All posts by Ed Tittel

Full-time freelance writer, researcher and occasional expert witness, I specialize in Windows operating systems, information security, markup languages, and Web development tools and environments. I blog for numerous Websites, still write (or revise) the occasional book, and write lots of articles, white papers, tech briefs, and so forth.
Insider stuff, Recent Activity, Secure Boot, WED Blog, Windows 11, Windows Update

Lenovo PC SVNs Can Vary

Leave a comment

I have multiple Lenovo machines in my office. This morning I was checking a ThinkPad P16 Gen 3 mobile workstation and a ThinkStation P3 Ultra desktop in the wake Patch Tuesday’s update. Both run Windows 11, with Secure Boot enabled. While poking around in their Secure Boot UEFI settings, I noticed something that stopped me cold. These two machines report different Secure Boot SVN values. Same vendor. Roughly the same generation. Same security feature switched on. So why the difference? As it turns out, the answer is genuinely interesting, and it matters if you manage a mixed fleet of Lenovo hardware. Bottom line: Lenovo PC SVNs can vary. Let’s explore…

How Is It That Lenovo PC SVNs Can Vary?

SVN stands for Secure Version Number — a monotonically increasing counter (meaning it only ever goes up, never down). It’s embedded directly in UEFI firmware. Its job is to record how many Secure Boot security revisions a device has seen over its lifetime.

Let’s distinguish the Secure Boot SVN from two things it often gets confused with. First, it is not the same as the Secure Boot DB/DBX (the UEFI allow-list and deny-list databases that control which bootloaders and drivers are trusted or revoked). Second, it is not the same as your plain BIOS version number. The BIOS version tracks firmware feature releases; SVN tracks security-policy changes.

The practical muscle behind the SVN is its rollback prevention. If a piece of firmware or a bootloader carries a Secure Boot SVN lower than the minimum value stored in non-volatile memory, the UEFI stack simply refuses to load it. That makes it much harder for an attacker to downgrade your firmware to a vulnerable older version — a classic attack vector the SVN is designed to close.

Lenovo P16 Gen 3 vs. ThinkStation P3 Ultra

The lead-in graphic shows the output from Garlin’s check script and the get-SecureBootSVN command on the P16. Here’s what I found on the P3 Ultra, by way of contrast and comparison:

For the P16 Gen3 SVN is 8.0; for the TSP Ultra, it’s 9.0. WTF?

My first instinct was that something was misconfigured. It was not. These two machines serve quite different market segments. The P16 Gen 3 is a mobile workstation, designed for road warriors and power users who demand both portability and security. The ThinkStation P3 Ultra is a compact desktop workstation, built for workstation-class compute in a fixed location, where stability and long-term reliability tend to trump rapid update cycles.

Critically, the two platforms ship from separate firmware engineering teams inside Lenovo, each running its own BIOS release cadence. ThinkPad-family machines — including the P16 series — have historically received more frequent UEFI updates, driven by the constant churn of mobile power-management tuning, thermal firmware, and rapid security patch integration. ThinkStation platforms, by contrast, follow a slower, more deliberate update cadence that prioritizes stability for long-running workloads. Neither approach is wrong. They just produce different Secure Boot SVN trajectories over time. This time, however, the usual order got stood on its head: the ThinkStation preceded the ThinkPad.

How the SVN Update Pipeline Works

To really understand the divergence, you need to know how the Secure Boot SVN update pipeline actually flows. It is a three-layer process, and each layer operates on its own schedule.

  1. Microsoft issues a Secure Boot policy change or DBX update. A concrete example: the revocation of vulnerable bootloaders tied to CVE-2023-24932 (the so-called BlackLotus UEFI bootkit vulnerability). Microsoft publishes updated Secure Boot DB and DBX payloads, and the associated policy mandates a new minimum SVN level.
  2. OEMs like Lenovo incorporate updated SVNs into a new BIOS/UEFI release. Here is where the divergence begins. Lenovo’s mobile and desktop firmware teams each pick up the Microsoft changes on their own schedules. The ThinkPad team typically ships updated BIOS builds faster; the ThinkStation team takes longer to validate the changes against its broader ISV (independent software vendor) compatibility matrix.
  3. Windows Update stages Secure Boot DB/DBX changes to end-user systems in controlled waves. Microsoft doesn’t push Secure Boot policy changes to every machine simultaneously. It uses a staged rollout — sometimes spanning months — so different machines in your fleet can legitimately sit at different SVN levels even if they have all received recent Windows updates.

One more wrinkle worth noting: Lenovo now pre-configures newer-generation machines from the factory with both the legacy CA 2011 and the new CA 2023 Secure Boot certificates already in place. Older units, however, need a BIOS update to pick up those 2023 trust anchors. That factory-level difference alone can produce an SVN gap between otherwise-similar machines.

ℹ️ Key Insight

SVN divergence across a mixed fleet is a normal artifact of the staged update pipeline — not a sign of a compromised or misconfigured machine. The goal is parity over time, not instant uniformity.

What Should You Do?

