From Newsgroup: alt.comp.os.windows-11
On Fri, 6/26/2026 8:01 AM, Dennis wrote:
On Mon, 20 Apr 2026 06:14:21 -0400, Dennis <nobody@nowhere.invalid>
wrote:
On Mon, 20 Apr 2026 03:41:37 -0400, Paul <nospam@needed.invalid> wrote:
[...]
Hi Paul,
Looks like I'll add yet another monthly item to my calendar (to check HP
for updated BIOS).
Thanks for your help on this.
A new BIOS version for my HP has just appeared at https://support.hp.com/us-en/drivers.
F.14 Rev A
It is dated 4 May 2026. It wasn't there last Friday.
Of course, the description only says "provides improved security".
I'll try it sometime next week to see if it has any impact on the
TPM-WMI errors.
https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e
June 24, 2026 Signs updates to DB and DBX.
October 19, 2026 Used for signing the Windows boot loader.
June 27, 2026 Signs third-party boot loaders and EFI applications.
June 27, 2026 Signs third-party option ROMs
Oct 19 looks like the most critical date.
If you're a dual booter, I think people have already been reporting
trouble with NVidia cards (bottom item) in Linux, where the driver is 580 instead
of 535 or 550, as the "driver" is now implemented as a firmware and
perhaps a display ends up running at 1024x768 (if the OS runs at all).
I've had to fix that in two Linux installs. Usually the situation is,
so "updates" come in, and on the next reboot, the graphics are fouled.
The June 24 one, maybe that one prevents PCA2011 from "being revoked",
but PCA2011 will expire on its own anyway (the second item in the list and
the impact of that on the "winload" file on your C: drive). I can't remember what I was doing, but I was getting a complaint about Winload failing signing.
On balance, I would think Oct 19 would be your most important day,
the others could still make the odd nuisance of themselves depending on
how many OSes you're juggling. I had to back out of one OS using a
580 driver already, tore 20 files out of the package management so
the OS would have no choice but to look for a 535 or a 550, and eventually
I regained control enough to select an older driver (which worked).
When I installed a new BIOS, I never seemed to notice that new keys
were installed, but perhaps some "paths" for updating things were
then opened and Windows could do its thing.
As another issue, I don't think any of the machines in the room,
really respond to the setting of SBAT (for Linux). I think no
motherboard in the room implements that. Linux sets that as a
"compression mechanism" so that the 4x32KB key stores
don't fill as quickly. That's why the mechanism exists, to define
a "class" or "epoch" of things, rather than naming a hundred
distros manually.
That's the beauty of the thing, others set the traps, you're
responsible for the maintenance :-)
Paul
--- Synchronet 3.22a-Linux NewsLink 1.2