• Re: Windows Secure Boot Certificate

    From Alan K.@3:633/10 to All on Thu Mar 5 18:24:37 2026
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this
    before they expire remains to be seen but you can manually upgrade it by using these PowerShell/Terminal commands as Administrator:

    Check if it needs updating:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    If it shows false then you need to change the registry:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

    Then run this in Terminal/PowerShell:

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Article:

    <https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_takeaction>




    This is so old it's pathetic. 2023. I would sure hope that some standard MS patch came
    down the line. It would be a pity if millions of windows 11 users got hung out to dry.

    --
    Linux Mint 22.3, Mozilla Thunderbird 140.8.0esr, Mozilla Firefox 148.0
    Alan K.

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
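The one-liner quoted in this post, generalized to every Microsoft CA involved in the rollover and to the KEK, db, dbx and dbdefault variables, as an added example that is not Jack's or Microsoft's code. The function names are mine; the CA common names are the ones Microsoft publishes for its 2011 and 2023 Secure Boot signing certificates. It is read-only and handles the legacy-boot case, where the Secure Boot cmdlets throw.

```powershell
# Added example, not from the thread: inventory the Secure Boot signature
# databases for the Microsoft CA names involved in the 2023 rollover.
# Read-only. Run from an elevated PowerShell on a UEFI-booted machine.
#
# Get-SecureBootUEFI returns the raw bytes of an EFI signature list. The
# X.509 certificates inside are DER-encoded and their subject common names
# appear in them as plain ASCII, which is why the quoted one-liner
# (ASCII.GetString ... -match 'Windows UEFI CA 2023') works at all.

$CaNames = @(
    'Microsoft Corporation KEK CA 2011',      # KEK: authorizes db/dbx updates
    'Microsoft Corporation KEK 2K CA 2023',   # its replacement
    'Microsoft Windows Production PCA 2011',  # db: signs the 2011-era boot manager
    'Windows UEFI CA 2023',                   # its replacement
    'Microsoft Corporation UEFI CA 2011',     # db: third-party code (Linux shim, option ROMs)
    'Microsoft UEFI CA 2023',                 # its replacement
    'Microsoft Option ROM UEFI CA 2023'       # option ROMs, split out from the above
)

function Get-SecureBootVariableText {
    param([Parameter(Mandatory)][string]$Name)
    # Returns $null instead of throwing on legacy/CSM boots or when the
    # variable is absent, so the caller can report "n/a" for that row.
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    } catch {
        $null
    }
}

function Get-SecureBootCaInventory {
    # One row per (variable, CA): is that CA's name found in that variable?
    $enabled = 'n/a'
    try { $enabled = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    foreach ($variable in 'KEK', 'db', 'dbx', 'dbdefault') {
        $text = Get-SecureBootVariableText -Name $variable
        foreach ($ca in $CaNames) {
            $present = if ($null -eq $text) { 'n/a' } else { $text.Contains($ca) }
            [pscustomobject]@{
                SecureBootEnabled = $enabled
                Variable          = $variable
                CA                = $ca
                Present           = $present
            }
        }
    }
}

Get-SecureBootCaInventory | Format-Table -AutoSize
```

Reading the table: a 2011 CA reported present in dbx has been revoked on that machine; the 2023 CAs being present in db (and in dbdefault, once the firmware vendor ships an update) is the state this thread is asking people to reach.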
  • From Paul@3:633/10 to All on Thu Mar 5 19:01:15 2026
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this
    before they expire remains to be seen but you can manually upgrade it by
    using these PowerShell/Terminal commands as Administrator:

    Check if it needs updating:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    If it shows false then you need to change the registry:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

    Then run this in Terminal/PowerShell:

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Article:

    <https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_takeaction>




    This is so old it's pathetic. 2023. I would sure hope that some standard MS patch came down the line. It would be a pity if millions of windows 11 users got hung out to dry.


    My recommendation, is to check in the BIOS to see if you can
    connect a USB stick and back up the four files with the
    certificates in it. Keeping those four files, gives
    you the ability to reset the certificate state if there
    are problems anywhere along the line.

    As for the proposition, Microsoft is concern-trolling us again,
    just like the WinRE problem they would not fix for themselves.
    I am "less excited" this time, at the prospect of messing
    around with my stuff.

    Paul

  • From VanguardLH@3:633/10 to All on Thu Mar 5 19:07:40 2026
    Jack <Jack@invalid.invalid> wrote:

    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. ...

    Only if you have Secure Boot enabled in the BIOS. I don't.

  • From Alan K.@3:633/10 to All on Thu Mar 5 22:15:10 2026
    On 3/5/26 7:01 PM, Paul wrote:
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this
    before they expire remains to be seen but you can manually upgrade it by
    using these PowerShell/Terminal commands as Administrator:

    Check if it needs updating:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    If it shows false then you need to change the registry:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

    Then run this in Terminal/PowerShell:

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Article:

    <https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_takeaction>




    This is so old it's pathetic. 2023. I would sure hope that some standard MS patch came down the line. It would be a pity if millions of windows 11 users got hung out to dry.


    My recommendation, is to check in the BIOS to see if you can
    connect a USB stick and back up the four files with the
    certificates in it. Keeping those four files, gives
    you the ability to reset the certificate state if there
    are problems anywhere along the line.

    As for the proposition, Microsoft is concern-trolling us again,
    just like the WinRE problem they would not fix for themselves.
    I am "less excited" this time, at the prospect of messing
    around with my stuff.

    Paul
    Paul, for those of us who are unaware of how, can you pass on your expertise on how to
    grab those four files and replace them later. As much as I'm not sure I'll need it but
    there's nothing like being ready anyway.

    --
    Linux Mint 22.3, Mozilla Thunderbird 140.8.0esr, Mozilla Firefox 148.0
    Alan K.

  • From Paul@3:633/10 to All on Thu Mar 5 23:27:10 2026
    On Thu, 3/5/2026 10:15 PM, Alan K. wrote:
    On 3/5/26 7:01 PM, Paul wrote:
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this
    before they expire remains to be seen but you can manually upgrade it by
    using these PowerShell/Terminal commands as Administrator:

    Check if it needs updating:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    If it shows false then you need to change the registry:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

    Then run this in Terminal/PowerShell:

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Article:

    <https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_takeaction>




    This is so old it's pathetic. 2023. I would sure hope that some standard MS patch came down the line. It would be a pity if millions of windows 11 users got hung out to dry.


    My recommendation, is to check in the BIOS to see if you can
    connect a USB stick and back up the four files with the
    certificates in it. Keeping those four files, gives
    you the ability to reset the certificate state if there
    are problems anywhere along the line.

    As for the proposition, Microsoft is concern-trolling us again,
    just like the WinRE problem they would not fix for themselves.
    I am "less excited" this time, at the prospect of messing
    around with my stuff.

    Paul
    Paul, for those of us who are unaware of how, can you pass on your expertise on how to grab those four files and replace them later. As much as I'm not sure I'll need it but there's nothing like being ready anyway.


    I didn't realize, that there is an interface at BIOS level, where
    you can back up the MOK, db, dbx and the other one, and the BIOS
    interface tells you to "plug in a USB stick". Usually, BIOS
    features like this use FAT or FAT32 for a file system. There
    would be a button in the BIOS, to either back up the four
    areas of the secure boot stuff, or do a restore.

    You have to find the Secure Boot support area in the BIOS for this.

    # Asus example. If you use the > icon next to an item,
    # the menu there may allow backing up just that item, like
    # just PK (platform key). The Save All puts four files on your
    # USB stick.

    https://i.sstatic.net/vTJqtwyo.jpg

    For example, you can back up the machine key (MOK), then
    remove the key, then restart the computer, and it is supposed
    to be in "recovery mode". The claim is, that if an OS needed
    to adjust the file set there, it could do it if the MOK is removed
    and the UEFI is no longer protected. I tried that and Windows
    would not touch the thing. So that wasn't a gating item for
    maintenance of the materials there. I restored the MOK from
    my USB stick, which enables Secure Boot again and prevents
    some amount of alteration.

    Ubuntu did not have a problem modifying something in either
    the .db or .dbx. But because I had not backed up my four
    items when the computer was new (I didn't know this feature
    was there), I don't have a file set corresponding to "Factory".
    And any "reset" feature, stands a chance of leaving four
    completely empty silos in there. It's the usual thing
    with computer manuals, that the documentation is not
    particularly thorough.

    Why should customers have to fuck around with this stuff ?
    This makes no sense to me. I like a challenge, but this
    is turning into just "more of the same", and I am less
    game to be treated like a trained puppy.

    Ubuntu seems to have no problem injecting two items
    into my BIOS, without explicit permission. So if we're
    going to be receiving missive after missive to be
    manually inserting PCA 2023, it smacks of an attempt
    to dodge responsibility for any "damages" to the users
    computer, if we can trick the user into doing the messing
    around.

    Another question I have, is there is PCA 2011 and PCA 2023.
    It may be (by some stretch of the imagination), an attack
    surface to leave PCA 2011 active in the BIOS. But I don't
    believe the certificate is valid past mid-year, and maybe
    at that point, whether it is allowed to be present or not
    is no longer an issue. If you aren't careful about your
    treatment of those two, it restricts what OS(es) you can
    boot. And again, we don't want to be put into a position
    where the function of the machine is compromised in any way.

    *******

    In legacy BIOS era, how many concerns would I have ? I would
    enable my disks, and the booting was a simple handoff from
    legacy BIOS, to whatever I had attached to the computer.
    I had complete freedom to use my computer the way I wanted
    to.

    What do we have today ? Hmmm.

    I've warned people in previous years, that there was a
    plan afoot to remove legacy (CSM) boot from BIOS soon
    (by Intel). And that is likely to be the case for
    equipment purchased now. What I don't know, is whether
    Secure Boot in UEFI mode, can be switched on and off
    as desired or not. Or for that matter, whether any amount
    of modifications are to be expected to the UEFI four file
    backup thing. The signed Linux shim, is supposed to use
    PCA 2023 as part of its root. And in principle, we still
    have the ability to boot other things. I don't know
    if any FreeBSD-like OSes are included in this or not.

    But with UEFI-only machines this year, a percentage
    of my DVD collection would no longer boot. Some of my
    legacy collection, will boot if you enter "noacpi"
    as an option. With the price of hardware though, I
    doubt I will be buying any more gear, any time soon.

    Paul

  • From Carlos E.R.@3:633/10 to All on Fri Mar 6 12:18:51 2026
    On 2026-03-06 02:07, VanguardLH wrote:
    Jack <Jack@invalid.invalid> wrote:

    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. ...

    Only if you have Secure Boot enabled in the BIOS. I don't.

    A friend has a W10 machine that I will have to update in the summer, so
    I will probably hit this. And to make it more interesting, the external
    backup disk boots Linux.

    --
    Cheers, Carlos.
    ES??, EU??;

  • From J. P. Gilliver@3:633/10 to All on Fri Mar 6 16:26:32 2026
    On 2026/3/6 4:27:10, Paul wrote:
    On Thu, 3/5/2026 10:15 PM, Alan K. wrote:
    On 3/5/26 7:01 PM, Paul wrote:
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    []
    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this

    Is there a way to tell from a running W10 setup (i. e. without having to
    do a reboot and watch for things flashing by) whether you have UEFI or
    legacy boot? (And, if UEFI, whether you have "Secure Boot enabled"
    [thanks VLH]?)
    []
    This is so old it's pathetic. 2023. I would sure hope that some standard

    Has that happened (i. e. do we not need to worry anyway)?

    MS patch came down the line. It would be a pity if millions of windows
    11 users got hung out to dry.

    Though I'd admit to a certain Schadenfreude!
    []
    As for the proposition, Microsoft is concern-trolling us again,
    just like the WinRE problem they would not fix for themselves.
    I am "less excited" this time, at the prospect of messing
    around with my stuff.

    Yes. Yet again.

    Paul
    Paul, for those of us who are unaware of how, can you pass on your expertise on how to grab those four files and replace them later. As much as I'm not sure I'll need it but there's nothing like being ready anyway.


    I didn't realize, that there is an interface at BIOS level, where
    you can back up the MOK, db, dbx and the other one, and the BIOS
    interface tells you to "plug in a USB stick". Usually, BIOS

    If this becomes necessary, does it screw up anything already on the stick?
    []
    Why should customers have to fuck around with this stuff ?
    This makes no sense to me. I like a challenge, but this
    is turning into just "more of the same", and I am less
    game to be treated like a trained puppy.

    Definitely. More of the killing off old hardware just for the sake of
    it. (In the name of "security", no doubt, and antipiracy.)
    []
    boot. And again, we don't want to be put into a position
    where the function of the machine is compromised in any way.

    *******

    In legacy BIOS era, how many concerns would I have ? I would
    enable my disks, and the booting was a simple handoff from
    legacy BIOS, to whatever I had attached to the computer.
    I had complete freedom to use my computer the way I wanted
    to.

    What do we have today ? Hmmm.

    I've warned people in previous years, that there was a
    plan afoot to remove legacy (CSM) boot from BIOS soon
    (by Intel). And that is likely to be the case for
    equipment purchased now. What I don't know, is whether
    Secure Boot in UEFI mode, can be switched on and off
    as desired or not. Or for that matter, whether any amount
    of modifications are to be expected to the UEFI four file
    backup thing. The signed Linux shim, is supposed to use
    PCA 2023 as part of its root. And in principle, we still
    have the ability to boot other things. I don't know
    if any FreeBSD-like OSes are included in this or not.

    But with UEFI-only machines this year, a percentage
    of my DVD collection would no longer boot. Some of my
    legacy collection, will boot if you enter "noacpi"
    as an option. With the price of hardware though, I
    doubt I will be buying any more gear, any time soon.

    Me neither - and nothing (well, not a lot) to do with the cost of hardware.

    Paul

    John
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    I admire you British: when things get tough, you reach for humour. Not firearms. - Sigourney (Susan) Weaver, RT 2017/11/4-10

  • From Paul@3:633/10 to All on Fri Mar 6 13:29:58 2026
    On Fri, 3/6/2026 6:18 AM, Carlos E.R. wrote:
    On 2026-03-06 02:07, VanguardLH wrote:
    Jack <Jack@invalid.invalid> wrote:

    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. ...

    Only if you have Secure Boot enabled in the BIOS. I don't.

    A friend has a W10 machine that I will have to update in the summer, so I will probably hit this. And to make it more interesting, the external backup disk boots Linux.


    It's not that hard to make a W10/W11 boot disk of your own.
    The license does not gate operation, and you can move the
    disk drive from machine to machine (this is unlike previous
    Windows versions, where between the license and the driver issue,
    it takes a fair bit of planning to do a disk drive move like that).

    You can also boot the Windows Installer DVD, select Troubleshooting
    and use the Command Prompt there. For example, you could
    do a CHKDSK /f on the customer C: drive, to tip it upright.
    But plenty of other convenience features will be out of reach
    if using the Installer DVD.

    You can also take a Macrium Rescue CD with you, and the
    item in there of usage is the "Boot Repair" option. It is
    convenient for simple problems (ones the Microsoft repair
    does not seem able to manage). There are Microsoft utilities
    that can perform all sorts of miracles, but for reasons
    of not damaging things, they are not typically automated
    to "move quickly and break things".

    For example, if D: was the EFI system partition (FAT32) and
    C: was the thing that no longer booted, a sample command is:

    bcdboot C:\Windows /s D: # The "slash s" specifies the "system" partition

    And on Windows-multiboots, if C: is working but your
    second OS on H: is not working, you can do this to remove
    all the old H: related materials, so you can issue commands
    to rebuild the details about H: .

    bcdboot /bcdclean full
    bcdboot H:\Windows # Since we replaced the boot files in D: with
    # the command above, and are actually running off C:
    # at the moment, adding H: back requires no specification
    # of where the system partition is located.

    There are differences between online and offline repair,
    and also in the availability of some features (bcdclean),
    so there is more to this than the simple commands demonstrate.
    But what you see above, is some of the more powerful stuff
    in the kit.

    Paul

  • From Paul@3:633/10 to All on Fri Mar 6 15:29:39 2026
    On Fri, 3/6/2026 11:26 AM, J. P. Gilliver wrote:
    On 2026/3/6 4:27:10, Paul wrote:
    On Thu, 3/5/2026 10:15 PM, Alan K. wrote:
    On 3/5/26 7:01 PM, Paul wrote:
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    []
    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this

    Is there a way to tell from a running W10 setup (i. e. without having to
    do a reboot and watch for things flashing by) whether you have UEFI or
    legacy boot? (And, if UEFI, whether you have "Secure Boot enabled"
    [thanks VLH]?)
    []

    If you go to Settings and enter TPM, the
    Device Security on mine says:

    "Security Processor"
    ...
    standard hardware security not supported

    Which means, roughly, that it is not enabled at BIOS level
    and used for the current boot. (The Security Processor is
    operating, but the BIOS is not switched to a state where
    it wants to measure anything, like measure a boot process.)

    The other entry in a Settings Search is "Security Processor"
    and it says

    Attestation Ready
    Storage Ready

    and above that it indicates the TPM type and version. And that
    is indicating, that if I did enable Secure Boot at BIOS level, it
    should work.

    The fact a TPM is detected and it is listed as an Infineon device
    (one of the manufacturers of such), that indicates there is a
    secure enclave for any TPM based measuring and recording to be done.

    But if the BIOS does not contain code for operating the TPM
    for the Secure Boot feature, that is a "lack of Attestation".
    For example, on the Optiplex 780, there is a TPM present, but
    there is no BIOS code to use it. On the Test Machine, there is
    no TPM present and there *is* BIOS code to use it. And these
    non-conformances prevent Secure Boot from happening.

    If I do Start : Run : msinfo32, then look at System Summary
    (there is at least one other MSFT utility to display this), it says:

    BIOS Mode UEFI
    Secure Boot State Off

    and that's a decent summary suitable for determining whether
    you're in CSM or UEFI, and if in UEFI whether Secure Boot
    was used or not.

    Paul




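The same facts msinfo32 reports as "BIOS Mode" and "Secure Boot State", plus TPM presence and vendor, read programmatically from a running session, as an added example that is not Paul's or Microsoft's code. The function names are mine; $env:firmware_type is an environment variable Windows sets at boot, Confirm-SecureBootUEFI and Get-Tpm are the stock cmdlets (Get-Tpm needs an elevated prompt), and the vendor decoding assumes the TCG convention of four ASCII characters packed into the ManufacturerId integer.

```powershell
# Added example, not from the thread: what msinfo32 shows as "BIOS Mode"
# and "Secure Boot State", plus TPM presence and vendor, collected from a
# running Windows 10/11 session without a reboot. Read-only.

function ConvertFrom-TpmManufacturerId {
    param([uint32]$Id)
    # Assumption (TCG vendor ID convention): four ASCII characters packed
    # big-endian into a 32-bit integer, e.g. 0x49465800 decodes to "IFX"
    # (Infineon, the vendor Paul mentions).
    $bytes = [System.BitConverter]::GetBytes($Id)
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    ([System.Text.Encoding]::ASCII.GetString($bytes)).Trim([char]0, ' ')
}

function Get-BootSecurityPosture {
    # Windows sets this variable at boot to 'UEFI' or 'Legacy' (CSM).
    $biosMode = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    # Confirm-SecureBootUEFI returns $true/$false on UEFI boots and throws
    # on legacy boots, where Secure Boot does not apply at all.
    $secureBoot = 'NotApplicable'
    try {
        $secureBoot = if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' }
    } catch { }

    # A TPM the OS cannot see (no chip, or firmware that never exposes it)
    # leaves Get-Tpm reporting TpmPresent = False; a missing cmdlet or a
    # non-elevated prompt leaves $tpm empty.
    $tpm = $null
    try { $tpm = Get-Tpm -ErrorAction Stop } catch { }

    $vendor = $null
    if ($tpm -and $tpm.TpmPresent) { $vendor = ConvertFrom-TpmManufacturerId $tpm.ManufacturerId }

    [pscustomobject]@{
        BiosMode        = $biosMode                              # msinfo32 "BIOS Mode"
        SecureBootState = $secureBoot                            # msinfo32 "Secure Boot State"
        TpmPresent      = if ($tpm) { $tpm.TpmPresent } else { $false }
        TpmReady        = if ($tpm) { $tpm.TpmReady } else { $false }
        TpmVendor       = $vendor
        # Only UEFI + Secure Boot On machines are affected by the CA rollover.
        AffectedByCaRollover = ($biosMode -eq 'UEFI' -and $secureBoot -eq 'On')
    }
}

Get-BootSecurityPosture | Format-List
```

AffectedByCaRollover answers the question asked in this thread: a machine reporting Legacy, or UEFI with Secure Boot Off, has nothing in firmware that the June 2026 certificate change can break.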
  • From ...w¡ñ?±?ñ@3:633/10 to All on Fri Mar 6 19:03:04 2026
    On 3/5/2026 4:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Windows Secure Boot certificates are reaching their "End of Life"
    starting June 2026. If you haven't updated your UEFI CA certificates,
    your PC's boot-level security is about to expire and you may have
    serious problems booting up your machine.

    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this
    before they expire remains to be seen but you can manually upgrade it by using these PowerShell/Terminal commands as Administrator:

    Check if it needs updating:

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    If it shows false then you need to change the registry:

    reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

    Then run this in Terminal/PowerShell:

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Article:

    <https://support.microsoft.com/en-us/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d#bkmk_takeaction>




    No need to change the registry

    [1] If your device is capable and supported for an updated UEFI/BIOS,
    update the UEFI/BIOS before performing the following.

    Force Secure Boot Update

    Logon to Windows with an admin account then Open Powershell in admin console

    Manual(Force Update)
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    After you separately run each of the above commands, it is necessary to restart your PC twice for the update to take effect.
    => in your admin logged-on Windows profile, click on the Start button,
    click on the Power button(lower right), click Restart. Once Windows
    restarts to the Lock screen, do not sign on. Click on the Power button,
    and click Restart again.
    Then, and only then log on to Windows in the same admin account.

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true," then your PC is using the new certificate
    - If this second command returns "true," your system is running an
    updated BIOS with the new Secure Boot certificates built in.
    Note: Older PCs and systems without a BIOS update installed will
    return "false" here.

    One can always repeat the above Powershell process if a UEFI/BIOS update
    is available in the future.





    --
    ...w­¤?ñ?¤

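A guarded version of the forced-update procedure in this post, as an added example that is not the poster's or Microsoft's code. The function names (Test-Has2023CA, Invoke-SecureBootDbUpdate) are mine; the registry path, the 0x40 value and the task name are the ones quoted above (the earlier post in the thread uses 0x5944, so the value is a parameter). It adds the preconditions an administrator would want before queuing a firmware db change: UEFI boot with Secure Boot on, the 2023 CA not already present, and, if the OS volume is BitLocker-protected, a recovery password protector on record (the recovery-key problem described later in the thread). -WhatIf shows the plan without writing anything.

```powershell
# Added example, not from the thread: a guarded wrapper around the
# quoted procedure. Preconditions are checked first; -WhatIf prints what
# would be done without touching the registry or the scheduled task.

function Test-Has2023CA {
    param([string]$Variable = 'db')
    # The thread's one-liner: the CA's subject name sits as ASCII inside
    # the DER certificate in the signature list, so a text match suffices.
    $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($bytes) -match 'Windows UEFI CA 2023')
}

function Invoke-SecureBootDbUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot',
        [int]$Flags       = 0x40,   # quoted in this post: queue the db update with the 2023 CA
        [string]$TaskName = '\Microsoft\Windows\PI\Secure-Boot-Update',
        [string]$OsDrive  = $env:SystemDrive   # e.g. 'C:'
    )

    # 1. Firmware preconditions: legacy boots and Secure Boot Off machines
    #    have no db the update could land in.
    if ($env:firmware_type -ne 'UEFI') { throw 'Legacy/CSM boot: nothing to update.' }
    if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is off; the db update only matters with it on.' }
    if (Test-Has2023CA -Variable 'db') { Write-Host 'Windows UEFI CA 2023 already in db; nothing to do.'; return }

    # 2. BitLocker precondition: a changed db alters the measured boot
    #    state, so a protected OS volume may demand its recovery password.
    #    No BitLocker module (e.g. Home edition) or an unprotected volume
    #    simply skips this check.
    $vol = $null
    try { $vol = Get-BitLockerVolume -MountPoint $OsDrive -ErrorAction Stop } catch { }
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
        if (-not $rp) {
            throw "BitLocker is on for $OsDrive but no recovery password protector exists; add and back one up first (Add-BitLockerKeyProtector -RecoveryPasswordProtector)."
        }
        Write-Warning "BitLocker is on for $OsDrive. Confirm recovery password ID $($rp.KeyProtectorId) is saved somewhere reachable without this machine."
    }

    # 3. Queue the update exactly as the post does, but only past ShouldProcess.
    $action = "set AvailableUpdates to 0x$('{0:X}' -f $Flags) and start $TaskName"
    if ($PSCmdlet.ShouldProcess($RegPath, $action)) {
        Set-ItemProperty -Path $RegPath -Name 'AvailableUpdates' -Value $Flags -Type DWord
        Start-ScheduledTask -TaskName $TaskName
        Write-Host 'Update queued. Restart twice, then re-run Test-Has2023CA to verify.'
    }
}

# Dry run: validates the preconditions and prints the planned change only.
Invoke-SecureBootDbUpdate -WhatIf
```

Run it with -WhatIf first. Without the switch the registry value is written and the task started; the two restarts this post describes are still required, after which Test-Has2023CA -Variable db reports whether the new CA landed and Test-Has2023CA -Variable dbdefault whether the firmware itself has been updated.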
  • From J. P. Gilliver@3:633/10 to All on Sat Mar 7 14:49:23 2026
    On 2026/3/6 20:29:39, Paul wrote:
    On Fri, 3/6/2026 11:26 AM, J. P. Gilliver wrote:
    On 2026/3/6 4:27:10, Paul wrote:
    On Thu, 3/5/2026 10:15 PM, Alan K. wrote:
    On 3/5/26 7:01 PM, Paul wrote:
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    []
    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this

    Is there a way to tell from a running W10 setup (i. e. without having to
    do a reboot and watch for things flashing by) whether you have UEFI or
    legacy boot? (And, if UEFI, whether you have "Secure Boot enabled"
    [thanks VLH]?)
    []

    If you go to Settings and enter TPM, the

    I get
    Device security
    Security processor
    Security processor troubleshooting

    Device Security on mine says:

    "Security Processor"
    ...
    standard hardware security not supported

    If I select the middle one I get details of it, suggesting I do have
    one, and it's AMD. I don't see the words standard or hardware on that
    screen, though under Status, I see Attestation Not supported.

    Which means, roughly, that it is not enabled at BIOS level
    and used for the current boot. (The Security Processor is
    operating, but the BIOS is not switched to a state where
    it wants to measure anything, like measure a boot process.)

    The other entry in a Settings Search is "Security Processor"
    and it says

    Attestation Ready
    Storage Ready

    and above that it indicates the TPM type and version. And that
    is indicating, that if I did enable Secure Boot at BIOS level, it
    should work.

    The fact a TPM is detected and it is listed as an Infineon device
    (one of the manufacturers of such), that indicates there is a
    secure enclave for any TPM based measuring and recording to be done.

    But if the BIOS does not contain code for operating the TPM
    for the Secure Boot feature, that is a "lack of Attestation".
    For example, on the Optiplex 780, there is a TPM present, but
    there is no BIOS code to use it. On the Test Machine, there is
    no TPM present and there *is* BIOS code to use it. And these
    non-conformances prevent Secure Boot from happening.

    If I do Start : Run : msinfo32, then look at System Summary
    (there is at least one other MSFT utility to display this), it says:

    BIOS Mode UEFI
    Secure Boot State Off

    and that's a decent summary suitable for determining whether
    you're in CSM or UEFI, and if in UEFI whether Secure Boot
    was used or not.

    Paul

    When I found those in mine (they're not adjacent lines), they're

    BIOS Mode UEFI
    Secure Boot State On



    Which suggests I may be susceptible to what this thread is about. Can I
    turn it off? (Ideally from within Windows?)
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    As we journey through life, discarding baggage along the way, we should
    keep an iron grip, to the very end, on the capacity for silliness. It
    preserves the soul from desiccation. - Humphrey Lyttelton quoted by
    Barry Cryer in Radio Times 10-16 November 2012

  • From J. P. Gilliver@3:633/10 to All on Sat Mar 7 14:54:46 2026
    On 2026/3/6 22:26:40, Jack wrote:
    On 06/03/2026 16:26, J. P. Gilliver wrote:
    Is there a way to tell from a running W10 setup (i. e. without having to
    do a reboot and watch for things flashing by) whether you have UEFI or
    legacy boot? (And, if UEFI, whether you have "Secure Boot enabled"
    [thanks VLH]?)
    []


    On Windows (10 / 11)
    The quickest and most reliable ways:

    Using System Information (easiest, no commands needed):
    Press Win + R → type msinfo32 → press Enter.
    In the System Summary section, look for the line BIOS Mode:
    * UEFI → you are booted in UEFI mode
    * Legacy → you are booted in Legacy / BIOS mode
    Look for "Secure Boot State" Line

    To access the actual settings, you will need to boot up at the firmware level and make changes in the BIOS. My system has UEFI and the
    certificate is fully updated, so I am not going to tamper with it.
    According to Microsoft, this cannot be changed without flashing old
    firmware from Dell (my current machine), which I am not going to do as
    it would be too risky.


    Sorry, I followed Paul's reply before seeing yours. Since mine is "On",
    I presume I'm susceptible? I don't want to tamper if I don't have to (my
    Windows is 10, Home, Build 19041.vb_release.191206-1406, according to the
    bottom right of my desktop).
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    As we journey through life, discarding baggage along the way, we should
    keep an iron grip, to the very end, on the capacity for silliness. It
    preserves the soul from desiccation. - Humphrey Lyttelton quoted by
    Barry Cryer in Radio Times 10-16 November 2012

  • From Herbert Kleebauer@3:633/10 to All on Sat Mar 7 17:55:51 2026
    On 3/7/2026 3:49 PM, J. P. Gilliver wrote:
    On 2026/3/6 20:29:39, Paul wrote:

    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Which suggests I may be susceptible to what this thread is about. Can I
    turn it off? (Ideally from within Windows?)

    No need to switch Secure boot off now. You can do it when
    Windows doesn't boot because of a missing valid certificate
    (happened for me a few years ago). But what you should do
    now is: if your system disk is encrypted, make sure you have
    access to the Bitlocker key, because when you switch off
    Secure Boot, Windows will boot only if you enter the
    Bitlocker key. In my case it was saved in a Microsoft account,
    but the phone number for that account was no longer valid
    so I had to wait 4 weeks to access the account without a
    SMS verification. This means, 4 weeks no access to the laptop!



  • From Paul@3:633/10 to All on Sat Mar 7 12:36:29 2026
    On Sat, 3/7/2026 9:49 AM, J. P. Gilliver wrote:
    On 2026/3/6 20:29:39, Paul wrote:
    On Fri, 3/6/2026 11:26 AM, J. P. Gilliver wrote:
    On 2026/3/6 4:27:10, Paul wrote:
    On Thu, 3/5/2026 10:15 PM, Alan K. wrote:
    On 3/5/26 7:01 PM, Paul wrote:
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    []
    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this
    Is there a way to tell from a running W10 setup (i. e. without having to
    do a reboot and watch for things flashing by) whether you have UEFI or
    legacy boot? (And, if UEFI, whether you have "Secure Boot enabled"
    [thanks VLH]?)
    []

    If you go to Settings and enter TPM, the

    I get
    Device security
    Security processor
    Security processor troubleshooting

    Device Security on mine says:

    "Security Processor"
    ...
    standard hardware security not supported

    If I select the middle one I get details of it, suggesting I do have
    one, and it's AMD. I don't see the words standard or hardware on that
    screen, though under Status, I see Attestation Not supported.

    Which means, roughly, that it is not enabled at BIOS level
    and used for the current boot. (The Security Processor is
    operating, but the BIOS is not switched to a state where
    it wants to measure anything, like measure a boot process.)

    The other entry in a Settings Search is "Security Processor"
    and it says

    Attestation Ready
    Storage Ready

    and above that it indicates the TPM type and version. And that
    is indicating, that if I did enable Secure Boot at BIOS level, it
    should work.

    The fact a TPM is detected and it is listed as an Infineon device
    (one of the manufacturers of such), that indicates there is a
    secure enclave for any TPM based measuring and recording to be done.

    But if the BIOS does not contain code for operating the TPM
    for the Secure Boot feature, that is a "lack of Attestation".
    For example, on the Optiplex 780, there is a TPM present, but
    there is no BIOS code to use it. On the Test Machine, there is
    no TPM present and there *is* BIOS code to use it. And these
    non-conformances prevent Secure Boot from happening.

    If I do Start : Run : msinfo32, then look at System Summary
    (there is at least one other MSFT utility to display this), it says:

    BIOS Mode UEFI
    Secure Boot State Off

    and that's a decent summary suitable for determining whether
    you're in CSM or UEFI, and if in UEFI whether Secure Boot
    was used or not.

    Paul

    When I found those in mine (they're not adjacent lines), they're

    BIOS Mode UEFI
    Secure Boot State On



    Which suggests I may be susceptible to what this thread is about. Can I
    turn it off? (Ideally from within Windows?)


    Secure Boot is best controlled from the BIOS.

    And I've had situations like you're in, where Attestation
    was off and I couldn't figure out how to change the state
    of it. The BIOS side appeared to be functional to me.

    There is one registry entry, which could cause the
    secure boot state of the computer to be reconsidered,
    but I did not make a note of this in my Notes file :-/
    I think I may have tested that on the Big Machine,
    as part of trying to tip it upright on Secure Boot.
    But I didn't write down the details because I was
    on that other machine. Googling for this is a waste of
    time, as it simply latches onto the current PCA 2023
    campaign and will not let me get a whiff of that
    other registry setting (that came from before
    PCA 2023 was an issue).

    Machines:
    Test Machine No TPM, Cannot Attest (only for TPM 1.4)
    DailyDriver Physical TPM, PCA 2023 likely, Attestation ON, but not Secure Booted
    Big Machine fTPM, PCA 2023 NO, Attestation likely ON, Secure Boot "messed up".
    Getting various PCR7 messages at startup, not the good message.
    Two Canonical/Ubuntu certificates in .db or .dbx .
    Still unclear how to fix. And this machine is the
    Secure Boot Test Pig as well -- really happy about this.
    SpareMachine fTPM, machine not used often enough to know

    Paul

  • From J. P. Gilliver@3:633/10 to All on Sat Mar 7 19:24:57 2026
    On 2026/3/7 16:55:51, Herbert Kleebauer wrote:
    On 3/7/2026 3:49 PM, J. P. Gilliver wrote:
    On 2026/3/6 20:29:39, Paul wrote:

    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Which suggests I may be susceptible to what this thread is about. Can I
    turn it off? (Ideally from within Windows?)

    No need to switch Secure boot off now. You can do it when
    Windows doesn't boot because of a missing valid certificate
    (happened for me a few years ago). But what you should do

    I have C: (and hidden partitions) images - does that help?

    now is: if your system disk is encrypted, make sure you have

    I've no idea whether it is or not.

    access to the Bitlocker key, because when you switch off

    I have no idea how to get that.

    Secure Boot, Windows will boot only if you enter the
    Bitlocker key. In my case it was saved in a Microsoft account,

    AFAIK I have no such account.

    but the phone number for that account was no longer valid
    so I had to wait 4 weeks to access the account without a
    SMS verification. This means, 4 weeks no access to the laptop!


    This is getting very wearing.
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    "Subtlety is the art of saying what you think and getting out of the
    way before it is understood." - Fortunes

  • From Paul@3:633/10 to All on Sat Mar 7 17:18:23 2026
    On Sat, 3/7/2026 2:24 PM, J. P. Gilliver wrote:
    On 2026/3/7 16:55:51, Herbert Kleebauer wrote:
    On 3/7/2026 3:49 PM, J. P. Gilliver wrote:
    On 2026/3/6 20:29:39, Paul wrote:

    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    Which suggests I may be susceptible to what this thread is about. Can I
    turn it off? (Ideally from within Windows?)

    No need to switch Secure boot off now. You can do it when
    Windows doesn't boot because of a missing valid certificate
    (happened for me a few years ago). But what you should do

    I have C: (and hidden partitions) images - does that help?

    now is: if your system disk is encrypted, make sure you have

    I've no idea whether it is or not.

    access to the Bitlocker key, because when you switch off

    I have no idea how to get that.

    Secure Boot, Windows will boot only if you enter the
    Bitlocker key. In my case it was saved in a Microsoft account,

    AFAIK I have no such account.

    but the phone number for that account was no longer valid
    so I had to wait 4 weeks to access the account without a
    SMS verification. This means, 4 weeks no access to the laptop!


    This is getting very wearing.


    manage-bde -status # as administrator, indicates encryption

    Paul


  • From J. P. Gilliver@3:633/10 to All on Sat Mar 7 22:48:09 2026
    On 2026/3/7 22:18:23, Paul wrote:
    On Sat, 3/7/2026 2:24 PM, J. P. Gilliver wrote:
    []
    This is getting very wearing.


    manage-bde -status # as administrator, indicates encryption

    Paul

    That (done in an administrator prompt) told me (between ===s):

    ===
    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: []
    [OS Volume]

    Size: 75.00 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Key Protectors: None Found

    Volume D: [data]
    [Data Volume]

    Size: 371.48 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Automatic Unlock: Disabled
    Key Protectors: None Found
    ===
    Do I need to worry - about _anything_ in this thread? The above _looks_
    to me as if I'm not using BitLocker. Am I still in danger from this
    Secure Boot Certificate thing, or anything else that's been mentioned?
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    if I agreed with you, we'd both be wrong

  • From Paul@3:633/10 to All on Sat Mar 7 18:01:28 2026
    On Sat, 3/7/2026 5:48 PM, J. P. Gilliver wrote:
    On 2026/3/7 22:18:23, Paul wrote:
    On Sat, 3/7/2026 2:24 PM, J. P. Gilliver wrote:
    []
    This is getting very wearing.


    manage-bde -status # as administrator, indicates encryption

    Paul

    That (done in an administrator prompt) told me (between ===s):

    ===
    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: []
    [OS Volume]

    Size: 75.00 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Key Protectors: None Found

    Volume D: [data]
    [Data Volume]

    Size: 371.48 GB
    BitLocker Version: None
    Conversion Status: Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method: None
    Protection Status: Protection Off
    Lock Status: Unlocked
    Identification Field: None
    Automatic Unlock: Disabled
    Key Protectors: None Found
    ===
    Do I need to worry - about _anything_ in this thread? The above _looks_
    to me as if I'm not using BitLocker. Am I still in danger from this
    Secure Boot Certificate thing, or anything else that's been mentioned?


    That tells you, since there is no evidence of Microsoft encryption,
    then there would not be any blowback from resetting the TPM or so.
    You would not need a recovery key, to access your own disk.
    It means "one fewer complication", it's not some sort of
    complete solution to every problem.

    One of the installs I did here (perhaps 25H2 on the Test Machine),
    it started to encrypt C: but I noticed what it was up to and
    switched that off. The interface then has to decrypt (undo)
    the portion it has done up to that point. These tend to be CBC
    codes, block oriented, and it is not encrypting files as such,
    it's encrypting the physical layer as a series of blocks. That's
    how it can work backwards and undo things at block level.

    Paul

  • From Stan Brown@3:633/10 to All on Sat Mar 7 17:52:28 2026
    On Fri, 6 Mar 2026 15:29:39 -0500, Paul wrote:
    But if the BIOS does not contain code for operating the TPM
    for the Secure Boot feature, that is a "lack of Attestation".
    For example, on the Optiplex 780, there is a TPM present, but
    there is no BIOS code to use it.

    My Windows 10 Optiplex desktop shows:

    Status
    Attestation not-ready
    Storage not-ready

    If I do Start : Run : msinfo32, then look at System Summary
    (there is at least one other MSFT utility to display this), it says:

    BIOS Mode UEFI
    Secure Boot State Off

    Same here. The computer's about 7 years old (refurbished after it
    came off a corporate lease), so I suspect it simply doesn't have TPM
    or Secure Boot.

    --
    "The power of accurate observation is frequently called cynicism by
    those who don't have it." --George Bernard Shaw

  • From Stan Brown@3:633/10 to All on Sat Mar 7 17:56:19 2026
    On Sat, 7 Mar 2026 19:24:57 +0000, J. P. Gilliver wrote:
    On 2026/3/7 16:55:51, Herbert Kleebauer wrote:
    now is: if your system disk is encrypted, make sure you have
    access to the Bitlocker key, because when you switch off

    I have no idea how to get that.

    And you didn't try googling? I searched for
    how do I find my bitlocker key
    and the very first hit was

    https://support.microsoft.com/en-us/windows/find-your-bitlocker-recovery-key-6b71ad27-0b89-ea08-f143-056f5ab347d6

    --
    "The power of accurate observation is frequently called cynicism by
    those who don't have it." --George Bernard Shaw

  • From Paul@3:633/10 to All on Sat Mar 7 21:57:59 2026
    On Sat, 3/7/2026 8:52 PM, Stan Brown wrote:
    On Fri, 6 Mar 2026 15:29:39 -0500, Paul wrote:
    But if the BIOS does not contain code for operating the TPM
    for the Secure Boot feature, that is a "lack of Attestation".
    For example, on the Optiplex 780, there is a TPM present, but
    there is no BIOS code to use it.

    My Windows 10 Optiplex desktop shows:

    Status
    Attestation not-ready
    Storage not-ready

    If I do Start : Run : msinfo32, then look at System Summary
    (there is at least one other MSFT utility to display this), it says:

    BIOS Mode UEFI
    Secure Boot State Off

    Same here. The computer's about 7 years old (refurbished after it
    came off a corporate lease), so I suspect it simply doesn't have TPM
    or Secure Boot.


    Optiplex is for Corporate use and usually comes with Pro.
    When the machines are refurbished, the OS SKU that replaces the
    original OS tends to be Pro as well.

    For a Corporate user, they expect the TPM to be present.
    On a consumer line, it might be missing but Optiplex usually
    have Qxx chipset for Intel Management Engine, and TPM-like device.
    Part of refurbishment, is turning off IME for home usage.

    There is a claim that for 8th Gen Intel, there is a PTT
    to function as a secure enclave for the TPM function. On
    AMD, the fTPM uses an ARM core in the AMD processor (it
    has a secure enclave based on an ARM core of some sort).

    https://www.dell.com/support/kbdoc/en-us/000189676/windows-10-how-to-enable-the-tpm-trusted-platform-module

    On my machines, I managed to buy a physical TPM for one machine,
    but the others use fTPM (a BIOS coded function). The only
    reason to suspect fTPM, is if you cannot get VirtualBox
    TPM passthru to work. Otherwise, for host OS usage, the
    fTPM should fully meet the requirements. The Big Machine
    I use for Secure Boot test, uses fTPM instead of a nice
    physical TPM. There is no pin header on the Asus
    motherboard, which cost at least $250. That saves
    about ten cents. TPM modules started at $25, and
    by the time they were disappearing from the market,
    they were around $70 or so. Hard to say whether
    scalpers got them or not. There are many different models,
    and only one exact part number is intended to work.
    (An MSI won't fit an Asus, because the keying pin is
    in the wrong place.)

    Dell doesn't make you bob for those. If the era
    is right, it should be included. You would be waiting
    for a machine where the BIOS designers had caught up
    to the rest of the world, regarding attestation.

    The PCR7 message during boot on a computer, pressing
    the Break key does not delay the screen I/O. The only
    way I've found to view the PCR7 message (or any things
    that might represent errors), is to film the screen
    with a camera. If you want to OCR the crooked image,
    the SnippingTool has an OCR function good enough that
    it actually was 100% accurate on converting the
    messages I caught in a vid. As a rule of thumb, one
    line of text is likely OK, two lines something is
    probably going wrong. No guarantees.

    Paul



  • From J. P. Gilliver@3:633/10 to All on Sun Mar 8 07:13:56 2026
    On 2026/3/7 23:1:28, Paul wrote:
    On Sat, 3/7/2026 5:48 PM, J. P. Gilliver wrote:
    []
    That (done in an administrator prompt) told me (between ===s):
    []
    Do I need to worry - about _anything_ in this thread? The above _looks_
    to me as if I'm not using BitLocker. Am I still in danger from this
    Secure Boot Certificate thing, or anything else that's been mentioned?


    That tells you, since there is no evidence of Microsoft encryption,

    Good to know.

    then there would not be any blowback from resetting the TPM or so.

    I have no intention of doing that, or even finding out how to unless I
    need to.

    You would not need a recovery key, to access your own disk.

    Good.

    It means "one fewer complication", it's not some sort of
    complete solution to every problem.

    One of the installs I did here (perhaps 25H2 on the Test Machine),

    That's one of the main differences between us: I have not done an
    install of any Windows since, I think, 98SE. (And that might have been
    an upgrade rather than an install.)
    []
    So - _am_ I going to have to do anything about what this thread is about?
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    Eve had an Apple, Adam had a Wang...

  • From Paul@3:633/10 to All on Sun Mar 8 13:12:51 2026
    On Sun, 3/8/2026 3:13 AM, J. P. Gilliver wrote:

    []
    So - _am_ I going to have to do anything about what this thread is about?


    That "depends on the future".

    I cannot see Secure Boot becoming mandatory. The disk will
    still have to boot somehow, if moved to a machine with
    no Secure Boot capability. For W11, you have to think about
    what 26H2 may bring.

    For Win10, your concern is your Secure Boot status right now.
    If Secure Boot is turned off, then I don't see the OS dropping
    like a rock in mid-year.

    But it is still a good idea to maintain a computer,
    because you as the operator, don't want to be put
    between a rock and a hard place at some later date.

    It's not a good example, but take the behavior of
    Gentoo as an example. If you "do maintenance every day",
    the changes are tiny. If you put the machine away for
    six months, and try to do maintenance, suddenly you have
    two incompatible things that need repair at the same
    time and "things jam up". You have to be Kreskin at
    that point, to figure it out and fix it (apply a
    bias to the package manager, if you're lucky). When you
    know these things about computers, it's just a good
    idea to "maintain the machine posture", in case
    lord knows what happens :-)

    Even though I don't expect trouble, I still do my
    BIOS flashups that are labeled "Security Fix". Because
    I don't know what future exploits could happen.

    So you at least want to check your Secure Boot status.
    If it's enabled, then you could do the PCA 2023 thing.

    Paul


  • From ...w¡ñ?±?ñ@3:633/10 to All on Sun Mar 8 11:12:23 2026
    On 3/7/2026 3:48 PM, J. P. Gilliver wrote:
    On 2026/3/7 22:18:23, Paul wrote:
    On Sat, 3/7/2026 2:24 PM, J. P. Gilliver wrote:
    []
    This is getting very wearing.


    manage-bde -status # as administrator, indicates encryption

    Paul

    That (done in an administrator prompt) told me (between ===s):

    ===
    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: []
    [OS Volume]

    Encryption Method: None


    Volume D: [data]
    [Data Volume]
    Encryption Method: None

    ===
    Do I need to worry - about _anything_ in this thread? The above _looks_
    to me as if I'm not using BitLocker. Am I still in danger from this
    Secure Boot Certificate thing, or anything else that's been mentioned?

    For those volumes, Bitlocker worries - No.

    For Secure Boot (read my March 6th post; follow the instructions provided
    for installing the updated certificate and updating the UEFI firmware, if
    a Secure Boot firmware update is available for your device)
    - there is nothing else you need or can do.

    --
    ...w­¤?ñ?¤

  • From Frank Slootweg@3:633/10 to All on Sun Mar 8 18:25:39 2026
    Paul <nospam@needed.invalid> wrote:
    On Sun, 3/8/2026 3:13 AM, J. P. Gilliver wrote:

    []
    So - _am_ I going to have to do anything about what this thread is about?


    That "depends on the future".

    I cannot see Secure Boot becoming mandatory. The disk will
    still have to boot somehow, if moved to a machine with
    no Secure Boot capability. For W11, you have to think about
    what 26H2 may bring.

    For Win10, your concern is your Secure Boot status right now.
    If Secure Boot is turned off, then I don't see the OS dropping
    like a rock in mid-year.

    You/Winston/anybody correct me if I'm wrong, but if John does not
    want/need Secure Boot he can do one of two things: 1) Go into his BIOS
    and turn off Secure Boot now (and check that it's off with the 'System
    Information' (msinfo32) utility) or 2) do nothing and just wait-and-see
    if the system fails to boot in/after June 2026 and if so, do 1).

    [...]

    So you at least want to check your Secure Boot status.
    If it's enabled, then you could do the PCA 2023 thing.

    AFAIR, John already mentioned that Secure Boot *is* enabled on his
    system.

  • From J. P. Gilliver@3:633/10 to All on Sun Mar 8 18:41:49 2026
    On 2026/3/8 17:12:51, Paul wrote:
    On Sun, 3/8/2026 3:13 AM, J. P. Gilliver wrote:

    []
    So - _am_ I going to have to do anything about what this thread is about?


    That "depends on the future".

    I cannot see Secure Boot becoming mandatory. The disk will
    still have to boot somehow, if moved to a machine with
    no Secure Boot capability.

    Can't see doing that.

    For W11, you have to think about what 26H2 may bring.

    Don't see using W11 any time soon - and if I do, I'll probably buy a
    refurbished machine (probably after EOS).

    For Win10, your concern is your Secure Boot status right now.
    If Secure Boot is turned off, then I don't see the OS dropping
    like a rock in mid-year.

    But it is still a good idea to maintain a computer,
    because you as the operator, don't want to be put
    between a rock and a hard place at some later date.

    I Macrium my C: and FreeFileSync my D: (where most of my data is) about
    once a month - is that sufficient?

    It's not a good example, but take the behavior of
    Gentoo as an example. If you "do maintenance every day",
    the changes are tiny. If you put the machine away for
    six months, and try to do maintenance, suddenly you have
    two incompatible things that need repair at the same

    (six impossible things before breakfast?)

    time and "things jam up". You have to be Kreskin at
    that point, to figure it out and fix it (apply a
    bias to the package manager, if you're lucky). When you
    know these things about computers, it's just a good
    idea to "maintain the machine posture", in case
    lord knows what happens :-)

    I don't even know who Kreskin is :-)

    Even though I don't expect trouble, I still do my
    BIOS flashups that are labeled "Security Fix". Because
    I don't know what future exploits could happen.

    I generally operate on the trailing edge; running Windows XP, 7, and now
    10 from just before until well (years) after EOS.

    So you at least want to check your Secure Boot status.
    If it's enabled, then you could do the PCA 2023 thing.

    I seem to have
    BIOS Mode UEFI
    Secure Boot State On

    Is the "PCA 2023 thing" what w­¤?ñ?¤ says is in his "March 6th post"? I
    can't find a w­¤?ñ?¤ post in this thread dated (allowing for timezones)
    5, 6, or 7.

    Paul

    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    That's the key to wisdom: being delighted when you're wrong because
    you've learn something. - (Professor) Brian Cox, RT 2019/5/25-31

  • From J. P. Gilliver@3:633/10 to All on Sun Mar 8 18:48:05 2026
    On 2026/3/8 18:25:39, Frank Slootweg wrote:
    []
    You/Winston/anybody correct me if I'm wrong, but if John does not
    want/need Secure Boot he can do one of two things: 1) Go into his BIOS

    I don't particularly want it; to me, it's just another thing to go
    wrong, and really only protects me against the laptop being stolen.
    (Which, of course, could happen, I grant.)

    and turn off Secure Boot now (and check that it's off with the 'System

    Does turning it off - assuming it really is as simple as just toggling
    something in the BIOS (assuming I can get into that) - scramble
    anything? (I think I've established I don't have BitLocker on.)

    Information' (msinfo32) utility or 2) do nothing and just wait-and-see
    if the system fails to boot in/after June 2026 and if so, do 1).

    That may be what I do, though if it's Really Simple (and safe) I may do
    1 earlier.

    [...]

    So you at least want to check your Secure Boot status.
    If it's enabled, then you could do the PCA 2023 thing.

    AFAIR, John already mentioned that Secure Boot *is* enabled on his
    system.

    "On", I think.
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    If it ever makes a product which doesn't suck, it will be a vacuum cleaner.

  • From ...w¡ñ?±?ñ@3:633/10 to All on Sun Mar 8 11:53:11 2026
    On 3/6/2026 1:29 PM, Paul wrote:
    On Fri, 3/6/2026 11:26 AM, J. P. Gilliver wrote:
    On 2026/3/6 4:27:10, Paul wrote:
    On Thu, 3/5/2026 10:15 PM, Alan K. wrote:
    On 3/5/26 7:01 PM, Paul wrote:
    On Thu, 3/5/2026 6:24 PM, Alan K. wrote:
    On 3/5/26 6:30 PM, Jack wrote:
    Windows Secure Boot is EXPIRING: Do This Before June 2026!
    []
    This only applies to UEFI boot. On Windows 10 this was not necessary but
    for Windows 11 this is now mandatory. Whether Microsoft updates this

    Is there a way to tell from a running W10 setup (i. e. without having to
    do a reboot and watch for things flashing by) whether you have UEFI or
    legacy boot? (And, if UEFI, whether you have "Secure Boot enabled"
    [thanks VLH]?)
    []

    If you go to Settings and enter TPM, the
    Device Security on mine says:

    "Security Processor"
    ...
    standard hardware security not supported

    Which means, roughly, that it is not enabled at BIOS level
    and used for the current boot. (The Security Processor is
    operating, but the BIOS is not switched to a state where
    it wants to measure anything, like measure a boot process.)

    The other entry in a Settings Search is "Security Processor"
    and it says

    Attestation Ready
    Storage Ready

    and above that it indicates the TPM type and version. And that
    is indicating, that if I did enable Secure Boot at BIOS level, it
    should work.

    The fact a TPM is detected and it is listed as an Infineon device
    (one of the manufacturers of such), that indicates there is a
    secure enclave for any TPM based measuring and recording to be done.

    But if the BIOS does not contain code for operating the TPM
    for the Secure Boot feature, that is a "lack of Attestation".
    For example, on the Optiplex 780, there is a TPM present, but
    there is no BIOS code to use it. On the Test Machine, there is
    no TPM present and there *is* BIOS code to use it. And these
    non-conformances prevent Secure Boot from happening.

    If I do Start : Run : msinfo32, then look at System Summary
    (there is at least one other MSFT utility to display this), it says:

    BIOS Mode UEFI
    Secure Boot State Off

    and that's a decent summary suitable for determining whether
    you're in CSM or UEFI, and if in UEFI whether Secure Boot
    was used or not.

    Paul




    <https://techcommunity.microsoft.com/blog/windows-itpro-blog/attestation-readiness-verifier-for-tpm-reliability/4394221>

    The article mentions checking Event ID 1041 for 'attestation status'.
    Also look at Event IDs 1025 and 1038:
    1025 indicates TPM provisioning and ready for use
    1038 indicates pre-attestation health check and device expectation for
    passing attestation.

    Also note, if one accesses 'Security Processor' for Attestation
    status...there is a known issue (like a bug but usually temporary, i.e. a
    delay in analysis for devices with TPM and Event ID 1041 indicating
    attestation status (as True)).
    - Security Processor on initial use may show 'Attestation as not
    ready'. Closing Settings and re-searching TPM and choosing the Security
    Processor item a few times (one or more) may eventually show
    'Attestation' as ready.
    - in some cases just accessing the option for 'Security Processor
    Troubleshooting' but not running any provided options and returning
    (back arrow, upper left) updates and flips the status from Not Ready to
    Ready.

    This is one of those 'won't fix bugs' and has been present in later
    Win10 builds and Win11.

    --
    ...w­¤?ñ?¤

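    As an added example (not code from the thread or from any poster), here is a
    read-only PowerShell check that gathers in one place what the thread inspects
    piecemeal: msinfo32's BIOS Mode / Secure Boot State, the 'Windows UEFI CA 2023'
    test against db and dbdefault, any queued AvailableUpdates value, the TPM
    Event IDs 1025/1038/1041 named above, and the BitLocker status from manage-bde.
    It assumes Windows 10/11 with an elevated PowerShell; the provider name
    Microsoft-Windows-TPM-WMI and the function name Get-BootPosture are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: read-only boot-security posture check. Nothing here writes
# to the registry, firmware or scheduled tasks.

function Get-BootPosture {
    $result = [ordered]@{}

    # 1. UEFI vs legacy and Secure Boot state (what msinfo32 shows as
    #    "BIOS Mode" / "Secure Boot State"). Confirm-SecureBootUEFI throws on
    #    a legacy/CSM boot or unsupported firmware, which is itself the answer.
    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI
        $result.BootMode     = 'UEFI'
    } catch {
        $result.SecureBootOn = $false
        $result.BootMode     = 'Legacy/CSM (or Secure Boot unsupported)'
    }

    # 2. Is the 2023 CA already in the live db and in dbdefault? This is the
    #    same ASCII-match test as the thread's one-liners.
    foreach ($var in 'db', 'dbdefault') {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var).Bytes
            $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)
            $result["CA2023In_$var"] = [bool]($ascii -match 'Windows UEFI CA 2023')
        } catch {
            $result["CA2023In_$var"] = 'unreadable'
        }
    }

    # 3. A pending update request left behind by a previous run of the
    #    procedure in the thread (AvailableUpdates); null/0 means nothing queued.
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $result.AvailableUpdates = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates `
        -ErrorAction SilentlyContinue).AvailableUpdates

    # 4. TPM provisioning / attestation events from the System log
    #    (IDs 1025, 1038, 1041 from the post above; provider name assumed).
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1025, 1038, 1041
    } -MaxEvents 20 -ErrorAction SilentlyContinue
    $result.TpmEvents = @($events | Select-Object TimeCreated, Id, Message)

    # 5. BitLocker: manage-bde -status reduced to volume names and protection
    #    status, so you know whether a recovery key matters before touching
    #    Secure Boot in the firmware.
    $result.BitLocker = @(manage-bde -status) -match 'Volume|Protection Status'

    [pscustomobject]$result
}

Get-BootPosture | Format-List
```

    A "CA2023In_db" of True with Secure Boot On is the state the thread's
    procedure is trying to reach; False with Secure Boot On is the case to plan for.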
  • From Paul@3:633/10 to All on Sun Mar 8 15:00:22 2026
    On Sun, 3/8/2026 2:41 PM, J. P. Gilliver wrote:


    I seem to have
    BIOS Mode UEFI
    Secure Boot State On

    Is the "PCA 2023 thing" what w­¤?ñ?¤ says is in his "March 6th post"? I
    can't find a w­¤?ñ?¤ post in this thread dated (allowing for timezones)
    5, 6, or 7.

    ...w­¤?ñ?¤ <winstonmvp@gmail.com>

    Re: Windows Secure Boot Certificate

    <10og10n$16885$1@dont-email.me>

    Fri, 6 Mar 2026 19:03:04 -0700

    The post is at the end of the thread.
    I'd use HowardKnight, but it's broken and likely for good
    (sooner or later it would lose access to part of what it uses).

    ******* copy of post *******

    No need to change the registry

    [1] If your device is capable and supported for an updated UEFI/BIOS, update the UEFI/BIOS before performing the following.

    Force Secure Boot Update

    Logon to Windows with an admin account then Open Powershell in admin console

    Manual (Force Update)
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    After you separately run each of the above commands, it is necessary to restart your PC twice for the update to take effect.
    in your admin logged-on Windows profile, click on the Start button, click on the Power button(lower right), click Restart. Once Windows restarts to the Lock screen, do not sign on. Click on the Power button, and click Restart again.
    Then, and only then log on to Windows in the same admin account.

    Open Powershell in an admin prompt, then separately run each of these two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true", then your PC is using the new certificate
    - If this second command returns "true", your system is running an updated BIOS with the new Secure Boot certificates built in.
    Note: Older PCs and systems without a BIOS update installed will return "false" here.

    One can always repeat the above Powershell process if a UEFI/BIOS update is available in the future.

    ******* End: copy of post *******

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Sun Mar 8 19:05:58 2026
    ..w??? <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true", then your PC is using the new certificate
    - If this second command returns ?true,? your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    On my HP Windows 11 laptop with the (March) 'Secure Boot Allowed Key
    Exchange Key (KEK) Update', both commands return 'True', while AFAIK,
    the only (Windows Update supplied) BIOS update was done on Sept 19, 2023
    and according to HP documentation, the Secure Boot Certificate BIOS
    update for the age of my laptop (Nov 2022) should have come out around September 30 or December 31.

    'HP PCs - Prepare for new Windows Secure Boot certificates' <https://support.hp.com/us-en/document/ish_13070353-13070429-16>

    So how can a BIOS which was updated on Sept 19, 2023 include
    certificate fixes which were not released until late 2025?

    Sadly the information on what is fixed in which BIOS version for a
    given model is missing in the documentation on HP's support site. It
    only says something meaningless like 'security fix'.

    For my laptop, the HP support site lists sp167316.exe (8.6 MB, of Dec
    12, 2025) for BIOS Version F.13 Rev.A. But Windows Update hasn't offered
    any new BIOS update and the 'HP Support Assistant' program only offers
    version F.11 (i.e. lower number) of Nov 22, 2024 (i.e. way before end of
    2025).

    Anyway, as I mentioned in another response, I'll probably just
    wait-and-see and if Windows fails to boot in/after June, I'll turn off
    Secure Boot in the BIOS (assuming the HP BIOS has such a setting). (N.B. 'System Information' of course says "Secure Boot State On".)

    [...]

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Sun Mar 8 19:36:31 2026
    On Sun, 3/8/2026 3:05 PM, Frank Slootweg wrote:
    ..w­¤?ñ?¤ <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true", then your PC is using the new
    certificate
    - If this second command returns "true", your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    On my HP Windows 11 laptop with the (March) 'Secure Boot Allowed Key Exchange Key (KEK) Update', both commands return 'True', while AFAIK,
    the only (Windows Update supplied) BIOS update was done on Sept 19, 2023
    and according to HP documentation, the Secure Boot Certificate BIOS
    update for the age of my laptop (Nov 2022) should have come out around September 30 or December 31.

    'HP PCs - Prepare for new Windows Secure Boot certificates' <https://support.hp.com/us-en/document/ish_13070353-13070429-16>

    So how can a BIOS which was updated on Sept 19, 2023 include
    certificate fixes which were not released until late 2025?

    Sadly the information on what is fixed in which BIOS version for a
    given model is missing in the documentation on HP's support site. It
    only says something meaningless like 'security fix'.

    For my laptop, the HP support site lists sp167316.exe (8.6 MB, of Dec
    12, 2025) for BIOS Version F.13 Rev.A. But Windows Update hasn't offered
    any new BIOS update and the 'HP Support Assistant' program only offers version F.11 (i.e. lower number) of Nov 22, 2024 (i.e. way before end of 2025).

    Anyway, as I mentioned in another response, I'll probably just
    wait-and-see and if Windows fails to boot in/after June, I'll turn off
    Secure Boot in the BIOS (assuming the HP BIOS has such a setting). (N.B. 'System Information' of course says "Secure Boot State On".)


    The Security Fix may have been for BlackLotus.

    https://en.wikipedia.org/wiki/BlackLotus

    One of my motherboards (only a year old), didn't get
    a BlackLotus fix. It was available for two other motherboards
    (from different manufacturers).

    Some motherboard companies, they're releasing a BIOS
    once a month. The only problem with this, is the
    update has nothing of note (no "meat") in it, which is
    the height of the ridiculous for a user.

    While we can dream that the computer industry is
    alive and fully functional, it does not look that
    way at the "detail" level.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Mon Mar 9 00:26:07 2026
    On Sun, 3/8/2026 2:48 PM, J. P. Gilliver wrote:
    On 2026/3/8 18:25:39, Frank Slootweg wrote:

    and turn off Secure Boot now (and check that it's off with the 'System

    Does turning it off - assuming it really is as simple as just toggling something in the BIOS (assuming I can get into that) - scramble
    anything? (I think I've established I don't have bitlocker on.)

    When you turn Secure Boot off, it does not scramble anything in
    the OS.

    I tested this on the Big Machine, and the choices were

    Other OS <=== suited to Windows 7
    Secure Boot <=== used to test

    Both boot sequences were the same. I didn't
    see any difference. If I use MSINFO32, then
    the choice in the BIOS is reflected in the
    summary info in MSINFO32. When I select Secure Boot,
    it says it has Secure Booted.

    *******

    With a Linux OS, the boot sequence can be seen as a
    series of text lines. When Secure Boot is engaged, you
    might see some sort of "Success message" regarding PCR7.
    If you see two lines of text, then it is a good idea to
    repeat the boot, and shoot video of the screen, so
    you can obtain a record of what the two lines say.

    If the Linux OS is booted under the "Other OS" setting,
    then there should be no bold text with a message
    like that, on the screen

    *******

    Back in W11, I used Winston's two lines of status check. Both returned True.
    But I would prefer a software that dumps exactly what is in
    there, as there is a small risk when doing pattern match like this,
    that something that "looks similar" could return True.

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

    But so far, the ON and OFF and ON again, did not hurt anything, at BIOS level.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
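    Paul's worry above (that a raw-byte `-match` could be fooled by "something that looks similar") is addressed by parsing the variable instead of grepping it. The following is an added PowerShell example, written for this page and not taken from any post in the thread: it walks the EFI_SIGNATURE_LIST structures that make up db, dbDefault, KEK and the rest, and reports each X.509 certificate's parsed Subject, expiry and thumbprint, so the check is made against the certificate's actual Subject field. The function names Get-SecureBootSignature and Test-SecureBootCA2023 are my own; the two GUIDs are the UEFI specification's EFI_CERT_X509_GUID and EFI_CERT_SHA256_GUID. It must be run from an elevated PowerShell on a UEFI-mode machine, because Get-SecureBootUEFI needs administrator rights.

```powershell
# Added example (not from the thread): list what a Secure Boot variable really
# contains, instead of substring-matching its raw bytes. Read-only.

function Get-SecureBootSignature {
    [CmdletBinding()]
    param(
        [ValidateSet('PK','KEK','db','dbx','PKDefault','KEKDefault','dbDefault','dbxDefault')]
        [string]$Name = 'db'
    )

    # UEFI specification signature-type GUIDs
    $x509Type   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $sha256Type = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0

    # The variable is a concatenation of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   | UINT32 SignatureSize | SignatureHeader[] | EFI_SIGNATURE_DATA entries
    # Each EFI_SIGNATURE_DATA is a 16-byte owner GUID followed by the signature data,
    # and SignatureSize counts the owner GUID as well.
    while ($offset + 28 -le $bytes.Length) {
        $listType   = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)

        # Refuse to walk a list whose declared sizes do not fit the buffer.
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset (SignatureListSize=$listSize)"
        }
        if ($sigSize -le 16) {
            throw "EFI_SIGNATURE_LIST at offset $offset has no signature payload (SignatureSize=$sigSize)"
        }

        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize

        while ($sigOffset + $sigSize -le $listEnd) {
            $owner = [guid]::new([byte[]]$bytes[$sigOffset..($sigOffset + 15)])
            [byte[]]$data = $bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]

            $entry = [ordered]@{ Variable = $Name; Owner = $owner; Type = $null
                                 Subject = $null; NotAfter = $null; Thumbprint = $null; Hash = $null }

            if ($listType -eq $x509Type) {
                # DER-encoded certificate: let .NET parse it rather than guessing at bytes.
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Type = 'X509'; $entry.Subject = $cert.Subject
                $entry.NotAfter = $cert.NotAfter; $entry.Thumbprint = $cert.Thumbprint
            } elseif ($listType -eq $sha256Type) {
                # dbx is mostly SHA-256 hashes of revoked binaries.
                $entry.Type = 'SHA256'
                $entry.Hash = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            } else {
                $entry.Type = "Unknown($listType)"
            }
            [pscustomobject]$entry
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-SecureBootCA2023 {
    param([string]$Name = 'db')
    # Match on the parsed Subject (CN from the page), not on raw bytes.
    Get-SecureBootSignature -Name $Name |
        Where-Object { $_.Type -eq 'X509' -and $_.Subject -like 'CN=Windows UEFI CA 2023*' } |
        Select-Object Variable, Subject, NotAfter, Thumbprint
}

# Usage: full inventory of db, then the precise check for the new CA in db and dbDefault.
Get-SecureBootSignature -Name db | Where-Object Type -eq 'X509' |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
Test-SecureBootCA2023 -Name db
Test-SecureBootCA2023 -Name dbDefault
```

    An empty result from Test-SecureBootCA2023 is the exact equivalent of the thread's "false". The Thumbprint column is there so the certificate can be compared with the one Microsoft publishes, which is stronger than any name match; the thread does not give that value, so it is not hard-coded here. On firmware without a dbDefault variable the second call throws, which is the honest answer rather than a "false".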
  • From J. P. Gilliver@3:633/10 to All on Mon Mar 9 16:07:34 2026
    On 2026/3/9 4:26:7, Paul wrote:
    On Sun, 3/8/2026 2:48 PM, J. P. Gilliver wrote:
    On 2026/3/8 18:25:39, Frank Slootweg wrote:

    and turn off Secure Boot now (and check that it's off with the 'System

    Does turning it off - assuming it really is as simple as just toggling
    something in the BIOS (assuming I can get into that) - scramble
    anything? (I think I've established I don't have bitlocker on.)

    When you turn Secure Boot off, it does not scramble anything in
    the OS.

    Thanks. I'll try to figure out how to turn it off next time I reboot,
    since I can't see what use it is to me, and it sounds like having it on
    _might_ be problematic at some point.
    []
    With a Linux OS, the boot sequence can be seen as a
    []
    No penguin here - just W10.
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    Fortunately radio is a forgiving medium.
    It hides a multitude of chins ... Vanessa feltz, RT 2014-3/28-4/4

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Mon Mar 9 16:16:44 2026
    On 2026/3/8 19:0:22, Paul wrote:
    On Sun, 3/8/2026 2:41 PM, J. P. Gilliver wrote:
    []
    The post is at the end of the thread.

    Thanks. I think I do remember seeing it; not sure why I've lost it.

    I'd use HowardKnight, but it's broken and likely for good
    (sooner or later it would lose access to part of what it uses).

    Sad, but inevitable, I think. (Maybe the MID enhancement to Thunderbird
    will come along soon.)

    ******* copy of post *******
    Thanks again for this.

    It does seem awfully complicated, to a bear of little brain like me; in
    _your_ opinion, is it likely really to be necessary? (For a simple W10?)

    No need to change the registry

    [1] If your device is capable and supported for an updated UEFI/BIOS, update the UEFI/BIOS before performing the following.

    That presumably involves getting something from the laptop manufacturer.

    Force Secure Boot Update

    (I thought we'd just agreed that was - for me, anyway - better off!)
    [rest snipped (but post kept)]
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    Fortunately radio is a forgiving medium.
    It hides a multitude of chins ... Vanessa feltz, RT 2014-3/28-4/4

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Mon Mar 9 10:26:21 2026
    On 3/8/2026 12:05 PM, Frank Slootweg wrote:
    ..w­¤?ñ?¤ <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true", then your PC is using the new
    certificate
    - If this second command returns "true", your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    On my HP Windows 11 laptop with the (March) 'Secure Boot Allowed Key Exchange Key (KEK) Update', both commands return 'True', while AFAIK,
    the only (Windows Update supplied) BIOS update was done on Sept 19, 2023
    and according to HP documentation, the Secure Boot Certificate BIOS
    update for the age of my laptop (Nov 2022) should have come out around September 30 or December 31.

    'HP PCs - Prepare for new Windows Secure Boot certificates' <https://support.hp.com/us-en/document/ish_13070353-13070429-16>

    So how can a BIOS which was updated on Sept 19, 2023 include
    certificate fixes which were not released until late 2025?

    It won't.


    Sadly the information on what is fixed in which BIOS version for a
    given model is missing in the documentation on HP's support site. It
    only says something meaningless like 'security fix'.

    For my laptop, the HP support site lists sp167316.exe (8.6 MB, of Dec
    12, 2025) for BIOS Version F.13 Rev.A. But Windows Update hasn't offered
    any new BIOS update and the 'HP Support Assistant' program only offers version F.11 (i.e. lower number) of Nov 22, 2024 (i.e. way before end of 2025).

    Anyway, as I mentioned in another response, I'll probably just wait-and-see and if Windows fails to boot in/after June, I'll turn off
    Secure Boot in the BIOS (assuming the HP BIOS has such a setting). (N.B. 'System Information' of course says "Secure Boot State On".)

    [...]

    Look in System Information for BIOS Version/Date

    What version and date value is reported for your device?

    Fyi:
    Key Fixes and Enhancements in F.13:
    Security Updates: Addresses security vulnerabilities (often referencing CVE-2023-39368, CVE-2023-38575, and CVE-2023-28746).
    Charging Fix: Fixes an issue where the unit would not charge during sleep/hibernate/shutdown states when using a 15W USB Type-C adapter.
    Battery Management: Adds a pop-up message recommending the use of
    genuine HP-branded batteries.
    Functionality: Addresses potential loss of Clickpad functionality during sudden shutdowns.
    Error Reporting: Improves error messages for Fan 1 and Fan 2 to provide
    more specific, actionable information.
    System Stability: Updates Intel RC for compatibility enhancements

    Vulnerability
    CVE-2023-39368 - Intel Bus Lock Regulator Denial of Service
    CVE-2023-38575 - Intel Information disclosure
    CVE-2023-28746 - Intel Information exposure(Atom CPU)
    - None of these were specific to certificates for Secure Boot



    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Mon Mar 9 13:29:30 2026
    On Mon, 3/9/2026 12:07 PM, J. P. Gilliver wrote:
    On 2026/3/9 4:26:7, Paul wrote:
    On Sun, 3/8/2026 2:48 PM, J. P. Gilliver wrote:
    On 2026/3/8 18:25:39, Frank Slootweg wrote:

    and turn off Secure Boot now (and check that it's off with the 'System

    Does turning it off - assuming it really is as simple as just toggling
    something in the BIOS (assuming I can get into that) - scramble
    anything? (I think I've established I don't have bitlocker on.)

    When you turn Secure Boot off, it does not scramble anything in
    the OS.

    Thanks. I'll try to figure out how to turn it off next time I reboot,
    since I can't see what use it is to me, and it sounds like having it on _might_ be problematic at some point.
    []
    With a Linux OS, the boot sequence can be seen as a
    []
    No penguin here - just W10.


    The point of mentioning Linux, is to show that the OS boot
    procedure collects information about "how the boot went".

    In Windows, this could be recorded as an Event in eventvwr.msc .
    The Linux happens to show one or two lines in Bold Text, pointing
    out to the observer whether the Secure Boot went well, or it
    has indigestion. If the Linux screen puts up a red rectangle with
    scare text in the middle, that means the integrity of some
    file is suspect and the boot... stopped. I would expect Windows
    to have scare text too, on a failure (such as certificate-expired error).
    Both OSes should have a red-window as a possible result.

    *******

    Enter the BIOS and somewhere in a menu, like maybe under
    Boot, would be a "Secure Boot" line, and that line offers
    "Other OS" or "UEFI Secure Boot". There really
    should not be a lot of options in that line. In yet
    another place, it will allow CSM (legacy BIOS boot) or
    UEFI/CSM or UEFIonly as options, for determining the
    BIOS flavor. Windows has supported both CSM and UEFI
    at times, so if you're working on someone's computer,
    don't be surprised if the disk is MSDOS partitioned
    and the boot is a Legacy BIOS boot that cannot do
    Secure Boot under any circumstances.

    I have on purpose, done both kinds of installs.
    I have even used MBR2GPT and switched an older
    OS to GPT, so it can be installed-over-top and
    even do Secure Boot on the new OS. It is because
    of all these bloody options, I have no hair left.
    You get the idea.

    When I tell you things like this, it's not to scare
    you. I drop hints like this, so you will be able
    to classify your own goods when necessary.

    So based on the above descriptions, a person who installed
    Windows 10 (32 bit) in Legacy mode, they are
    doubly-behind-the-8ball when it comes time to
    upgrade to Win11 64bit gpt secure-boot UEFI over top.
    That's never going to work. For many other combinations,
    the situation is not nearly as tense (which is
    presumably where you are right now, based on the
    hints you are dropping). You've done enough ID stuff
    so far, you don't seem to be in any trouble, one way
    or another.

    If Winston's two commands were to return True,
    then there would be nothing at all to worry about.
    If you can't manage to get those both True, just use
    "Other OS" in the boot, or at least any "not-Secure-Boot"
    option. A person with a 2026 laptop, may have
    only "Secure" or "Not-Secure" as BIOS options.
    (A 2026 laptop may not boot Windows 7. "Other OS"
    means to use CSM legacy boot which is Win7/OldLinux.)

    On Linux, they don't want us to use CSM boot any more.
    They ruin the GRUB setup to try to stop you, and I
    just use Boot Repair disc and pave over the idiots. For
    as long as that works of course. And I have to do that...
    for test reasons, when someone else tries to install
    NewLinux on an OldLinux or multiboot disk drive.

    It's because the users are so experienced here, that
    you get the full spectrum of cases.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Mon Mar 9 13:34:27 2026
    On Mon, 3/9/2026 12:16 PM, J. P. Gilliver wrote:

    (I thought we'd just agreed that was - for me, anyway - better off!)
    [rest snipped (but post kept)]


    You should use the administrator terminal and try Winston's two status commands.

    Just to see if PCA 2023 has already wandered in there.

    I'm seeing them both return True, even though my motherboard
    did not have a BlackLotus patch like the other motherboards.
    And my Secure Boot key situation has been changing dynamically
    with time (the kind of behavior I hate). At one time,
    I was even able to get red scare text in Linux about
    Secure Boot, and that seems to have stopped, but I don't
    know what exactly fixed it.

    I wouldn't panic about remedying this right away,
    but a minimum for you to do right now, is to
    run the two status commands.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Mon Mar 9 10:34:54 2026
    On 3/9/2026 9:16 AM, J. P. Gilliver wrote:
    On 2026/3/8 19:0:22, Paul wrote:
    On Sun, 3/8/2026 2:41 PM, J. P. Gilliver wrote:
    []
    The post is at the end of the thread.

    Thanks. I think I do remember seeing it; not sure why I've lost it.


    Force Secure Boot Update

    (I thought we'd just agreed that was - for me, anyway - better off!)
    [rest snipped (but post kept)]


    Leave Secure Boot enabled.
    Just run the following one at a time in the following order in a
    Powershell admin.
    - copy each command and paste into Powershell, press the 'Return' key.

    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name "AvailableUpdates" -Value 0x40

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    Restart the device twice, once after performing the above, and again
    when Windows finishes the first restart(do not logon to Windows, restart
    for the second time)...once the second restart finishes logon to Windows
    in an Admin account.

    You're done.

    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Mon Mar 9 19:05:12 2026
    ...w??? <winstonmvp@gmail.com> wrote:
    On 3/8/2026 12:05 PM, Frank Slootweg wrote:
    ..w??? <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true", then your PC is using the new
    certificate
    - If this second command returns "true", your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    On my HP Windows 11 laptop with the (March) 'Secure Boot Allowed Key Exchange Key (KEK) Update', both commands return 'True', while AFAIK,
    the only (Windows Update supplied) BIOS update was done on Sept 19, 2023 and according to HP documentation, the Secure Boot Certificate BIOS
    update for the age of my laptop (Nov 2022) should have come out around September 30 or December 31.

    'HP PCs - Prepare for new Windows Secure Boot certificates' <https://support.hp.com/us-en/document/ish_13070353-13070429-16>

    So how can a BIOS which was updated on Sept 19, 2023 include
    certificate fixes which were not released until late 2025?

    It won't.

    Sadly the information on what is fixed in which BIOS version for a
    given model is missing in the documentation on HP's support site. It
    only says something meaningless like 'security fix'.

    For my laptop, the HP support site lists sp167316.exe (8.6 MB, of Dec 12, 2025) for BIOS Version F.13 Rev.A. But Windows Update hasn't offered any new BIOS update and the 'HP Support Assistant' program only offers version F.11 (i.e. lower number) of Nov 22, 2024 (i.e. way before end of 2025).

    Anyway, as I mentioned in another response, I'll probably just wait-and-see and if Windows fails to boot in/after June, I'll turn off Secure Boot in the BIOS (assuming the HP BIOS has such a setting). (N.B. 'System Information' of course says "Secure Boot State On".)

    [...]

    Look in System Information for BIOS Version/Date

    Thanks for the tip. I didn't know how to check the BIOS version
    without shutting down / restarting and I didn't want to do that.

    What version and date value is reported for your device?
    "BIOS Version/Date AMI F.07, 04/07/2023"

    N.B. Other dates are reported as DD/MM/YYYY, so I assume this is 04
    July, 2023.

    Anyway, this is a rather old BIOS version.

    Fyi:
    Key Fixes and Enhancements in F.13:
    Security Updates: Addresses security vulnerabilities (often referencing CVE-2023-39368, CVE-2023-38575, and CVE-2023-28746).
    Charging Fix: Fixes an issue where the unit would not charge during sleep/hibernate/shutdown states when using a 15W USB Type-C adapter.
    Battery Management: Adds a pop-up message recommending the use of
    genuine HP-branded batteries.
    Functionality: Addresses potential loss of Clickpad functionality during sudden shutdowns.
    Error Reporting: Improves error messages for Fan 1 and Fan 2 to provide
    more specific, actionable information.
    System Stability: Updates Intel RC for compatibility enhancements

    Vulnerability
    CVE-2023-39368 - Intel Bus Lock Regulator Denial of Service
    CVE-2023-38575 - Intel Information disclosure
    CVE-2023-28746 - Intel Information exposure(Atom CPU)
    - None of these were specific to certificates for Secure Boot

    But according to the date (December 2025) in the 'HP PCs - Prepare
    for new Windows Secure Boot certificates' document, this version
    *should* have fixes for Secure Boot certificates.

    Anyway, where did you get the above 'Key Fixes and Enhancements in
    F.13:' information? (As I mentioned, my reference [1] came without any
    specific details.)

    [1] <https://support.hp.com/us-en/drivers/hp-pavilion-15-laptop-pc-15-eh2000/model/2101006263?sku=693B1EA&serialnumber=5CD212QLDP>

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Mon Mar 9 19:11:14 2026
    On 2026/3/9 17:29:30, Paul wrote:
    On Mon, 3/9/2026 12:07 PM, J. P. Gilliver wrote:
    On 2026/3/9 4:26:7, Paul wrote:
    []
    With a Linux OS, the boot sequence can be seen as a
    []
    No penguin here - just W10.


    The point of mentioning Linux, is to show that the OS boot
    procedure collects information about "how the boot went".

    Ah, sorry - thought I was simplifying; didn't realise you were helping,
    rather than just telling me more.

    In Windows, this could be recorded as an Event in eventvwr.msc .

    I have never used that before. I found I have eight files of that name,
    the more recent four having the same timestamp of about two days ago,
    probably last time I booted.

    The Linux happens to show one or two lines in Bold Text, pointing
    out to the observer whether the Secure Boot went well, or it
    has indigestion. If the Linux screen puts up a red rectangle with
    scare text in the middle, that means the integrity of some
    file is suspect and the boot... stopped. I would expect Windows
    to have scare text too, on a failure (such as certificate-expired error). Both OSes should have a red-window as a possible result.

    Double-clicking on one of the files opened something called Event
    Viewer. I don't know what I'm looking at, but none of the bits I'm
    seeing look "scary" - nothing in red.

    *******

    Enter the BIOS and somewhere in a menu, like maybe under
    Boot, would be a "Secure Boot" line, and that line offers
    "Other OS" or "UEFI Secure Boot". There really
    should not be a lot of options in that line. In yet
    another place, it will allow CSM (legacy BIOS boot) or
    UEFI/CSM or UEFIonly as options, for determining the
    BIOS flavor. Windows has supported both CSM and UEFI
    at times, so if you're working on someone's computer,
    don't be surprised if the disk is MSDOS partitioned
    and the boot is a Legacy BIOS boot that cannot do
    Secure Boot under any circumstances.

    My days of working on other people's computers - at least, at this sort
    of level - are long over.

    I have on purpose, done both kinds of installs.

    The last time I did any OS installs was in the 95/98/98SE era, with one exception - "Soporific's windows 98 tenth anniversary edition", which I
    assume from the name was thus about 2008. (Unfortunately the person it
    was for - a remote sheep-farmer - wasn't really interested in
    computers.) For my own machines, I bought my XP one new, and my 7-32 and
    this 10-64 from a small shop who refurbished (possibly not entirely as
    per EULAs, though I think UK probably is tolerant of such), both being
    machines that I _think_ didn't originally have the OS I bought them with.

    I have even used MBR2GPT and switched an older
    OS to GPT, so it can be installed-over-top and
    even do Secure Boot on the new OS. It is because
    of all these bloody options, I have no hair left.
    You get the idea.

    I think if I ever get W11, it will be a preinstalled refurbish from the
    same source.

    I greatly appreciate your hair expenditure to help me and others here
    (and in the other 'groups you frequent)!

    When I tell you things like this, it's not to scare

    Don't worry - others do plenty of that! What little I understand of your
    output _tends_ more to reassure me.

    you. I drop hints like this, so you will be able
    to classify your own goods when necessary.

    So based on the above descriptions, a person who installed
    Windows 10 (32 bit) in Legacy mode, they are
    doubly-behind-the-8ball when it comes time to
    upgrade to Win11 64bit gpt secure-boot UEFI over top.
    That's never going to work. For many other combinations,
    the situation is not nearly as tense (which is
    presumably where you are right now, based on the
    hints you are dropping). You've done enough ID stuff
    so far, you don't seem to be in any trouble, one way
    or another.

    There you are, reassuring me again! The only minor (at the moment)
    concern is whether this machine will suddenly brick in June.

    If Winston's two commands were to return True,
    then there would be nothing at all to worry about.
    If you can't manage to get those both True, just use
    "Other OS" in the boot, or at least any "not-Secure-Boot"

    Assuming I can find my way into the boot and find that option, does
    "Other OS" include Windows 10?

    option. A person with a 2026 laptop, may have
    only "Secure" or "Not-Secure" as BIOS options.
    (A 2026 laptop may not boot Windows 7. "Other OS"
    means to use CSM legacy boot which is Win7/OldLinux.)

    This says on the bottom Mfg Date 16/07/11, so that means 2016 or 2011
    (the latter more likely). (It's a Lenovo ideapad.)

    On Linux, they don't want us to use CSM boot any more.
    They ruin the GRUB setup to try to stop you, and I
    just use Boot Repair disc and pave over the idiots. For

    By "they", do you mean Microsoft, the PC manufacturing cartel, or the
    Linux - I don't know what word is appropriate there, cartel or mafia?

    as long as that works of course. And I have to do that...
    for test reasons, when someone else tries to install
    NewLinux on an OldLinux or multiboot disk drive.

    It's because the users are so experienced here, that
    you get the full spectrum of cases.

    Which I just observe with admiration!

    Paul
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    ... behaving morally does not require religious adherence.
    - The Right Rev Nigel McCulloch\Bishop of Manchester
    (Radio Times, 24-30 September 2011

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Mon Mar 9 19:28:14 2026
    ...w??? <winstonmvp@gmail.com> wrote:
    On 3/9/2026 9:16 AM, J. P. Gilliver wrote:
    On 2026/3/8 19:0:22, Paul wrote:
    On Sun, 3/8/2026 2:41 PM, J. P. Gilliver wrote:
    []
    The post is at the end of the thread.

    Thanks. I think I do remember seeing it; not sure why I've lost it.


    Force Secure Boot Update

    (I thought we'd just agreed that was - for me, anyway - better off!)
    [rest snipped (but post kept)]


    Leave Secure Boot enabled.
    Just run the following one at a time in the following order in a
    Powershell admin.
    - copy each command and paste into Powershell, press the 'Return' key.

    Set-ItemProperty -Path
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name
    "AvailableUpdates" -Value 0x40

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    If I were to follow this advice, I would first *check* if the
    mentioned key or/and Scheduled Task do not already exist.

    For example on my Windows 11 25H2 system they are both already there
    and the task has been run and is run every 12 hours. (Minor nit: I think
    you mean 0x400 (1024 decimal). That's what mine is set to and what I
    have seen mentioned in several web articles.)

    BTW, in that same ...\PI branch, there's also a 'Sqm-Tasks' task with Description: 'This task gathers information about the Trusted Platform
    Module (TPM), Secure Boot, and Measured Boot.'.

    Restart the device twice, once after performing the above, and again
    when Windows finishes the first restart (do not logon to Windows, restart
    for the second time)... once the second restart finishes logon to Windows
    in an Admin account.

    Your done.

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
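Frank's point about checking before changing anything, as an added read-only script that is not any poster's code: it reports the Secure Boot state, whether AvailableUpdates is already set, whether the Secure-Boot-Update task exists and when it last ran, and the same 'Windows UEFI CA 2023' test for db and dbdefault. The cmdlets are the standard Windows ones; the function and output field names are my own.

```powershell
# Added example (not from any poster): read-only pre-flight check before running the
# AvailableUpdates + Secure-Boot-Update task steps discussed in the thread.
# Run from an elevated (Administrator) PowerShell. Nothing here changes state.

$regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$taskPath = '\Microsoft\Windows\PI\'
$taskName = 'Secure-Boot-Update'

function Get-SecureBootUpdateStatus {
    $result = [ordered]@{}

    # 1. Is Secure Boot on at all? Confirm-SecureBootUEFI throws on legacy/CSM systems.
    try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = "n/a ($($_.Exception.Message))" }

    # 2. The registry trigger value (0x40 in Winston's post, 0x400 on Frank's machine,
    #    0x5944 in the article quoted at the top of the thread). Whether it is present
    #    matters most: absent means the servicing task has nothing queued.
    $prop = Get-ItemProperty -Path $regPath -Name 'AvailableUpdates' -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $result.AvailableUpdates = '0x{0:X}' -f $prop.AvailableUpdates
    } else {
        $result.AvailableUpdates = 'not set'
    }

    # 3. Does the scheduled task exist, and when did it last run, with what result?
    $task = Get-ScheduledTask -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    if ($null -ne $task) {
        $info = $task | Get-ScheduledTaskInfo
        $result.TaskState      = $task.State
        $result.TaskLastRun    = $info.LastRunTime
        $result.TaskLastResult = '0x{0:X}' -f $info.LastTaskResult   # 0x0 = last run succeeded
        $result.TaskNextRun    = $info.NextRunTime
    } else {
        $result.TaskState = 'task not found'
    }

    # 4. The same string test the thread uses, for db (what the firmware trusts now)
    #    and dbdefault (what "Install Default Secure Boot Keys" would restore).
    foreach ($var in 'db', 'dbdefault') {
        try {
            $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI $var).bytes)
            $result["WindowsUefiCa2023_in_$var"] = ($text -match 'Windows UEFI CA 2023')
        } catch {
            $result["WindowsUefiCa2023_in_$var"] = "n/a ($($_.Exception.Message))"
        }
    }

    [pscustomobject]$result
}

Get-SecureBootUpdateStatus | Format-List
```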
  • From J. P. Gilliver@3:633/10 to All on Mon Mar 9 19:39:22 2026
    On 2026/3/9 17:34:54, ...w­¤?ñ?¤ wrote:
    []
    Just run the following one at a time in the following order in a
    Powershell admin.

    By that, I assume you mean run powershell as administrator. Have opened
    that (white-on-blue window).

    - copy each command and paste into Powershell, press the 'Return' key.

    Set-ItemProperty -Path
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name
    "AvailableUpdates" -Value 0x40

    I copied that, as one line, into powershell, and pressed return. I just
    got the prompt again.

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    I copied that into powershell, and pressed return. Just prompt again,
    but perceptible pause before I did.

    Restart the device twice, once after performing the above, and again
    when Windows finishes the first restart (do not logon to Windows, restart

    I think I have it set to login without asking, but I think there's a
    point where it tells me there have been no unsuccessful logins since
    last time, so I'll just restart at that point.

    for the second time)... once the second restart finishes logon to Windows

    OK - saving this post as a draft ...

    in an Admin account.

    Your done.

    Not sure how to logon in an Admin account, but if "my done" at that
    point, presumably don't need to.

    Right, going to save this draft now, then try those two restarts ...
    ...
    I'm back, after two restarts (though they were full ones, getting into Windows). Not sure what I do next ...
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    You'll need to have this fish in your ear.
    (First series, fit the first.)

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Mon Mar 9 19:45:49 2026
    On 2026/3/9 17:34:27, Paul wrote:
    On Mon, 3/9/2026 12:16 PM, J. P. Gilliver wrote:

    (I thought we'd just agreed that was - for me, anyway - better off!)
    [rest snipped (but post kept)]

    See my reply to Winston ...

    You should use the administrator terminal and try Winston's two status commands.

    I started powershell as Administrator, then copied his two commands into
    it, pressing return each time. I just got the prompt back each time,
    though after a noticeable few seconds' pause after the second one. I
    then did two restarts.

    Just to see if PCA 2023 has already wandered in there.

    How would I know?

    I'm seeing them both return True, even though my motherboard

    If you mean Winston's two commands, they didn't return anything.

    did not have a BlackLotus patch like the other motherboards.
    And my Secure Boot key situation has been changing dynamically
    with time (the kind of behavior I hate). At one time,
    Me too.
    I was even able to get red scare text in Linux about
    Secure Boot, and that seems to have stopped, but I don't
    know what exactly fixed it.

    I wouldn't panic about remedying this right away,
    but a minimum for you to do right now, is to
    run the two status commands.

    If that's
    Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name
    "AvailableUpdates" -Value 0x40

    (entered all as one line)
    and
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

    (ditto)
    , then I did, and nothing happened.

    Paul

    John
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    You'll need to have this fish in your ear.
    (First series, fit the first.)

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Mon Mar 9 20:11:56 2026
    On 2026/3/9 17:26:21, ...w­¤?ñ?¤ wrote:
    On 3/8/2026 12:05 PM, Frank Slootweg wrote:
    ..w­¤?ñ?¤ <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
    dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true," then your PC is using the new
    certificate
    - If this second command returns "true," your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    Here's what I got (entire session, between ===== lines):
    =====
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> Secure Boot Certs ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')
    Secure : The term 'Secure' is not recognized as the name of a cmdlet,
    function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:1 char:1
    + Secure Boot Certs ([System.Text.Encoding]::ASCII.GetString((Get-Secur ...
    + ~~~~~~
    + CategoryInfo : ObjectNotFound: (Secure:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    PS C:\Windows\system32> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
    dbdefault).bytes) -match 'Windows UEFI CA 2023')
    False
    PS C:\Windows\system32>
    =====

    The bit from "Secure :" up to just before PS is in red.

    On my HP Windows 11 laptop with the (March) 'Secure Boot Allowed Key

    (According to winver, I have Windows 10 22H2.)

    Exchange Key (KEK) Update', both commands return 'True', while AFAIK,
    the only (Windows Update supplied) BIOS update was done on Sept 19, 2023
    and according to HP documentation, the Secure Boot Certificate BIOS
    update for the age of my laptop (Nov 2022) should have come out around
    September 30 or December 31.

    'HP PCs - Prepare for new Windows Secure Boot certificates'
    <https://support.hp.com/us-en/document/ish_13070353-13070429-16>

    So how can a BIOS which was updated on Sept 19, 2023 include
    certificate fixes which were not released until late 2025?

    It won't.


    Sadly the information on what is fixed in which BIOS version for a
    given model is missing in the documentation on HP's support site. It
    only says something meaningless like 'security fix'.

    For my laptop, the HP support site lists sp167316.exe (8.6 MB, of Dec
    12, 2025) for BIOS Version F.13 Rev.A. But Windows Update hasn't offered
    any new BIOS update and the 'HP Support Assistant' program only offers
    version F.11 (i.e. lower number) of Nov 22, 2024 (i.e. way before end of
    2025).

    Anyway, as I mentioned in another response, I'll probably just
    wait-and-see and if Windows fails to boot in/after June, I'll turn off
    Secure Boot in the BIOS (assuming the HP BIOS has such a setting). (N.B.
    'System Information' of course says "Secure Boot State On".)

    [...]

    Look in System Information for BIOS Version/Date

    What version and date value is reported for your device?

    System Information includes:

    BIOS Version/Date LENOVO 1LCN50WW, 2017/4/17
    SMBIOS Version 2.8
    Embedded Controller Version 1.50
    BIOS Mode UEFI

    does that answer that question?
    []
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Stan Brown@3:633/10 to All on Mon Mar 9 14:44:59 2026
    On Sun, 8 Mar 2026 13:12:51 -0400, Paul wrote:
    So you at least want to check your Secure Boot status.
    If it's enabled, then you could do the PCA 2023 thing.

    In my LG Windows 11 laptop, msinfo32 says
    BIOS Mode UEFI
    Secure Boot State On
    BIOS Version/Date Phoenix Technologies Ltd. A1ZG0380.X64, 2022-07-06

    Both of the GetString commands for Powershell that you posted return
    False.

    The boot options screen doesn't seem to have any way to turn Secure
    Boot off. Can I do that within Windows?

    (Getting new certificates from LG seems to be a non-starter. Since
    Day 1, the LG Update program runs, but after it does its thing and
    re-lists the available updates, all the same ones are listed, and the
    existing versions of programs or drivers to be updated have not
    changed.)


    --
    "The power of accurate observation is frequently called cynicism by
    those who don't have it." --George Bernard Shaw

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Stan Brown@3:633/10 to All on Mon Mar 9 15:02:16 2026
    On Mon, 9 Mar 2026 14:44:59 -0700, Stan Brown wrote:
    The boot options screen doesn't seem to have any way to turn Secure
    Boot off. Can I do that within Windows?

    I was mistaken. I restarted the laptop and went into the BIOS boot
    options again, this time checking the sub-menus. I found "Secure Boot Configuration" under Security. There are three settings within it:

    * Secure Boot Option [Enabled]; can be changed to Disabled
    * Install Default Secure Boot Keys [Enter] -- I'm nervous about
    testing that without knowing what it will do
    * Delete All Signatures [Enter] -- seems like a bad idea

    There are also three sub-sub-menus:
    Delete Signatures
    Signatures Information
    Enroll Signatures

    Correct me if I'm wrong, but the _least_ likely source of trouble
    seems to me to be changing Secure Boot Option to Disabled.

    --
    "The power of accurate observation is frequently called cynicism by
    those who don't have it." --George Bernard Shaw

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Stan Brown@3:633/10 to All on Mon Mar 9 15:06:07 2026
    On 8 Mar 2026 19:05:58 GMT, Frank Slootweg wrote:
    Anyway, as I mentioned in another response, I'll probably just
    wait-and-see and if Windows fails to boot in/after June, I'll turn off
    Secure Boot in the BIOS (assuming the HP BIOS has such a setting). (N.B. 'System Information' of course says "Secure Boot State On".)

    Now that I've found where in the BIOS settings to disable Secure
    Boot, I think I'll do the same thing.

    --
    "The power of accurate observation is frequently called cynicism by
    those who don't have it." --George Bernard Shaw

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Mon Mar 9 18:14:06 2026
    On 3/9/2026 12:39 PM, J. P. Gilliver wrote:

    Not sure how to logon in an Admin account, but if "my done" at that
    point, presumably don't need to.


    You should know which logon accounts on your device(s) are logon
    accounts as an Administrator (i.e. an Admin account)

    I'm back, after two restarts (though they were full ones, getting into Windows). Not sure what I do next ...

    Now, in a Powershell admin window copy and paste the following and press
    the 'Enter' key. The response will indicate True or False.

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')

    Report the response in a reply.


    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Mon Mar 9 18:25:39 2026
    On 3/9/2026 12:28 PM, Frank Slootweg wrote:
    ...w­¤?ñ?¤ <winstonmvp@gmail.com> wrote:

    Set-ItemProperty -Path
    "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name
    "AvailableUpdates" -Value 0x40


    For example on my Windows 11 25H2 system they are both already there
    and the task has been run and is run every 12 hours. (Minor nit: I think
    you mean 0x400 (1024 decimal). That's what mine is set to and what I
    have seen mentioned in several web articles.)

    For Powershell, the value in the command is 0x40
    The registry value in the Data column will show 0x00000040
    - clicking on the 'AvailableUpdates' in the Name column will show 40
    and Hexadecimal will be the selected 'Base'. If one changes the base to decimal it shows 64



    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Mon Mar 9 21:49:04 2026
    On Mon, 3/9/2026 8:11 PM, rbowman wrote:
    On Mon, 9 Mar 2026 16:07:34 +0000, J. P. Gilliver wrote:

    On 2026/3/9 4:26:7, Paul wrote:
    On Sun, 3/8/2026 2:48 PM, J. P. Gilliver wrote:
    On 2026/3/8 18:25:39, Frank Slootweg wrote:

    and turn off Secure Boot now (and check that it's off with the
    'System

    Does turning it off - assuming it really is as simple as just toggling
    something in the BIOS (assuming I can get into that) - scramble
    anything? (I think I've established I don't have bitlocker on.)

    When you turn Secure Boot off, it does not scramble anything in the OS.

    Thanks. I'll try to figure out how to turn it off next time I reboot,
    since I can't see what use it is to me, and it sounds like having it on
    _might_ be problematic at some point.

    I'm fond of penguins so I turn it off and leave it off. It might have some utility for Windows but I don't know what. Zero use with Linux except for complicating life.

    You probably don't want to turn off Fast Boot on a Windows machine.


    Linux supports Secure Boot. Try it :-)
    A representative from each major distro, flies
    to a site with an air-gapped signing setup, and
    a shim is signed. Presumably the case I was
    reading about, could be related to PCA 2023.

    So far, Ubuntu seems to be the most aggressive distro
    in the room, as it messed with something in .db or .dbx .
    And, without indicating it was doing it. The first time
    Ubuntu did this, they popped up Mokutil on the screen
    before the OS was booted, and demand the user immediately
    select "Yes", to whatever they were going to do to the
    four files in the BIOS. When they tried that on me,
    I turned off the PC power, just... like... that.

    it turns out, they were actually attempting to change
    two things with the Mokutil run, but only one was listed.

    The last time they tried this, it was a silent attack,
    and I wasn't really expecting this. I had not taken
    defensive measures. Ubuntu is really on my banned list
    now, it still gets to run here, but only for certain
    experiments. Not as a "promote-able" distro. They've crossed
    a couple red lines, and I can no longer recommend them to anyone.
    Some patronizing behavior in Nautilus was the last straw.
    Plenty of other distros don't have to do that to make friends.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Char Jackson@3:633/10 to All on Mon Mar 9 20:50:25 2026
    On Mon, 9 Mar 2026 16:16:44 +0000, "J. P. Gilliver" <G6JPG@255soft.uk>
    wrote:

    On 2026/3/8 19:0:22, Paul wrote:
    I'd use HowardKnight, but it's broken and likely for good
    (sooner or later it would lose access to part of what it uses).

    Sad, but inevitable, I think. (Maybe the MID enhancement to Thunderbird
    will come along soon.)

    Not that it's actually needed, though, since MID functionality already
    exists via extensions.


    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Mon Mar 9 23:02:33 2026
    On Mon, 3/9/2026 6:02 PM, Stan Brown wrote:
    On Mon, 9 Mar 2026 14:44:59 -0700, Stan Brown wrote:
    The boot options screen doesn't seem to have any way to turn Secure
    Boot off. Can I do that within Windows?

    I was mistaken. I restarted the laptop and went into the BIOS boot
    options again, this time checking the sub-menus. I found "Secure Boot Configuration" under Security. There are three settings within it:

    * Secure Boot Option [Enabled]; can be changed to Disabled
    * Install Default Secure Boot Keys [Enter] -- I'm nervous about
    testing that without knowing what it will do
    * Delete All Signatures [Enter] -- seems like a bad idea

    There are also three sub-sub-menus:
    Delete Signatures
    Signatures Information
    Enroll Signatures

    Correct me if I'm wrong, but the _least_ likely source of trouble
    seems to me to be changing Secure Boot Option to Disabled.


    Sure, if you want to do that, Disable is an option.

    The "Install Default Secure Boot Keys", that's the "Factory Option".

    One trick I use, is to install an OS, just for the side-effects
    of the patching it does. But the last time I tried that, I did not
    see any improvement in my symptoms. Either install side-by-side on
    an existing disk, or install fresh on a scratch drive used for such
    purposes.

    Delete All Signatures, yes, that seems particularly silly. Unless
    we know of a utility that is proof-positive to put things back
    properly, the Factory Option would be better.

    What I don't know, is whether forward progress is possible
    when the "TPM" info in Settings does not indicate that
    Attestation is working. For example, mine right now says:

    Status

    Attestation Ready
    Storage Ready

    but at one time I was stuck in Attestation Not Ready. And
    banging my head against the wall at that time, did not help.

    The Storage one would be handy for Bitlocker on W11 Pro.

    The Attestation, I can't see that working unless there is
    some Certificate Structure for Attestation to build upon.
    To measure something, there has to be a certificate chain
    for that to work. What we're trying to do, is take
    a working (but exploitable) chain, and convert it
    into a working chain with a PCA 2023 in it. This means
    adding some materials, then revoking some materials,
    the net result is a "fresher root certificate" and a bunch
    of boot materials revoked.

    https://techcommunity.microsoft.com/blog/windows-itpro-blog/revoking-vulnerable-windows-boot-managers/4121735

    "Windows boot manager mitigations that we released previously

    To address this vulnerability, as part of the May 2023 servicing updates, we introduced
    a code integrity policy that blocked vulnerable Windows boot managers based on their
    version number. For versions of Windows boot manager that remained unaffected by this fix,
    we added them to the DBX.

    However, we have found multiple cases that can bypass the rollback protections released
    during the May 2023 servicing updates. As a result, we are putting forth a more
    comprehensive solution that involves revoking the Microsoft Windows Production PCA
    (Product Certificate Authority) 2011.
    "

    and they cannot revoke PCA 2011, until PCA 2023 is fitted and is working
    to boot the computer. Only then is revoking PCA 2011 going to work. This
    should have an effect on a range of Linux LiveDVD releases (only an issue
    if Secure Boot is enabled, and most all of those would have options
    to still be able to boot).

    At the very least, we want to start with something like the above, for a Status.
    Maybe Attestation status, proves that a lot of material in MOK, KEK, db, dbx are present
    and working properly. One of those databases is for storage of revokes of things.

    *******

    This is turning out to be about as much fun as working with
    Intel Management Engine, where the penultimate web page is
    100 pages long, and I actually got a migraine before reading all of it.

    https://call4cloud.nl/tpm-attestation-troubleshoot-0x81039001/

    Out of that page, I would not go any further than

    PS C:\WINDOWS\system32> tpmtool getdeviceinformation # Daily Driver physical TPM module
    # Purchased specifically for test of these.
    -TPM Present: True
    -TPM Version: 2.0
    -TPM Manufacturer ID: IFX
    -TPM Manufacturer Full Name: Infineon
    -TPM Manufacturer Version: 7.85.4555.0
    -PPI Version: 1.3
    -Is Initialized: True
    -Ready For Storage: True
    -Ready For Attestation: True
    -Is Capable For Attestation: True
    -Clear Needed To Recover: False
    -Clear Possible: True
    -TPM Has Vulnerable Firmware: False <=== Machine received a BlackLotus BIOS/firmware update
    -Bitlocker PCR7 Binding State: Binding Not Possible <=== My secure boot might be off :-)
    -Maintenance Task Complete: True
    -TPM Spec Version: 1.38
    -TPM Errata Date: Monday, January 08, 2018
    -PC Client Version: 1.03
    -Lockout Information:
    -Is Locked Out: False
    -Lockout Counter: 0
    -Max Auth Fail: 32
    -Lockout Interval: 7200s
    -Lockout Recovery: 86400s
    PS C:\WINDOWS\system32>

    Now, I should run that on the Big Machine (Mr.TroubleMaker), uses an AMD fTPM, has no TPM header pins

    [CHEVRON]
    PS C:\Users\bullwinkle> tpmtool getdeviceinformation # Yes, it's an Admin Terminal...

    -TPM Present: True
    -TPM Version: 2.0
    -TPM Manufacturer ID: AMD
    -TPM Manufacturer Full Name: AMD
    -TPM Manufacturer Version: 3.94.2.5
    -PPI Version: 1.3
    -Is Initialized: True
    -Ready For Storage: True
    -Ready For Attestation: True
    -Is Capable For Attestation: True
    -Clear Needed To Recover: False
    -Clear Possible: True
    -TPM Has Vulnerable Firmware: False <=== This machine had no BlackLotus specific BIOS patch
    -Bitlocker PCR7 Binding State: Binding Possible <=== This means it just Secure Booted... all ducks aligned
    -Maintenance Task Complete: True
    -TPM Spec Version: 1.38
    -TPM Errata Date: Thursday, January 28, 2021
    -PC Client Version: 1.05
    -Lockout Information:
    -Is Locked Out: False
    -Lockout Counter: 0
    -Max Auth Fail: 31
    -Lockout Interval: 600s
    -Lockout Recovery: 86400s
    PS C:\Users\bullwinkle>

    *******

    Before we get too excited, I like to collect some statuses
    for the "comfort they bring". Even if we don't have a
    tool to name and shame the certificates, we can pretend
    we know what is going on. You'll notice that other
    certificate interfaces on our computers, do have Properties
    and you can ask the machine about the validity. This is one
    interface where my local tools are "zero". But, I live in hope...

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Mon Mar 9 23:20:05 2026
    On Mon, 3/9/2026 4:11 PM, J. P. Gilliver wrote:
    On 2026/3/9 17:26:21, ...w­¤?ñ?¤ wrote:
    On 3/8/2026 12:05 PM, Frank Slootweg wrote:
    ..w­¤?ñ?¤ <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
    dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true," then your PC is using the new
    certificate
    - If this second command returns "true," your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    Here's what I got (entire session, between ===== lines):
    =====
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> Secure Boot Certs ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
    Secure : The term 'Secure' is not recognized as the name of a cmdlet, function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:1 char:1
    + Secure Boot Certs ([System.Text.Encoding]::ASCII.GetString((Get-Secur ...
    + ~~~~~~
    + CategoryInfo : ObjectNotFound: (Secure:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    PS C:\Windows\system32> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
    False
    PS C:\Windows\system32>
    =====

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

    Even when you don't know how a computer thing works, you can start with the "root"
    of the statement and work with it. I actually did that some time ago with one of these. [following in an Administrator Terminal]

    (Get-SecureBootUEFI db).bytes <=== binary, but listed in decimal! Yikes.
    This is the "db" file from the BIOS.
    See if this much works.

    ASCII.GetString((Get-SecureBootUEFI db).bytes) <=== did not work

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) <=== will need to pattern-match this mess.
    Suited to some Wordpad examination.
    Using findstr 2023 the last line there, gives these along with emojis

    Windows UEFI CA 2023 <=== Winston's string is there
    Microsoft UEFI CA 2023

    So what is this one ? Don't know exactly.

    (Get-SecureBootUEFI dbdefault).bytes

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) <=== mixed binary and strings, like the other

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) | findstr 2023

    Windows UEFI CA 2023
    Microsoft UEFI CA 2023

    That's an example of breaking a thing apart in bits, which is how I checked
    out this string-thing originally when the topic came up.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
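Paul's "break it apart" approach taken one step further, as an added example that is not any poster's code: instead of pattern-matching the ASCII rendering of the bytes, it walks the EFI_SIGNATURE_LIST structures that Get-SecureBootUEFI returns and lists each certificate with its subject, expiry and thumbprint, the "name and shame the certificates" view Paul says he has no local tool for, and then answers the same 'UEFI CA 2023' question Winston's two commands ask. The function name is mine; the layout and the two GUID constants are the UEFI specification's, and the same function works on dbx (mostly SHA-256 hash entries).

```powershell
# Added example (not from any poster): parse the raw bytes from Get-SecureBootUEFI into
# the certificates and hashes they hold. Run from an elevated PowerShell. Read-only.

# EFI_SIGNATURE_LIST layout (UEFI spec, Signature Database section):
#   GUID   SignatureType        16 bytes
#   UINT32 SignatureListSize     4 bytes   (whole list, this header included)
#   UINT32 SignatureHeaderSize   4 bytes
#   UINT32 SignatureSize         4 bytes   (each entry: 16-byte owner GUID + data)
#   [SignatureHeader]            SignatureHeaderSize bytes
#   EFI_SIGNATURE_DATA[]         SignatureOwner GUID followed by SignatureData
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # DER X.509 certificate
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # SHA-256 of a binary

function ConvertFrom-EfiSignatureList {
    param([Parameter(Mandatory)][byte[]]$Bytes, [string]$Variable = '')
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $sigType  = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $hdrSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize  = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Refuse to walk past the buffer on a truncated or malformed list.
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            Write-Warning "malformed signature list at offset $offset"; break
        }
        $pos = $offset + 28 + $hdrSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
            $data  = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($sigType -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{
                    Variable = $Variable; Kind = 'X509'; Owner = $owner
                    Subject = $cert.Subject; Issuer = $cert.Issuer
                    NotBefore = $cert.NotBefore; NotAfter = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            } elseif ($sigType -eq $EFI_CERT_SHA256_GUID) {
                # Hash entries (typical of dbx): show the hex digest in the Subject column.
                [pscustomobject]@{
                    Variable = $Variable; Kind = 'SHA256'; Owner = $owner
                    Subject = ([BitConverter]::ToString($data) -replace '-', ''); Issuer = ''
                    NotBefore = $null; NotAfter = $null; Thumbprint = ''
                }
            } else {
                [pscustomobject]@{
                    Variable = $Variable; Kind = "other $sigType"; Owner = $owner
                    Subject = ''; Issuer = ''; NotBefore = $null; NotAfter = $null; Thumbprint = ''
                }
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

# Pull db (what the firmware trusts now) and dbdefault (what a factory reset restores),
# list every certificate with its validity window, then answer the thread's question.
$entries = foreach ($var in 'db', 'dbdefault') {
    ConvertFrom-EfiSignatureList -Bytes (Get-SecureBootUEFI $var).bytes -Variable $var
}
$entries | Where-Object Kind -eq 'X509' |
    Format-Table Variable, Subject, NotBefore, NotAfter, Thumbprint -AutoSize

foreach ($var in 'db', 'dbdefault') {
    $has2023 = $entries | Where-Object { $_.Variable -eq $var -and $_.Subject -match 'UEFI CA 2023' }
    "$var contains a 2023 UEFI CA: " + [bool]$has2023
}
```

Because it matches on the parsed certificate subject rather than on raw bytes, a 2011-era certificate whose DER happens to contain the digits 2023 elsewhere cannot produce a false True, which the plain -match test cannot rule out.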
  • From Paul@3:633/10 to All on Tue Mar 10 01:23:50 2026
    On Mon, 3/9/2026 8:11 PM, rbowman wrote:


    I'm fond of penguins so I turn it off and leave it off. It might have some utility for Windows but I don't know what. Zero use with Linux except for complicating life.

    You probably don't want to turn off Fast Boot on a Windows machine.


    If you were to check how my machines were set in the room,
    you would not conclude I was a believer in Secure Boot.

    But once a CVE exists for this, you can't rule out that
    BlackLotus will come looking for you. I don't know if
    the CVE has a proof-of-concept or not, for you to analyze,
    but it is good to know (like if it is rated as a 10),
    whether it is a threat or not.

    The BIOS patches may not be a complete solution. And some
    machines didn't get a BIOS patch (they're Secure Boot but
    too old for another BIOS to show up).

    Moving Security Issues into the BIOS, has made the BIOS update
    strategy of "a couple years of support" as being bogus. The
    motherboard companies definitely do not like the idea of
    having to issue hundreds of BIOS files on a given day.
    They would need to hire more fairly trained staff
    to keep up with this.

    Paul


    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Tue Mar 10 13:39:24 2026
    On 2026/3/10 0:11:23, rbowman wrote:
    [Secure Boot]
    I'm fond of penguins so I turn it off and leave it off. It might have some utility for Windows but I don't know what. Zero use with Linux except for complicating life.

    I haven't touched it yet.

    You probably don't want to turn off Fast Boot on a Windows machine.

    That's the first time _Fast_ Boot has been mentioned in this thread (I
    think); not sure if I have that or not. I think I have verbose or
    something like that, as it tells me what's happening, and I like that -
    gives me some idea what's going on (or at least that something is); the
    boot time (I have an SSD) isn't irritatingly slow.
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    I reckon in a few years we'll have GoogleBum. You'll type in someone's
    name and it will show you what their bum looks like. Even if they've
    never posted a nude picture, it will reconstruct their bum from bits of
    their face and leg and whatever else they can find.
    - Charlie Brooker, RT 2014/12/13-19

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Tue Mar 10 13:57:30 2026
    On 2026/3/10 1:14:6, ...w­¤?ñ?¤ wrote:
    On 3/9/2026 12:39 PM, J. P. Gilliver wrote:

    Not sure how to logon in an Admin account, but if "my done" at that
    point, presumably don't need to.


    You should know which logon accounts on your device(s) are logon
    accounts as an Administrator (i.e. an Admin account)

    I think I have two accounts - my normal one (from which I can "run
    [things] as Administrator", but I don't think it is an Admin account),
    and an Administrator one, which I created (or enabled - I think it was
    there, but hidden) in response to something (IIRR) here. I can't
    remember how to get into it - but I could probably find out. (I _think_
    I can remember its password.)

    I'm back, after two restarts (though they were full ones, getting into
    Windows). Not sure what I do next ...

    Now, in a Powershell admin window copy and paste the following and press
    the 'Enter' key. The response will indicate True or False.

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    Report the response in a reply.


    True

    By the way, when I paste lines like the above (copied from your original
    email), they come up with the second part ("-match ...") preceded by a
    ">> " (though I am copying from an unquoted post); I delete that so they
    appear as one line, and they seem to work. (I just tried copying and
    pressing enter, and got a lot of angry red, including "Missing closing
    ')'", which makes sense.) This may be a Thunderbird thing.
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    (please reply to group - they also serve who only look and lurk)
    (William Allen, 1999 - after Milton, of course)

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Tue Mar 10 14:00:21 2026
    On 2026/3/10 1:50:25, Char Jackson wrote:
    On Mon, 9 Mar 2026 16:16:44 +0000, "J. P. Gilliver" <G6JPG@255soft.uk>
    wrote:

    On 2026/3/8 19:0:22, Paul wrote:
    I'd use HowardKnight, but it's broken and likely for good
    (sooner or later it would lose access to part of what it uses).

    Sad, but inevitable, I think. (Maybe the MID enhancement to Thunderbird
    will come along soon.)

    Not that it's actually needed, though, since MID functionality already
    exists via extensions.

    I have the "Open By Message-ID" one (though I think I'd forgotten that I
    do!); however, I prefer not to rely on extensions, as updates sometimes
    break them (or at best they have to be manually updated after updates).
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    (please reply to group - they also serve who only look and lurk)
    (William Allen, 1999 - after Milton, of course)

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Tue Mar 10 14:18:08 2026
    On 2026/3/10 3:20:5, Paul wrote:
    On Mon, 3/9/2026 4:11 PM, J. P. Gilliver wrote:
    On 2026/3/9 17:26:21, ...w­¤?ñ?¤ wrote:
    On 3/8/2026 12:05 PM, Frank Slootweg wrote:
    ..w­¤?ñ?¤ <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
    dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true," then your PC is using the new
    certificate
    - If this second command returns "true," your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    Here's what I got (entire session, between ===== lines):
    =====
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')
    Secure : The term 'Secure' is not recognized as the name of a cmdlet,
    function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:1 char:1
    + Secure Boot Certs ([System.Text.Encoding]::ASCII.GetString((Get-Secur ...
    + ~~~~~~
    + CategoryInfo : ObjectNotFound: (Secure:String) [],
    CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    PS C:\Windows\system32>
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
    dbdefault).bytes) -match 'Windows UEFI CA 2023')
    False
    PS C:\Windows\system32>
    =====

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    Ah, got it: I hadn't realised that Winston's "Secure Boot Certs" was
    just him telling me what the next two lines did - I thought that was
    supposed to be part of what I was to enter.

    I've just entered the above two lines into an Admin powershell, and the
    first one said True, the second False.

    (Incidentally, copying them from _your_ post _didn't_ give any embedded
    ">> " bits, even though they were split.)
    []
    So what does one returning True and one returning False tell me/you/us?
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    (please reply to group - they also serve who only look and lurk)
    (William Allen, 1999 - after Milton, of course)

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Tue Mar 10 10:23:08 2026
    On Tue, 3/10/2026 9:39 AM, J. P. Gilliver wrote:
    On 2026/3/10 0:11:23, rbowman wrote:
    [Secure Boot]
    I'm fond of penguins so I turn it off and leave it off. It might have some
    utility for Windows but I don't know what. Zero use with Linux except for
    complicating life.

    I haven't touched it yet.

    You probably don't want to turn off Fast Boot on a Windows machine.

    That's the first time _Fast_ Boot has been mentioned in this thread (I
    think); not sure if I have that or not. I think I have verbose or
    something like that, as it tells me what's happening, and I like that -
    gives me some idea what's going on (or at least that something is); the
    boot time (I have an SSD) isn't irritatingly slow.


    There are "two fast things" on your computer.

    The "Fast" one in the BIOS, that setting can change the behavior
    of the BIOS.

    Any time electrical components are changed inside the computer,
    it reverts to "slow boot" while it does a slightly better
    memtest on the way up. I've had modern computers take
    90 seconds to come up, when they are doing their "thorough"
    method. The motherboards with the four white "staging LEDs",
    none of the LEDs are lit while the guru in there contemplates
    its navel. The next time, the BIOS might be 5-8 seconds, because
    it knows the hardware content of the box has not changed. We
    see this slow startup behavior, on new screwdriver assembly
    of computer components. The first boot is a slow one. You
    sit with crossed fingers waiting waiting for the staging
    LEDs to light up :-) It's like waiting for Christmas.

    *******

    In Windows, in the Power options, there is a control to enable
    things you would not normally enable. If you hibernate just
    the kernel of the OS, between sessions (and writing hiberfil.sys
    for storage space), that takes a minimum of time at shutdown
    (350MB write), and on the way up, the kernel blob is "bulk loaded",
    and that saves time on reading in the individual driver files
    for all the hardware. That reduces the OS boot component to
    5-10 seconds (depending on the prowess of your processor).
    The kids with the 6GHz processors, will race their machines
    to see "who is the fastest". And the "Fast Startup" OS option helps.

    # If you have trouble opening this .webp graphic, Irfanview can open it.
    # Using "control.exe" and then Power Options, eventually gives this dialog

    https://cdn.mos.cms.futurecdn.net/r5TsgNrpaNUSgzgckzGnEG-888-80.jpg.webp

    There is a similarity between OSes, so other versions have something like this.

    ( https://www.laptopmag.com/how-to/turn-off-fast-startup-on-windows-11 )

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.
    All the kit in the room here, has that turned off, as I refuse to be held
    hostage by any silliness :-) I only care about boot times if it
    takes 3-5 minutes. A TORAM boot of a Linux DVD takes that long...
    Use a USB stick instead.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Tue Mar 10 10:28:51 2026
    On Tue, 3/10/2026 9:57 AM, J. P. Gilliver wrote:
    On 2026/3/10 1:14:6, ...w­¤?ñ?¤ wrote:
    On 3/9/2026 12:39 PM, J. P. Gilliver wrote:

    Not sure how to logon in an Admin account, but if "my done" at that
    point, presumably don't need to.


    You should know which logon accounts on your device(s) are logon
    accounts as an Administrator(i.e. an Admin account)

    I think I have two accounts - my normal one (from which I can "run
    [things] as Administrator", but I don't think it is an Admin account),
    and an Administrator one, which I created (or enabled - I think it was
    there, but hidden) in response to something (IIRR) here. I can't
    remember how to get into it - but I could probably find out. (I _think_
    I can remember its password.)

    control.exe then "User Accounts", then "Manage another account" .

    That allows reviewing the "full" accounts on the machine.

    Mine has three accounts. The administrator group account (the
    one I MUST NOT delete :-) ), plus two unelevated accounts
    used as credentials for file sharing sessions.

    The real administrator account is not enabled on the machine.
    By default, this is OFF and I generally leave it OFF as it
    has a slight security aspect to it. With real malware,
    I don't think it matters what you do but we can always
    pretend these little ceremonies make a difference.

    Paul


    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Tue Mar 10 15:31:42 2026
    On 2026/3/10 14:23:8, Paul wrote:
    On Tue, 3/10/2026 9:39 AM, J. P. Gilliver wrote:
    []
    That's the first time _Fast_ Boot has been mentioned in this thread (I
    think); not sure if I have that or not. I think I have verbose or
    something like that, as it tells me what's happening, and I like that -
    gives me some idea what's going on (or at least that something is); the
    boot time (I have an SSD) isn't irritatingly slow.


    There are "two fast things" on your computer.

    The "Fast" one in the BIOS, that setting can change the behavior
    of the BIOS.

    Any time electrical components are changed inside the computer,
    it reverts to "slow boot" while it does a slightly better
    memtest on the way up. I've had modern computers take

    Ah yes, I remember that from the '286 (and before) era - it tested each
    (64K was it?) block of memory, emitting a tick for each one, up to the
    massive 640K. You could make it tick faster. (We had one of those still,
    at least up to when I was made redundant in 2017 - it was for testing a
    piece of avionics that came in only once in a blue moon, and it wasn't
    worth updating the kit. [Actually, by that point, I doubt any of the
    original software designers was still with us!]) I hadn't realised
    modern BIOSes did something similar ...

    90 seconds to come up, when they are doing their "thorough"
    method. The motherboards with the four white "staging LEDs",
    none of the LEDs are lit while the guru in there contemplates
    its navel. The next time, the BIOS might be 5-8 seconds, because
    it knows the hardware content of the box has not changed. We

    ... presumably using the microswitch some cases had/have to detect when
    you opened the case.

    see this slow startup behavior, on new screwdriver assembly
    of computer components. The first boot is a slow one. You
    sit with crossed fingers waiting waiting for the staging
    LEDs to light up :-) It's like waiting for Christmas.

    *******

    In Windows, in the Power options, there is a control to enable
    things you would not normally enable. If you hibernate just
    the kernel of the OS, between sessions (and writing hiberfil.sys
    for storage space), that takes a minimum of time at shutdown
    (350MB write), and on the way up, the kernel blob is "bulk loaded",
    and that saves time on reading in the individual driver files
    for all the hardware. That reduces the OS boot component to
    5-10 seconds (depending on the prowess of your processor).
    The kids with the 6GHz processors, will race their machines
    to see "who is the fastest". And the "Fast Startup" OS option helps.

    # If you have trouble opening this .webp graphic, Irfanview can open it.
    # Using "control.exe" and then Power Options, eventually gives this dialog

    https://cdn.mos.cms.futurecdn.net/r5TsgNrpaNUSgzgckzGnEG-888-80.jpg.webp

    There is a similarity between OSes, so other versions have something like this.

    ( https://www.laptopmag.com/how-to/turn-off-fast-startup-on-windows-11 )

    I _do_ seem to have that one turned on. What I was thinking of was some
    setting I came across - maybe in an earlier version of Windows - that
    told you what it was doing; I think they called it "verbose" mode, and
    although it obviously did slow it down a bit, it wasn't much, and I
    found it reassuring that something was happening (otherwise booting - I
    was on HDDs then - just seemed to stop for ages). I had thought I'd
    turned it on for W10, BICBW. It _does_ pause at some point to tell me
    when I last logged in and that there have been no unsuccessful login
    attempts since then - I thought that only appeared after I turned this on.

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.

    That's me.

    All the kit in the room here, has that turned off, as I refuse to be held
    hostage by any silliness :-) I only care about boot times if it
    takes 3-5 minutes. A TORAM boot of a Linux DVD takes that long...
    Use a USB stick instead.

    My Macrium CD and DVD (I have one of each - don't seem noticeably
    different, though the CD must be slower [not a mini-CD, M8 I think it is
    will no longer fit on one of those]) do seem to take a long time.

    Paul
    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    what - recession? Up north? What we gonna have - more nowt?
    (News Quiz 2013-7-26)

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From J. P. Gilliver@3:633/10 to All on Tue Mar 10 15:39:13 2026
    On 2026/3/10 14:28:51, Paul wrote:
    []
    control.exe then "User Accounts", then "Manage another account" .

    That allows reviewing the "full" accounts on the machine.

    I don't see "Manage another account", but "Add or remove user accounts"
    or "Change account type" seem to show I have only the one, which it says is
    Local Account
    Administrator
    .

    Mine has three accounts. The administrator group account (the
    one I MUST NOT delete :-) ), plus two unelevated accounts
    used as credentials for file sharing sessions.

    The real administrator account is not enabled on the machine.

    I thought I had (leaving it with a password for once), but maybe that
    was on my last machine (the 7-32 one).

    By default, this is OFF and I generally leave it OFF as it
    has a slight security aspect to it. With real malware,
    I don't think it matters what you do but we can always
    pretend these little ceremonies make a difference.

    :-)

    Paul

    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    what - recession? Up north? What we gonna have - more nowt?
    (News Quiz 2013-7-26)

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Tue Mar 10 12:22:53 2026
    On Tue, 3/10/2026 10:18 AM, J. P. Gilliver wrote:


    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    Ah, got it: I hadn't realised that Winston's "Secure Boot Certs" was
    just him telling me what the next two lines did - I thought that was
    supposed to be part of what I was to enter.

    I've just entered the above two lines into an Admin powershell, and the
    first one said True, the second False.

    (Incidentally, copying them from _your_ post _didn't_ give any embedded
    ">> " bits, even though they were split.)
    []
    So what does one returning True and one returning False tell me/you/us?


    I don't know :-)

    It depends on what dbdefault means. I don't have such a
    thing in the four file set from my BIOS, to comment.

    Maybe this is something a BlackLotus BIOS patch would have loaded,
    but I'm just guessing and we'll see if Winston knows what that is.

    The answers at the bottom here, seem to suggest "dbdefault" is a
    Factory state patch via a BlackLotus BIOS patch file. It's strange that
    the commands both return True on the Big Machine, as the Big Machine
    was not supposed to have a BlackLotus patch. But maybe the tricky bastards
    snuck that into one of the previous files, without labeling what was
    included.

    https://learn.microsoft.com/en-gb/answers/questions/5784883/uefi-ca-2023

    The reason you would want the Factory copy updated, is so if the
    user does a "reload Factory secure boot" at BIOS level, the reload has
    PCA 2023 in it.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Java Jive@3:633/10 to All on Tue Mar 10 18:06:47 2026
    On 2026-03-10 14:23, Paul wrote:

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.

    Also you should disable it if you use imaging software to back up your
    system disk.

    --

    Fake news kills!

    I may be contacted via the contact address given on my website: www.macfh.co.uk


    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Frank Slootweg@3:633/10 to All on Tue Mar 10 18:47:49 2026
    Java Jive <java@evij.com.invalid> wrote:
    On 2026-03-10 14:23, Paul wrote:

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.

    Also you should disable it if you use imaging software to back up your
    system disk.

    Why?

    The imaging software - in my case Macrium Reflect Free - just does a
    sector copy of the partitions. Any changes to the file-systems/
    partitions while the image backup is taking place are recorded in a
    Volume Shadow Copy.

    So I don't see why Fast Startup, which only does its preparation/
    (partial-)hibernation work during Shutdown, has any effect on an image
    backup.

    Or is your concern that the hibernated system copy might be
    stale compared to the current OS? If so, 1) when restoring, the Rescue
    media will be booted, invalidating the old hibernated system copy and
    2) AFAIK, the hiberfil.sys file is not included in the image, so it
    can't be restored.

    But please educate me/us.

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Java Jive@3:633/10 to All on Tue Mar 10 19:28:10 2026
    On 2026-03-10 18:47, Frank Slootweg wrote:

    Java Jive <java@evij.com.invalid> wrote:

    On 2026-03-10 14:23, Paul wrote:

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.

    Also you should disable it if you use imaging software to back up your
    system disk.

    Why?

    The imaging software - in my case Macrium Reflect Free - just does a
    sector copy of the partitions. Any changes to the file-systems/
    partitions while the image backup is taking place are recorded in a
    Volume Shadow Copy.

    So I don't see why Fast Startup, which only does its preparation/
    (partial-)hibernation work during Shutdown, has any effect on an image
    backup.

    Or is your concern that the hibernated system copy might be
    stale compared to the current OS? If so, 1) when restoring, the Rescue
    media will be booted, invalidating the old hibernated system copy and
    2) AFAIK, the hiberfil.sys file is not included in the image, so it
    can't be restored.

    But please educate me/us.

    First, let me clarify things. From what has been discussed before here
    &/or in other Windows NGs, Fast Start only hibernates the state of the
    OS, IIRC at login, whereas user hibernation saves the state of the
    Desktop and running programs. The above is a minimum and there may well
    be other differences, but I'm not aware of them, and particularly not
    wrt the following problem, which I know happens when an OS is user
    hibernated.

    When an OS is hibernated by the user, the state of play of ALL the
    Windows readable disks is remembered, not just that of the system disk.
    If then the PC is booted into a different OS which results in changes to
    any of the disks readable by Windows, say you copy in a file, when the
    original Windows OS is reverted to, it will attempt to revert the state
    of ALL the disks back to their remembered state, and thus any changes
    made, such as copying in that file, will probably be lost. At very
    least a chkdsk is likely to be triggered.

    Similarly, if you restore a Windows OS from a backup taken while the OS
    was hibernated, then when the restored OS boots it will attempt to
    revert all the disks back to their state when the backup was taken,
    potentially losing any legitimate changes made in the meantime, even
    those to a data disk.

    So I'm thinking that possibly/probably the same thing may happen when
    Fast Start is enabled, and thus I cannot recommend using imaging
    software to back up a Windows OS with Fast Start enabled.

    --

    Fake news kills!

    I may be contacted via the contact address given on my website: www.macfh.co.uk


    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Tue Mar 10 18:34:18 2026
    On Tue, 3/10/2026 3:28 PM, Java Jive wrote:
    On 2026-03-10 18:47, Frank Slootweg wrote:

    Java Jive <java@evij.com.invalid> wrote:

    On 2026-03-10 14:23, Paul wrote:

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.
    Also you should disable it if you use imaging software to back up your
    system disk.

    Why?

    The imaging software - in my case Macrium Reflect Free - just does a
    sector copy of the partitions. Any changes to the file-systems/
    partitions while the image backup is taking place are recorded in a
    Volume Shadow Copy.

    So I don't see why Fast Startup, which only does its preparation/
    (partial-)hibernation work during Shutdown, has any effect on an image
    backup.

    Or is your concern that the hibernated system copy might be
    stale compared to the current OS? If so, 1) when restoring, the Rescue
    media will be booted, invalidating the old hibernated system copy and
    2) AFAIK, the hiberfil.sys file is not included in the image, so it
    can't be restored.

    But please educate me/us.

    First, let me clarify things. From what has been discussed before here
    &/or in other Windows NGs, Fast Start only hibernates the state of the
    OS, IIRC at login, whereas user hibernation saves the state of the
    Desktop and running programs. The above is a minimum and there may well
    be other differences, but I'm not aware of them, and particularly not
    wrt the following problem, which I know happens when an OS is user
    hibernated.

    When an OS is hibernated by the user, the state of play of ALL the
    Windows readable disks is remembered, not just that of the system disk.
    If then the PC is booted into a different OS which results in changes to
    any of the disks readable by Windows, say you copy in a file, when the
    original Windows OS is reverted to, it will attempt to revert the state
    of ALL the disks back to their remembered state, and thus any changes
    made, such as copying in that file, will probably be lost. At very
    least a chkdsk is likely to be triggered.

    Similarly, if you restore a Windows OS from a backup taken while the OS
    was hibernated, then when the restored OS boots it will attempt to
    revert all the disks back to their state when the backup was taken,
    potentially losing any legitimate changes made in the meantime, even
    those to a data disk.

    So I'm thinking that possibly/probably the same thing may happen when
    Fast Start is enabled, and thus I cannot recommend using imaging
    software to back up a Windows OS with Fast Start enabled.


    Does a Macrium Rescue CD "allow" a backup to run while a hiberfil.sys
    has a validated header on it (the OS partition being in a hibernated state) ?

    If I run this through CoPilot, I think you can imagine what the answer
    is, but I'm not convinced the LLM-AI knows this to be true. It could be
    a projection of logical-consequences instead of an observation based
    on seeing someone report this.

    ************** CoPilot Answer *********************

    Here's the clear, technically accurate answer
    you're looking for - and the short version is: **No, a Macrium Rescue CD
    will not allow you to run a proper image backup of a Windows partition that
    is in a hibernated state (i.e., with a valid hiberfil.sys header).**
    <=== Pinocchio's nose seems longer... Answer has no cites.

    ---

    # **Short Answer**
    **Macrium Reflect Rescue Media will *refuse* to image an OS partition that
    contains a valid hibernation file header**, because that indicates the
    filesystem is in an *inconsistent* state. This is by design - imaging a
    hibernated Windows volume would produce a corrupted or unbootable image.

    ---

    # **Why This Happens**
    When Windows hibernates:

    - It writes the entire memory state into **hiberfil.sys**.
    - It marks the filesystem as **"dirty / hibernated"** in the NTFS metadata.
    - The volume is *not* in a crash-consistent state.

    Macrium Reflect (including the Rescue CD environment) checks for this condition.
    If it detects a valid hibernation header:

    - It **blocks the backup**
    - It warns that the volume is in a hibernated state
    - It requires you to **disable hibernation or boot Windows normally** before imaging

    This is the same behavior you see when trying to mount or image a
    hibernated NTFS volume under Linux - the filesystem is considered unsafe
    to access
  • From Paul@3:633/10 to All on Tue Mar 10 19:25:43 2026
    On Tue, 3/10/2026 2:06 PM, Java Jive wrote:
    On 2026-03-10 14:23, Paul wrote:

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.

    Also you should disable it if you use imaging software to back up your system disk.


    You can back up the system hot. Not a problem.
    (That's why it uses VSS, the Volume Shadow Service, it
    freezes a "snapshot" of the OS files, and anything saved
    after the ten second quiesce phase, will be backed up
    on your *next* backup.)

    Backing up from a Rescue CD, the X: OS partition there does not
    have VSS, but the C: filesystem is at rest and so it is
    easier to back up (compared to backing up hot).

    Macrium can pretend to record the pagefile.sys while the
    OS is running on C: , but the contents are all zero. There
    is a good chance it is just faking it.

    It would be nice if some utilities would agree as to what
    files are on various representations of a partition like C:
    (and the C: backup), but this hardly happens. There are
    too many little differences to get an exact match out of anything.

    Whereas a data partition like D: , it is more likely to have utilities
    that see the same things on there.

    Paul

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Tue Mar 10 18:41:24 2026
    On 3/10/2026 7:18 AM, J. P. Gilliver wrote:
    On 2026/3/10 3:20:5, Paul wrote:
    On Mon, 3/9/2026 4:11 PM, J. P. Gilliver wrote:
    On 2026/3/9 17:26:21, ...w­¤?ñ?¤ wrote:
    On 3/8/2026 12:05 PM, Frank Slootweg wrote:
    ..w­¤?ñ?¤ <winstonmvp@gmail.com> wrote:
    [...]

    Open Powershell in an admin prompt, then separately run each of these
    two commands.

    Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
    dbdefault).bytes) -match 'Windows UEFI CA 2023')


    - If the first command returns "true," then your PC is using the new
    certificate
    - If this second command returns "true," your system is running an
    updated BIOS with the new Secure Boot certificates built in.

    Here's what I got (entire session, between ===== lines):
    =====
    Windows PowerShell
    Copyright (C) Microsoft Corporation. All rights reserved.

    Try the new cross-platform PowerShell https://aka.ms/pscore6

    PS C:\Windows\system32> Secure Boot Certs
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
    -match 'Windows UEFI CA 2023')
    Secure : The term 'Secure' is not recognized as the name of a cmdlet,
    function, script file, or operable program.
    Check the spelling of the name, or if a path was included, verify that
    the path is correct and try again.
    At line:1 char:1
    + Secure Boot Certs ([System.Text.Encoding]::ASCII.GetString((Get-Secur ...
    + ~~~~~~
    + CategoryInfo : ObjectNotFound: (Secure:String) [],
    CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    PS C:\Windows\system32>
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
    dbdefault).bytes) -match 'Windows UEFI CA 2023')
    False
    PS C:\Windows\system32>
    =====

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    Ah, got it: I hadn't realised that Winston's "Secure Boot Certs" was
    just him telling me what the next two lines did - I thought that was
    supposed to be part of what I was to enter.

    I've just entered the above two lines into an Admin powershell, and the
    first one said True, the second False.

    (Incidentally, copying them from _your_ post _didn't_ give any embedded
    ">> " bits, even though they were split.)
    []
    So what does one returning True and one returning False tell me/you/us?

    It means you're done with updating the device for the current 2023 cert,
    and good to go.
    The only other option until the Secure Boot 2011 are
    revoked/expired/removed is an OEM provided UEFI/BIOS update - which can
    be installed if released, if not, you're done.
    Any future Windows Updates with Secure Boot will be installed via
    Windows Update, the scheduled task will continue to run and update the
    2023 cert if necessary. After 2011 cert is revoked and 2023 fully
    implemented the scheduled task can be deleted or ignored.



    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.12
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
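    The two checks Winston gives above (db and dbdefault), together with the
    AvailableUpdates registry value and the Secure-Boot-Update scheduled task
    from the first post, gathered into one report. This is an added example,
    not code from anyone in this thread: instead of substring-matching the raw
    variable bytes it walks the EFI_SIGNATURE_LIST structures (layout and the
    EFI_CERT_X509_GUID value are from the UEFI specification) and decodes the
    actual X.509 certificates; the function names are my own.

```powershell
# Added example, not code from any post in this thread. Decodes the Secure
# Boot db / dbdefault variables into their X.509 certificates (rather than a
# raw substring match) and reports CA presence, the AvailableUpdates registry
# value and the Secure-Boot-Update task state mentioned up-thread.
# Run from an elevated PowerShell (5.1 or later) on a UEFI machine.
# Function names are mine; the structure layout and GUID come from the UEFI spec.

# Signature type GUID marking each entry as a DER-encoded X.509 certificate.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-EfiSignatureCertificates {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $certs  = @()
    $offset = 0
    # A Secure Boot variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID   SignatureType       (16 bytes)
    #   UINT32 SignatureListSize   (whole list, header included)
    #   UINT32 SignatureHeaderSize (0 for X.509 lists)
    #   UINT32 SignatureSize       (size of each EFI_SIGNATURE_DATA entry)
    #   BYTE   SignatureHeader[SignatureHeaderSize]
    #   EFI_SIGNATURE_DATA Signatures[] (16-byte owner GUID + DER bytes)
    while ($offset + 28 -le $Bytes.Length) {
        $sigType    = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        # SHA-256 hash lists (as found in dbx) are skipped; only X.509 lists
        # carry certificates. Each entry must hold more than the owner GUID.
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $headerSize
            $end   = $offset + $listSize
            while ($entry + $sigSize -le $end) {
                # Skip the SignatureOwner GUID; the remainder is the DER cert.
                $der = [byte[]]($Bytes[($entry + 16)..($entry + $sigSize - 1)])
                $certs += [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
    return ,$certs
}

function Get-SecureBootCaStatus {
    # db is what firmware trusts now; dbdefault is the factory copy that a
    # "restore factory keys" in the BIOS would reload. dbdefault is missing
    # on some firmware, so that is reported rather than treated as fatal.
    foreach ($name in 'db', 'dbdefault') {
        try {
            $var = Get-SecureBootUEFI -Name $name -ErrorAction Stop
        } catch {
            Write-Warning "$name not readable: $($_.Exception.Message)"
            continue
        }
        $subjects = @((Get-EfiSignatureCertificates -Bytes $var.Bytes).Subject)
        [pscustomobject]@{
            Variable         = $name
            CertificateCount = $subjects.Count
            HasWindowsCA2023 = [bool]($subjects -match 'Windows UEFI CA 2023')
            HasProdPCA2011   = [bool]($subjects -match 'Windows Production PCA 2011')
            Subjects         = ($subjects -join '; ')
        }
    }
}

function Get-SecureBootUpdateState {
    # The registry value and scheduled task named in the first post of the
    # thread: AvailableUpdates tells Secure-Boot-Update what to apply next.
    $reg  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' `
                             -Name AvailableUpdates -ErrorAction SilentlyContinue
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' `
                              -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        AvailableUpdates  = $(if ($reg) { '0x{0:X}' -f $reg.AvailableUpdates } else { '(not set)' })
        TaskState         = $(if ($task) { $task.State } else { '(task not found)' })
        LastTaskResult    = $(if ($task) { ($task | Get-ScheduledTaskInfo).LastTaskResult } else { $null })
    }
}

Get-SecureBootCaStatus    | Format-List
Get-SecureBootUpdateState | Format-List
```

    On the machine discussed above the expected report is HasWindowsCA2023
    True for db and False (or a warning) for dbdefault, which is the
    "first True, second False" result described in the thread.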
  • From J. P. Gilliver@3:633/10 to All on Wed Mar 11 12:47:21 2026
    On 2026/3/11 1:41:24, ...w­¤?ñ?¤ wrote:
    On 3/10/2026 7:18 AM, J. P. Gilliver wrote:
    On 2026/3/10 3:20:5, Paul wrote:
    []
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    Ah, got it: I hadn't realised that Winston's "Secure Boot Certs" was
    just him telling me what the next two lines did - I thought that was
    supposed to be part of what I was to enter.

    I've just entered the above two lines into an Admin powershell, and the
    first one said True, the second False.
    []
    So what does one returning True and one returning False tell me/you/us?

    It means you're done with updating the device for the current 2023 cert,
    and good to go.

    Thanks! That sounds reassuring.

    The only other option until the Secure Boot 2011 certs are
    revoked/expired/removed is an OEM-provided UEFI/BIOS update - which can
    be installed if released; if not, you're done.

    Given
    BIOS Version/Date LENOVO 1LCN50WW, 2017/4/17
    , I don't think that's likely. (Almost certainly pre Windows 10?)

    Any future Windows Updates with Secure Boot will be installed via
    Windows Update, the scheduled task will continue to run and update the
    2023 cert if necessary. After 2011 cert is revoked and 2023 fully implemented the scheduled task can be deleted or ignored.

    I guess I'll find out in June! (Or am I safe from that one?)


    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    Who's General Failure & why's he reading my disk?
    (Stolen from another .sig)

  • From Java Jive@3:633/10 to All on Wed Mar 11 13:29:21 2026
    On 2026-03-10 22:34, Paul wrote:
    On Tue, 3/10/2026 3:28 PM, Java Jive wrote:
    On 2026-03-10 18:47, Frank Slootweg wrote:

    Java Jive <java@evij.com.invalid> wrote:

    On 2026-03-10 14:23, Paul wrote:

    Turning off Fast Startup is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.

    Also you should disable it if you use imaging software to back up your
    system disk.

    Why?

    The imaging software - in my case Macrium Reflect Free - just does a
    sector copy of the partitions. Any changes to the file-systems/
    partitions while the image backup is taking place are recorded in a
    Volume Shadow Copy.

    So I don't see why Fast Startup, which only does its preparation/
    (partial-)hibernation work during Shutdown, has any effect on an image
    backup.

    Or is your concern that the hibernated system copy might be
    stale compared to the current OS? If so, 1) when restoring, the Rescue
    media will be booted, invalidating the old hibernated system copy and
    2) AFAIK, the hiberfil.sys file is not included in the image, so it
    can't be restored.

    But please educate me/us.

    First, let me clarify things. From what has been discussed before here &/or in other Windows NGs, Fast Start only hibernates the state of the OS, IIRC at login, whereas user hibernation saves the state of the Desktop and running programs. The above is a minimum and there may well be other differences, but I'm not aware of them, and particularly not wrt the following problem, which I know happens when an OS is user hibernated.

    When an OS is hibernated by the user, the state of play of ALL the Windows readable disks is remembered, not just that of the system disk. If then the PC is booted into a different OS which results in changes to any of the disks readable by Windows, say you copy in a file, when the original Windows OS is reverted to, it will attempt to revert the state of ALL the disks back to their remembered state, and thus any changes made, such as copying in that file, will probably be lost. At very least a chkdsk is likely to be triggered.

    Similarly, if you restore a Windows OS from a backup taken while the OS was hibernated, then when the restored OS boots it will attempt to revert all the disks back to their state when the backup was taken, potentially losing any legitimate changes made in the meantime, even those to a data disk.

    So I'm thinking that possibly/probably the same thing may happen when Fast Start is enabled, and thus I cannot recommend using imaging software to back up a Windows OS with Fast Start enabled.


    Does a Macrium Rescue CD "allow" a backup to run while a hiberfil.sys
    has a validated header on it (the OS partition being in a hibernated state) ?

    If I run this through CoPilot, I think you can imagine what the answer
    is, but I'm not convinced the LLM-AI knows this to be true. It could be
    a projection of logical-consequences instead of an observation based
    on seeing someone report this.

    Macrium is not the only imaging software, though it is the one that
    currently I'm using. As you may remember, I used to use Ghost until I discovered that it is buggy with GPT disks, and that warns you that the filesystem is in a 'dirty' state, advises you not to proceed, but will
    allow you to do so if you choose.

    ************** CoPilot Answer *********************

    Here's the clear, technically accurate answer <=== Pinocchio's nose seems longer...
    you're looking for - and the short version is: **No, a Macrium Rescue CD Answer has no cites.
    will not allow you to run a proper image backup of a Windows partition that is in a hibernated state (i.e., with a valid hiberfil.sys header).**

    ---

    # **Short Answer**
    **Macrium Reflect Rescue Media will *refuse* to image an OS partition that contains a valid hibernation file header**, because that indicates the filesystem
    is in an *inconsistent* state. This is by design: imaging a hibernated Windows volume would produce a corrupted or unbootable image.

    ---

    # **Why This Happens**
    When Windows hibernates:

    - It writes the entire memory state into **hiberfil.sys**.
    - It marks the filesystem as **"dirty / hibernated"** in the NTFS metadata.
    - The volume is *not* in a crash-consistent state.

    Macrium Reflect (including the Rescue CD environment) checks for this condition.
    If it detects a valid hibernation header:

    - It **blocks the backup**
    - It warns that the volume is in a hibernated state
    - It requires you to **disable hibernation or boot Windows normally** before imaging

    This is the same behavior you see when trying to mount or image a
    hibernated NTFS volume under Linux; the filesystem is considered unsafe to access.

    ---

    # **Why Macrium Blocks It**
    Allowing a backup of a hibernated OS partition would risk:

    - Filesystem corruption
    - Incomplete or inconsistent system state
    - Unbootable restored images

    Macrium's design philosophy is to guarantee *restorable* images, so it refuses to proceed.

    ---

    # **What *Does* Work**
    If you want to image the OS partition from Rescue Media:

    ### Boot into Rescue Media
    ### Open a command prompt
    ### Run:

    ```
    powercfg /h off
    ```
    This deletes **hiberfil.sys** and clears the hibernation flag. <=== sheerest hallucination!
    it is booted off X:, not C:
    After that, Macrium will allow the backup. If this works, this is my
    shocked face.
    ---

    # **Edge Case: Forced Imaging?**
    Even if you try to force it (e.g., using forensic sector-by-sector mode), Macrium still checks the NTFS state and will warn or refuse.
    Macrium does **not** provide an override to ignore a hibernated filesystem.

    ---

    # **Bottom Line**
    **A Macrium Rescue CD will *not* allow a backup of a Windows OS partition
    if hiberfil.sys has a valid header.**
    You must disable hibernation or boot Windows normally first. <=== this is more sound advice (including no Fast Startup cycle)

    [Please note: This answer had NO reference section with cites at the bottom.]

    [This will require test to validate. I can believe the answer that the consistency problem will be picked up by the Rescue CD (because Macrium
    devs are very thorough individuals -- hardly ever making stupid mistakes),
    if you attempt to pull the old switcheroo. And adjusting your hibernation state before
    going offline to make a backup, that's a good answer. But thinking
    you can erase C:\hiberfil.sys while booted from X: is just silly. If the LLM-AI told me to "del C:\hiberfil.sys" from the X: prompt, that would make more logical (and dangerous) sense for an AI to cook up. And no, don't
    do that either.]

    When you back up, it's up to you as a responsible adult, to not be
    throwing challenges into the picture that are illogical and just
    asking for trouble. Great for an experiment. Bad for a part of your
    regular backup cycle. Since my hiberfil.sys is disabled everywhere in
    this room, I'm not even ready to test this. Purely by accident,
    I'm ready for backup anytime. I didn't plan this.

    I use hibernation on a daily basis. Occasionally I get caught out by
    this, usually by booting into another version of Windows &/or Linux
    without remembering first to go into the hibernated version and fully
    shut it down, the result of which is usually a chkdsk; the latter
    doesn't seem to have any effect within Linux itself, but, as described previously, changes to a Windows readable disk will be lost.

    ---

    Summarising the copious output above, it seems to support pretty much
    what I was suggesting, but with the added information that some imaging software is better than others in guarding against accidental imaging of
    a hibernated partition.

    --

    Fake news kills!

    I may be contacted via the contact address given on my website: www.macfh.co.uk


  • From Java Jive@3:633/10 to All on Wed Mar 11 13:49:46 2026
    On 2026-03-10 23:25, Paul wrote:

    Macrium can pretend to record the pagefile.sys while the
    OS is running on C: , but the contents are all zero. There
    is a good chance it is just faking it.

    Which is the sort of reason why I think the whole idea of imaging a
    running system is dodgy, and always shut a system down before imaging it.

    IIRC, another is that there are keys in the registry which flag whether
    a system was shut down properly. If you restore the image of a running system, on first boot it will find that these flags are not in their
    proper state, and a menu will be displayed asking for which version of
    Windows to load, even if there's only one, or whether to load safe mode,
    etc. This might not matter much to a home user, but, speaking as a
    former professional who used to create the OS images for thousands of corporate PCs, I'm pretty sure that I wouldn't have been allowed to
    produce an image that did that, even supposing I had been sufficiently unembarrassed to try!

    --

    Fake news kills!

    I may be contacted via the contact address given on my website: www.macfh.co.uk


  • From ...w¡ñ?±?ñ@3:633/10 to All on Wed Mar 11 10:53:45 2026
    On 3/11/2026 6:29 AM, Java Jive wrote:

    Macrium is not the only imaging software, though it is the one that currently I'm using. As you may remember, I used to use Ghost until I discovered that it is buggy with GPT disks, and that warns you that the filesystem is in a 'dirty' state, advises you not to proceed, but will
    allow you to do so if you choose.

    Hardly a fair comparison(Ghost vs. Macrium). Most today would be using
    the last released free version of Macrium or its current subscription
    released version.

    Ghost last released version compatible for a Windows operating system
    was over 16 years ago(Nov. 2009) - Windows 7 and earlier. Never designed
    for use on Win8x and later, nor with UEFI and GPT.

    For non-enterprise consumer Windows 8x and later Symantec's product was
    System Recovery(for Win10 version SSR version 11.1.3, aka 2013 SP4), Enterprise was Ghost Solution Suite version 3.3 later.
    - Symantec consumer division Veritas was sold to Carlyle Group in
    2016 with SSR rebranded as Veritas System Recovery(initial release
    version 16 for Win10 compatibility).




    --
    ...w­¤?ñ?¤

  • From ...w¡ñ?±?ñ@3:633/10 to All on Wed Mar 11 11:08:19 2026
    On 3/11/2026 5:47 AM, J. P. Gilliver wrote:
    On 2026/3/11 1:41:24, ...w­¤?ñ?¤ wrote:
    On 3/10/2026 7:18 AM, J. P. Gilliver wrote:
    On 2026/3/10 3:20:5, Paul wrote:
    []
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    Ah, got it: I hadn't realised that Winston's "Secure Boot Certs" was
    just him telling me what the next two lines did - I thought that was
    supposed to be part of what I was to enter.

    I've just entered the above two lines into an Admin powershell, and the
    first one said True, the second False.
    []
    So what does one returning True and one returning False tell me/you/us?

    It means you're done with updating the device for the current 2023 cert,
    and good to go.

    Thanks! That sounds reassuring.

    The only other option until the Secure Boot 2011 certs are
    revoked/expired/removed is an OEM-provided UEFI/BIOS update - which can
    be installed if released; if not, you're done.

    Given
    BIOS Version/Date LENOVO 1LCN50WW, 2017/4/17
    , I don't think that's likely. (Almost certainly pre Windows 10?)

    Any future Windows Updates with Secure Boot will be installed via
    Windows Update, the scheduled task will continue to run and update the
    2023 cert if necessary. After 2011 cert is revoked and 2023 fully
    implemented the scheduled task can be deleted or ignored.

    I guess I'll find out in June! (Or am I safe from that one?)



    As noted, you're good to go (based on your earlier reply that the
    PowerShell command indicated the 2023 cert is present in the db store).
    Discussion here and elsewhere regarding Secure Boot has been going on
    for quite some time.

    Some of the articles are missing the point and spreading fear beyond
    what will/does happen.

    For Win10 and Secure Boot with the 2023 cert deployed(like yours True
    for Windows, False for UEFI), the device and its Win10 OS(24H2) should
    be enrolled in ESU to ensure any future Secure Boot updates are
    available, downloaded and installed.



    --
    ...w­¤?ñ?¤

  • From Java Jive@3:633/10 to All on Wed Mar 11 18:21:34 2026
    On 2026-03-11 17:53, ...w­¤?ñ?¤ wrote:

    On 3/11/2026 6:29 AM, Java Jive wrote:

    Macrium is not the only imaging software, though it is the one that
    currently I'm using.ÿ As you may remember, I used to use Ghost until I
    discovered that it is buggy with GPT disks, and that warns you that
    the filesystem is in a 'dirty' state, advises you not to proceed, but
    will allow you to do so if you choose.

    Hardly a fair comparison(Ghost vs. Macrium). Most today would be using
    the last released free version of Macrium or its current subscription released version.

    Ghost last released version compatible for a Windows operating system
    was over 16 years ago(Nov. 2009) - Windows 7 and earlier. Never designed
    for use on Win8x and later, nor with UEFI and GPT.

    For non-enterprise consumer Windows 8x and later Symantec's product was System Recovery(for Win10 version SSR version 11.1.3, aka 2013 SP4), Enterprise was Ghost Solution Suite version 3.3 later.
    - Symantec consumer division Veritas was sold to Carlyle Group in
    2016 with SSR rebranded as Veritas System Recovery(initial release
    version 16 for Win10 compatibility).

    I just used Ghost for as long as it worked for me, because I had rescue
    media which automated a lot of the process of backing up and restoring,
    and stopped using it when I found it was buggy and gave problems on GPT
    disks.

    Anyway, I don't think you've altered my point, which was that there are different imaging programs which might behave differently under unusual situations, such as the 'dirty' flag being set.

    --

    Fake news kills!

    I may be contacted via the contact address given on my website: www.macfh.co.uk


  • From Paul@3:633/10 to All on Wed Mar 11 16:11:59 2026
    On Wed, 3/11/2026 2:08 PM, ...w­¤?ñ?¤ wrote:
    On 3/11/2026 5:47 AM, J. P. Gilliver wrote:
    On 2026/3/11 1:41:24, ...w­¤?ñ?¤ wrote:
    On 3/10/2026 7:18 AM, J. P. Gilliver wrote:
    On 2026/3/10 3:20:5, Paul wrote:
    []
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')


    Ah, got it: I hadn't realised that Winston's "Secure Boot Certs" was
    just him telling me what the next two lines did - I thought that was
    supposed to be part of what I was to enter.

    I've just entered the above two lines into an Admin powershell, and the
    first one said True, the second False.
    []
    So what does one returning True and one returning False tell me/you/us?

    It means you're done with updating the device for the current 2023 cert,
    and good to go.

    Thanks! That sounds reassuring.

    The only other option until the Secure Boot 2011 certs are
    revoked/expired/removed is an OEM-provided UEFI/BIOS update - which can
    be installed if released; if not, you're done.

    Given
    BIOS Version/Date LENOVO 1LCN50WW, 2017/4/17
    , I don't think that's likely. (Almost certainly pre Windows 10?)

    Any future Windows Updates with Secure Boot will be installed via
    Windows Update, the scheduled task will continue to run and update the
    2023 cert if necessary. After 2011 cert is revoked and 2023 fully
    implemented the scheduled task can be deleted or ignored.

    I guess I'll find out in June! (Or am I safe from that one?)



    As noted, you're good to go (based on your earlier reply that the PowerShell command indicated the 2023 cert is present in the db store).
    Discussion here and elsewhere regarding Secure Boot has been going on for quite some time.

    Some of the articles are missing the point and spreading fear beyond what will/does happen.

    The fear is justified, given how stupid some of the motherboard
    engineering can be. One company lost the curation chain for their
    BIOS releases. In some cases, the only reason this stuff works,
    is because the BIOS in an Award, AMI, Phoenix, InSyde and those
    companies push out the code for that.

    It is the lack of industry expertise in UEFI and Secure Boot that
    strikes fear for the unlucky computer owners.

    PCA 2011 would presumably have been signed in that year, W10 was
    a 2015 release.

    Ubuntu seems to be able to inject into db dbx, and could do that
    without informing the user.

    It would help greatly, if we had a tool to properly list the certs
    and revokes.

    Paul

  • From J. P. Gilliver@3:633/10 to All on Wed Mar 11 20:13:08 2026
    On 2026/3/11 18:8:19, ...w­¤?ñ?¤ wrote:
    On 3/11/2026 5:47 AM, J. P. Gilliver wrote:
    On 2026/3/11 1:41:24, ...w­¤?ñ?¤ wrote:
    On 3/10/2026 7:18 AM, J. P. Gilliver wrote:
    On 2026/3/10 3:20:5, Paul wrote:
    []
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

    []

    Given
    BIOS Version/Date LENOVO 1LCN50WW, 2017/4/17
    , I don't think that's likely. (Almost certainly pre Windows 10?)

    Any future Windows Updates with Secure Boot will be installed via
    Windows Update, the scheduled task will continue to run and update the
    2023 cert if necessary. After 2011 cert is revoked and 2023 fully
    implemented the scheduled task can be deleted or ignored.

    I guess I'll find out in June! (Or am I safe from that one?)



    As noted, you're good to go (based on your earlier reply that the
    PowerShell command indicated the 2023 cert is present in the db store).
    Discussion here and elsewhere regarding Secure Boot has been going on
    for quite some time.

    Some of the articles are missing the point and spreading fear beyond
    what will/does happen.

    Yes, I got that impression.

    For Win10 and Secure Boot with the 2023 cert deployed(like yours True
    for Windows, False for UEFI), the device and its Win10 OS(24H2) should
    be enrolled in ESU to ensure any future Secure Boot updates are
    available, downloaded and installed.

    I am enrolled in ESU (I did the bodge that was pointed to here, before -
    I think - such enrolling became automatic anyway, for UK/EU at least).


    --
    J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

    "Look, if it'll help you to do what I tell you, baby, imagine that I've
    got a blaster ray in my hand." "Uh - you _have_ got a blaster ray in
    your hand." "So you shouldn't have to tax your imagination too hard."
    (Link episode)

  • From ...w¡ñ?±?ñ@3:633/10 to All on Thu Mar 12 00:25:30 2026
    On 3/11/2026 11:21 AM, Java Jive wrote:
    On 2026-03-11 17:53, ...w­¤?ñ?¤ wrote:

    On 3/11/2026 6:29 AM, Java Jive wrote:

    Macrium is not the only imaging software, though it is the one that
    currently I'm using.ÿ As you may remember, I used to use Ghost until
    I discovered that it is buggy with GPT disks, and that warns you that
    the filesystem is in a 'dirty' state, advises you not to proceed, but
    will allow you to do so if you choose.

    Hardly a fair comparison(Ghost vs. Macrium). Most today would be using
    the last released free version of Macrium or its current subscription
    released version.

    Ghost last released version compatible for a Windows operating system
    was over 16 years ago(Nov. 2009) - Windows 7 and earlier. Never
    designed for use on Win8x and later, nor with UEFI and GPT.

    For non-enterprise consumer Windows 8x and later Symantec's product
    was System Recovery(for Win10 version SSR version 11.1.3, aka 2013
    SP4), Enterprise was Ghost Solution Suite version 3.3 later.
    - Symantec consumer division Veritas was sold to Carlyle Group in
    2016 with SSR rebranded as Veritas System Recovery(initial release
    version 16 for Win10 compatibility).

    I just used Ghost for as long as it worked for me, because I had rescue media which automated a lot of the process of backing up and restoring,
    and stopped using it when I found it was buggy and gave problems on GPT disks.

    Anyway, I don't think you've altered my point, which was that there are different imaging programs which might behave differently under unusual situations, such as the 'dirty' flag being set.


    I used Ghost for years as well as earlier Peter Norton and later
    Symantec branded products. Beta testing began in 1982, ended with
    SystemWorks 16 and Ghost 15.

    Agreed, there are different imaging programs and in some situations they
    operate or behave differently, but Ghost of yesteryear(never designed
    for GPT) isn't in play in today's or even recent year's comparison.

    --
    ...w­¤?ñ?¤

  • From Frank Slootweg@3:633/10 to All on Thu Mar 12 15:26:07 2026
    Paul <nospam@needed.invalid> wrote:
    On Tue, 3/10/2026 2:06 PM, Java Jive wrote:
    On 2026-03-10 14:23, Paul wrote:

    Turning off Fast Startup, is for if you are a multibooter. If you only
    use the one OS on the laptop, then leaving Fast Startup enabled is fine.

    Also you should disable it if you use imaging software to back up
    your system disk.


    You can back up the system hot. Not a problem.

    Yes, that's the scenario I described in my response to Java Jive, NOT
    an offline backup using the Rescue media

    (That's why it uses VSS, the Volume Shadow Service, it
    freezes a "snapshot" of the OS files, and anything saved
    after the ten second quiesce phase, will be backed up
    on your *next* backup.)

    Backing up from a Rescue CD, the X: OS partition there does not
    have VSS, but the C: filesystem is at rest and so it is
    easier to back up (compared to backing up hot).

    Macrium can pretend to record the pagefile.sys while the
    OS is running on C: , but the contents are all zero. There
    is a good chance it is just faking it.

    You probably mean the hiberfil.sys file, because *that* is under
    discussion, i.e. whether or not a hibernated OS (not the whole system)
    can present a problem later.

    For an online Macrium Reflect image backup, the contents of the
    hiberfil.sys is irrelevant, because by definition the contents is
    stale, as the system is still online, so any contents of the
    hiberfil.sys is the contents of a *previous* OS hibernation.

    That's why I said Macrium Reflect probably doesn't even backup (the
    sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.

    It would be nice if some utilities would agree as to what
    files are on various representations of a partition like C:
    (and the C: backup), but this hardly happens. There are
    too many little differences to get an exact match out of anything.

    Whereas a data partition like D: , it is more likely to have utilities
    that see the same things on there.

  • From Frank Slootweg@3:633/10 to All on Thu Mar 12 15:41:33 2026
    Java Jive <java@evij.com.invalid> wrote:
    On 2026-03-10 23:25, Paul wrote:

    Macrium can pretend to record the pagefile.sys while the
    OS is running on C: , but the contents are all zero. There
    is a good chance it is just faking it.

    Which is the sort of reason why I think the whole idea of imaging a
    running system is dodgy, and always shut a system down before imaging it.

    Which is of course perfectly fine. I know of at least one other member
    in the audience who also does/prefers offline image backups.

    IIRC, another is that there are keys in the registry which flag whether
    a system was shut down properly. If you restore the image of a running system, on first boot it will find that these flags are not in their
    proper state, and a menu will be displayed asking for which version of Windows to load, even if there's only one, or whether to load safe mode, etc.

    I think it's extremely unlikely that this is actually a problem,
    because if it was, Macrium Reflect would not offer online image backup
    (of system partitions) or would at least warn for the consequences and
    what precautions/ measures to take when restoring.

    This might not matter much to a home user, but, speaking as a
    former professional who used to create the OS images for thousands of corporate PCs, I'm pretty sure that I wouldn't have been allowed to
    produce an image that did that, even supposing I had been sufficiently unembarrassed to try!

    Our IT department(s) managed bare-metal-restore functionality for only
    some mere 150 thousand Windows PCs in the later 90s! :-) I only used
    that functionality, did not manage or design it. But I did manage
    similar functionality for those 'tiny' multi-million dollar Five Nines
    metro clusters. :-)

  • From Java Jive@3:633/10 to All on Thu Mar 12 17:57:43 2026
    On 12/03/2026 15:41, Frank Slootweg wrote:

    Java Jive <java@evij.com.invalid> wrote:

    IIRC, another is that there are keys in the registry which flag whether
    a system was shut down properly. If you restore the image of a running
    system, on first boot it will find that these flags are not in their
    proper state, and a menu will be displayed asking for which version of
    Windows to load, even if there's only one, or whether to load safe mode,
    etc.

    I think it's extremely unlikely that this is actually a problem,
    because if it was, Macrium Reflect would not offer online image backup
    (of system partitions) or would at least warn for the consequences and
    what precautions/ measures to take when restoring.

    No, agreed, not an actual problem as such, it's just the result seems
    somewhat unprofessional. Fine for home use, but perhaps not good for
    your professional reputation at work :-), which is why I added ...

    This might not matter much to a home user, but, speaking as a
    former professional who used to create the OS images for thousands of
    corporate PCs, I'm pretty sure that I wouldn't have been allowed to
    produce an image that did that, even supposing I had been sufficiently
    unembarrassed to try!
    --

    Fake news kills!

    I may be contacted via the contact address given on my website: www.macfh.co.uk

  • From Paul@3:633/10 to All on Fri Mar 13 03:04:07 2026
    On Thu, 3/12/2026 1:57 PM, Java Jive wrote:
    On 12/03/2026 15:41, Frank Slootweg wrote:

    Java Jive <java@evij.com.invalid> wrote:

    IIRC, another is that there are keys in the registry which flag whether
    a system was shut down properly.ÿ If you restore the image of a running
    system, on first boot it will find that these flags are not in their
    proper state, and a menu will be displayed asking for which version of
    Windows to load, even if there's only one, or whether to load safe mode,
    etc.

    I think it's extremely unlikely that this is actually a problem,
    because if it was, Macrium Reflect would not offer online image backup
    (of system partitions) or would at least warn for the consequences and
    what precautions/ measures to take when restoring.

    No, agreed, not an actual problem as such, it's just the result seems somewhat unprofessional. Fine for home use, but perhaps not good for your professional reputation at work :-), which is why I added ...

    This might not matter much to a home user, but, speaking as a
    former professional who used to create the OS images for thousands of
    corporate PCs, I'm pretty sure that I wouldn't have been allowed to
    produce an image that did that, even supposing I had been sufficiently
    unembarrassed to try!

    At least 30 Windows backup products use VSS and trust it.
    And they use that for on-line "hot" backup.

    Note that you can set a shadow yourself, "freeze" C: and compare
    the frozen copy to the current state of C: . This means, that if
    a backup product did not have VSS Volume Shadow Service integrated in the code, you
    could freeze a copy of C: and tell the backup program to "back up K: "
    and that would be the frozen version getting backed up.

    Somewhere in that mess, is a log of things that did not quiesce.

    *******

    https://learn.microsoft.com/en-us/sysinternals/downloads/disk2vhd

    By Mark Russinovich

    (Tick box: Use Volume Shadow Copy)

    https://learn.microsoft.com/en-us/sysinternals/downloads/media/disk2vhd/20131218_disk2vhd_v2.0.png

    That's a way of doing P2V.

    Paul

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Fri Mar 13 00:09:16 2026
    Paul wrote on 3/11/2026 1:11 PM:
    On Wed, 3/11/2026 2:08 PM, ...w­¤?ñ?¤ wrote:
    Some of the articles are missing the point and spreading fear beyond what will/does happen.

    The fear is justified, given how stupid some of the motherboard
    engineering can be. One company lost the curation chain for their
    BIOS releases. In some cases, the only reason this stuff works,
    is because the BIOS in an Award, AMI, Phoenix, InSyde and those
    companies push out the code for that.

    They lost the curation chain b/c of Secure Boot requirements?


    It is the lack of industry expertise in UEFI and Secure Boot that
    strikes fear for the unlucky computer owners.

    There is some truth to that (though not related to Secure Boot),
    considering too many OEMs ignore the standard GPT partition order (System,
    MSR, o/s, Recovery, OEM Recovery, and data partitions at the end or immediately prior to OEM Recovery)
    - in some cases, before OEM Recovery since it's much easier to
    extend (after wiping the OEM Recovery) the data partition.


    It would help greatly, if we had a tool to properly list the certs
    and revokes.

    I agree a better tool is warranted. Even a dedicated app in the MSFT
    store might be of value for Win10/11.



    Paul



    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Fri Mar 13 00:18:24 2026
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and
    reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation
    (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows
    starts. These files will be visible in the imaged file system, but will
    take up zero space in the image file.


    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Fri Mar 13 04:46:31 2026
    On Fri, 3/13/2026 3:18 AM, ...w­¤?ñ?¤ wrote:
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the
    sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.



    I just tested this. I had a lot of trouble with the test subject, just
    getting hiberfil.sys turned on. There really is a minimum size it is happy with!
    Who knew. I had to move partitions around on the test disk, it took a while
    to get set up for this.

    The Online backup was 46,716,473 KB and the Hiberfil.sys (after having just used it to hibernate the session then wake up again) was all zeros. While it reads out as zeros, the zeros don't seem to be recorded as such. The same is true of the pagefile.sys, it's zeros and they might or might not be stored.

    The Offline backup was 81,806,033 KB and the Hiberfil.sys is recorded.
    The first four characters are "WAKE". The pagefile.sys is similarly recorded. #HSTR:Trojan:MSIL/AgentTesla <=== a piece of some virus definitions, incoming.

    Restoring an all-zeros pagefile.sys does not hurt anything. That is
    because there is a GPEdit security policy that does exactly that.
    It zeros the pagefile.sys at shutdown, so you "can't find those virus definitions" sitting there.

    https://www.ninjaone.com/blog/virtual-memory-pagefile-encryption/

    "To securely erase sensitive virtual memory data,
    enable ClearPageFileAtShutdown via Group Policy...

    This protects data remnants and enhances system security compliance."

    The hiberfile has one header pattern for a valid head. And something
    different when it is invalidating the hiberfile content to prevent
    accidental reuse (which might not align with file system state). So
    while I can see the word "WAKE", I don't know which byte is the invalidate byte.

    Paul

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Fri Mar 13 04:59:34 2026
    On Fri, 3/13/2026 3:09 AM, ...w­¤?ñ?¤ wrote:
    Paul wrote on 3/11/2026 1:11 PM:
    On Wed, 3/11/2026 2:08 PM, ...w­¤?ñ?¤ wrote:
    Some of the articles are missing the point and spreading fear beyond what will/does happen.

    The fear is justified, given how stupid some of the motherboard
    engineering can be. One company lost the curation chain for their
    BIOS releases. In some cases, the only reason this stuff works,
    is because the BIOS in an Award, AMI, Phoenix, InSyde and those
    companies push out the code for that.

    They lost the curation chain b/c of Secure Boot requirements?

    When they now offer BIOS updates to users (like issuing
    a BlackLotus patch in a BIOS), the existing BIOS does not
    know whether the incoming BIOS about-to-be-flashed, is valid
    or not. It's possible some signing materials were lost.
    A bare minimum for a BIOS flash to happen, is for an eight
    character string near the end of the file, to match what is
    already on the motherboard. The version number may be involved
    too (some BIOS, there is a separate tool for taking versions
    backwards).

    This means, if they are asked for any more Security changes,
    they "aren't really secure". A Russian could have prepared the
    BIOS image and hacked into the web site and offered their file for usage.

    The custody chain for BIOS updates is broken, and that injures
    their ability to help customers have the best most secure
    motherboards possible.

    And the other companies are just stupid, and they don't
    care about anything. This is why Asus is on parole for
    some router firmware issues. Something about a lack of
    best practice. I don't remember all the details.

    https://www.zdnet.com/article/asus-hit-by-ftc-with-20-year-audit-for-bungled-router-security/

    There are some things the computer industry is good at,
    but there are also certain topics where they like
    to feint a certain incompetence. This could be based
    on the management considering "excess engineering work" to be
    a "reduction in profits". If Microsoft comes up with
    a scheme that costs more hours of engineering time
    per motherboard than before, then they have the option
    of showing their displeasure by doing a poor job
    on the maintenance of the scheme.

    Paul


    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Sat Mar 14 01:01:36 2026
    On Fri, 3/13/2026 4:46 AM, Paul wrote:
    On Fri, 3/13/2026 3:18 AM, ...w­¤?ñ?¤ wrote:
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the
    sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base
    etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.



    I just tested this. I had a lot of trouble with the test subject, just getting hiberfil.sys turned on. There really is a minimum size it is happy with!
    Who knew. I had to move partitions around on the test disk, it took a while to get set up for this.

    The Online backup was 46,716,473 KB and the Hiberfil.sys (after having just used it to hibernate the session then wake up again) was all zeros. While it reads out as zeros, the zeros don't seem to be recorded as such. The same is true of the pagefile.sys, it's zeros and they might or might not be stored.

    The Offline backup was 81,806,033 KB and the Hiberfil.sys is recorded.
    The first four characters are "WAKE". The pagefile.sys is similarly recorded. #HSTR:Trojan:MSIL/AgentTesla <=== a piece of some virus definitions, incoming.

    Restoring an all-zeros pagefile.sys does not hurt anything. That is
    because there is a GPEdit security policy that does exactly that.
    It zeros the pagefile.sys at shutdown, so you "can't find those virus definitions" sitting there.

    https://www.ninjaone.com/blog/virtual-memory-pagefile-encryption/

    "To securely erase sensitive virtual memory data,
    enable ClearPageFileAtShutdown via Group Policy...

    This protects data remnants and enhances system security compliance."

    The hiberfile has one header pattern for a valid head. And something different when it is invalidating the hiberfile content to prevent
    accidental reuse (which might not align with file system state). So
    while I can see the word "WAKE", I don't know which byte is the invalidate byte.


    https://knowledgebase.macrium.com/display/KNOW/Macrium+Reflect+default+settings

    Option Description

    Intelligent Sector Copy

    Only backup the sectors that are being used by data on the disk.
    Pagefile (pagefile.sys) and hibernation (hiberfil.sys) will also be excluded.

    This reduces the time it takes for the backup to complete.

    Forensic Copy

    Backup every sector.

    *******
    I've completed a bit more testing.

    This time, I hibernated Windows, then shut down the power at the back.
    On power up, my Macrium Rescue stick was then inserted, and the plan was to
    do a backup of C: to "see what would happen".

    Well, the result was "more interesting than I would have expected".

    There is in fact, no safety flag raised about backing up a Hibernated OS.

    I examine the backup image, and the Hiberfil.sys has the word "HIBR"
    as the first four characters. So this is how the invalidation mechanism
    works. "HIBR" indicating the file is awaiting a chance to boot, and
    "WAKE" indicating it was just used (WAKE == now invalid).

    After the backup was finished, I rebooted the computer. No complaint yet.
    I ran a CHKDSK from Properties. It tells me C: needs to be repaired. I
    look in Eventvwr and see this. This is caused by Macrium, writing to
    the C: it just backed up (you can't write to the file systems while
    they are dirty). The directory 0x5,0x5 is filenum 5, having parent 5
    and is the root of the filesystem, otherwise known as C: in this case.
    It was then, attempting to write C:\rescuepe.log indicating that the
    backup had just started.

    Stage 2: Examining file name linkage ...
    Found an unneeded link (SFILE_NAME: "rescuepe.log") in index "SI30" of directory "\ <0x5,0x5>"
    was not able to send command for self-healing due to lack of memory.

    *******

    CoPilot tells me:

    Why Backup Tools Don't Warn You

    Macrium Reflect (and similar tools):

    - operate at the **block level**, not the filesystem level
    - don't interpret NTFS metadata <=== wrongo!
    - don't inspect `hiberfil.sys`
    - don't check the NTFS hibernation flag
    - assume the user knows what state the OS is in

    Why This *Should* Trigger a Warning (but doesn't)

    You're correct:
    **Restoring a hibernated OS image is dangerous unless you intend to resume immediately.**

    A practical backup tool *should* warn:

    "This volume appears to be hibernated. Restoring it later may cause resume corruption.
    Consider shutting down Windows before imaging."

    I get a different answer this time, regarding "how to make it safe".

    How to Make This Safe

    Here's the reliable rule:

    ### If you restore a hibernated image, **you must delete `hiberfil.sys` before booting**.

    You can do this by:

    - Booting into WinPE or rescue media
    - Deleting C:\hiberfil.sys
    - Clearing the hibernation flag by running: powercfg /h off

    To me then, this implies a normal boot will happen, and
    any uncommitted files (with fragments) would be cleared
    via USN Journal playback.

    Summary: This is NOT what I was expecting. Caveat emptor.

    Paul

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
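    A pre-restore check that applies the "HIBR"/"WAKE" observation from the post above, as an added example (not code from the thread or from Macrium Reflect). The sample hiberfil.sys payloads it builds are constructed, and the 'powercfg /h off' advice in its output is the CoPilot step quoted in the post, not something verified here.

```python
"""Pre-restore check for hiberfil.sys in a disk image (added example, not code
from the thread or from Macrium). Encodes the signatures observed in the post:
"HIBR" = resumable state, "WAKE" = invalidated after resume, zeros = nothing."""
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, Optional
import tempfile

SIGNATURE_LEN = 4
SIG_HIBERNATED = b"HIBR"   # valid image, waiting to be resumed
SIG_INVALIDATED = b"WAKE"  # already resumed; content is stale


@dataclass(frozen=True)
class HiberfilVerdict:
    state: str          # hibernated | invalidated | zeroed | unknown
    signature: bytes
    safe_to_boot: bool  # True when a normal first boot is expected
    advice: str


def classify_header(header: bytes) -> HiberfilVerdict:
    """Classify hiberfil.sys from its first SIGNATURE_LEN bytes."""
    sig = bytes(header[:SIGNATURE_LEN])
    if sig == SIG_HIBERNATED:
        return HiberfilVerdict("hibernated", sig, False,
            "Image taken from a hibernated OS: delete hiberfil.sys from WinPE "
            "and run 'powercfg /h off' before first boot, or resume at once.")
    if sig == SIG_INVALIDATED:
        return HiberfilVerdict("invalidated", sig, True,
            "Hibernation state already invalidated; normal boot expected.")
    if sig == bytes(SIGNATURE_LEN):
        return HiberfilVerdict("zeroed", sig, True,
            "No hibernation content recorded; nothing to resume.")
    return HiberfilVerdict("unknown", sig, False,
        "Unrecognised or truncated header; inspect before booting.")


def classify_volume_root(root: Path) -> Optional[HiberfilVerdict]:
    """Inspect <root>/hiberfil.sys of a mounted or restored volume; None if absent."""
    hiberfil = Path(root) / "hiberfil.sys"
    if not hiberfil.is_file():
        return None
    with hiberfil.open("rb") as fh:
        return classify_header(fh.read(SIGNATURE_LEN))


def demo() -> Dict[str, Optional[str]]:
    """Classify constructed sample volumes; returns {name: state or None}."""
    samples = {                      # constructed payloads, not real files
        "hibernated": SIG_HIBERNATED + bytes(60),
        "resumed": SIG_INVALIDATED + bytes(60),
        "online_image": bytes(64),   # what Intelligent Sector Copy leaves
        "truncated": b"HI",          # short read -> unknown
        "no_hiberfil": None,         # hibernation disabled -> None
    }
    results: Dict[str, Optional[str]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, payload in samples.items():
            vol = Path(tmp) / name
            vol.mkdir()
            if payload is not None:
                (vol / "hiberfil.sys").write_bytes(payload)
            verdict = classify_volume_root(vol)
            results[name] = verdict.state if verdict else None
    return results
```

Run `demo()` to see the four verdicts; point `classify_volume_root` at the root of a mounted image to check a real restore target before its first boot.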
  • From ...w¡ñ?±?ñ@3:633/10 to All on Sat Mar 14 14:12:27 2026
    On 3/13/2026 10:01 PM, Paul wrote:
    On Fri, 3/13/2026 4:46 AM, Paul wrote:
    On Fri, 3/13/2026 3:18 AM, ...w­¤?ñ?¤ wrote:
    Frank Slootweg wrote on 3/12/2026 8:26 AM:

    That's why I said Macrium Reflect probably doesn't even backup (the sectors containing) the hiberfil.sys file, because there's just no
    point. I/we could try to chase this down in the Macrium knowledge base etc. or/and check the content of an image I/we made, but I won't try
    such an exercise in futility.


    cf.
    <https://knowledgebase.macrium.com/display/KNOWX/Backup+Defaults>

    Intelligent Sector Copy
    Only backup data blocks that are being used by files on the disk. This significantly reduces the time it takes for backups to complete and reduces the size of the backup files.

    ***The data blocks in Pagefile (pagefile.sys) and hibernation (hiberfil.sys) files will be excluded from images.***
    Data blocks in these files are temporary and not required when Windows starts. These files will be visible in the imaged file system, but will take up zero space in the image file.



    I just tested this. I had a lot of trouble with the test subject, just
    getting hiberfil.sys turned on. There really is a minimum size it is happy with!
    Who knew. I had to move partitions around on the test disk, it took a while to get set up for this.

    Paul

    I don't use hibernation, routinely disabled (or verified as disabled)
    shortly after a Windows install of any type (clean, on-top, repair,
    feature update [now only H2]...) except for testing (like you are doing).

    I recall from an earlier on-MSFT-campus discussion that hiberfil.sys
    was intended (oobe) to have a minimum size, but as expected that's
    just a starting point and growth can occur even with the same identical footprint of programs, apps, services, etc. running and without any
    changes to Windows.

    It's like a monster *It's alive* (Victor Frankenstein, after turning
    on/off the electricity or lightning strike - movie version; Shelley's
    version - no electricity or lightning) and for my use not needed.

    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From ...w¡ñ?±?ñ@3:633/10 to All on Sat Mar 14 14:16:26 2026
    On 3/13/2026 1:59 AM, Paul wrote:
    On Fri, 3/13/2026 3:09 AM, ...w­¤?ñ?¤ wrote:
    Paul wrote on 3/11/2026 1:11 PM:
    On Wed, 3/11/2026 2:08 PM, ...w­¤?ñ?¤ wrote:
    Some of the articles are missing the point and spreading fear beyond what will/does happen.

    The fear is justified, given how stupid some of the motherboard
    engineering can be. One company lost the curation chain for their
    BIOS releases. In some cases, the only reason this stuff works,
    is because the BIOS in an Award, AMI, Phoenix, InSyde and those
    companies push out the code for that.

    They lost the curation chain b/c of Secure Boot requirements?

    The custody chain for BIOS updates is broken, and that injures
    their ability to help customers have the best most secure
    motherboards possible.

    May very well be broken, but doubtful it's because of Secure Boot.
    - which seems to indicate your answer to my earlier question would be 'No'

    --
    ...w­¤?ñ?¤

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)
  • From Paul@3:633/10 to All on Sat Mar 14 20:59:22 2026
    On Sat, 3/14/2026 5:12 PM, ...w­¤?ñ?¤ wrote:


    I don't use hibernation, routinely disabled (or verified as disabled) shortly after a Windows install of any type (clean, on-top, repair, feature update [now only H2]...) except for testing (like you are doing).

    I recall from an earlier on-MSFT-campus discussion that hiberfil.sys was intended (oobe) to have a minimum size, but as expected that's just a starting point and growth can occur even with the same identical footprint of programs, apps, services, etc. running and without any changes to Windows.

    It's like a monster *It's alive* (Victor Frankenstein, after turning on/off the electricity or lightning strike - movie version; Shelley's version - no electricity or lightning) and for my use not needed.


    I saw another behavior in there I couldn't believe,
    but we'll save that for another time. Something
    changed the hiberfil.sys size, from one OS boot
    (not hibernated) to another OS boot (not hibernated).
    I've not heard of that being a capability the OS
    reserves for itself. There were no conditions that
    would even remotely stress the hibernation scheme
    (shouldn't have taken more than a gigabyte of storage
    space while hibernating, no excuse for finding my
    backup was backing up a 64GB hiberfil.sys). This increased
    the size of the offline backup I was making (impact would
    have been greatly reduced if I had switched on compression).

    Paul

    --- PyGate Linux v1.5.13
    * Origin: Dragon's Lair, PyGate NNTP<>Fido Gate (3:633/10)