• Re: Microsoft intends to kill your computer, no Secure Boot updates for you.

    From sticks@wolverine01@charter.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Wed Jun 10 18:23:49 2026
    From Newsgroup: alt.comp.os.windows-11

    On 5/20/2026 10:11 AM, ....winston wrote:
    On 05/20/2026 10:11 AM, sticks wrote:
    On 5/20/2026 8:50 AM, Frank Slootweg wrote:
    sticks <wolverine01@charter.net> wrote:
    On 5/19/2026 5:00 PM, sticks wrote:
    [...]
    Well I'll be damned. I then did an SFC /scannow and it did find some
    errors and fixed them. Rebooted. Went into the event viewer and
    instead of the TPM-WMI error it had 4 entries. A pre-attestation check,
    a confirmation it is expected to pass attestation, TBS device identifier
    has been generated, and finally "The TPM was successfully provisioned
    and is now ready for use."

    We'll see if it error faults again.

    All for naught. Back again this morning. Disappointing


    Log Name:      System
    Source:        Microsoft-Windows-TPM-WMI
    Date:          5/20/2026 6:53:06 AM
    Event ID:      1796
    Description:   The Secure Boot update failed to update SBAT with error
    Unknown HResult Error code: 0x800700c1.

    If it's any consolation, I also get this error, twice a day, since at
    least 15/01/2026.

    The error comes with a "For more information, please see..." link [1],
    but that only mentions Event ID 1795, not 1796. However the 'Change log'
    of the document implies that 1796 *is* documented. Microsoft moves in
    mysterious ways! :-(

    I think that this 'Error' is nothing to worry about.
    IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we
    would make Elon look like a pauper! :-)

    [1] 'Secure Boot DB and DBX variable update events'
    <https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

    I know I can't do much more myself, and am not too worried about it.
    However, it does annoy me that the secure boot process is evidently
    missing some of the available data because of the update failure. I
    find it difficult to believe HP cannot figure out a way to fix this
    error.


    Run this in a PowerShell admin window

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    - If the above command returns "true", then your PC is using the new certificate


    If it returns true or false, the EventViewer error is normal.
    ... can't update (thus fails) if already present or not installed


    Thought I'd follow up on this. Both HP desktops have finally gotten an available bios update. After install, both return true to winston's powershell command, and both still have the same TPM-WMI error in the
    event log. still seems a weird way to do things...
    --
    Science Doesn't Support Darwin. Scientists Do

    --- Synchronet 3.22a-Linux NewsLink 1.2
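An added example, not code from any post in this thread: a PowerShell snippet that pulls the Microsoft-Windows-TPM-WMI events discussed above (IDs 1795 and 1796, as named in the posts) out of the System log, decodes the HRESULT carried in the message, and wraps winston's db check in a reusable function. HRESULTs of the form 0x8007xxxx carry a Win32 error code in the low 16 bits, so 0x800700c1 maps to Win32 error 193 (ERROR_BAD_EXE_FORMAT); that is a property of the HRESULT encoding, not something the thread itself states. The function names are my own. Run it from an elevated PowerShell window.

```powershell
# Added example (not from the thread). Requires an elevated PowerShell window
# because Get-SecureBootUEFI and the System log need administrator rights.

# Turn an HRESULT such as 0x800700c1 into its Win32 error code and message.
# HRESULTs with facility 7 (FACILITY_WIN32) wrap a Win32 error in the low 16 bits.
function ConvertFrom-HResult {
    param([Parameter(Mandatory)][uint32]$HResult)
    $facility = ($HResult -shr 16) -band 0x1FFF
    $code     = $HResult -band 0xFFFF
    $message  = if ($facility -eq 7) {
        ([System.ComponentModel.Win32Exception]::new([int]$code)).Message
    } else {
        'not a FACILITY_WIN32 HRESULT'
    }
    [pscustomobject]@{
        HResult  = ('0x{0:X8}' -f $HResult)
        Facility = $facility
        Win32    = $code
        Message  = $message
    }
}

# Collect the Secure Boot update events the thread is about and summarise them.
# Event IDs 1795/1796 and the provider name are the ones quoted in the posts.
function Get-SecureBootUpdateEvents {
    param([int[]]$Id = @(1795, 1796), [int]$MaxEvents = 50)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = $Id }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the hex HRESULT out of the message text, if one is present.
            $hr = $null
            if ($_.Message -match '0x([0-9A-Fa-f]{8})') { $hr = [uint32]('0x' + $Matches[1]) }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                HResult = if ($hr) { ('0x{0:X8}' -f $hr) } else { '' }
                Win32   = if ($hr) { (ConvertFrom-HResult $hr).Message } else { '' }
                Text    = ($_.Message -split "`n")[0]
            }
        }
}

# Is the 2023 Windows UEFI CA present in the Secure Boot 'db' variable?
# Same check winston posted, wrapped so the result can be reused.
function Test-WindowsUefiCa2023 {
    $db = Get-SecureBootUEFI -Name db
    [System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023'
}

# Example run.
ConvertFrom-HResult 0x800700c1
Get-SecureBootUpdateEvents | Format-Table -AutoSize
"Windows UEFI CA 2023 in db: $(Test-WindowsUefiCa2023)"
```

The decoder only interprets facility-7 HRESULTs; anything else is reported as-is, so an unexpected code is never silently mapped to a Win32 message it does not belong to.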
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Wed Jun 10 19:58:19 2026
    From Newsgroup: alt.comp.os.windows-11

    On Wed, 6/10/2026 7:23 PM, sticks wrote:
    On 5/20/2026 10:11 AM, ....winston wrote:
    On 05/20/2026 10:11 AM, sticks wrote:
    On 5/20/2026 8:50 AM, Frank Slootweg wrote:
    sticks <wolverine01@charter.net> wrote:
    On 5/19/2026 5:00 PM, sticks wrote:
    [...]
    Well I'll be damned. I then did an SFC /scannow and it did find some
    errors and fixed them. Rebooted. Went into the event viewer and
    instead of the TPM-WMI error it had 4 entries. A pre-attestation check,
    a confirmation it is expected to pass attestation, TBS device identifier
    has been generated, and finally "The TPM was successfully provisioned
    and is now ready for use."

    We'll see if it error faults again.

    All for naught. Back again this morning. Disappointing


    Log Name:      System
    Source:        Microsoft-Windows-TPM-WMI
    Date:          5/20/2026 6:53:06 AM
    Event ID:      1796
    Description:   The Secure Boot update failed to update SBAT with error
    Unknown HResult Error code: 0x800700c1.

    If it's any consolation, I also get this error, twice a day, since at
    least 15/01/2026.

    The error comes with a "For more information, please see..." link [1],
    but that only mentions Event ID 1795, not 1796. However the 'Change log'
    of the document implies that 1796 *is* documented. Microsoft moves in
    mysterious ways! :-(

    I think that this 'Error' is nothing to worry about.
    IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we
    would make Elon look like a pauper! :-)

    [1] 'Secure Boot DB and DBX variable update events'
    <https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

    I know I can't do much more myself, and am not too worried about it.
    However, it does annoy me that the secure boot process is evidently
    missing some of the available data because of the update failure. I
    find it difficult to believe HP cannot figure out a way to fix this error.


    Run this in a PowerShell admin window

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    - If the above command returns "true", then your PC is using the new certificate


    If it returns true or false, the EventViewer error is normal.
    ... can't update (thus fails) if already present or not installed

    Thought I'd follow up on this. Both HP desktops have finally gotten an
    available bios update. After install, both return true to winston's powershell
    command, and both still have the same TPM-WMI error in the event log. still
    seems a weird way to do things...

    Agree on the weird part.

    Tried to use a Linux today, on the Secure Boot machine, and I didn't know
    there was a new scheme for running a video card. There is some trick to
    load a firmware into a video card, to act as the driver. This is Not Supported
    on my video card, so that explains why the HD monitor was running at 1024x768.
    I had to remove around 20 packages from the package manager, ones
    that use the "new method", reboot, then use the Driver Manager, and it
    selected some legacy driver that does not use that method. And then
    the HD screen was running at 1920x1080 again.

    It seems some video card company <cough>, is angling for us to have to
    buy some of those "cheep $400 video cards" :-) Just to have continued driver support.
    I would certainly want a rich man to be able to afford another
    leather jacket for presentations. The problem with schemes along
    these lines, is it is going to make some laptop owners "very angry".

    Thank goodness for innovation. "Where-ever it strikes".

    Paul



    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Daniel70@daniel47@nomail.afraid.org to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jun 11 23:09:09 2026
    From Newsgroup: alt.comp.os.windows-11

    On 11/06/2026 8:53 pm, Daniel70 wrote:
    On 11/06/2026 9:58 am, Paul wrote:
    On Wed, 6/10/2026 7:23 PM, sticks wrote:

    <Snip>

    Thought I'd follow up on this. Both HP desktops have finally
    gotten an available bios update. After install, both return true
    to winston's powershell command, and both still have the same
    TPM-WMI error in the event log. still seems a weird way to do
    things...

    Agree on the weird part.

    Tried to use a Linux today, on the Secure Boot machine, and I didn't
    know there was a new scheme for running a video card. There is some
    trick to load a firmware into a video card, to act as the driver.
    This is Not Supported on my video card, so that explains why the HD
    monitor was running at 1024x768. I had to remove around 20 packages
    from the package manager, ones that use the "new method", reboot,
    then use the Driver Manager, and it selected some legacy driver that
    does not use that method. and then the HD screen was running at
    1920x1080 again.

    It seems some video card company <cough>,

    "video card company" .... or is MS just trying to support their Mates
    .... by making YOU have to *but* a new Computer ... or Video Card at the
    very least??

    s/but/buy!!

    is angling for us to have to buy some of those "cheep $400 video
    cards" :-) Just to have continued driver support. I would certainly
    want a rich man to be able to afford another leather jacket for
    presentations. The problem with schemes along these lines, is it is
    going to make some laptop owners "very angry".

    Thank goodness for innovation. "Where-ever it strikes".

    Paul
    --
    Daniel70
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jun 11 22:19:08 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/10/2026 7:58 PM, Paul wrote:
    On Wed, 6/10/2026 7:23 PM, sticks wrote:
    On 5/20/2026 10:11 AM, ....winston wrote:
    On 05/20/2026 10:11 AM, sticks wrote:
    On 5/20/2026 8:50 AM, Frank Slootweg wrote:
    sticks <wolverine01@charter.net> wrote:
    On 5/19/2026 5:00 PM, sticks wrote:
    [...]
    Well I'll be damned. I then did an SFC /scannow and it did find some
    errors and fixed them. Rebooted. Went into the event viewer and
    instead of the TPM-WMI error it had 4 entries. A pre-attestation check,
    a confirmation it is expected to pass attestation, TBS device identifier
    has been generated, and finally "The TPM was successfully provisioned
    and is now ready for use."

    We'll see if it error faults again.

    All for naught. Back again this morning. Disappointing


    Log Name:      System
    Source:        Microsoft-Windows-TPM-WMI
    Date:          5/20/2026 6:53:06 AM
    Event ID:      1796
    Description:   The Secure Boot update failed to update SBAT with error
    Unknown HResult Error code: 0x800700c1.

    If it's any consolation, I also get this error, twice a day, since at
    least 15/01/2026.

    The error comes with a "For more information, please see..." link [1],
    but that only mentions Event ID 1795, not 1796. However the 'Change log'
    of the document implies that 1796 *is* documented. Microsoft moves in
    mysterious ways! :-(

    I think that this 'Error' is nothing to worry about.
    IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we
    would make Elon look like a pauper! :-)

    [1] 'Secure Boot DB and DBX variable update events'
    <https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

    I know I can't do much more myself, and am not too worried about it.
    However, it does annoy me that the secure boot process is evidently
    missing some of the available data because of the update failure. I
    find it difficult to believe HP cannot figure out a way to fix this error.


    Run this in a PowerShell admin window

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    - If the above command returns "true", then your PC is using the new certificate


    If it returns true or false, the EventViewer error is normal.
    ... can't update (thus fails) if already present or not installed

    Thought I'd follow up on this. Both HP desktops have finally gotten an
    available bios update. After install, both return true to winston's powershell
    command, and both still have the same TPM-WMI error in the event log. still
    seems a weird way to do things...

    Agree on the weird part.

    Tried to use a Linux today, on the Secure Boot machine, and I didn't know
    there was a new scheme for running a video card. There is some trick to
    load a firmware into a video card, to act as the driver. This is Not Supported
    on my video card, so that explains why the HD monitor was running at 1024x768.
    I had to remove around 20 packages from the package manager, ones
    that use the "new method", reboot, then use the Driver Manager, and it
    selected some legacy driver that does not use that method. And then
    the HD screen was running at 1920x1080 again.

    It seems some video card company <cough>, is angling for us to have to
    buy some of those "cheep $400 video cards" :-) Just to have continued driver support.
    I would certainly want a rich man to be able to afford another
    leather jacket for presentations. The problem with schemes along
    these lines, is it is going to make some laptop owners "very angry".

    Thank goodness for innovation. "Where-ever it strikes".

    Paul




    Doesn't sound like a Secure Boot issue.

    How old is that Secure Boot machine that 'tried to use' Linux?
    How old is its video card?

    Back on topic.
    @Paul and @sticks
    There are other powershell commands in admin mode that can be run for additional information on installation/updating 2023 certs.

    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject


    For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen
    i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo, last
    UEFI/BIOS March 2017, the results for the above commands are:

    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US


    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US


    Fyi...for those interested in an explanation of DB and KEK certs
    "DB (Allowed Signature Database): The list of certificates and trusted software the PC is allowed to run. The new 2023 DB certificates are used
    to sign modern Windows boot components."
    "KEK (Key Exchange Key): Often called the "master authority." The KEK
    gives Microsoft (and your hardware manufacturer) the permission to
    update your DB and DBX (revocation) lists without requiring a full
    manual BIOS flash".
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
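An added example, not code from winston's post: instead of string-matching whatever Get-SecureBootUEFI prints, this walks the raw bytes of a Secure Boot variable using the UEFI EFI_SIGNATURE_LIST / EFI_SIGNATURE_DATA layout and decodes each X.509 entry with .NET, so it lists the subject and expiry of every certificate in db, KEK or PK (dbx entries are SHA-256 hashes rather than certificates and are listed as hex). The signature-type GUIDs are from the UEFI specification; the function names are my own. On a machine like winston's the db listing should contain the three 2023 subjects shown above and the KEK listing the 2023 KEK CA. Run from an elevated PowerShell window.

```powershell
# Added example (not from the thread). Decodes Secure Boot variables by hand.
# Requires an elevated PowerShell window for Get-SecureBootUEFI.

# Signature-type GUIDs from the UEFI specification.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'

function Read-EfiSignatureLists {
    # Parse a byte array holding one or more EFI_SIGNATURE_LIST records.
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $off = 0
    while ($off + 28 -le $Bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) + SignatureListSize(4)
        # + SignatureHeaderSize(4) + SignatureSize(4), all little-endian.
        $type       = [guid]::new([byte[]]$Bytes[$off..($off + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $off + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $off + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $off + 24)
        if ($listSize -lt 28 -or $off + $listSize -gt $Bytes.Length -or $sigSize -lt 16) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $off"
        }

        $pos = $off + 28 + $headerSize
        $end = $off + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) + SignatureData(SignatureSize-16)
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{ Owner = $owner; Kind = ''; Subject = ''; NotAfter = $null }

            if ($type -eq $EfiCertX509) {
                # DER-encoded certificate: let .NET parse it.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Kind     = 'X509'
                $entry.Subject  = $cert.Subject
                $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EfiCertSha256) {
                # Hash entry (typical for dbx): show it as lower-case hex.
                $entry.Kind    = 'SHA256'
                $entry.Subject = ([BitConverter]::ToString($data) -replace '-', '').ToLower()
            } else {
                $entry.Kind = $type.ToString()   # unknown signature type, reported raw
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $off = $end
    }
}

function Get-SecureBootCertificates {
    # Decode a Secure Boot variable (PK, KEK, db, dbx) into its entries.
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name = 'db')
    $var = Get-SecureBootUEFI -Name $Name
    Read-EfiSignatureLists -Bytes $var.Bytes | ForEach-Object {
        $_ | Add-Member -NotePropertyName Variable -NotePropertyValue $Name -PassThru
    }
}

# Example run: which 2023 CAs are in db and KEK, and when do they expire?
foreach ($v in 'db', 'KEK') {
    Get-SecureBootCertificates -Name $v |
        Where-Object { $_.Kind -eq 'X509' -and $_.Subject -match '2023' } |
        Format-Table Variable, Subject, NotAfter -AutoSize
}
```

Dropping the `-match '2023'` filter shows everything in the variable, including the older 2011 CAs and, for dbx, the revocation hashes, which is what you want when comparing two machines that report different results for the same one-liner.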
  • From sticks@wolverine01@charter.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jun 11 21:26:33 2026
    From Newsgroup: alt.comp.os.windows-11

    On 6/11/2026 9:19 PM, ....winston wrote:

    Back on topic.
    @Paul and @sticks
    There are other powershell commands in admin mode that can be run for additional information on installation/updating 2023 certs.

    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject


    For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen
    i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo, last
    UEFI/BIOS March 2017, the results for the above commands are:

    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US


    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US


    Fyi...for those interested in an explanation of DB and KEK certs
    "DB (Allowed Signature Database): The list of certificates and trusted software the PC is allowed to run. The new 2023 DB certificates are used
    to sign modern Windows boot components."
    "KEK (Key Exchange Key): Often called the "master authority." The KEK
    gives Microsoft (and your hardware manufacturer) the permission to
    update your DB and DBX (revocation) lists without requiring a full
    manual BIOS flash".

    For the first command I only get your first entry, the second command I
    get the same as yours. That ok?
    --
    Science Doesn't Support Darwin. Scientists Do

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Fri Jun 12 00:42:46 2026
    From Newsgroup: alt.comp.os.windows-11

    On Thu, 6/11/2026 10:19 PM, ....winston wrote:
    On 06/10/2026 7:58 PM, Paul wrote:
    On Wed, 6/10/2026 7:23 PM, sticks wrote:
    On 5/20/2026 10:11 AM, ....winston wrote:
    On 05/20/2026 10:11 AM, sticks wrote:
    On 5/20/2026 8:50 AM, Frank Slootweg wrote:
    sticks <wolverine01@charter.net> wrote:
    On 5/19/2026 5:00 PM, sticks wrote:
    [...]
    Well I'll be damned. I then did an SFC /scannow and it did find some
    errors and fixed them. Rebooted. Went into the event viewer and
    instead of the TPM-WMI error it had 4 entries. A pre-attestation check,
    a confirmation it is expected to pass attestation, TBS device identifier
    has been generated, and finally "The TPM was successfully provisioned
    and is now ready for use."

    We'll see if it error faults again.

    All for naught. Back again this morning. Disappointing


    Log Name:      System
    Source:        Microsoft-Windows-TPM-WMI
    Date:          5/20/2026 6:53:06 AM
    Event ID:      1796
    Description:   The Secure Boot update failed to update SBAT with error
    Unknown HResult Error code: 0x800700c1.

    If it's any consolation, I also get this error, twice a day, since at
    least 15/01/2026.

    The error comes with a "For more information, please see..." link [1],
    but that only mentions Event ID 1795, not 1796. However the 'Change log'
    of the document implies that 1796 *is* documented. Microsoft moves in
    mysterious ways! :-(

    I think that this 'Error' is nothing to worry about.
    IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we
    would make Elon look like a pauper! :-)

    [1] 'Secure Boot DB and DBX variable update events'
    <https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

    I know I can't do much more myself, and am not too worried about it.
    However, it does annoy me that the secure boot process is evidently
    missing some of the available data because of the update failure. I
    find it difficult to believe HP cannot figure out a way to fix this error.


    Run this in a PowerShell admin window

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    - If the above command returns "true", then your PC is using the new certificate


    If it returns true or false, the EventViewer error is normal.
    ... can't update (thus fails) if already present or not installed

    Thought I'd follow up on this. Both HP desktops have finally gotten an
    available bios update. After install, both return true to winston's powershell
    command, and both still have the same TPM-WMI error in the event log. still
    seems a weird way to do things...

    Agree on the weird part.

    Tried to use a Linux today, on the Secure Boot machine, and I didn't know
    there was a new scheme for running a video card. There is some trick to
    load a firmware into a video card, to act as the driver. This is Not Supported
    on my video card, so that explains why the HD monitor was running at 1024x768.
    I had to remove around 20 packages from the package manager, ones
    that use the "new method", reboot, then use the Driver Manager, and it
    selected some legacy driver that does not use that method. And then
    the HD screen was running at 1920x1080 again.

    It seems some video card company <cough>, is angling for us to have to
    buy some of those "cheep $400 video cards" :-) Just to have continued driver support.
    I would certainly want a rich man to be able to afford another
    leather jacket for presentations. The problem with schemes along
    these lines, is it is going to make some laptop owners "very angry".

    Thank goodness for innovation. "Where-ever it strikes".

    Paul




    Doesn't sound like a Secure Boot issue.

    How old is that Secure Boot machine that 'tried to use' Linux?
    How old is its video card.

    Back on topic.
    @Paul and @sticks
    There are other powershell commands in admin mode that can be run for additional information on installation/updating 2023 certs.

    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject


    For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo, last UEFI/BIOS March 2017, the results for the above commands are:

    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US


    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US


    Fyi...for those interested in an explanation of DB and KEK certs
    "DB (Allowed Signature Database): The list of certificates and trusted software the PC is allowed to run. The new 2023 DB certificates are used to sign modern Windows boot components."
    "KEK (Key Exchange Key): Often called the "master authority." The KEK gives Microsoft (and your hardware manufacturer) the permission to update your DB and DBX (revocation) lists without requiring a full manual BIOS flash".


    [MSI] MPG B550 Gaming Plus (MS-7C56)     \
    Infineon TPM 2.0                          \
    Ryzen 7 5700G 8C 16T CPU                  \
    BIOS version 7/13/2024  AMI 1i0           \
    DDR4 RAM (four sticks)                    \
                                               \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II    /    Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0)   /    They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU                 /    where the media was still signed with PCA2011 and
    BIOS version 1/4/2026  AMI 3636           /    at a guess, that is revoked.
    DDR4 RAM (four sticks)                    /

    [Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
    no TPM at all  (UEFI/CSM BIOS)
    4930K 6C 12T   (HEDT, 42 PCIe lanes)      This machine has W10 and W11 and can test what
    BIOS Version 12/24/2013  AMI 4608         miserable performance others might see. It has
    DDR3 RAM (eight sticks)                   a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.

    The top two are unlikely to ever see a working SBAT response.
    Even though the middle one got a BIOS update relatively recently.

    The middle machine occasionally runs an AI, using a 58GB downloaded model.
    The answers are just as dodgy as the one you get that is
    data center powered on your own machine. There is no apparent
    benefit from running it locally.

    [Picture] Run-Queries-With-Network-Cable-Disconnected.gif

    https://postimg.cc/k20gzLYy

    https://imgur.com/a/It9jbsL

    Paul
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Sat Jun 13 21:16:22 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56)     \
    Infineon TPM 2.0                          \
    Ryzen 7 5700G 8C 16T CPU                  \
    BIOS version 7/13/2024  AMI 1i0           \
    DDR4 RAM (four sticks)                    \
                                               \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II    /    Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0)   /    They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU                 /    where the media was still signed with PCA2011 and
    BIOS version 1/4/2026  AMI 3636           /    at a guess, that is revoked.
    DDR4 RAM (four sticks)                    /

    [Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
    no TPM at all  (UEFI/CSM BIOS)
    4930K 6C 12T   (HEDT, 42 PCIe lanes)      This machine has W10 and W11 and can test what
    BIOS Version 12/24/2013  AMI 4608         miserable performance others might see. It has
    DDR3 RAM (eight sticks)                   a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other
    devices(no virtual machines, but only devices with Windows 10 ESU or
    Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Mon Jun 15 06:11:03 2026
    From Newsgroup: alt.comp.os.windows-11

    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56)     \
    Infineon TPM 2.0                          \
    Ryzen 7 5700G 8C 16T CPU                  \
    BIOS version 7/13/2024  AMI 1i0           \
    DDR4 RAM (four sticks)                    \
                                               \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II    /    Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0)   /    They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU                 /    where the media was still signed with PCA2011 and
    BIOS version 1/4/2026  AMI 3636           /    at a guess, that is revoked.
    DDR4 RAM (four sticks)                    /

    [Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
    no TPM at all  (UEFI/CSM BIOS)
    4930K 6C 12T   (HEDT, 42 PCIe lanes)      This machine has W10 and W11 and can test what
    BIOS Version 12/24/2013  AMI 4608         miserable performance others might see. It has
    DDR3 RAM (eight sticks)                   a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other devices(no virtual machines, but only devices with Windows 10 ESU or Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so lets do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at the top, and green
    checkmark on the side. Text reads:

    "Secure Boot is on and all required certificate updates have been applied.
    No further certificate changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either "value" can show up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I Resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

      Partition ###  Type              Size     Offset
      -------------  ----------------  -------  -------
      Partition 1    System             100 MB  1024 KB
      Partition 2    Reserved            16 MB   101 MB
      Partition 3    Primary            108 GB   117 MB
      Partition 5    Recovery          2068 MB   108 GB   <=== Win11 is using its Recovery Partition
      Partition 4    Primary            127 GB   110 GB   <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-) Don't
    ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not have a Recovery partition. I hope it doesn't break anything. Doing a backup before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at the top, and green
    checkmark on the side. Text reads:

    "Secure boot is on, preventing malicious software from loading
    when your device starts up."
    "Your device meets the requirements for standard hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE <=== this is the C: drive of W10
    Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul



    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Mon Jun 15 09:31:12 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/15/2026 6:11 AM, Paul wrote:
    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56)            \
    Infineon TPM 2.0                                 \
    Ryzen 7 5700G 8C 16T CPU                          \
    BIOS version 7/13/2024  AMI 1i0                    \
    DDR4 RAM (four sticks)                              \
                                                         \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II              /    Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0)            /     They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU                         /      where the media was still signed with PCA2011 and
    BIOS version 1/4/2026  AMI 3636                  /       at a guess, that is revoked.
    DDR4 RAM (four sticks)                          /

    [Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
    no TPM at all  (UEFI/CSM BIOS)
    4930K 6C 12T   (HEDT, 42 PCIe lanes)            This machine has W10 and W11 and can test what
    BIOS Version 12/24/2013  AMI 4608               miserable performance others might see. It has
    DDR3 RAM (eight sticks)                         a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other devices(no virtual machines, but only devices with Windows 10 ESU or Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so let's do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at the top, and green
    checkmark on the side. Text reads:

    "Secure Boot is on and all required certificate updates have been applied.
    No further certificate changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either "value" can show
    up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I Resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System 100 MB 1024 KB
    Partition 2 Reserved 16 MB 101 MB
    Partition 3 Primary 108 GB 117 MB
    Partition 5 Recovery 2068 MB 108 GB <=== Win11 is using its Recovery Partition
    Partition 4 Primary 127 GB 110 GB <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-) Don't ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
    have a Recovery partition. I hope it doesn't break anything. Doing a backup before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at the top, and green
    checkmark on the side. Text reads:

    "Secure boot is on, preventing malicious software from loading
    when your device starts up."
    "Your device meets the requirements for standard hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE <=== this is the C: drive of W10
    Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul




    Login without password on Win11
    - if so, indicates some form of bypass (Windows or 3rd party settings)
    was previously enabled (or configured), i.e. Windows in its default mode
    does not normally log on to a local (or any) account without a prompt for a password or PIN (Hello mode).

    5950X
    - apparently a dual boot device with recent updates (26200.xxxx, 19045.xxxx)
    - results for DB and KEK show as updated with the DB and KEK certs.
    - each OS should have a C:\Windows\System32\SecureBootUpdates folder
    with a variety of files; the dates can vary depending upon prior and current updating,
    since all types of 2023 certs may not be pushed/deployed
    at the same time.

    Comment:
    Afaik, both OSes need to be updated. When Secure Boot and TPM are present
    and enabled (and if this is a dual boot, it is using the same
    UEFI/BIOS)... it would indicate anything flashed into the mobo's
    firmware module would be common for both OSes, especially since Secure Boot
    runs at the hardware level in the device's UEFI.
    --
    ...w-i|#-o-#-n|#
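One way to run the DB/KEK check from the thread on each machine in a single pass, as an added example (not code from the thread, and not Microsoft's tooling): it reads the raw variable bytes through the documented parameters of Get-SecureBootUEFI instead of the -decoded switch used above, lists the SecureBootUpdates folder ....winston mentions, and reads the UEFICA2023Status servicing value only if that registry key is present. The function names and the expected-subject table are this example's own; the subjects are the ones the thread's output shows.

```powershell
# Added example, not from the thread: check the Secure Boot DB and KEK for the
# 2023 Microsoft CAs using documented Get-SecureBootUEFI parameters (raw bytes),
# then list the SecureBootUpdates folder and the servicing status value.
# Run from an elevated PowerShell on a UEFI boot; Get-SecureBootUEFI needs both.

# Subjects the thread's output shows in an updated DB and KEK.
$Expected2023 = @{
    DB  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI returns $true/$false and throws on a legacy BIOS boot.
    try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }

    foreach ($var in 'DB', 'KEK') {
        # Subject names are ASCII inside the DER certificates stored in the
        # variable, so a substring match on the raw bytes is enough to detect a CA.
        $raw = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($subject in $Expected2023[$var]) {
            [pscustomobject]@{
                SecureBootOn = $sbOn
                Variable     = $var
                Certificate  = $subject
                Present      = [bool]($raw -match [regex]::Escape($subject))
            }
        }
    }
}

function Get-SecureBootServicingInfo {
    [CmdletBinding()]
    param()
    $folder = Join-Path $env:SystemRoot 'System32\SecureBootUpdates'
    $files  = if (Test-Path $folder) { Get-ChildItem $folder -File } else { @() }
    # Assumption: the servicing status is the UEFICA2023Status value under this
    # key; it is read only if the key exists, otherwise reported as not present.
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).UEFICA2023Status
    [pscustomobject]@{
        UpdatesFolder    = $folder
        StagedFileCount  = @($files).Count
        NewestStagedFile = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).Name
        UEFICA2023Status = if ($null -ne $status) { $status } else { 'not present' }
    }
}

Get-SecureBoot2023Status | Format-Table -AutoSize
Get-SecureBootServicingInfo | Format-List
```

A machine in the state Paul shows prints Present = True for all four rows; a row with Present = False on the DB side is the one to chase before the 2011 CA expiry, since the firmware can only verify a boot manager signed by a CA that is actually in DB. Running it once per OS on a dual-boot box is a direct test of ....winston's point that the variables live in the firmware and so read the same from either OS.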
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Mon Jun 15 10:33:20 2026
    From Newsgroup: alt.comp.os.windows-11

    On Mon, 6/15/2026 9:31 AM, ....winston wrote:

    Comment:
    Afaik, both OSes need to be updated. When Secure Boot and TPM are present and enabled
    (and if this is a dual boot, it is using the same UEFI/BIOS)... it would indicate
    anything flashed into the mobo's firmware module would be common for both OSes, especially
    since Secure Boot runs at the hardware level in the device's UEFI.

    That was to show the audience that the commands work the same way
    on both OSes. If any of the schemes was faulty, people would
    want to know that.

    The way I run the machines here, is there is only one set of settings
    of a machine. I do not flip SATA between AHCI and RAID for example,
    as I change OSes. Any choices I make, have to work for both. If
    there is a stack of 16 SSDs in front of a machine, I can plug
    in any of those at any time... without a lot of forward planning required.
    I even have purchased video cards, with the intent that at least some
    of the materials can boot on any machine, because the video cards
    are all from the same generation (1030, 1050, 1080).

    No matter what people have put in my computer, it still has to work
    for my lifestyle, or... into the junk room it goes :-) I would hate
    to think I made a bad choice by buying a modern computer.

    Paul
  • From Bill Bradshaw@bradshaw@gci.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Mon Jun 15 09:22:02 2026
    From Newsgroup: alt.comp.os.windows-11

    Paul wrote:
    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject
    -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject
    -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56)            \
    Infineon TPM 2.0                                 \
    Ryzen 7 5700G 8C 16T CPU                          \
    BIOS version 7/13/2024  AMI 1i0                    \
    DDR4 RAM (four sticks)                              \
                                                         \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II              /    Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0)            /     They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU                         /      where the media was still signed with PCA2011 and
    BIOS version 1/4/2026  AMI 3636                  /       at a guess, that is revoked.
    DDR4 RAM (four sticks)                          /

    [Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
    no TPM at all  (UEFI/CSM BIOS)
    4930K 6C 12T   (HEDT, 42 PCIe lanes)            This machine has W10 and W11 and can test what
    BIOS Version 12/24/2013  AMI 4608               miserable performance others might see. It has
    DDR3 RAM (eight sticks)                         a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other
    devices(no virtual machines, but only devices with Windows 10 ESU or
    Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so let's do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text reads:

    "Secure Boot is on and all required certificate
    updates have been applied. No further certificate
    changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either "value" can show
    up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I Resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System 100 MB 1024 KB
    Partition 2 Reserved 16 MB 101 MB
    Partition 3 Primary 108 GB 117 MB
    Partition 5 Recovery 2068 MB 108 GB <=== Win11 is using its Recovery Partition
    Partition 4 Primary 127 GB 110 GB <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-) Don't
    ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
    have a Recovery partition. I hope it doesn't break anything. Doing a backup
    before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text reads:

    "Secure boot is on, preventing malicious software
    from loading when your device starts up."
    "Your device meets the requirements for standard
    hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE <=== this is the C: drive of W10
    Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul

    I am running Windows 11 Pro and I am on 8457. I cannot get updated; I downloaded the cumulative update to 8655 but it will not update. Checking Device Security reports all is fine with certificates, etc.

    diskpart shows:

    Partition 4 Recovery 755MB 113GB
    Partition 5 Recovery 800MB 114GB

    Do I need to try and increase the size of the Recovery Partitions?

    I recognize this is not a lot of info.

    <Bill>

  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Mon Jun 15 20:48:31 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/15/2026 1:22 PM, Bill Bradshaw wrote:
    Paul wrote:
    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject
    -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject
    -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56)            \
    Infineon TPM 2.0                                 \
    Ryzen 7 5700G 8C 16T CPU                          \
    BIOS version 7/13/2024  AMI 1i0                    \
    DDR4 RAM (four sticks)                              \
                                                         \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II              /    Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0)            /     They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU                         /      where the media was still signed with PCA2011 and
    BIOS version 1/4/2026  AMI 3636                  /       at a guess, that is revoked.
    DDR4 RAM (four sticks)                          /

    [Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
    no TPM at all  (UEFI/CSM BIOS)
    4930K 6C 12T   (HEDT, 42 PCIe lanes)            This machine has W10 and W11 and can test what
    BIOS Version 12/24/2013  AMI 4608               miserable performance others might see. It has
    DDR3 RAM (eight sticks)                         a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other
    devices(no virtual machines, but only devices with Windows 10 ESU or
    Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so let's do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text reads:

    "Secure Boot is on and all required certificate
    updates have been applied. No further certificate
    changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either "value" can show
    up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I Resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System 100 MB 1024 KB
    Partition 2 Reserved 16 MB 101 MB
    Partition 3 Primary 108 GB 117 MB
    Partition 5 Recovery 2068 MB 108 GB <=== Win11 is using its Recovery Partition
    Partition 4 Primary 127 GB 110 GB <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-) Don't
    ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
    have a Recovery partition. I hope it doesn't break anything. Doing a backup
    before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text reads:

    "Secure boot is on, preventing malicious software
    from loading when your device starts up."
    "Your device meets the requirements for standard
    hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    <=== this is the C: drive of W10 Boot Configuration Data (BCD)
    identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a Recovery image
    location: Recovery image index: 0 Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul

    I am running Windows 11 Pro and I am on 8457. I cannot get updated; I downloaded the cumulative update to 8655 but it will not update. Checking Device Security reports all is fine with certificates, etc.

    diskpart shows:

    Partition 4 Recovery 755MB 113GB
    Partition 5 Recovery 800MB 114GB

    Do I need to try and increase the size of the Recovery Partitions?

    I recognize this is not a lot of info.

    <Bill>




    Probably a good idea for more analysis and data before trying/doing
    anything.

    Open a PowerShell admin console and enter the following command (either
    one, upper and lower case are the same command)
    GET-VOLUME
    or
    get-volume

    The above will show the size and free space of partitions on the device:
    System (UEFI)
    Windows
    Recovery
    (plus all other partitions on all connected disks, including unused/unnecessary Recovery partitions, and usually any unique OEM-created
    return-to-factory recovery partitions)

    Report the results in a reply(Size and SizeRemaining)

    Also rerun the diskpart feature to list partitions (ensure you first
    select the correct disk)
    list part

    This will show all the partition numbers for all items.
    If only one disk you should see
    Partition 1 System
    Partition 2 Reserved
    Partition 3 Primary
    Partition 4 Recovery
    Partition # where # could be additional partitions (an unused Recovery,
    like your #5 and, if present, any other #6, etc. OEM on the disk)

    Report all the results in a reply.

    To determine your active recovery partition

    In a powershell admin console enter the following command
    reagentc /info

    This will show the current active Windows Recovery partition location,
    the output will look similar to this \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    Note: WinRE is the label on mine, yours is probably different(i.e. just Recovery or similar).

    Report the results in a reply.

    Once you know the size and free space you can proceed and determine what
    next steps can(or should) be done.


    Last, if possible...a snapshot or picture of the disk partitions(taken
    while viewing Disk Management, Macrium, or other third party image or
    disk partitioning program).
    --
    ...w-i|#-o-#-n|#
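Everything ....winston asks Bill to collect above (Get-Volume sizes and free space, diskpart's partition list, and the active location from reagentc /info) can be gathered in one elevated PowerShell pass and joined up, so that a box with two Recovery partitions like Bill's shows at a glance which one WinRE actually uses. The script is an added example, not the thread's or Microsoft's code. It assumes the Storage module cmdlets Get-Partition and Get-Volume are available (they are on Windows 10/11), that reagentc /info prints the location in the \\?\GLOBALROOT\device\harddiskN\partitionM form shown in the thread, and that a pending image, when one exists, sits at C:\$WinREAgent\winre.wim as in Paul's later listing; the function names are this example's own.

```powershell
# Added example, not from the thread: one elevated PowerShell pass that reports
# what ....winston asks for (partition sizes and free space, the partition list,
# and the active WinRE location from reagentc /info) and joins them together.
# Assumes the Storage module (Get-Partition/Get-Volume) and ReAgentc.exe, both
# present on Windows 10/11. Function names are this example's own.

function Get-ActiveWinReLocation {
    [CmdletBinding()]
    param()
    # reagentc /info prints e.g. \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    # (it needs an elevated console; without one the status stays Unknown).
    $text   = (& "$env:SystemRoot\System32\ReAgentc.exe" /info 2>&1) -join "`n"
    $status = if ($text -match 'Windows RE status:\s*(\S+)') { $Matches[1] } else { 'Unknown' }
    $disk = $null; $part = $null
    if ($text -match 'harddisk(\d+)\\partition(\d+)') {
        $disk = [int]$Matches[1]
        $part = [int]$Matches[2]
    }
    [pscustomobject]@{ Status = $status; DiskNumber = $disk; PartitionNumber = $part }
}

function Get-WinRePartitionReport {
    [CmdletBinding()]
    param()
    $active = Get-ActiveWinReLocation
    # Size of a cumulative update's staged WinRE image, if one is waiting in C:\$WinREAgent.
    $staged = Get-Item (Join-Path $env:SystemDrive '$WinREAgent\winre.wim') -ErrorAction SilentlyContinue
    $stagedMB = if ($staged) { [math]::Round($staged.Length / 1MB) } else { $null }

    foreach ($p in Get-Partition | Sort-Object DiskNumber, PartitionNumber) {
        # Recovery partitions usually have no drive letter; the pipeline form of
        # Get-Volume still resolves them, so SizeRemaining is available.
        $vol      = $p | Get-Volume -ErrorAction SilentlyContinue
        $freeMB   = if ($vol) { [math]::Round($vol.SizeRemaining / 1MB) } else { $null }
        $isActive = ($p.DiskNumber -eq $active.DiskNumber) -and ($p.PartitionNumber -eq $active.PartitionNumber)
        # DriveLetter is a NUL char on letterless partitions; render it as empty text.
        $letter   = "$($p.DriveLetter)".Trim([char]0)
        # Fit test is only meaningful on the active WinRE partition when an image is staged.
        $fits = if ($isActive -and $null -ne $stagedMB -and $null -ne $freeMB) { $freeMB -ge $stagedMB } else { $null }

        [pscustomobject]@{
            Disk          = $p.DiskNumber
            Partition     = $p.PartitionNumber
            Type          = $p.Type
            Letter        = $letter
            SizeMB        = [math]::Round($p.Size / 1MB)
            FreeMB        = $freeMB
            ActiveWinRE   = $isActive
            WinReStatus   = if ($isActive) { $active.Status } else { '' }
            StagedWimMB   = if ($isActive) { $stagedMB } else { $null }
            StagedWimFits = $fits
        }
    }
}

Get-WinRePartitionReport | Format-Table -AutoSize
```

The row with ActiveWinRE = True is the one reagentc /info points at; any other Recovery-typed row is an orphan from an earlier install that can be ignored for this purpose. StagedWimFits compares raw free space against the staged winre.wim only, so a True there is necessary but not sufficient: as Paul notes below, the servicing step wants extra margin on top of the image size, so a partition that only just fits can still fail the update.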
  • From Paul@nospam@needed.invalid to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 08:38:21 2026
    From Newsgroup: alt.comp.os.windows-11

    On Mon, 6/15/2026 1:22 PM, Bill Bradshaw wrote:
    Paul wrote:
    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject
    -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject
    -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56)            \
    Infineon TPM 2.0                                 \
    Ryzen 7 5700G 8C 16T CPU                          \
    BIOS version 7/13/2024  AMI 1i0                    \
    DDR4 RAM (four sticks)                              \
                                                         \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II              /    Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0)            /     They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU                         /      where the media was still signed with PCA2011 and
    BIOS version 1/4/2026  AMI 3636                  /       at a guess, that is revoked.
    DDR4 RAM (four sticks)                          /

    [Asus] P9X79  <=== used for testing non-Secure-Boot behaviors
    no TPM at all  (UEFI/CSM BIOS)
    4930K 6C 12T   (HEDT, 42 PCIe lanes)            This machine has W10 and W11 and can test what
    BIOS Version 12/24/2013  AMI 4608               miserable performance others might see. It has
    DDR3 RAM (eight sticks)                         a mixture of HDD and SSDs for test. Mouse click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other
    devices(no virtual machines, but only devices with Windows 10 ESU or
    Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so let's do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text reads:

    "Secure Boot is on and all required certificate
    updates have been applied. No further certificate
    changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either "value" can show
    up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I Resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset configuration Information:

    Windows RE status: Enabled
    Windows RE location: \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System 100 MB 1024 KB
    Partition 2 Reserved 16 MB 101 MB
    Partition 3 Primary 108 GB 117 MB
    Partition 5 Recovery 2068 MB 108 GB <=== Win11 is using its Recovery Partition
    Partition 4 Primary 127 GB 110 GB <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-) Don't
    ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
    have a Recovery partition. I hope it doesn't break anything. Doing a backup
    before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text reads:

    "Secure boot is on, preventing malicious software
    from loading when your device starts up."
    "Your device meets the requirements for standard
    hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE
    <=== this is the C: drive of W10 Boot Configuration Data (BCD)
    identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a Recovery image
    location: Recovery image index: 0 Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul

    I am running Windows 11 Pro and I am on 8457. I cannot get updated and have downloaded the cumulative update to 8655, but it will not update. Checking Device Security reports all is fine with certificates, etc.

    diskpart shows:

    Partition 4 Recovery 755MB 113GB
    Partition 5 Recovery 800MB 114GB

    Do I need to try and increase the size of the Recovery Partitions?

    I recognize this is not a lot of info.

    <Bill>

    701,193,948 19 May 2026 (Win11 2.02GB Recovery partition contents) Used TestDisk 7.0 for a quick look
    571,237,983 15-Jun-2026 (Win10 C:\Recovery\WindowsRE contents) Also via using TestDisk 7 to get around permissions.
    (This Win10 is the OS that doesn't have its own Recovery Partition.)

    Neither of these seems large enough to be held up by my partition dimensions, unless it is the "amount of margin" the scheme uses for updates. It doesn't just jam in the 701 thing and see if it fits, it takes the in-coming size, adds a couple hundred meg and checks whether that will fit.

    I made the room for the 701 one as 2.02GB, just because I wanted the job
    done and then on to the next thing.

    When an update does not go in, it is held in a waiting area in the
    root of C: and the folder has a dollar sign in it. This is the state
    of my "already-installed" one on Win11 (it's also in the 2.02GB Recovery partition).

    C:\$WinREAgent
    Rollback\
    Scratch\
    Backup\
    winre.wim 701,193,948 19 May 2026
    boot.sdi 3,170,304 14 June 2026
    ReAgent.xml 1,109 14 June 2026
    location.txt

    [WinRE Location]
    Partition offset=117890351104 <=== booby trap equipped... (when you cannot figure out why it Disabled itself)
    Relative path=\Recovery\WindowsRE
    OS Guid={8F4FA72F-3780-11EF-8CE3-B963A4DCEB9A}

    And normally, where that is stored, it will have some
    permissions to annoy you. For some reason right now, I
    can get into the Backup folder without using TestDisk :-)

    If your attempt to update it has failed, one of the places
    it could currently be waiting is C:\$WinREAgent, but it has
    more hidey holes than that.

    Paul
    --- Synchronet 3.22a-Linux NewsLink 1.2
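Added example (mine, not a script posted by Paul, Bill or winston in this thread): a read-only PowerShell check that runs the same 2023-cert query against DB and KEK, reports which of the expected 2023 CAs are missing, then reads reagentc /info to find the partition WinRE lives on and compares its free space with the winre.wim staged in C:\$WinREAgent. The 250 MB headroom value is my assumption standing in for the "couple hundred meg" margin mentioned above; the expected certificate names are the ones shown in the outputs quoted in this thread.

```powershell
# Added example for this thread, not a script posted by Paul, winston or Bill.
# Inventories the 2023 Secure Boot CAs in DB/KEK (the same get-securebootuefi
# query used in the thread) and checks whether the WinRE image staged under
# C:\$WinREAgent would fit in the partition reagentc reports.
# Assumption (labelled): the 250 MB headroom figure is my own estimate of the
# "couple hundred meg" margin described above; adjust $HeadroomMB as needed.
#Requires -RunAsAdministrator

$HeadroomMB = 250   # assumed margin on top of the staged winre.wim size

# Expected 2023 subjects, taken from the thread's output on fully updated boxes.
$Expected = @{
    DB  = @('CN=Windows UEFI CA 2023',
            'CN=Microsoft Option ROM UEFI CA 2023',
            'CN=Microsoft UEFI CA 2023')
    KEK = @('CN=Microsoft Corporation KEK 2K CA 2023')
}

function Get-Expected2023CertStatus {
    # One row per expected certificate; Present is $false when the CA is
    # missing, which is the "not yet deployed / can't be deployed" case.
    try { $on = Confirm-SecureBootUEFI } catch { $on = $false }
    if (-not $on) {
        Write-Warning 'Secure Boot is off or unsupported; DB/KEK contents cannot be read.'
        return
    }
    foreach ($var in 'DB', 'KEK') {
        # Hash entries in DB have no Subject, so drop empty values.
        $subjects = @(Get-SecureBootUEFI -Name $var -Decoded |
                      ForEach-Object { $_.Subject } | Where-Object { $_ })
        foreach ($cn in $Expected[$var]) {
            [pscustomobject]@{
                Variable    = $var
                Certificate = $cn
                Present     = [bool]($subjects | Where-Object { $_ -like "$cn,*" })
            }
        }
    }
}

function Get-WinREStagingStatus {
    # Parse reagentc /info for the status and the partition WinRE lives on,
    # then look up free space on that partition (it may be C: itself, as on
    # the Win10 box in the thread, or a dedicated Recovery partition).
    $info = (& reagentc.exe /info 2>&1) -join "`n"
    $status   = if ($info -match 'Windows RE status:\s*(\w+)')   { $Matches[1] } else { 'Unknown' }
    $location = if ($info -match 'Windows RE location:\s*(\S+)') { $Matches[1] } else { '' }

    $freeMB = $null
    if ($location -match 'harddisk(\d+)\\partition(\d+)') {
        $vol = Get-Partition -DiskNumber ([int]$Matches[1]) -PartitionNumber ([int]$Matches[2]) |
               Get-Volume
        if ($vol) { $freeMB = [math]::Round($vol.SizeRemaining / 1MB) }
    }

    # A winre.wim still sitting in C:\$WinREAgent means an update is staged
    # (or stuck); its size plus headroom is what has to fit.
    $staged   = Join-Path $env:SystemDrive '$WinREAgent\winre.wim'
    $stagedMB = if (Test-Path -LiteralPath $staged) {
        [math]::Round((Get-Item -LiteralPath $staged).Length / 1MB)
    } else { $null }

    [pscustomobject]@{
        WinREStatus   = $status
        WinRELocation = $location
        FreeMB        = $freeMB
        StagedWimMB   = $stagedMB
        NeededMB      = if ($stagedMB) { $stagedMB + $HeadroomMB } else { $null }
    }
}

# --- report (read-only; nothing is modified) ---------------------------------
Get-Expected2023CertStatus | Format-Table -AutoSize

$re = Get-WinREStagingStatus
$re | Format-List

if ($re.WinREStatus -ne 'Enabled') {
    Write-Warning "WinRE is $($re.WinREStatus); a failed update may have disabled it."
}
if ($re.NeededMB -and $re.FreeMB -and ($re.FreeMB -lt $re.NeededMB)) {
    $msg = 'Staged winre.wim needs ~{0} MB but the WinRE partition has {1} MB free; ' +
           'the update will keep failing until the partition is enlarged.'
    Write-Warning ($msg -f $re.NeededMB, $re.FreeMB)
}
```

Run it from an elevated PowerShell; it writes nothing. A Present=False row for Option ROM or Microsoft UEFI CA 2023 is the "not yet deployed / can't be deployed" situation discussed in this thread, and a FreeMB below NeededMB is the too-small-recovery-partition condition Bill and Paul are looking at.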
  • From sticks@wolverine01@charter.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 08:05:36 2026
    From Newsgroup: alt.comp.os.windows-11

    On 6/14/2026 2:56 AM, ....winston wrote:
    On 06/11/2026 10:26 PM, sticks wrote:
    On 6/11/2026 9:19 PM, ....winston wrote:

    Back on topic.
    @Paul and @sticks
    There are other powershell commands in admin mode that can be run for
    additional information on installation/updating 2023 certs.

    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -
    match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -
    match "2023"} | Select subject


    For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen
    i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo (last
    UEFI/BIOS March 2017), the results for the above commands are:

    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB | Where-
    Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US


    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK |
    Where- Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US


    Fyi...for those interested in an explanation of DB and KEK certs
    "DB (Allowed Signature Database): The list of certificates and
    trusted software the PC is allowed to run. The new 2023 DB
    certificates are used to sign modern Windows boot components."
    "KEK (Key Exchange Key): Often called the "master authority." The KEK
    gives Microsoft (and your hardware manufacturer) the permission to
    update your DB and DBX (revocation) lists without requiring a full
    manual BIOS flash".

    For the first command I only get your first entry, the second command
    I get the same as yours. That ok?



    With respect to CN=Microsoft Option ROM UEFI CA 2023

    When not present, it can have a few reasons, the two most common in
    simple answer form
    - not yet deployed
    - can't be deployed

    One could force the attempt to deploy by changing the reg key HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates dword value to 0x5944 or 0x1844, exit regedit, then go to Task Scheduler(admin mode) and run the Secure Boot scheduled task, once done restart
    twice(not shutdown, restart) then recheck.

    If still missing, then it's likely related to firmware limitation or missing/non-existent support from the mobo or mobo manufacturer or
    another possibility - the device never had the 2011 Option ROM 2011

    There is quite a bit of variation for option ROM and KEK deployment.
    There are ancient 4th gen and later Intel machines(not capable of
    running Win11 but running Win10 ESU) that have both Option ROM and KEK
    2023 updates deployed while later devices(Intel 7th through 14th gen) running Win11 25H2 not having one or both(Option ROM, KEK 2023)

    Mine is an intel core ultra 5 225 (arrow lake) processor which I think
    is 2nd gen for the arrow lake, but it shows a launch date of Q1 2025 so
    I assume these ultra processors would be considered a later device and
    this is normal.
    --
    Science Doesn't Support Darwin. Scientists Do

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 10:35:46 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/16/2026 9:05 AM, sticks wrote:
    On 6/14/2026 2:56 AM, ....winston wrote:
    On 06/11/2026 10:26 PM, sticks wrote:
    On 6/11/2026 9:19 PM, ....winston wrote:

    Back on topic.
    @Paul and @sticks
    There are other powershell commands in admin mode that can be run
    for additional information on installation/updating 2023 certs.

    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -
    match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -
    match "2023"} | Select subject


    For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen
    i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo (last
    UEFI/BIOS March 2017), the results for the above commands are:

    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB |
    Where- Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US


    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK |
    Where- Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    Fyi...for those interested in an explanation of DB and KEK certs
    "DB (Allowed Signature Database): The list of certificates and
    trusted software the PC is allowed to run. The new 2023 DB
    certificates are used to sign modern Windows boot components."
    "KEK (Key Exchange Key): Often called the "master authority." The
    KEK gives Microsoft (and your hardware manufacturer) the permission
    to update your DB and DBX (revocation) lists without requiring a
    full manual BIOS flash".

    For the first command I only get your first entry, the second command
    I get the same as yours. That ok?



    With respect to CN=Microsoft Option ROM UEFI CA 2023

    When not present, it can have a few reasons, the two most common in
    simple answer form
    - not yet deployed
    - can't be deployed

    One could force the attempt to deploy by changing the reg key
    HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates
    dword value to 0x5944 or 0x1844, exit regedit, then go to Task
    Scheduler(admin mode) and run the Secure Boot scheduled task, once
    done restart twice(not shutdown, restart) then recheck.

    If still missing, then it's likely related to firmware limitation or
    missing/non-existent support from the mobo or mobo manufacturer or
    another possibility - the device never had the 2011 Option ROM 2011

    There is quite a bit of variation for option ROM and KEK deployment.
    There are ancient 4th gen and later Intel machines(not capable of
    running Win11 but running Win10 ESU) that have both Option ROM and KEK
    2023 updates deployed while later devices(Intel 7th through 14th gen)
    running Win11 25H2 not having one or both(Option ROM, KEK 2023)

    Mine is an intel core ultra 5 225 (arrow lake) processor which I think
    is 2nd gen for the arrow lake, but it shows a launch date of Q1 2025 so
    I assume these ultra processors would be considered a later device and
    this is normal.



    intel core ultra 5 225 - typically not classified with numerical gen
    level. Instead of '2nd gen' it was classified iirc as Series 2.

    Release wise, its performance is plus or minus around the same point
    and time as 14th Gen...better than 14th gen budget chips and worse than
    14th gen mid-range.
    - a good choice for a large quantity end-user consumer devices
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From sticks@wolverine01@charter.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 09:54:48 2026
    From Newsgroup: alt.comp.os.windows-11

    On 6/16/2026 9:35 AM, ....winston wrote:
    On 06/16/2026 9:05 AM, sticks wrote:
    On 6/14/2026 2:56 AM, ....winston wrote:
    On 06/11/2026 10:26 PM, sticks wrote:
    On 6/11/2026 9:19 PM, ....winston wrote:

    Back on topic.
    @Paul and @sticks
    There are other powershell commands in admin mode that can be run
    for additional information on installation/updating 2023 certs.

    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -
    match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -
    match "2023"} | Select subject


    For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen
    i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo (last
    UEFI/BIOS March 2017), the results for the above commands are:

    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB |
    Where- Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US



    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK |
    Where- Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US

    Fyi...for those interested in an explanation of DB and KEK certs
    "DB (Allowed Signature Database): The list of certificates and
    trusted software the PC is allowed to run. The new 2023 DB
    certificates are used to sign modern Windows boot components."
    "KEK (Key Exchange Key): Often called the "master authority." The
    KEK gives Microsoft (and your hardware manufacturer) the permission
    to update your DB and DBX (revocation) lists without requiring a
    full manual BIOS flash".

    For the first command I only get your first entry, the second
    command I get the same as yours. That ok?



    With respect to CN=Microsoft Option ROM UEFI CA 2023

    When not present, it can have a few reasons, the two most common in
    simple answer form
    - not yet deployed
    - can't be deployed

    One could force the attempt to deploy by changing the reg key
    HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates
    dword value to 0x5944 or 0x1844, exit regedit, then go to Task
    Scheduler(admin mode) and run the Secure Boot scheduled task, once
    done restart twice(not shutdown, restart) then recheck.

    If still missing, then it's likely related to firmware limitation or
    missing/non-existent support from the mobo or mobo manufacturer or
    another possibility - the device never had the 2011 Option ROM 2011

    There is quite a bit of variation for option ROM and KEK deployment.
    There are ancient 4th gen and later Intel machines(not capable of
    running Win11 but running Win10 ESU) that have both Option ROM and
    KEK 2023 updates deployed while later devices(Intel 7th through 14th
    gen) running Win11 25H2 not having one or both(Option ROM, KEK 2023)

    Mine is an intel core ultra 5 225 (arrow lake) processor which I think
    is 2nd gen for the arrow lake, but it shows a launch date of Q1 2025
    so I assume these ultra processors would be considered a later device
    and this is normal.



    intel core ultra 5 225 - typically not classified with numerical gen
    level. Instead of '2nd gen' it was classified iirc as Series 2.

    Release wise, its performance is plus or minus around the same point
    and time as 14th Gen...better than 14th gen budget chips and worse than
    14th gen mid-range.
    - a good choice for a large quantity end-user consumer devices

    I'm fine with the processor for what I use this machine for. My
    question though was to make sure I understand your answer above about
    later devices not having those other lines on the powershell result:

    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    These two lines I don't get. I only get the Windows one:

    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

    For the later machines this is normal, right?
    --
    Science Doesn't Support Darwin. Scientists Do

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Bill Bradshaw@bradshaw@gci.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 08:26:59 2026
    From Newsgroup: alt.comp.os.windows-11

    Paul wrote:
    On Mon, 6/15/2026 1:22 PM, Bill Bradshaw wrote:
    Paul wrote:
    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject
    -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject
    -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56) \
    Infineon TPM 2.0 \
    Ryzen 7 5700G 8C 16T CPU \
    BIOS version 7/13/2024 AMI 1i0 \
    DDR4 RAM (four sticks) \
    \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II / Secure Boot is now turned
    off on both.
    fTPM (no header for a physical TPM 2.0) / They're PCA2023. One has
    failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU / where the media was still signed with
    PCA2011 and
    BIOS version 1/4/2026 AMI 3636 / at a guess, that is revoked.
    DDR4 RAM (four sticks) /

    [Asus] P9X79 <=== used for testing non-Secure-Boot behaviors
    no TPM at all (UEFI/CSM BIOS)
    4930K 6C 12T (HEDT, 42 PCIe lanes) This machine has W10 and W11
    and can test what
    BIOS Version 12/24/2013 AMI 4608 miserable performance others
    might see. It has
    DDR3 RAM (eight sticks) a mixture of HDD and SSDs for test. Mouse
    click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other
    devices(no virtual machines, but only devices with Windows 10 ESU
    or Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so let's do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text
    reads:

    "Secure Boot is on and all required certificate
    updates have been applied. No further certificate
    changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either
    "value" can show
    up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
    C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System 100 MB 1024 KB
    Partition 2 Reserved 16 MB 101 MB
    Partition 3 Primary 108 GB 117 MB
    Partition 5 Recovery 2068 MB 108 GB <=== Win11 is using its Recovery Partition
    Partition 4 Primary 127 GB 110 GB <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-)
    Don't ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
    have a Recovery partition. I hope it doesn't break anything. Doing a backup
    before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text
    reads:

    "Secure boot is on, preventing malicious software
    from loading when your device starts up."
    "Your device meets the requirements for standard
    hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
    C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE   <=== this is the C: drive of W10
    Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul

    I am running Windows 11 Pro and I am on 8457. I cannot get updated
    and have downloaded the cumulative update to 8655, but it will not update.
    Checking Device Security reports all is fine with certificates, etc.

    diskpart shows:

    Partition 4 Recovery 755MB 113GB
    Partition 5 Recovery 800MB 114GB

    Do I need to try and increase the size of the Recovery Partitions?

    I recognize this is not a lot of info.

    <Bill>

    701,193,948 19 May 2026 (Win11 2.02GB Recovery partition contents) Used TestDisk 7.0 for a quick look
    571,237,983 15-Jun-2026 (Win10 C:\Recovery\WindowsRE contents) Also via using TestDisk 7 to get around permissions.
    (This Win10 is the OS that doesn't have its own Recovery Partition.)

    Neither of these seems large enough to be held up by my partition dimensions,
    unless it is the "amount of margin" the scheme uses for updates. It doesn't
    just jam in the 701 thing and see if it fits, it takes the in-coming size, adds
    a couple hundred meg and checks whether that will fit.

    I made the room for the 701 one as 2.02GB, just because I wanted the job
    done and then on to the next thing.

    When an update does not go in, it is held in a waiting area in the
    root of C: and the folder has a dollar sign in it. This is the state
    of my "already-installed" one on Win11 (it's also in the 2.02GB
    Recovery partition).

    C:\$WinREAgent
    Rollback\
    Scratch\
    Backup\
    winre.wim 701,193,948 19 May 2026
    boot.sdi 3,170,304 14 June 2026
    ReAgent.xml 1,109 14 June 2026
    location.txt

    [WinRE Location]
    Partition offset=117890351104 <=== booby trap equipped... (when you cannot figure out why it Disabled itself)
    Relative path=\Recovery\WindowsRE
    OS Guid={8F4FA72F-3780-11EF-8CE3-B963A4DCEB9A}

    And normally, where that is stored, it will have some
    permissions to annoy you. For some reason right now, I
    can get into the Backup folder without using TestDisk :-)

    If your attempt to update it has failed, one of the places
    it could currently be waiting is C:\$WinREAgent, but it has
    more hidey holes than that.

    Paul

    I got the computer updated to 8655. I installed the downloaded cumulative update 5094126. Checked secure boot was on and all certificates had been applied. Shut down and restarted the computer and ran the cumulative update 5094126 downloaded file and then checked and I was on 8655. So all is good for now. I have enlarged recovery partitions in the past so I will look at this. Fingers crossed.

    <Bill>




    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 14:31:17 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/16/2026 10:54 AM, sticks wrote:
    On 6/16/2026 9:35 AM, ....winston wrote:
    On 06/16/2026 9:05 AM, sticks wrote:
    On 6/14/2026 2:56 AM, ....winston wrote:
    On 06/11/2026 10:26 PM, sticks wrote:
    On 6/11/2026 9:19 PM, ....winston wrote:

    Back on topic.
    @Paul and @sticks
    There are other powershell commands in admin mode that can be run
    for additional information on installation/updating 2023 certs.

    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject


    For this Secure Boot enabled device (Win10 Pro ESU) with a 4th Gen
    i7-4770 chip (yes, quite old) on an Asus Z87 Sabertooth mobo (last
    UEFI/BIOS March 2017), the results for the above commands are:

    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name DB |
    Where- Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US



    PS C:\WINDOWS\system32> get-securebootuefi -decoded -name KEK |
    Where- Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US


    Fyi...for those interested in an explanation of DB and KEK certs
    "DB (Allowed Signature Database): The list of certificates and
    trusted software the PC is allowed to run. The new 2023 DB
    certificates are used to sign modern Windows boot components."
    "KEK (Key Exchange Key): Often called the "master authority." The
    KEK gives Microsoft (and your hardware manufacturer) the
    permission to update your DB and DBX (revocation) lists without
    requiring a full manual BIOS flash".

    For the first command I only get your first entry, the second
    command I get the same as yours. That ok?



    With respect to CN=Microsoft Option ROM UEFI CA 2023

    When not present, it can have a few reasons, the two most common in
    simple answer form
    - not yet deployed
    - can't be deployed

    One could force the attempt to deploy by changing the reg key
    HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates
    dword value to 0x5944 or 0x1844, exit regedit, then go to Task
    Scheduler(admin mode) and run the Secure Boot scheduled task, once
    done restart twice(not shutdown, restart) then recheck.

    If still missing, then it's likely related to firmware limitation or
    missing/non-existent support from the mobo or mobo manufacturer or
    another possibility - the device never had the 2011 Option ROM 2011

    There is quite a bit of variation for option ROM and KEK deployment.
    There are ancient 4th gen and later Intel machines(not capable of
    running Win11 but running Win10 ESU) that have both Option ROM and
    KEK 2023 updates deployed while later devices(Intel 7th through 14th
    gen) running Win11 25H2 not having one or both(Option ROM, KEK 2023)

    Mine is an intel core ultra 5 225 (arrow lake) processor which I
    think is 2nd gen for the arrow lake, but it shows a launch date of Q1
    2025 so I assume these ultra processors would be considered a later
    device and this is normal.



    intel core ultra 5 225 - typically not classified with numerical gen
    level. Instead of '2nd gen' it was classified iirc as Series 2.

    Release wise, its performance is plus or minus around the same point
    and time as 14th Gen...better than 14th gen budget chips and worse
    than 14th gen mid-range.
    - a good choice for a large quantity end-user consumer devices

    I'm fine with the processor for what I use this machine for. My
    question though was to make sure I understand your answer above about
    later devices not having those other lines on the powershell result:

    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    These two lines I don't get. I only get the Windows one:

    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US

    For the later machines this is normal, right?



    As noted before, variation exists.
    Not all devices 'get' everything...and that is 'normal'

    Failure to deploy Option ROM and Microsoft UEFI certs is
    'normally'/typically caused by existing device hardware/firmware limitation.

    Two approaches may offer subsequent deployment of those two certs.
    1. Updating the firmware (OEM or mobo manufacturer UEFI/BIOS)
    2. Resetting Secure Boot in the UEFI/BIOS (Restoring Factory or
    Installing Default Secure Boot Keys)
    One or both may provide deployment of the 2023 cert keys on next restart(after the Schedule task runs, and two restarts).

    Whatever the end result...it would still be normal(the same condition
    before #1/#2, after 1/2, or doing nothing)
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
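Added example (mine, not winston's or anyone else's code from this thread): a read-only PowerShell snapshot of the Secure Boot servicing state, so that the before and after of a firmware update or a Secure Boot key reset can be compared rather than eyeballed. It reads the AvailableUpdates DWORD under the SecureBoot key named above (without writing it), the state and last result of the Secure Boot scheduled task, the 2023 subjects in DB and KEK, and the recent TPM-WMI events in the System log. Assumption: the task path \Microsoft\Windows\PI\Secure-Boot-Update is the documented name of the "Secure Boot scheduled task" referred to above; check it in Task Scheduler if Get-ScheduledTask finds nothing.

```powershell
# Added example for this thread, not a script posted by winston or anyone
# else here. Read-only snapshot of the Secure Boot servicing state so that
# the "before" and "after" of a firmware update or a Secure Boot key reset
# can be compared. Assumption (labelled): the scheduled task path
# \Microsoft\Windows\PI\Secure-Boot-Update is the "Secure Boot scheduled
# task" the thread refers to, as Microsoft documents it; verify in Task
# Scheduler on your build.
#Requires -RunAsAdministrator

$SbKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'   # key named in the thread
$TaskPath = '\Microsoft\Windows\PI\'                               # assumed, see above
$TaskName = 'Secure-Boot-Update'

function Get-2023Subjects([string]$Variable) {
    # Same filter as the thread's get-securebootuefi one-liner, sorted so
    # that two snapshots compare cleanly. Hash entries have no Subject.
    @(Get-SecureBootUEFI -Name $Variable -Decoded |
      ForEach-Object { $_.Subject } |
      Where-Object { $_ -match '2023' } | Sort-Object)
}

function Get-SecureBootServicingState {
    $sb   = Get-ItemProperty -Path $SbKey -ErrorAction Stop
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }
    [pscustomobject]@{
        Taken            = (Get-Date).ToString('s')
        # The DWORD the thread suggests editing; shown as hex, never written here.
        AvailableUpdates = if ($null -ne $sb.AvailableUpdates) { '0x{0:X}' -f $sb.AvailableUpdates } else { '(absent)' }
        TaskState        = if ($task) { [string]$task.State } else { '(task not found)' }
        TaskLastRun      = if ($info) { [string]$info.LastRunTime } else { $null }
        TaskLastResult   = if ($info) { '0x{0:X}' -f $info.LastTaskResult } else { $null }
        DB2023           = Get-2023Subjects 'DB'
        KEK2023          = Get-2023Subjects 'KEK'
    }
}

function Save-SecureBootSnapshot([string]$Path) {
    # Write the current state to JSON so it survives the restarts.
    Get-SecureBootServicingState | ConvertTo-Json -Depth 3 |
        Set-Content -LiteralPath $Path -Encoding UTF8
    Get-Item -LiteralPath $Path
}

function Compare-SecureBootSnapshot([string]$BeforePath) {
    # Field-by-field diff of a saved snapshot against the live state.
    $old = Get-Content -LiteralPath $BeforePath -Raw | ConvertFrom-Json
    $new = Get-SecureBootServicingState
    foreach ($field in 'AvailableUpdates', 'TaskLastRun', 'DB2023', 'KEK2023') {
        $before = @($old.$field) -join '; '
        $after  = @($new.$field) -join '; '
        [pscustomobject]@{ Field = $field; Before = $before; After = $after; Changed = ($before -ne $after) }
    }
}

function Get-RecentSecureBootEvents([int]$Count = 10) {
    # The TPM-WMI provider logs the Secure Boot update attempts; the first
    # line of each message is usually enough to see pass/fail.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
                 -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

# Usage, before the firmware update / key reset:
#   Save-SecureBootSnapshot "$env:TEMP\secureboot-before.json"
# after the task has run and the two restarts:
#   Compare-SecureBootSnapshot "$env:TEMP\secureboot-before.json" | Format-Table -AutoSize
#   Get-RecentSecureBootEvents | Format-Table -AutoSize
```

If DB2023 shows Changed=True with the Option ROM or Microsoft UEFI CA 2023 subject appearing in the After column, the firmware change did what the two approaches above are meant to do; if nothing changes after the task run and two restarts, that is the firmware-limitation case, which is the "normal" outcome described above either way.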
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 14:51:03 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/16/2026 12:26 PM, Bill Bradshaw wrote:
    Paul wrote:
    On Mon, 6/15/2026 1:22 PM, Bill Bradshaw wrote:
    Paul wrote:
    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject
    -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56) \
    Infineon TPM 2.0 \
    Ryzen 7 5700G 8C 16T CPU \
    BIOS version 7/13/2024 AMI 1i0 \
    DDR4 RAM (four sticks) \
    \___ Both have been used for Secure Boot test.
    [ASUS] ROG STRIX B550-F Gaming Wifi II / Secure Boot is now turned off on both.
    fTPM (no header for a physical TPM 2.0) / They're PCA2023. One has failed a media Secure Boot
    Ryzen 9 5950X 16C 32T CPU / where the media was still signed with
    PCA2011 and
    BIOS version 1/4/2026 AMI 3636 / at a guess, that is revoked.
    DDR4 RAM (four sticks) /

    [Asus] P9X79 <=== used for testing non-Secure-Boot behaviors
    no TPM at all (UEFI/CSM BIOS)
    4930K 6C 12T (HEDT, 42 PCIe lanes) This machine has W10 and W11
    and can test what
    BIOS Version 12/24/2013 AMI 4608 miserable performance others
    might see. It has
    DDR3 RAM (eight sticks) a mixture of HDD and SSDs for test. Mouse
    click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or other
    devices(no virtual machines, but only devices with Windows 10 ESU
    or Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so let's do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text
    reads:

    "Secure Boot is on and all required certificate
    updates have been applied. No further certificate
    changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either
    "value" can show
    up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
    C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System 100 MB 1024 KB
    Partition 2 Reserved 16 MB 101 MB
    Partition 3 Primary 108 GB 117 MB
    Partition 5 Recovery 2068 MB 108 GB <=== Win11 is using its Recovery Partition
    Partition 4 Primary 127 GB 110 GB <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-)
    Don't ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
    have a Recovery partition. I hope it doesn't break anything. Doing a backup
    before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick at
    the top, and green checkmark on the side. Text
    reads:

    "Secure boot is on, preventing malicious software
    from loading when your device starts up."
    "Your device meets the requirements for standard
    hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
    C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE <=== this is the C: drive of W10
    Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul

    I am running Windows 11 Pro and I am on 8457. I cannot get updated
    and downloaded the cumulative update to 8655 but it will not update.
    Checking Device Security reports all is fine with certificates, etc.

    diskpart shows:

    Partition 4 Recovery 755MB 113GB
    Partition 5 Recovery 800MB 114GB

    Do I need to try and increase the size of the Recovery Partitions?

    I recognize this is not a lot of info.

    <Bill>

    701,193,948 19 May 2026 (Win11 2.02GB Recovery partition contents)
    Used TestDisk 7.0 for a quick look.
    571,237,983 15-Jun-2026 (Win10 C:\Recovery\WindowsRE contents)
    Also via using TestDisk 7 to get around permissions. (This Win10 is the OS
    that doesn't have its own Recovery Partition.)

    Neither of these seems large enough to be held up by my partition dimensions,
    unless it is the "amount of margin" the scheme uses for updates. It doesn't
    just jam in the 701 thing and see if it fits, it takes the in-coming size, adds
    a couple hundred meg and checks whether that will fit.

    I made the room for the 701 one as 2.02GB, just because I wanted the job
    done and then on to the next thing.

    When an update does not go in, it is held in a waiting area in the
    root of C: and the folder has a dollar sign in it. This is the state
    of my "already-installed" one on Win11 (it's also in the 2.02GB
    Recovery partition).

    C:\$WinREAgent
    Rollback\
    Scratch\
    Backup\
    winre.wim 701,193,948 19 May 2026
    boot.sdi 3,170,304 14 June 2026
    ReAgent.xml 1,109 14 June 2026
    location.txt

    [WinRE Location]
    Partition offset=117890351104 <=== booby trap equipped... (when you cannot figure out why it Disabled itself)
    Relative path=\Recovery\WindowsRE
    OS Guid={8F4FA72F-3780-11EF-8CE3-B963A4DCEB9A}

    And normally, where that is stored, it will have some
    permissions to annoy you. For some reason right now, I
    can get into the Backup folder without using TestDisk :-)

    If your attempt to update it has failed, one of the places
    it could currently be waiting is C:\$WinREAgent , but it has
    more hidey holes than that.

    Paul

    I got the computer updated to 8655. I installed the downloaded cumulative update 5094126. Checked Secure Boot was on and all certificates had been applied. Shut down and restarted the computer and ran the cumulative update 5094126 downloaded file and then checked and I was on 8655. So all is good for now. I have enlarged recovery partitions in the past so I will look at this. Fingers crossed.

    <Bill>





    Progress!

    Ensure if resizing the active Recovery Partition, the correct partition
    is chosen.
    ...and only one is necessary. If both are adjacent to each other (e.g.
    partition 4 and 5, 4 is likely your active Recovery partition), then no
    shrinkage of C: (Partition #3 likely) would be necessary - just remove
    the unused Recovery partition, disable the current, and recreate the new
    with the entire available space (1555 MB) or shrink C by 493 MB and
    create a 2048 MB (2GB) Recovery partition.

    Those earlier requests for more data and pictures may still apply so interested parties can get a better idea of current condition and
    provide better and more accurate input, suggestions, or cautions.
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
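    The certificate checks the posts above run by hand (the get-securebootuefi one-liners against DB and KEK), as an added example that is not part of the thread and not Microsoft's code: this PowerShell script walks the EFI_SIGNATURE_LIST structures that the built-in Get-SecureBootUEFI cmdlet returns, decodes each X.509 entry with .NET, and reports whether the three 2023 CAs are in db and the 2023 KEK is in KEK, whether 2011-era CAs are still present, and how many SHA-256 revocation hashes dbx carries. It assumes an elevated PowerShell on a UEFI-booted Windows 10/11 machine; the two GUIDs are the UEFI specification's signature-type GUIDs, the common names are the ones shown in the posts, and the function names are mine.

```powershell
# Added example, not code from the thread. Audits the Secure Boot variables for
# the Microsoft 2011 -> 2023 CA rollover by walking the EFI_SIGNATURE_LIST
# structures returned by the built-in Get-SecureBootUEFI cmdlet, instead of
# pattern-matching the raw bytes. Run from an elevated PowerShell on a machine
# booted in UEFI mode.

$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID (UEFI spec)
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID (UEFI spec)

function Get-EfiSignatureEntries {
    # Returns one object per EFI_SIGNATURE_DATA entry found in the named variable.
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name)

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SigSize(4)
        $type       = [guid][byte[]]$bytes[$pos..($pos + 15)]
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed signature list in $Name at offset $pos" }
        $sigPos  = $pos + 28 + $headerSize
        $listEnd = $pos + $listSize
        while ($sigPos + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData (DER cert or raw hash)
            $owner = [guid][byte[]]$bytes[$sigPos..($sigPos + 15)]
            $data  = [byte[]]$bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
            $entry = [pscustomobject]@{ Variable = $Name; Type = $type.ToString(); Owner = $owner
                                        Subject = $null; NotAfter = $null; Sha256 = $null }
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type = 'X509'; $entry.Subject = $cert.Subject; $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EfiCertSha256) {
                $entry.Type = 'SHA256'; $entry.Sha256 = -join ($data | ForEach-Object { $_.ToString('x2') })
            }
            $entry
            $sigPos += $sigSize
        }
        $pos = $listEnd
    }
}

function Test-SecureBootCaRollover {
    # Same question the thread's 'Subject -match "2023"' one-liners ask, plus the
    # 2011 leftovers and the dbx hash count. Common names are those in the posts.
    $db  = @(Get-EfiSignatureEntries -Name db)
    $kek = @(Get-EfiSignatureEntries -Name KEK)
    $dbx = @(Get-EfiSignatureEntries -Name dbx)

    $want = @{
        'db: Windows UEFI CA 2023'                  = @($db  | Where-Object Subject -like 'CN=Windows UEFI CA 2023,*')
        'db: Microsoft UEFI CA 2023'                = @($db  | Where-Object Subject -like 'CN=Microsoft UEFI CA 2023,*')
        'db: Microsoft Option ROM UEFI CA 2023'     = @($db  | Where-Object Subject -like 'CN=Microsoft Option ROM UEFI CA 2023,*')
        'KEK: Microsoft Corporation KEK 2K CA 2023' = @($kek | Where-Object Subject -like 'CN=Microsoft Corporation KEK 2K CA 2023,*')
    }
    foreach ($k in ($want.Keys | Sort-Object)) {
        [pscustomobject]@{ Check = $k; Present = ($want[$k].Count -gt 0)
                           NotAfter = ($want[$k] | Select-Object -First 1).NotAfter }
    }
    [pscustomobject]@{ Check = 'db: 2011-era CAs still present'; Present = [bool]($db | Where-Object Subject -match '2011'); NotAfter = $null }
    [pscustomobject]@{ Check = 'dbx: SHA-256 revocation hashes';  Present = @($dbx | Where-Object Type -eq 'SHA256').Count; NotAfter = $null }
}

if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is OFF: the variables below are not enforced at boot.' }
Test-SecureBootCaRollover | Format-Table -AutoSize
```

    Because it parses the variable bytes itself, the script gives the same answer on a build whose cmdlet only returns raw bytes and does not decode subjects. Presence of a CA in db says nothing about SBAT or about which boot manager is installed; as the "[SBAT status being ignored]" remark above notes, a machine can show all four 2023 entries and still log Secure Boot update errors.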
  • From sticks@wolverine01@charter.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 18:40:36 2026
    From Newsgroup: alt.comp.os.windows-11

    On 6/16/2026 1:31 PM, ....winston wrote:

    For the later machines this is normal, right?

    As note before, variation exists.
    Not all devices 'get' everything...and that is 'normal'

    Failure to deploy Option ROM and Microsoft UEFI certs is 'normally'/ typically caused by existing device hardware/firmware limitation.

    Two approaches may offer subsequent deployment of those two certs.
    1. Updating the firmware (OEM or mobo manufacturer UEFI/BIOS)
    2. Resetting Secure Boot in the UEFI/BIOS (Restoring Factory or Installing Default Secure Boot Keys)
    One or both may provide deployment of the 2023 cert keys on next restart (after the Scheduled task runs, and two restarts).

    Whatever the end result...it would still be normal(the same condition
    before #1/#2, after 1/2, or doing nothing)

    Thank you. Only thing I will do now is just check occasionally for
    another bios update. It sounds like the rest will all work out.
    --
    Science Doesn't Support Darwin. Scientists Do

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 20:12:12 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/16/2026 7:40 PM, sticks wrote:
    On 6/16/2026 1:31 PM, ....winston wrote:

    For the later machines this is normal, right?

    As note before, variation exists.
    Not all devices 'get' everything...and that is 'normal'

    Failure to deploy Option ROM and Microsoft UEFI certs is 'normally'/
    typically caused by existing device hardware/firmware limitation.

    Two approaches may offer subsequent deployment of those two certs.
    1. Updating the firmware (OEM or mobo manufacturer UEFI/BIOS)
    2. Resetting Secure Boot in the UEFI/BIOS (Restoring Factory or
    Installing Default Secure Boot Keys)
    One or both may provide deployment of the 2023 cert keys on next
    restart (after the Scheduled task runs, and two restarts).

    Whatever the end result...it would still be normal(the same condition
    before #1/#2, after 1/2, or doing nothing)

    Thank you. Only thing I will do now is just check occasionally for
    another bios update. It sounds like the rest will all work out.


    You're welcome...in the meantime, fix your dual, and unnecessary two
    Recovery partitions using diskpart or 3rd party tools.

    ...and ensure you have a backup or know how to obtain winre.wim.
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From sticks@wolverine01@charter.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Tue Jun 16 20:08:43 2026
    From Newsgroup: alt.comp.os.windows-11

    On 6/16/2026 7:12 PM, ....winston wrote:

    You're welcome...in the meantime, fix your dual, and unnecessary two Recovery partitions using diskpart or 3rd party tools.

    ...and ensure you have a backup or know how to obtain winre.wim.

    I think you've got me mixed up with Bill in a offshoot of this thread.
    You and Paul helped me fix my winre issues awhile ago when the
    difficulties first began. Jeeze, that must be a couple years back by now.
    --
    Science Doesn't Support Darwin. Scientists Do

    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Wed Jun 17 02:33:18 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/16/2026 9:08 PM, sticks wrote:
    On 6/16/2026 7:12 PM, ....winston wrote:

    You're welcome...in the meantime, fix your dual, and unnecessary two
    Recovery partitions using diskpart or 3rd party tools.

    ...and ensure you have a backup or know how to obtain winre.wim.

    I think you've got me mixed up with Bill in a offshoot of this thread.
    You and Paul helped me fix my winre issues awhile ago when the
    difficulties first began. Jeeze, that must be a couple years back by now.


    Yes, sorry for the inconvenience.
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2
  • From Bill Bradshaw@bradshaw@gci.net to alt.comp.os.windows-11,alt.comp.os.windows-10 on Wed Jun 17 08:25:18 2026
    From Newsgroup: alt.comp.os.windows-11

    ....winston wrote:
    On 06/16/2026 12:26 PM, Bill Bradshaw wrote:
    Paul wrote:
    On Mon, 6/15/2026 1:22 PM, Bill Bradshaw wrote:
    Paul wrote:
    On Sat, 6/13/2026 9:16 PM, ....winston wrote:
    On 06/12/2026 12:42 AM, Paul wrote:
    get-securebootuefi -decoded -name DB | Where-Object {$_.Subject -match "2023"} | Select subject

    get-securebootuefi -decoded -name KEK | Where-Object {$_.Subject -match "2023"} | Select subject




    [MSI] MPG B550 Gaming Plus (MS-7C56)
    Infineon TPM 2.0
    Ryzen 7 5700G 8C 16T CPU
    BIOS version 7/13/2024 AMI 1i0
    DDR4 RAM (four sticks)

    [ASUS] ROG STRIX B550-F Gaming Wifi II
    fTPM (no header for a physical TPM 2.0)
    Ryzen 9 5950X 16C 32T CPU
    BIOS version 1/4/2026 AMI 3636
    DDR4 RAM (four sticks)

    Both have been used for Secure Boot test. Secure Boot is now turned
    off on both. They're PCA2023. One has failed a media Secure Boot where
    the media was still signed with PCA2011 and at a guess, that is revoked.

    [Asus] P9X79 <=== used for testing non-Secure-Boot behaviors
    no TPM at all (UEFI/CSM BIOS)
    4930K 6C 12T (HEDT, 42 PCIe lanes)
    BIOS Version 12/24/2013 AMI 4608
    DDR3 RAM (eight sticks)

    This machine has W10 and W11 and can test what miserable performance
    others might see. It has a mixture of HDD and SSDs for test.
    Mouse click to response, takes 1 second.


    Did you run the get-securebootuefi on any of these devices or
    other devices(no virtual machines, but only devices with Windows
    10 ESU or Win11 25H2 as the installed to metal o/s)?

    If so, what were the results?


    OK, so lets do that. First I have to turn Secure Boot back on.
    This will be on the 5950X. Then I can select the Win10 on the same
    machine, and see what is cooking over there.

    First Win11.

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick
    at the top, and green checkmark on the side.
    Text reads:

    "Secure Boot is on and all required certificate
    updates have been applied. No further
    certificate changes are needed." [SBAT status being ignored]

    Yes, this is an Administrator Terminal, but currently, either "value" can show
    up for the current working directory, for either terminal type.

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US

    PS C:\Users\bullwinkle> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
    C=US

    # Updates were stuck on the W11, due to (apparently) the recovery partition size.
    # I resized it using a Macrium backup and restore/resize without breaking it.

    PS C:\Users\bullwinkle> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition5\Recovery\WindowsRE
    Boot Configuration Data (BCD) identifier: 8f4fa731-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0
    Windows RE Version: 10.0.26100.8455

    DISKPART> list part

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 System 100 MB 1024 KB
    Partition 2 Reserved 16 MB 101 MB
    Partition 3 Primary 108 GB 117 MB
    Partition 5 Recovery 2068 MB 108 GB <=== Win11 is using its Recovery Partition
    Partition 4 Primary 127 GB 110 GB <=== Win10 is using C: for the purpose "Access is Denied"

    Winver on box reads as: 26200.8655

    Oh, and the box logs in without using a password (local account) :-)
    Don't ask me how that happened, I haven't a clue.

    *******

    Now, we'll hop over to the Win10 side, and see what it says. The Win10 does not
    have a Recovery partition. I hope it doesn't break anything. Doing a backup
    before heading over...

    msinfo32 (as administrator)
    BIOS Mode: UEFI
    Secure Boot State: ON
    PCR7 Configuration: Binding Possible

    Device Security
    Secure Boot - Looks like a power button circle, with the tick
    at the top, and green checkmark on the side.
    Text reads:

    "Secure boot is on, preventing malicious software
    from loading when your device starts up."
    "Your device meets the requirements for standard
    hardware security."

    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> get-securebootuefi -decoded -name DB |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US
    PS C:\Windows\system32> get-securebootuefi -decoded -name KEK |
    Where-Object {$_.Subject -match "2023"} | Select subject

    Subject
    -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation,
    C=US

    PS C:\Windows\system32> reagentc /info
    Windows Recovery Environment (Windows RE) and system reset
    configuration
    Information:

    Windows RE status: Enabled
    Windows RE location:
    \\?\GLOBALROOT\device\harddisk0\partition4\Recovery\WindowsRE <=== this is the C: drive of W10
    Boot Configuration Data (BCD) identifier: 8f4fa72c-3780-11ef-8ce3-b963a4dceb9a
    Recovery image location:
    Recovery image index: 0
    Custom image location:
    Custom image index: 0

    REAGENTC.EXE: Operation Successful.

    Winver reads: 19045.7417 22H2 Windows 10 Home (my only ESU)

    Box login requires password.

    Paul

    I am running Windows 11 Pro and I am on 8457. I cannot get updated
    and downloaded the cumulative update to 8655 but it will not
    update. Checking Device Security reports all is fine with
    certificates, etc.

    diskpart shows:

    Partition 4 Recovery 755MB 113GB
    Partition 5 Recovery 800MB 114GB

    Do I need to try and increase the size of the Recovery Partitions?

    I recognize this is not a lot of info.

    <Bill>

    701,193,948 19 May 2026 (Win11 2.02GB Recovery partition contents)
    Used TestDisk 7.0 for a quick look.
    571,237,983 15-Jun-2026 (Win10 C:\Recovery\WindowsRE contents)
    Also via using TestDisk 7 to get around permissions. (This Win10 is the OS
    that doesn't have its own Recovery Partition.)

    Neither of these seems large enough to be held up by my partition dimensions,
    unless it is the "amount of margin" the scheme uses for updates. It doesn't
    just jam in the 701 thing and see if it fits, it takes the in-coming size, adds
    a couple hundred meg and checks whether that will fit.

    I made the room for the 701 one as 2.02GB, just because I wanted the job
    done and then on to the next thing.

    When an update does not go in, it is held in a waiting area in the
    root of C: and the folder has a dollar sign in it. This is the state
    of my "already-installed" one on Win11 (it's also in the 2.02GB
    Recovery partition).

    C:\$WinREAgent
    Rollback\
    Scratch\
    Backup\
    winre.wim 701,193,948 19 May 2026
    boot.sdi 3,170,304 14 June 2026
    ReAgent.xml 1,109 14 June 2026
    location.txt

    [WinRE Location]
    Partition offset=117890351104 <=== booby trap equipped... (when you cannot figure out why it Disabled itself)
    Relative path=\Recovery\WindowsRE
    OS Guid={8F4FA72F-3780-11EF-8CE3-B963A4DCEB9A}

    And normally, where that is stored, it will have some
    permissions to annoy you. For some reason right now, I
    can get into the Backup folder without using TestDisk :-)

    If your attempt to update it has failed, one of the places
    it could currently be waiting is C:\$WinREAgent , but it has
    more hidey holes than that.

    Paul

    I got the computer updated to 8655. I installed the downloaded
    cumulative update 5094126. Checked secure boot was on and all
    certificates had been applied. Shutdown and restarted the computer
    and ran the cumulative update 5094126 downloaded file and then
    checked and I was on 8655. So all is good for now. I have enlarged
    recovery partitions in the past so I will look at this. Fingers
    crossed. <Bill>





    Progress!

    Ensure if resizing the active Recovery Partition, the correct
    partition is chosen.
    ...and only one is necessary. If both are adjacent to each other (e.g.
    partition 4 and 5, 4 is likely your active Recovery partition), then
    no shrinkage of C: (Partition #3 likely) would be necessary - just
    remove the unused Recovery partition, disable the current, and
    recreate the new with the entire available space (1555 MB) or
    shrink C by 493 MB and create a 2048 MB (2GB) Recovery partition.

    Those earlier requests for more data and pictures may still apply so interested parties can get a better idea of current condition and
    provide better and more accurate input, suggestions, or cautions.

    I thought having 2 recoveries was strange. My other computers have 2 GB recovery partitions.
    Thanks for the advice.

    <Bill>


    --- Synchronet 3.22a-Linux NewsLink 1.2
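    The recovery-partition sizing question running through this post and the earlier one, as an added example that is not from the thread: this PowerShell script reads reagentc /info to find the active WinRE partition, looks it up with Get-Partition and Get-Volume, compares free space against the winre.wim staged in C:\$WinREAgent plus a safety margin, checks whether the partition offset recorded in location.txt still matches the live partition (the "booby trap" Paul points at), and lists every Recovery-type partition on that disk so a duplicate pair like Bill's Partition 4/5 shows up. Assumptions: an elevated PowerShell on Windows 10/11, and a 250 MB margin, which is my choice based on Microsoft's free-space guidance for the 2024 WinRE update failures rather than a figure from this thread; the function names are mine.

```powershell
# Added example, not code from the thread. Checks whether the active WinRE
# partition has room for the winre.wim that Windows Update staged under
# C:\$WinREAgent, and flags the offset mismatch that leaves WinRE disabled.
# Assumes an elevated PowerShell on Windows 10/11. $MarginMB = 250 is an
# assumed safety margin (Microsoft's free-space guidance for the 2024 WinRE
# update failures), not a number taken from this thread.

function Get-WinReLocation {
    # Parses 'reagentc /info' into status, disk number and partition number.
    $text = (& reagentc.exe /info 2>&1) -join "`n"
    if ($text -match 'Windows RE status:\s+(\w+)') { $status = $Matches[1] }
    else { throw "Could not parse reagentc output:`n$text" }
    $disk = $null; $part = $null
    if ($text -match 'harddisk(\d+)\\partition(\d+)') { $disk = [int]$Matches[1]; $part = [int]$Matches[2] }
    [pscustomobject]@{ Status = $status; DiskNumber = $disk; PartitionNumber = $part }
}

function Test-WinRePartitionHeadroom {
    param([int]$MarginMB = 250)   # assumed margin, see comment above
    $loc    = Get-WinReLocation
    $agent  = Join-Path $env:SystemDrive '$WinREAgent'   # single quotes: literal folder name
    $staged = Join-Path $agent 'winre.wim'
    $stagedBytes = 0
    try {
        if (Test-Path -LiteralPath $staged) { $stagedBytes = (Get-Item -LiteralPath $staged -Force).Length }
    } catch { Write-Warning "Cannot read $staged ($($_.Exception.Message)); treating staged size as 0" }

    $r = [ordered]@{
        WinReStatus              = $loc.Status
        ActivePartition          = $null
        PartitionSizeMB          = $null
        FreeMB                   = $null
        StagedWimMB              = [math]::Round($stagedBytes / 1MB)
        NeededMB                 = [math]::Round($stagedBytes / 1MB) + $MarginMB
        FitsConservatively       = $null
        OffsetMatchesLocationTxt = $null
        RecoveryPartitionsOnDisk = $null
    }
    if ($loc.Status -eq 'Enabled' -and $null -ne $loc.PartitionNumber) {
        $p   = Get-Partition -DiskNumber $loc.DiskNumber -PartitionNumber $loc.PartitionNumber
        $vol = $p | Get-Volume -ErrorAction SilentlyContinue   # works without a drive letter
        $r.ActivePartition = "Disk $($loc.DiskNumber) Partition $($p.PartitionNumber) ($($p.Type), offset $($p.Offset))"
        $r.PartitionSizeMB = [math]::Round($p.Size / 1MB)
        if ($vol) {
            $r.FreeMB = [math]::Round($vol.SizeRemaining / 1MB)
            # Conservative: free space alone must hold the new image plus margin,
            # without counting the old winre.wim the update will replace.
            if ($stagedBytes) { $r.FitsConservatively = $vol.SizeRemaining -ge ($stagedBytes + $MarginMB * 1MB) }
        }
        # The thread's "booby trap": location.txt records the offset WinRE was
        # registered at; after a move/recreate it no longer matches the live partition.
        $locTxt = Join-Path $agent 'location.txt'
        if (Test-Path -LiteralPath $locTxt) {
            $m = Get-Content -LiteralPath $locTxt -Force | Select-String 'Partition offset=(\d+)'
            if ($m) { $r.OffsetMatchesLocationTxt = ([uint64]$m.Matches[0].Groups[1].Value -eq [uint64]$p.Offset) }
        }
        $r.RecoveryPartitionsOnDisk = (Get-Partition -DiskNumber $loc.DiskNumber |
            Where-Object Type -eq 'Recovery' |
            ForEach-Object { "Partition $($_.PartitionNumber): $([math]::Round($_.Size / 1MB)) MB" }) -join '; '
    }
    [pscustomobject]$r
}

Test-WinRePartitionHeadroom | Format-List
```

    When WinRE lives on the OS volume, as on Paul's Win10, the same check runs against C: and FreeMB is simply the free space there. FitsConservatively stays empty when nothing is staged in C:\$WinREAgent; RecoveryPartitionsOnDisk listing more than one entry is the situation the reply above tells Bill to clean up.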
  • From ....winston@winstonmvp@gmail.com to alt.comp.os.windows-11,alt.comp.os.windows-10 on Thu Jun 18 02:21:53 2026
    From Newsgroup: alt.comp.os.windows-11

    On 06/17/2026 12:25 PM, Bill Bradshaw wrote:
    ....winston wrote:
    On 06/16/2026 12:26 PM, Bill Bradshaw wrote:

    I got the computer updated to 8655. I installed the downloaded
    cumulative update 5094126. Checked secure boot was on and all
    certificates had been applied. Shutdown and restarted the computer
    and ran the cumulative update 5094126 downloaded file and then
    checked and I was on 8655. So all is good for now. I have enlarged
    recovery partitions in the past so I will look at this. Fingers
    crossed. <Bill>





    Progress!

    Ensure if resizing the active Recovery Partition, the correct
    partition is chosen.
    ...and only one is necessary. If both are adjacent to each other (e.g.
    partition 4 and 5, 4 is likely your active Recovery partition), then
    no shrinkage of C: (Partition #3 likely) would be necessary - just
    remove the unused Recovery partition, disable the current, and
    recreate the new with the entire available space (1555 MB) or
    shrink C by 493 MB and create a 2048 MB (2GB) Recovery partition.

    Those earlier requests for more data and pictures may still apply so
    interested parties can get a better idea of current condition and
    provide better and more accurate input, suggestions, or cautions.

    I thought having 2 recoveries was strange. My other computers have 2 GB recovery partitions.
    Thanks for the advice.

    <Bill>



    You're welcome. Good luck.
    --
    ...w-i|#-o-#-n|#
    --- Synchronet 3.22a-Linux NewsLink 1.2