The good news is that remediation steps here are straightforward. Here is what I recommend:

  • Update BIOS/UEFI on all machines to the latest Lenovo-published version. Head to the Lenovo Support site (support.lenovo.com), search for your specific model, and grab the current BIOS update. For the ThinkStation P3 Ultra in particular, confirm the release notes explicitly mention CA-2023 certificate integration. Do not rely on Windows Update alone to deliver BIOS updates; go direct to Lenovo.
  • Verify CA-2023 is present in the Secure Boot DB using PowerShell. Run the following one-liner on each machine to confirm the 2023 trust anchor is actually installed:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’

A result of True means the CA-2023 certificate is in the DB and your Secure Boot SVN should reflect the update. A result of False means the machine still needs the BIOS update or the Windows Update wave has not yet reached it.

  • For managed fleets, track SVN parity via Intune or MECM compliance policies. Build a compliance rule that surfaces machines whose Secure Boot SVN falls below your defined minimum baseline. That way you can proactively identify stragglers before 2026 certificate expiration forces your hand.

Bottom line: Secure Boot SVN divergence across a heterogeneous fleet of Lenovo machines is normal, expected behavior. It’s no red flag. The firmware update pipeline simply operates in waves, and different product families move at different speeds. What matters is establishing a consistent minimum Secure Boot SVN across all your machines well before the 2026 CA expiration deadline arrives. Start the BIOS update sweep now, and you’ll have plenty of time to close gaps without deadline pressure.

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Secure Boot, WED Blog, Windows 11

Post Patch Tuesday CA-2011 Certs Still Kickin’

1 Comment

Yesterday was Patch Tuesday, and I read about Secure Boot changes in that mix. I was curious to see if MS had revoked any CA-2011 boot certificates yet. You can see the post Patch Tuesday CA-2011 certs still kickin’, from the output of the Garlin check script (v.2026.06.08). So I went off looking, specifically to check expiration dates. Here’s what I found…

If Post Patch Tuesday CA-2011 Certs Still Kickin’, When Is Revocation?

I asked Google AI to tell me about expiration dates for the three Microsoft Secure Boot 2011 certificates. Here’s what’s coming down the pike:

  • Microsoft Corporation KEK (Key Exchange Key) CA 2011 expires June 24, 2026. Microsoft Corporation KEK 2K CA 2023 replaces that certificate going forward.
  • Microsoft UEFI CA 2011 expires June 27, 2026. Microsoft UEFI CA 2023 replaces it, and it’s used to sign 3rd-party bootloaders.
  • Microsoft Windows Production PCA 2011 expires on October 19, 2026. Microsoft UEFI CA 2023 also replaces this as well.
  • In addition, MS is adding the Microsoft Option ROM UEFI CA 2023 cert to the mix. As the name says, it’s used to sign third-party option ROMs.

Copilot confirms this info, and it’s also covered in an MS Support Note entitled “Windows Secure Boot certificate expiration and CA updates.”

Then End Is Near, But Not Yet Here…

Thus, it looks like MS has decided not to anticipate the two closest upcoming revocation dates, scheduled for the final Wednesday (6/24) and Saturday (6/27) of this month. I’d wondered about that. If MS issues a Preview CU for July on June 30 (as it often does) we may see it then. Stay tuned: I’ll keep you posted.

 

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Remote Desktop (RDP), Troubleshooting, WED Blog, Windows 11

Rare Update BSOD Proves Benign

Leave a comment

When better ways to shoot myself in the foot become available, I’ll invariably make use of same. Today, I found myself cleaning up after a surprise bluescreen (aka BSOD for “Blue Screen of Death”). This time, I did it to myself because I used a remote access session to drive updates for both my Intel and NVIDIA GPUs on the Lenovo P16 Gen 3 Mobile Workstation. Indeed, upon investigation, this rare update BSOD proves benign. You can see the error cascade from the Intel GPU update in the lead-in graphic (click that image to see the whole thing: it includes a “Shut down unexpectedly” error).

Why Say: Rare Update BSOD Proves Benign?

I couldn’t find any lingering bad behavior or unwanted side effects from this unexpected crash. Indeed, both Intel DSA (the tool I used to update the Intel ARC GPU) and the NVIDIA app (the tool I used to update the RTX Pro 5000 GPU) reported clean, successful installs when I fired them up to check what happened.

Indeed, that raises the interesting question: “Exactly what happened that caused the P16 Gen 3 to BSOD?” Short answer: me. Longer answer, courtesy of Copilot:

When you install a graphics driver over Remote Desktop:

  • Windows switches to a virtual display driver (RDPDD / Remote Display Adapter)
  • The real GPU driver is still being installed in the background
  • This creates a weird overlap between:
    • kernel graphics stack (dxgkrnl)
    • RDP virtual driver
    • the new GPU driver being initialized/unloaded

That’s exactly the kind of situation that can cause: KERNEL_MODE_HEAP_CORRUPTION (0x13A) → driver stomping memory during unload/reload. Even a perfectly “healthy” driver can crash in that transition.

The Devil Made Me Do It!

I confess: I prefer to work from my production desktop, even when I’m working on another PC. It’s a combination of convenience and laziness. Convenience, because I’ve got two big, clear 27″ monitors I can work from. Laziness, because I don’t have to get up from one chair in my office and move 8 feet over to the other desk where the P16 Gen 3 is running.

Occasionally, this means I get bitten or borked because I’m remoting in, rather than working on the machine directly. Here in Windows-World, I’ve learned to troubleshoot with a certain wry appreciation that I am often the cause of my own woes. Today was one of those days! That said, it all ends well because the system recovered completely upon a successful reboot.

