2.02GB Recovery partition contents)   Used TestDisk 7.0 for a quick look
571,237,983  15-Jun-2026   (Win10 C:\Recovery\WindowsRE contents)        Also via using TestDisk 7 to get around permissions.
                                                                         (This Win10 is the OS that doesn't have its own Recovery Partition.)
Neither of these seems large enough to be held up by my partition dimensions,
unless it is the "amount of margin" the scheme uses for updates. It doesn't
just jam in the 701 thing and see if it fits, it takes the in-coming size, adds
a couple hundred meg and checks whether that will fit.
I made the room for the 701 one as 2.02GB, just because I wanted the job
done and then on to the next thing.
When an update does not go in, it is held in a waiting area in the
root of C: and the folder has a dollar sign in it. This is the state
of my "already-installed" one on Win11 (it's also in the 2.02GB
Recovery partition).
C:\$WinREAgent
    Rollback\
    Scratch\
    Backup\
    winre.wim      701,193,948   19 May 2026
    boot.sdi         3,170,304   14 June 2026
    ReAgent.xml          1,109   14 June 2026
    location.txt
        [WinRE Location]
        Partition offset=117890351104          <=== booby trap equipped... (when you cannot figure out why it Disabled itself)
        Relative path=\Recovery\WindowsRE
        OS Guid={8F4FA72F-3780-11EF-8CE3-B963A4DCEB9A}
And normally, where that is stored, it will have some
permissions to annoy you. For some reason right now, I
can get into the Backup folder without using TestDisk :-)
If your attempt to update it has failed, one of the places
it could currently be waiting is C:\$WinREAgent , but it has
more hidey holes than that.
Paul
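Paul's point is that the servicing stack compares the incoming winre.wim size plus some margin against the free space on the WinRE partition, not the partition's nominal size. The script below is an added example, not code from Paul or anyone else in this thread: it parses the "Windows RE location" line from reagentc /info for the disk and partition numbers, looks up that partition's free space (recovery partitions have no drive letter, so it goes through the partition object), finds any winre.wim staged under C:\$WinREAgent, and reports whether free space covers wim plus margin. The 250 MB default margin is my assumption standing in for the "couple hundred meg" Paul describes; the function names are mine.

```powershell
# Added example (not from any post in this thread). Compares free space on the
# WinRE partition with the size of a staged winre.wim plus a safety margin.
# Run from an elevated PowerShell; reagentc and Get-Partition need admin rights.
#Requires -RunAsAdministrator

function ConvertFrom-ReagentcInfo {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Pull disk/partition numbers out of the GLOBALROOT path reagentc prints, e.g.
    #   \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    # The same parser handles Paul's Win10 case, where the path points at C: itself.
    $info = [ordered]@{ Enabled = $false; DiskNumber = $null; PartitionNumber = $null; Path = $null }
    foreach ($line in $Lines) {
        if ($line -match 'Windows RE status:\s*(\w+)') { $info.Enabled = ($Matches[1] -eq 'Enabled') }
        if ($line -match 'harddisk(\d+)\\partition(\d+)(\\\S*)?') {
            $info.DiskNumber      = [int]$Matches[1]
            $info.PartitionNumber = [int]$Matches[2]
            $info.Path            = $Matches[0]
        }
    }
    return [pscustomobject]$info
}

function Test-WinRePartitionHeadroom {
    # Assumption: 250 MB of headroom on top of the incoming image. Tune to taste.
    param([int64]$MarginBytes = 250MB)

    $re = ConvertFrom-ReagentcInfo -Lines (reagentc /info)
    if (-not $re.Enabled -or $null -eq $re.PartitionNumber) {
        return [pscustomobject]@{ Status = 'WinRE disabled or location not found'; Ok = $false }
    }

    $part = Get-Partition -DiskNumber $re.DiskNumber -PartitionNumber $re.PartitionNumber
    $vol  = $part | Get-Volume

    # A pending WinRE update is staged under C:\$WinREAgent (location per Paul's
    # post). Single quotes keep the $ literal. Missing folder is not an error.
    $staged = Get-ChildItem -Path 'C:\$WinREAgent' -Filter winre.wim -Recurse -Force `
                            -ErrorAction SilentlyContinue |
              Sort-Object Length -Descending | Select-Object -First 1
    $needed = if ($staged) { $staged.Length + $MarginBytes } else { $MarginBytes }

    [pscustomobject]@{
        WinRePath       = $re.Path
        PartitionSizeMB = [math]::Round($part.Size / 1MB)
        FreeMB          = [math]::Round($vol.SizeRemaining / 1MB)
        StagedWimMB     = if ($staged) { [math]::Round($staged.Length / 1MB) } else { 0 }
        NeededMB        = [math]::Round($needed / 1MB)
        Ok              = ($vol.SizeRemaining -ge $needed)
    }
}

Test-WinRePartitionHeadroom | Format-List
```

On a layout like Bill's (755 MB and 800 MB recovery partitions) with a 701 MB winre.wim waiting in C:\$WinREAgent, FreeMB will come out well below NeededMB and Ok will be False, which is the condition Paul worked around by enlarging his partition to 2.02 GB; ConvertFrom-ReagentcInfo can also be fed a pasted reagentc transcript from another machine if you want to reason about it offline.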
On 6/16/2026 9:35 AM, ....winston wrote:
On 06/16/2026 9:05 AM, sticks wrote:
On 6/14/2026 2:56 AM, ....winston wrote:
On 06/11/2026 10:26 PM, sticks wrote:
On 6/11/2026 9:19 PM, ....winston wrote:
Back on topic.
@Paul and @sticks
There are other powershell commands in admin mode that can be run
for additional information on installation/updating 2023 certs.
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
For this Secure Boot enabled device(Win10 Pro ESU) with a 4th Gen
i7-4770 chip(yes, quite old) on a Asus Z87 Sabertooth mobo, last
UEFI/ Bios March 2017) the results for the above commands are:
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US
Fyi...for those interested in an explanation of DB and KEK certs
"DB (Allowed Signature Database): The list of certificates and
trusted software the PC is allowed to run. The new 2023 DB
certificates are used to sign modern Windows boot components."
"KEK (Key Exchange Key): Often called the "master authority." The
KEK gives Microsoft (and your hardware manufacturer) the
permission to update your DB and DBX (revocation) lists without
requiring a full manual BIOS flash".
For the first command I only get your first entry, the second
command I get the same as yours. That ok?
With respect to CN=Microsoft Option ROM UEFI CA 2023
When not present, it can have a few reasons, the two most common in
simple answer form
- not yet deployed
- can't be deployed
One could force the attempt to deploy by changing the reg key
HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates
dword value to 0x5944 or 0x1844, exit regedit, then go to Task
Scheduler(admin mode) and run the Secure Boot scheduled task, once
done restart twice(not shutdown, restart) then recheck.
If still missing, then it's likely related to firmware limitation or
missing/non-existent support from the mobo or mobo manufacturer or
another possibility - the device never had the 2011 Option ROM 2011
There is quite a bit of variation for option ROM and KEK deployment.
There are ancient 4th gen and later Intel machines(not capable of
running Win11 but running Win10 ESU) that have both Option ROM and
KEK 2023 updates deployed while later devices(Intel 7th through 14th
gen) running Win11 25H2 not having one or both(Option ROM, KEK 2023)
Mine is an intel core ultra 5 225 (arrow lake) processor which I
think is 2nd gen for the arrow lake, but it shows a launch date of Q1
2025 so I assume these ultra processors would be considered a later
device and this is normal.
intel core ultra 5 225 - typically not classified with numerical gen
level. Instead of '2nd gen' it was classified iirc as Series 2.
Release wise, its performance is plus or minus around the same point
and time as 14th Gen...better than 14th gen budget chips and worse
than 14th gen mid-range.
- a good choice for a large quantity end-user consumer devices
I'm fine with the processor for what I use this machine for. My
question though was to make sure I understand your answer above about
later devices not having those other lines on the powershell result:
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
These two lines I don't get. I only get the Windows one:
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
For the later machines this is normal, right?
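The check-and-redeploy procedure described above (look for the three 2023 DB certs and the 2023 KEK, then set AvailableUpdates, run the Secure Boot scheduled task and restart twice), as an added example script that is not code from anyone in the thread. It uses the same Get-SecureBootUEFI -Decoded call shown later in the thread, and the 0x5944 / 0x1844 values quoted above. The task path \Microsoft\Windows\PI\Secure-Boot-Update is an assumption (the thread only says "the Secure Boot scheduled task"), and the list of expected subjects is taken from the output posted in this thread. Nothing is written unless -ForceDeploy is given.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell window.
# Reports which 2023 Secure Boot CAs are present in DB and KEK, shows the current
# AvailableUpdates value, and (only with -ForceDeploy) applies the thread's
# procedure: set AvailableUpdates, start the Secure Boot task, then restart twice.
param(
    [switch]$ForceDeploy,
    [ValidateSet(0x5944, 0x1844)][int]$UpdateValue = 0x5944   # values quoted in the thread
)

# Subjects taken from the get-securebootuefi output posted in this thread.
$expected = @{
    DB  = @('CN=Windows UEFI CA 2023',
            'CN=Microsoft Option ROM UEFI CA 2023',
            'CN=Microsoft UEFI CA 2023')
    KEK = @('CN=Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBoot2023Status {
    # One row per expected certificate: 'present' or 'MISSING' in the live UEFI variable.
    $result = [ordered]@{}
    foreach ($var in 'DB', 'KEK') {
        $subjects = Get-SecureBootUEFI -Name $var -Decoded | ForEach-Object { $_.Subject }
        foreach ($e in $expected[$var]) {
            $present = [bool]($subjects | Where-Object { $_ -like "$e*" })
            $result["$var : $e"] = if ($present) { 'present' } else { 'MISSING' }
        }
    }
    [pscustomobject]$result
}

$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'   # key named in the thread
$current = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
'Secure Boot enabled : {0}' -f (Confirm-SecureBootUEFI)
'AvailableUpdates    : 0x{0:X}' -f [int]$current
Get-SecureBoot2023Status | Format-List

if ($ForceDeploy) {
    Set-ItemProperty -Path $regPath -Name AvailableUpdates -Value $UpdateValue -Type DWord
    # Task path is an assumption; the thread only says "the Secure Boot scheduled task".
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
    Start-ScheduledTask -InputObject $task
    Write-Host 'Task started. Restart (not shut down) twice, then rerun this script without -ForceDeploy.'
}
```

Run it once without -ForceDeploy to get a baseline; if the Option ROM or Microsoft UEFI CA rows stay MISSING after the forced attempt and two restarts, the thread's caveat applies: the firmware or board vendor most likely does not support those entries, and a BIOS update or a Secure Boot key reset in the UEFI setup is the next thing to try, not another registry poke.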
Paul wrote:
On Mon, 6/15/2026 1:22 PM, Bill Bradshaw wrote:
Paul wrote:
On Sat, 6/13/2026 9:16 PM, ....winston wrote:
On 06/12/2026 12:42 AM, Paul wrote:
get-securebootuefi -decoded -name DB | Where-Object {$_.Subject
-match "2023"} | Select subject
get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

[MSI] MPG B550 Gaming Plus (MS-7C56)              \
      Infineon TPM 2.0                            \
      Ryzen 7 5700G 8C 16T CPU                    \
      BIOS version 7/13/2024 AMI 1i0              \
      DDR4 RAM (four sticks)                      \
                                                   \___ Both have been used for Secure Boot test.
[ASUS] ROG STRIX B550-F Gaming Wifi II            /    Secure Boot is now turned off on both.
       fTPM (no header for a physical TPM 2.0)    /    They're PCA2023. One has failed a media Secure Boot
       Ryzen 9 5950X 16C 32T CPU                  /    where the media was still signed with PCA2011 and
       BIOS version 1/4/2026 AMI 3636             /    at a guess, that is revoked.
       DDR4 RAM (four sticks)                     /

[Asus] P9X79                                      <=== used for testing non-Secure-Boot behaviors
       no TPM at all (UEFI/CSM BIOS)
       4930K 6C 12T (HEDT, 42 PCIe lanes)         This machine has W10 and W11 and can test what
       BIOS Version 12/24/2013 AMI 4608           miserable performance others might see. It has
       DDR3 RAM (eight sticks)                    a mixture of HDD and SSDs for test. Mouse
                                                  click to response, takes 1 second.
Did you run the get-securebootuefi on any of these devices or other
devices(no virtual machines, but only devices with Windows 10 ESU
or Win11 25H2 as the installed to metal o/s)?
If so, what were the results?
OK, so lets do that. First I have to turn Secure Boot back on.
This will be on the 5950X. Then I can select the Win10 on the same
machine, and see what is cooking over there.
First Win11.
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at
the top, and green checkmark on the side. Text
reads:
"Secure Boot is on and all required certificate
updates have been applied. No further certificate
changes are needed." [SBAT status being ignored]
Yes, this is an Administrator Terminal, but currently, either "value" can show
up for the current working directory, for either terminal type.
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
C=US
# Updates were stuck on the W11, due to (apparently) the recovery partition size.
# I resized it using a Macrium backup and restore/resize without breaking it.

PS C:\Users\bullwinkle> reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:
    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0

Windows RE Version: 10.0.26100.8455

DISKPART> list part

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    System             100 MB  1024 KB
  Partition 2    Reserved            16 MB   101 MB
  Partition 3    Primary            108 GB   117 MB
  Partition 5    Recovery          2068 MB   108 GB   <=== Win11 is using its Recovery Partition
  Partition 4    Primary            127 GB   110 GB   <=== Win10 is using C: for the purpose "Access is Denied"

Winver on box reads as: 26200.8655

Oh, and the box logs in without using a password (local account) :-) Don't
ask me how that happened, I haven't a clue.
*******
Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
have a Recovery partition. I hope it doesn't break anything. Doing a backup
before heading over...
msinfo32 (as administrator)
BIOS Mode: UEFI
Secure Boot State: ON
PCR7 Configuration: Binding Possible
Device Security
Secure Boot - Looks like a power button circle, with the tick at
the top, and green checkmark on the side. Text
reads:
"Secure boot is on, preventing malicious software
from loading when your device starts up."
"Your device meets the requirements for standard
hardware security."
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
Where-Object {$_.Subject -match "2023"} | Select subject
Subject
-------
CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
C=US
PS C:\Windows\system32> reagentc /info
Windows Recovery Environment (Windows RE) and system reset configuration
Information:
    Windows RE status:         Enabled
    Windows RE location:       \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE   <=== this is the C: drive of W10
    Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index:      0
    Custom image location:
    Custom image index:        0
REAGENTC.EXE: Operation Successful.

Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)
Box login requires password.
Paul
I am running Windows 11 Pro and I am on 8457. I can not get updated
and downloaded the cumulative update to 8655 but it will not update.
Checking Device Security reports all is fine with certificates, etc.
diskpart shows:
Partition 4 Recovery 755MB 113GB
Partition 5 Recovery 800MB 114GB
Do I need to try and increase the size of the Recovery Partitions?
I recognize this is not a lot of info.
<Bill>
701,193,948  19 May 2026    (Win11 2.02GB Recovery partition contents) Used TestDisk 7.0 for a quick look
571,237,983  15-Jun-2026    (Win10 C:\Recovery\WindowsRE contents) Also via using TestDisk 7 to get
                            around permissions. (This Win10 is the OS that doesn't have its own Recovery Partition.)

Neither of these seems large enough to be held up by my partition dimensions,
unless it is the "amount of margin" the scheme uses for updates. It doesn't
just jam in the 701 thing and see if it fits, it takes the in-coming size, adds
a couple hundred meg and checks whether that will fit.

I made the room for the 701 one as 2.02GB, just because I wanted the job
done and then on to the next thing.
When an update does not go in, it is held in a waiting area in the
root of C: and the folder has a dollar sign in it. This is the state
of my "already-installed" one on Win11 (it's also in the 2.02GB
Recovery partition).

C:\$WinREAgent
    Rollback\
    Scratch\
    Backup\
    winre.wim       701,193,948   19 May 2026
    boot.sdi          3,170,304   14 June 2026
    ReAgent.xml           1,109   14 June 2026
    location.txt
        [WinRE Location]
        Partition offset=117890351104        <=== booby trap equipped... (when you cannot
        Relative path=\Recovery\WindowsRE         figure out why it Disabled itself)
        OS Guid={8F4FA72F-3780-11EF-8CE3-B963A4DCEB9A}

And normally, where that is stored, it will have some permissions to annoy
you. For some reason right now, I can get into the Backup folder without
using TestDisk :-)

If your attempt to update it has failed, one of the places it could
currently be waiting is C:\$WinREAgent , but it has more hidey holes than that.
Paul
I got the computer updated to 8655. I installed the downloaded cumulative update 5094126. Checked secure boot was on and all certificates had been applied. Shutdown and restarted the computer and ran the cumulative update 5094126 downloaded file and then checked and I was on 8655. So all is good for now. I have enlarged recovery partitions in the past so I will look at this. Fingers crossed.
<Bill>
For the later machines this is normal, right?
As noted before, variation exists.
Not all devices 'get' everything...and that is 'normal'.
Failure to deploy Option ROM and Microsoft UEFI certs is 'normally'/typically caused by existing device hardware/firmware limitation.
Two approaches may offer subsequent deployment of those two certs.
  1. Updating the firmware (OEM or mobo manufacturer UEFI/BIOS)
  2. Resetting Secure Boot in the UEFI/BIOS (Restoring Factory or Installing Default Secure Boot Keys)
  One or both may provide deployment of the 2023 cert keys on next restart (after the Scheduled task runs, and two restarts).
Whatever the end result...it would still be normal (the same condition
before #1/#2, after 1/2, or doing nothing).
On 6/16/2026 1:31 PM, ....winston wrote:
Thank you.  Only thing I will do now is just check occasionally for
another bios update.  It sounds like the rest will all work out.
You're welcome...in the meantime, fix your dual, and unnecessary two Recovery partitions using diskpart or 3rd party tools.
...and ensure you have a backup or know how to obtain winre.wim.
On 6/16/2026 7:12 PM, ....winston wrote:
I think you've got me mixed up with Bill in an offshoot of this thread.
You and Paul helped me fix my winre issues awhile ago when the
difficulties first began.  Jeeze, that must be a couple years back by now.
On 06/16/2026 12:26 PM, Bill Bradshaw wrote:
I got the computer updated to 8655. I installed the downloaded
cumulative update 5094126. Checked secure boot was on and all
certificates had been applied. Shutdown and restarted the computer
and ran the cumulative update 5094126 downloaded file and then
checked and I was on 8655. So all is good for now. I have enlarged
recovery partitions in the past so I will look at this. Fingers
crossed. <Bill>
Progress!
Ensure if resizing the active Recovery Partition, the correct partition is chosen.
...and only one is necessary. If both are adjacent to each other (e.g.
partition 4 and 5, 4 is likely your active Recovery partition), then no
shrinkage of C: (Partition #3 likely) would be necessary - just remove the
unused Recovery partition, disable the current, and recreate the new with the
entire available space (1555 MB) or shrink C by 493 MB and create a 2048 MB
(2GB) Recovery partition.
Those earlier requests for more data and pictures may still apply so
interested parties can get a better idea of current condition and provide
better and more accurate input, suggestions, or cautions.
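The sizing question running through this part of the thread (which partition is the active WinRE, how much room it has, and whether a staged winre.wim plus the margin the updater wants will fit) as an added example script that is nobody's code from the thread. It parses the same `reagentc /info` output Paul posted (English-language output is assumed), looks for a pending image in C:\$WinREAgent as described above or else the copy under System32\Recovery, and treats a 250 MB margin as an assumption standing in for the "couple hundred meg" mentioned earlier. It reads only; it does not resize anything.

```powershell
# Added example, not code from the thread. Run in an elevated PowerShell window.
# Locates the active WinRE partition from reagentc /info, reports its free
# space, and checks whether winre.wim plus a margin would fit. The 250 MB margin
# is an assumption (the thread says "a couple hundred meg"); the staged-image
# path C:\$WinREAgent\winre.wim follows the thread.
param([int]$MarginMB = 250)

function Get-WinRELocation {
    # reagentc prints the location as \\?\GLOBALROOT\device\harddiskN\partitionM\...
    $info = (reagentc /info 2>&1) -join "`n"
    if ($info -notmatch 'Windows RE status:\s+Enabled') {
        throw "WinRE is not enabled; nothing to size.`n$info"
    }
    if ($info -notmatch 'harddisk(\d+)\\partition(\d+)') {
        throw "Could not find a harddiskN\partitionM path in reagentc output.`n$info"
    }
    [pscustomobject]@{ Disk = [int]$Matches[1]; Partition = [int]$Matches[2] }
}

function Get-StagedWinREImage {
    # Prefer a pending image in C:\$WinREAgent (where a failed update waits per the
    # thread), else the offline copy Windows keeps under System32\Recovery.
    $paths = @(
        (Join-Path $env:SystemDrive '$WinREAgent\winre.wim'),
        (Join-Path $env:SystemRoot  'System32\Recovery\winre.wim')
    )
    foreach ($p in $paths) {
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($f) { return $f }
    }
    return $null
}

$loc  = Get-WinRELocation
$part = Get-Partition -DiskNumber $loc.Disk -PartitionNumber $loc.Partition
$vol  = $part | Get-Volume
# GPT recovery partitions carry the Microsoft recovery type GUID; MBR ones report Type 'Recovery'.
# Paul's Win10 case (WinRE living on C:) shows up here as IsRecoveryPartition = False.
$isRecoveryType = ($part.GptType -eq '{de94bba4-06d1-4d40-a16d-41ae26b5e1db}') -or ($part.Type -eq 'Recovery')
$wim = Get-StagedWinREImage

$report = [ordered]@{
    Disk                = $loc.Disk
    Partition           = $loc.Partition
    IsRecoveryPartition = $isRecoveryType
    OnSystemDrive       = ($part.DriveLetter -eq $env:SystemDrive.TrimEnd(':'))
    SizeMB              = [math]::Round($part.Size / 1MB)
    FreeMB              = [math]::Round($vol.SizeRemaining / 1MB)
}
if ($wim) {
    # The thread's description of the updater: incoming size plus a margin must fit.
    $needed = $wim.Length + ($MarginMB * 1MB)
    $report.WinREImage = $wim.FullName
    $report.ImageMB    = [math]::Round($wim.Length / 1MB)
    $report.NeededMB   = [math]::Round($needed / 1MB)
    $report.Fits       = ($vol.SizeRemaining -ge $needed)
} else {
    $report.Fits = 'unknown (no winre.wim found in the expected places)'
}
[pscustomobject]$report
```

If Fits comes back False on a dedicated recovery partition, that is the situation Paul describes: the update stays parked in C:\$WinREAgent until the partition is enlarged (or, with two adjacent recovery partitions as in Bill's case, the unused one is removed and the remaining one recreated with the combined space). When WinRE is on C: the FreeMB figure is simply the system drive's free space and partition size is not the constraint.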
....winston wrote:
I thought having 2 recoveries was strange. My other computers have 2 GB recovery partitions.
Thanks for the advice.
<Bill>