Facebooklinkedin
Facebooklinkedin
Benchmarking, Cool Tools, Insider stuff, Recent Activity, WED Blog

OCuLink Offers A Viable TB4/5 Alternative

Leave a comment

Before we dig in, let me define the terms in the title so nobody gets left behind. OCuLink — short for “Optical-Copper Link” — uses the SFF-8611 and SFF-8612 cable specs, originally bred in the enterprise SAS and NVMe world, and now showing up on consumer PCIe expansion cards, eGPU docks, and mini-PC expansion modules. The reason OCuLink offers a viable TB4/5 aleternative is: it carries native PCIe lanes over a compact four-lane connector. Zero protocol translation is involved.

TB4 is Thunderbolt 4 — Intel’s certified 40 Gbps interconnect standard. It runs the Goshen Ridge controller and dominates today’s laptops and docks. TB5 is Thunderbolt 5, Intel’s 80 Gbps follow-up, running the Barlow Ridge controller. It started appearing on premium Copilot+ laptops and high-end docks in late 2024.

Intel has owned the high-speed external storage conversation for nearly a decade. I must ask: “Is there a credible alternative path for builders and prosumers who’d rather not pay the Thunderbolt toll?” Table 1 above says yes, emphatically. The rest of this post explains why the math works out that way.

Why OCuLink Offers a Viable TB4/5 Alternative

Start with the Intel moat, because it’s real and it matters. Thunderbolt certification ties nominally to the USB4 spec. In practice, Intel controls the gate through its mandatory certified controller requirement — Goshen Ridge for TB4, Barlow Ridge for TB5. Each controller adds $15–$25 to a device’s BOM. That cost tags along through the supply chain straight to your invoice. The certification program itself isn’t free either, which is why you see so many USB4 ports on budget laptops and mini-PCs that carry the USB4 badge but quietly skip PCIe tunneling entirely — because PCIe passthrough is optional in the USB4 specification. A port can wear the USB4 label, deliver USB 3.2 storage speeds, and be perfectly compliant. Go figure! Intel doubled the bandwidth ceiling with Thunderbolt 5. But the same certification architecture stayed intact. That structural dependency hasn’t gone anywhere.

The Tunneling Tax

Then there’s what tunneling costs you, and this part tends to get glossed over in spec-sheet marketing. Both TB4 and TB5 move PCIe data over a tunneled protocol stack built primarily for display connectivity. The protocol treats NVMe storage as a secondary concern. That overhead carries a measurable real-world cost. TB5’s 80 Gbps headline pipe delivers only around 6–7 GB/s to an NVMe enclosure in independent benchmarks

Alas, this lands below the sequential read ceiling for a single Samsung 990 Pro or WD Black SN850X. The bandwidth also gets split in ways the spec sheet doesn’t advertise. Run a TB5 dock with a 4K display and a storage enclosure at the same time. The NVMe gets whatever lanes aren’t already committed to display output. No firmware update can fix that. It’s simply how the tunneling protocol divides resources between display and storage traffic.

OCuLink sidesteps all of it, and the reason is almost embarrassingly simple: it carries native PCIe — no tunneling, no overhead, no protocol translation between the cable and the drive controller. The SSD on the far end of an SFF-8611 cable sees the host’s PCIe bus directly. It behaves exactly as if it were seated in a motherboard M.2 slot.

You need no Intel controller, no certification fee in the BOM, and no spec-version negotiation between host and peripheral. Any PCIe host with an SFF-8611 port talks to any OCuLink enclosure. The connector standard is generation-agnostic. OCuLink scales to PCIe Gen5 today, with a theoretical ceiling over 15 GB/s. Thunderbolt 5 can’t get close within its tunneling architecture. Intel spent a decade building a toll road. OCuLink is the county road that goes to the same place, faster, for free.

What Are OCuLink’s Trade-Offs?

I’d be doing you a disservice if I left it there. That’s because OCuLink’s edge comes with genuine limitations you need to price into a buy-in. Cable length is the hard ceiling for which there’s no current engineering workaround. Passive copper OCuLink tops out at 0.5 to 1 meter depending on implementation. TB5 copper passive reaches 2 meters. TB5 optical reaches 40 meters or more. For a storage enclosure sitting six inches from your PC, cable length is a non-issue. For anything across a room or mounted in a rack, it’s disqualifying. Know your use case before you order anything.

Hot-plug behavior is the next honest caveat. PCIe never supported hot-swapping natively. OCuLink inherits that reality. Some enclosure implementations handle safe removal gracefully through driver-level coordination. Others expect a full shutdown first. At minimum, eject the device properly from Windows before pulling the connector. TB4 and TB5 hot-plug is standardized, reliable, and boring in the best possible way. You unplug, Windows notices, the drive disappears from Explorer. No drama.

Ecosystem and Power: The Remaining Gaps

The OCuLink consumer ecosystem is thin compared to Thunder-bolt’s. The OCuLink ecosystem embraces dozens of enclosures from small-batch vendors. Thunderbolt counts hundreds of certified peripherals from Belkin, CalDigit, OWC, and others. Support responsiveness, documentation quality, and return policies reflect that gap. Also, OCuLink carries no power delivery over the connector itself — any drive or enclosure needs its own power source. TB4 and TB5 deliver up to 100W over the same cable that carries data. None of those are dealbreakers for a desktop prosumer. They could be for a road warrior expecting plug-and-play.

For desktop and prosumer builders, or anybody running a PCIe expansion card that exposes an SFF-8611 OCuLink port, you get a legit, lower-cost, higher-throughput alternative to Intel’s certified Thunderbolt ecosystem. The bandwidth math in Table 1 speaks for itself. OCuLink over PCIe 4.0 x4 already beats TB5’s real-world NVMe ceiling. PCIe Gen5 doubles that figure again with no new Intel controller, no certification program, and no tunneling tax required. Those are the deets. Intel built the tollbooth. OCuLink is the on-ramp they forgot to close.

It’s worth considering, and maybe buying into. I’m doing just that myself. You may want to do likewise, if you like the numbers as much as I do.

 

Facebooklinkedin
Facebooklinkedin
Copilot+ PCs, Hardware Reviews, Insider stuff, Recent Activity, WED Blog, Windows 11

Yog7X2 Revisited, 10 Days In

Leave a comment

One week ago Tuesay, Fed-Ex dropped a nifty new Lenovo Yoga Slim 7X Gen 11 at my door. That’s why it’s named Yog7X2 on my network, for “Yoga Slim 7X, Snapdragon X2 model.” TLDR version of my recent experience using it as a daily driver is: “It’s a peach.” Indeed this piece of review text about Yog7X2 revisited, 10 days into my experience is no mere first look. It reflects my experience on this laptop, chewing through deadlines, long-running scripting sessions, video calls and teleconferences, and extended Copilot sessions. My report is almost entirely positive, with only a few minor nits to pick.

Re-Speccing Yog7X2 Revisited, 10 Days In

Just for the record, here’s a quick overview of what Yog7X2 brings to the party. The 7X Gen 11 runs on Qualcomm’s Snapdragon X2 Elite (X2E-88-100) — that’s second-generation Snapdragon X Elite silicon, not a rebadge of the 2024 parts. That distinction matters more than the spec sheet suggests. The first wave of Copilot+ PCs was impressive hardware wrapped around a compatibility story with certain gotchas. Two years on, most of that has quietly sorted itself out. My daily toolchain — Edge, Word, PowerShell, a handful of Win32 utilities — runs natively or transparently through emulation without me having to think about it. That’s exactly how it should be.

The review configuration I’ve been running ships with 32GB of RAM and a 1TB SSD, paired with an 8-bit 1920×1200 OLED display. Lenovo’s configurator puts that at $1,650-1,750, depending on timing and promotions. The base model starts at $1,099. For what you get here, the price-to-capability ratio is genuinely competitive — but we’ll get to that.

The Battery Story

I want to be precise about this, because I won’t throw superlatives around lightly. I’ve been using laptops as my primary work machines since the early 1990s. In that entire span — Intel machines, AMD machines, ultrabooks, workstation-class slabs, every category you can name — I have never gotten genuine all-day battery life. Not once. There was always a charger within arm’s reach by mid-afternoon, if not sooner.

My normal workload is not gentle. On any given workday I’m running Edge with more tabs open than I care to admit, writing in Word, banging out blog drafts, running PowerShell scripts, diving into Windows event logs, and doing the kind of system tuning and troubleshooting that keeps the lights on around here. Not gaming. Not video rendering. But not exactly browsing cat photos either.

On the Yoga Slim 7X Gen 11, I routinely close out a full working day — eight-plus hours of active use — with battery to spare. I’ve stopped automatically reaching for the charger when I sit down to work. That is genuinely new behavior for me, and I’m not entirely sure I trust it yet. But nearly two weeks in, it keeps happening.

The published benchmarks back this up. PCMag measured 20 hours 16 minutes in their battery rundown test. CNET’s reviewer reported nearly 24 hours under their methodology. Real-world mixed-workload numbers will always differ from a controlled rundown script at 150 nits, but even my demanding day falls comfortably within the machine’s range. The math works.

The credit goes to Qualcomm’s Oryon v3 CPU architecture. These cores are built around aggressive power-gating and efficiency in a way that x86 designs still struggle to match at this thermal envelope — and remember, this is a machine that is 0.51 inches thin and weighs 2.9 lbs. There is no magic here, just a fundamentally different approach to how the chip uses (or doesn’t use) its power budget.

I’ve been doing this long enough to know not to take marketing claims about battery life at face value. This one’s different.

Display and Keyboard: Lenovo Keeps It Up!

The OLED panel — 1920×1200 resolution, 120Hz refresh rate, Dolby Vision certified, DisplayHDR True Black 1000 rated — is the kind of display that makes you look at everything twice. Laptop Mag measured it at 155% of the DCI-P3 color gamut. At 162 PPI on a 14-inch screen, text is sharp enough that I’ve caught myself checking whether anti-aliasing is doing anything at all. Blacks are genuinely black, not “dark grey in a dim room” black. It’s glossy, which means reflections are a real consideration in bright environments, but for document work and long writing sessions, it’s stunning.

The keyboard is excellent, and I say that as someone who has spent years on ThinkPads. Yoga Slim models skip the TrackPoint eraser puck that ThinkPad loyalists — myself included, some days — know and love. But they bring everything else. Key travel is satisfying, the layout is sensible, the function-row behavior is configurable, and the spacebar has never missed a beat. XDA Developers and Android Headlines both called it one of the best keyboards on any Windows ultraportable. Two weeks of heavy typing confirms that verdict.

The touchpad is large, accurate, and well-tuned. Lenovo’s touchpad calibration remains class-leading on the Windows side — no complaints there. One honest caveat: the keyboard deck does have a very slight flex under hard typing pressure. Not a dealbreaker, and honestly easy to forget about after the first day. But if you press down firmly in the middle of the deck, you’ll feel it. Worth knowing before you spend $1,600 or more…

Windows Hello Does the Job

The Yoga Slim 7X Gen 11 ships with a 9MP IR webcam — native resolution of 3840×2400 — which puts it in a completely different class from the pedestrian 1080p cameras most Windows laptops still ship with in 2026. The gap between “has Windows Hello” and “has Windows Hello that actually works well” is wider than most people realize until they use the real thing.

My experience: the face recognition fires quickly after lid open. No perceptible delay, no “hold still for a moment” pause, no second attempt. It just authenticates. More to the point, it recognizes me both with and without my reading glasses, without any hesitation either way. That is not trivially true of all Windows Hello IR cameras — I’ve owned machines where swapping eyewear or changing room lighting was enough to trip the thing up and send me to the PIN fallback. Not here.

The IR sensor handles varied ambient lighting without complaint. LED overhead lighting in my home office, dimmer evening conditions — it doesn’t care. It just works. The 9MP sensor also means video calls look genuinely good, not just “acceptable for a laptop camera.” The webcam supports up to 1440p video output, and on a call it shows. Touch screen support is pretty great, too. I miss that on the Zenbook A14 so I appreciate it even more here on the Yog7X2.

Windows Hello has been part of the Windows story since 2015. It has taken this long — and a camera this capable — to make the feature feel fully baked. Better late than never, I suppose.

Performance: Good for Any Laptop, Full Stop

The Snapdragon X2 Elite (X2E-88-100) delivers performance that I would describe as genuinely competitive with any thin-and-light laptop on the market. Not “impressive for ARM” — impressive, full stop. My daily workload of PowerShell scripting, multi-tab Edge browsing, Word, event log analysis, and general system tuning runs without stutter, lag, or hesitation. App launch times are snappy. The machine never feels like it’s working hard, even when I’m throwing a lot at it simultaneously.

Windows on ARM compatibility is no longer the obstacle it once was. The overwhelming majority of my tools run natively on Snapdragon. The few that still go through emulation do so transparently — no perceptible performance penalty, no workflow interruption. That was emphatically not the story two years ago, and it’s worth saying plainly: the platform has matured.

The machine handles all of this inside a 0.51-inch, 2.9-pound chassis, and it does it silently. Under my normal load, the fans are simply not a factor. That used to be the price of admission for real performance in this class — fan noise as a constant companion. Not here. Two weeks in, I’ve yet to find a workload that makes it flinch.

Net-Net: Nice-Nice

Two weeks in, the Yoga Slim 7X Gen 11 has done something rare: it has exceeded expectations on exactly the things that matter most to how I actually work. The battery life is the headline, full stop. The display and keyboard are the supporting cast that make every hour in front of the machine a pleasure. And Windows Hello, of all things, turns out to be the pleasant surprise that keeps on giving.

My only nits to pick are minor. My review unit shipped with Windows Home, which I immediately upgraded to Pro for remote access and Hyper-V support. Keyboard flex does occur in the middle. Surprisingly, there’s no headphone jack and the external speakers are noticeably mid-level in clarity and tone. Though it does have USB-C ports on both sides (2 left, 1 right) it has no USB-A  nor HDMI. For me, none of these is a deal-killer. I’ve learned to like this laptop quite a bit, in fact.

I’ll have more to say about Windows on ARM compatibility and the Snapdragon X2 Elite’s full performance story in a follow-up post. There’s real depth there worth unpacking, and it deserves its own space. Stay tuned.

Facebooklinkedin
Facebooklinkedin

Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11

Fixing Windows Security Stays Blank

Leave a comment

Normally, when you open the Windows Security app, there’s a brief pause during which the app window is blank (1-2 seconds is normal). But sometimes, that window remains empty. This morning, it popped up on my second Ryzen 7 5800X desktop. In turn, that had me seeking out ways for fixing Windows Security stays blank. Turns out there are two extremely easy fixes, though one takes longer and is more disruptive than the other. Here goes…

Note: the intro screencap shows mockups of the blank Windows Security window (light theme at left, dark theme at right). The key point is “Nothing to see here!” That’s a problem that turns out to be relatively easy to fix.

How-To: Fixing Windows Security Stays Blank

The quick and easy way is to use the app menu a little differently. On the affected machine, I observed that picking any subsystem inside Windows Security will cause it to open, after which “going home” inside the app works like a champ. Since I wanted to check “Device Security” anyway, I went straight there.

Instead of clicking the icon at top center, I clicked on “Device Security” (3rd from bottom in preceding screencap). It came right up and I saw what I needed to see (checking Secure Boot status info).

Another Fix: Reboot, Try Again

I also observed that a reboot brought Windows Security back to a normal, predictable state. Indeed, this is a workable technique to undo lots of everyday wonkiness in Windows, as many readers will know and appreciate. This has been a staple early stage activity in Windows troubleshooting as far back as I can remember (1991, 35 years ago).

Why Does This Happen?

Copilot attributes this reasonably common behavior to an outcome from its design as a UWP shell atop a set of back-end Windows services. It says “When the shell launches faster than its backend services are ready to respond — a classic race condition — the shell renders the window frame but has nothing to populate it with, so you get a blank canvas.” Sounds about right to me, especially noticing a slight delay between launch and population on other PCs I just checked (including the 2018 vintage ThinkPad Yoga X380, the 2022 vintage ThinkPad X16, and the 2020 vintage ThinkPad X12 Detachable Tablet).

Here in Windows-World thinks going wonky is part of the daily round. It’s nice to find a minor glitch that’s quick and easy to diagnose, and fix. I’ll take those wins where I can find them!

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, Recent Activity, Updates, WED Blog

GNUBG Shows WinGet Pin Rationale

Leave a comment

Since Monday, I’ve noticed that WinGet is updating GNU Backgammon every day, aka GNUBG. You can see in the lead-in graphic this happens because the app reports its version number as unknown. Of course, that means WinGet wants to update it, even though that’s unnecessary. How to avoid this unwanted repetition: the WinGet Pin command. Thus, GNUBG shows WinGet Pin rationale, and lets me turn down the noise.

How GNUBG Shows WinGet Pin Rationale

The lead-in graphic also shows that the current installed GNU Backgammon version matches the one that WinGet wants to install. That proves it’s a reporting error from the app itself, not the typical “current version is less than winget database version” that supplies a usually valid reason to run the update process.

Obviously, this will go on until (or if) the developers fix the game, or until a real, new version comes out. So here’s what I did to stop the madness: I ran winget pin –id GNU.gnubg

Once pinned, WinGet stops its repeated GNUBG updates. Good!
[Click image for full-sized, more readable view.]

I’ve seldom had to use WinGet Pin on the PC fleet here at Chez Tittel. But every now and then — as with GNUBG here — something pops up that calls for a timeout. Now, I just have to remember to keep an eye on the app so I can unpin or force-update when a REAL one shows up. That’s just one of the small things that keeps me on my toes, here in Windows-World.

Facebooklinkedin
Facebooklinkedin
Device drivers, Insider stuff, Recent Activity, USB devices, Windows 11

USB Ports Need More Storage Bandwidth

2 Comments

In reading over Computex coverage I’m impressed by an array of newer, faster computing platforms and storage technologies. At the same time I’m depressed that USB-attached storage is not swimming in this rising tide of increased performance and capability. Simply put: USB ports need more storage bandwidth so they can hold up their end while ushering in a brave new world of performance computing. Let me explain…

Why USB Ports Need More Storage Bandwidth

Thunderbolt 4 tops out at 40 Gbps — that’s a theoretical ceiling of roughly 5 GB/s, and real-world storage transfers run well below that. It was impressive when it arrived. It isn’t anymore. Thunderbolt 5 moved the needle, pushing up to 120 Gbps on the read side and 40 Gbps on writes. Indeed, its asymmetric bandwidth design delivers somewhere in the neighborhood of 6–7 GB/s of actual storage throughput under optimal conditions.

That’s a real boost, and to give credit where it’s due: Intel’s Thunderbolt 5 is the current high-water mark for USB-attached external storage performance. But here’s the problem — “high-water mark for external” and “keeping pace with internal” are two very different things. Alas, the gap between them is widening fast.

Phison’s PCIe 5 Controllers: Lapping the Field

Let’s talk about what’s happening inside the box right now. Phison’s E26 controller — the flagship PCIe 5.0 x4 part — pushes sequential reads up to roughly 14 GB/s and writes near 12 GB/s. That’s not a roadmap promise. That’s shipping silicon, today, in drives like the Crucial T705 and Seagate FireCuda 540. And the reason those numbers are possible is that PCIe 5.0 x4 delivers approximately 32 GB/s of raw bus bandwidth — a figure Thunderbolt 5’s best-case scenario can’t remotely approach.

I’ll be blunt: Thunderbolt 5 running at its theoretical maximum is still less than a quarter of PCIe 5’s available bus bandwidth. External storage users are working with a narrow pipe while internal NVMe users are drinking from a fire hose. And here’s what makes it even more galling — PCIe 5 SSDs themselves are already hitting their ceiling and looking nervously at what comes next. The interface they’re starved for is PCIe 6, which is already coming down the pipe.

Phison PCIe 6 Controllers: Next Tier Is Here

Computex 2025 was where Phison first made the PCIe 6.0 future feel real, and the momentum has only built from there. The next-generation Phison controller roadmap targets PCIe 6.0 x4 — an interface that theoretically delivers around 64 GB/s of raw bandwidth per slot, thanks to PAM4 signaling running at 64 GT/s per lane. Real-world sequential read targets are north of 20 GB/s.

Think about what that means for Thunderbolt 5’s ceiling. A single PCIe 6 SSD — one drive, one M.2 slot — could in principle saturate nearly five simultaneous Thunderbolt 5 connections running flat out. The Thunderbolt bandwidth ceiling doesn’t just look inadequate at that point; it looks comical. External storage users are so far behind that “catching up” is a massive understatement. Instead, designs must condider a completely different approach.

What Needs to Change?

USB4 Gen 3×2 sits at 40 Gbps — identical to Thunderbolt 4, still not enough. USB4 v2 bumps that to 80 Gbps, which helps at the margins but still lands less than a third of PCIe 5’s bus bandwidth, let alone PCIe 6’s. These are incremental improvements on an interface that needs a fundamental rethink, not a spec bump.

The industry needs a paradigm shift. Either Thunderbolt 6 or USB5 — whatever we end up calling it — must arrive with dramatically higher bandwidth, we’re talking 200+ Gbps as a floor, not a ceiling. Alternatively, PCIe tunneling over external cables needs to mature to the point where it can fully exploit NVMe speeds without  overhead that kills performance today. One or the other. Probably both, eventually.

Until one of those paths becomes real and shipping, external storage users are locked in a performance ghetto. Internal SSD buyers are sprinting ahead with every product generation. The storage industry owes external storage users a credible, substantive answer. I’m not talking about another incremental spec revision, not another narrowly defined workaround. Computex 2026 is the right venue and this is the right moment. USB silicon designers need to envision, then deliver something worth getting excited about. So far, I can’t see it. Let’s hope for something amazing, shall we?

Facebooklinkedin
Facebooklinkedin
Cool Tools, Copilot+ PCs, Insider stuff, Recent Activity, WED Blog, Windows 11, Windows OS Musings

NVIDIA Extends ARM on Windows’ Reach

Leave a comment

Just a couple of weeks ago, Lenovo sent me the Qualcomm X2-based Yoga Slim 7X Gen 11 laptop. Over the weekend, NVIDIA upped the ante with a Computex announcement of its RTX Spark CPU, also ARM-based. Developer in collaboration with MediaTek, this new CPU family, aka N1 and N1X, shows that NVIDIA extends ARM on Windows’ reach. Indeed Microsoft has announced a “Surface Laptop Ultra” build around this silicon, and ASUS, Dell, HP, Lenovo and MSI are also on the bandwagon. Acer and Gigabyte will follow shortly after that, and we’ll have both laptops and desktops running RTX Spark to choose among. Big news!

What NVIDIA Extends ARM on Windows’ Reach Means

Let me be clear about what’s going on with this upcoming architecture and systems that will use it. It’s aimed squarely at the top end of the market. I’m guessing such systems could easily cost upwards of US$5K, because they are aiming at high-end creators and AI developers.

Here’s a list of noteworthy features that NVIDIA and the OEMs are touting as relevant to potential buyers of such top-flight PCs:

  • Up to 6,144‑core Blackwell RTX GPU for high‑performance graphics, AI acceleration, and workstation‑class compute in thin‑and‑light designs.
  • 20‑core Arm‑based Grace CPU (co‑developed with MediaTek) delivering strong performance‑per‑watt for mobile and small‑form‑factor desktops.
  • Up to 1 petaFLOP FP4 AI compute enabling local execution of large AI models, agentic workflows, and advanced inference without cloud dependency.
  • Unified memory architecture (16–128GB LPDDR5X) shared between CPU and GPU, reducing bottlenecks and enabling massive 3D scenes, large‑context LLMs, and high‑resolution media workflows.
  • Ultra‑low power envelope (single‑digit watts to ~80W) allowing OEMs to build ultra‑slim laptops with all‑day battery life while retaining workstation‑class performance.
  • Full RTX software stack support (CUDA, TensorRT, DLSS 4.5, OptiX, Reflex, G‑SYNC) for creators, developers, and gamers on Windows.
  • Native support for on‑device AI agents via NVIDIA OpenShell and Windows 11 optimizations, positioning PCs as proactive “teammates” rather than passive tools.
  • High‑bandwidth NVLink‑C2C interconnect (600 GB/s) between CPU and GPU for low‑latency, high‑throughput compute.
  • Advanced media engines including 4:2:2 hardware encode/decode, AV1 encoders, and Blackwell‑class video pipelines for 12K editing and pro‑grade content creation.

A LOT to Take In, MORE Left to Understand

Whoa! That’s a lot of capability with a pretty rarified set of target buyers. Given current RAM and storage pricing, and rising costs for PC hardware in general, it’s clearly a small sliver of the market. But it’s got huge potential, and could ultimately redefine how Windows works — for a certain subset of users/consumers.

I think it’s pretty cool. I hope I’ll get  a chance to check one out later this year. In the long run, though, what will make the difference is how and when such special capabilities trickle down to garden-variety PC users. I’m intensely curious to watch this unfold, and see how it all plays out. Stay tuned: I’ll keep you posted!

Facebooklinkedin
Facebooklinkedin
Uncategorized

Windows Outgrows 100 MB ESP

Leave a comment

ESP is an abbreviation for the EFI System Partition, where a PC uses its contents to boot a PC far enough along to start loading Windows. For almost as long as I can remember, that partition has been created and sized during Windows installation at 100 MB. But this is changing. Here’s a “known issue” for  KB5089549, Microsoft’s May 2026 Patch Tuesday cumulative update for Windows 11. It can fail mid-installation on systems with a critically full EFI System Partition (10 MB or less free space). What do we, and OEMs, do as Windows outgrows 100 MB ESP? Get bigger!

Other Evidence That Windows Outgrows 100 MB ESP

I polled the 7 PCs (2 desktops, 5 laptops) here in my office at Chez Tittel to check their ESPs and observed something interesting. Here’s what I found:

Name Year ESP (MB)
X380 2018 100
X12 Hybrid 2021 100
P16 Gen 1 2022 100
Tsp3Ultra2 2024 260
P16 Gen 3 2025 260
AsusSnap 2025 260
Yog7X2 2026 450

Notice that the ESP sticks at the 100 MB mark until 2024, at which point it jumps to 260 MB. Then, on this year’s May-delivered Lenovo Yoga Slim 7X Gen 11 (X2 Snapdragon) it jumps again to 450 MB. There’s no doubt about it: the EFI is getting bigger!

What is the ESP, Anywho?

The EFI System Partition — ESP, in the shorthand everyone actually uses — is a small, dedicated FAT32 partition that lives on GPT-formatted disks and serves as the staging ground for everything the system needs before the operating system proper gets involved. Boot loaders live there. Firmware drivers live there. UEFI utility executables live there. If the system can’t find and read the ESP at power-on, it goes nowhere. It is, in other words, foundational infrastructure — and like most foundational infrastructure, nobody pays attention to it until something breaks.

Microsoft’s own documentation has recommended a minimum ESP size of 200 MB for UEFI/GPT systems since at least the Windows 8 era, with 260 MB or larger as the preferred target for new installations. That guidance has been sitting in plain sight on Microsoft Learn for years. OEMs, however, have a long tradition of shipping machines with a 100 MB ESP because, at the time those machines were built, Windows fit comfortably within it. The margins were thin, but they existed. That era is over.

Why 100 MB Isn’t Enough Anymore

Every Windows feature update — and, increasingly, every cumulative security update — must write updated boot files, recovery sequences, and language-specific font sets into the ESP. As the Windows boot stack has grown over successive releases, the items demanding ESP real estate have multiplied: Secure Boot validation assets, BitLocker metadata, UEFI capsule drivers, and a collection of per-locale font files for the pre-OS boot interface that can alone consume several dozen megabytes. If 100 MB was ever “enough,” Windows has long since moved those goalposts.

The specific tripwire for KB5089549 is tight, but telling. Microsoft confirmed that the failure triggers when the ESP has 10 MB or less of free space remaining. On a 100 MB partition that has been hosting Windows through several years of cumulative updates, that threshold is entirely realistic. The update proceeds normally through its initial phases — progress bars, the usual theater — and then dies during the restart phase, right around the 35–36% completion mark. The CBS.log entries are unambiguous: SpaceCheck: Insufficient free space and ServicingBootFiles failed. Error = 0x70. The accompanying companion error code, 0xc1900104, surfaces during feature-update upgrade attempts and carries the same root cause. The partition is simply full.

Increasing ESP Lebensraum

The community has converged on two main workarounds, and it is worth being clear-eyed about both of them.

The first is the “fonts delete” trick. You mount the ESP using mountvol Y: /S from an elevated command prompt, navigate to EFI\Microsoft\Boot\Fonts, and delete everything inside — typically recovering somewhere between 30 and 60 MB in a single sweep. It is fast, it is effective, and it is entirely unsupported by Microsoft. The risk is real: those font files support non-English boot environments. If your machine ever needs to display Cyrillic, Japanese, or Arabic characters in the pre-OS recovery interface, you will have a bad time. For an English-only deployment sitting quietly in a US office, the practical risk is low. In any multilingual environment, it should be treated as a last resort only.

Microsoft has also offered its own short-term registry tweak for KB5089549 specifically: running reg add “HKLM\SYSTEM\CurrentControlSet\Control\Bfsvc” /v EspPaddingPercent /t REG_DWORD /d 0 /f from an elevated prompt, followed by a reboot. This reduces the padding buffer the update engine reserves in the ESP, giving just enough headroom to slip the update through. It buys time. It does not fix the underlying problem.

The second, more durable option is partition resizing — shrinking the C: volume and extending the ESP to somewhere between 260 MB and 512 MB. Tools like MiniTool Partition Wizard (MTPW) can accomplish this from within Windows on many configurations. That said, a WinPE offline environment is the proper path since you are modifying a sometimes live boot partition. This is the correct fix. It is also disruptive, carries a non-trivial risk of data loss if anything goes wrong mid-operation, and absolutely requires a verified backup before you touch anything. Done properly, you will not need to revisit this for years. Done carelessly, you will spend an afternoon with recovery media and a sinking feeling. I experienced this myself recently on an ASUS Zenbook A14 laptop.

MS Is Mum on Remediation

Microsoft has not, as of this writing in mid-2026, provided an official, automated remediation path. There is no inbox tool that detects an undersized ESP and expands it gracefully. Ditto no Setup-phase blocker with a clear, actionable error. There is a Known Issue Rollback for KB5089549, which automatically propagates to consumer and unmanaged devices and prevents the broken update state — useful, but it leaves the machine unpatched. Enterprise admins can deploy the associated Group Policy to apply the KIR on managed fleets. None of this changes the underlying geometry of the partition. Something’s got to grow — and soon!

Facebooklinkedin
Facebooklinkedin