Category Archives: Uncategorized

Great MSA Massacre of 2026

When it comes to my Microsoft Accounts (MSAs), I must laugh at what historian Hayden White unsmilingly called “the burden of history.” That is, it seems I’ve acquired quite a number of MSAs over the years. Thus, I had to shoulder that burden recently when I decided to clean things up a bit. Last week witnessed my own “great MSA massacre of 2026.” Indeed, I rid myself of 4 old MSAs and cleaned up what remained. It wasn’t exactly bloody, as such things go, but it was indeed a burdensome task.

What Spurred the Great MSA Massacre of 2026?

As the lead-in graphic should suggest, the impetus came from devices associated with my many and varied MSAs. Indeed, I discovered numerous evaluation units from Lenovo, Dynabook, HP, MSI, and others. Some went as far back as the early 2020s.

One source of issues is that I didn’t practice good “eval return hygiene” on many loaner units. I would log in to them using an MSA, but didn’t unenroll them from device lists before sending them back. This, it seems, could cause them to persist for up to 6 months after return and presumable oblivion. At least, as far as logins from my MSA were concerned.

I spent about two weeks of concerted effort, visiting the managed devices page for my still-active MSAs. Each day, I would remove all stale entries (I call them “zombies”) only to see them pop up again. But over time, and with grim repetition, I finally consigned those stubborn devices to rest in eternal peace (hopefully).

What’s Left to Do?

I’ve got one MSA that’s a bit of a zombie itself. Its home email server was shut down last year, as its owner went out of business. I want to keep that account alive because it carries 20 years of — please don’t laugh out loud — Microsoft Solitaire history that I don’t want to lose. It’s tied to my cell number, so I can still prove my identity as long as that sticks with me, so I should be good.

I’m now shuffling all of its devices over to my primary MSA, so I can keep the ones I actually use all in one place. Going forward, I have a plan as I return eval units to Lenovo (or whoever else might send me a review unit). I’ll make sure to unenroll them from my registered device and MS Store device lists to keep things current and correct. Copilot opines further that it’s a good idea to factory reset those units, too, to wipe all MSA traces. I’ll do that, too.

As IRL, in Windows-World actions have consequences. I’m doing my best to remember that using my MSA to log in and play with eval units means I have to manage them more actively as they come and go. Fingers crossed I’ll do that properly from now on…


Alexandrine Solution Fixes ThinkStation Diagnostics

In reviewing Reliability Monitor for my peppy and capable ThinkStation P3 Ultra Gen 2, I saw recent repeated APPCRASH errors. If you could drill down into the lead-in graphic — as I did — you’d see 3 between March 11 and 14. So I asked Copilot to tell me more about this error. I learned that this utility is recommended, not required. I also learned that what’s blowing up reflects some kind of telemetry error when the app tried to phone home. So I uninstalled it. This Alexandrine solution fixes ThinkStation Diagnostics (think: Gordian knot) and smooths out my reliability ratings.

How the Alexandrine Solution Fixes ThinkStation Diagnostics

In this context I’m reminded of the well-known DCOM Event 10016 error, which pops up dozens to hundreds of times a day in Windows 10 and 11. It’s not really an error; it’s the result of a design choice that tries a series of component object model (COM) and distributed COM (DCOM) components as it performs routine tasks such as running shell components, search indexing, UWP apps and background services. It appears as an error, even though the work to which such errors are tied actually succeeds. Noise, in other words.

In the same vein, here is what applies to the ThinkStation Diagnostics (TD) software:

1. It is recommended, not required
2. The “critical error” relates to the software’s operation, not the system it monitors
3. Copilot reports that Lenovo documents numerous cases where TD fails this way owing to external device voltage issues, unsupported cables or dongles, and power state transitions (sleep/resume)

Indeed the error is something on the back end, not in the system itself, and doesn’t really signal an actual problem. Ironically, it’s the system for reporting problems that’s itself causing problems.

Noise, Not Signal Makes Alexander Right

Nobody could untie the Gordian knot, so they couldn’t get in the door, either. Alexander cut it off, and got the door open right afterward. I’m taking the same approach with this tool. It’s not because I don’t want it to tell me useful stuff; it’s because I don’t want it to crash for uninformative reasons.

Here in Windows-World, there’s always a certain amount of noise to go along with valid signals. When I feel like the noise is swamping the signals, I’m glad to remove a source of such noise. There are plenty of ways for me to find out what’s going on, using other means. Basta!


Keep Your Windows Clean

In poking around the fleet here at Chez Tittel lately, I can’t help but notice that my Windows PCs seem to pick up detritus at a good clip. Nearly every time I run a tool such as Disk Cleanup (cleanmgr.exe), PC Manager, or even the ancient but still serviceable UnCleaner utility, I put at least 800MB-1GB of storage back into the free pool. One of my mottos has been (and remains): “Keep your Windows clean.” And there’s more to suggest driven by that impetus…

What Keep Your Windows Clean REALLY Means

As you can see in the lead-in graphic, even after running PC Manager’s “deep clean” facility, UnCleaner still finds another GB of trash to take out. Indeed, multiple tools often focus on multiple sources of unwanted or unnecessary stuff. Using them in combination will usually take out more trash than a single item can ferry into oblivion on its own.

But wait: there’s more! Other things in Windows besides file storage need an occasional cleanup. Here are some examples:

  • Use a tool such as RAPR (DriverStore Cleaner) to remove obsolete or duplicate device drivers from the Windows driver store
  • Use DISM to do likewise for the Windows Component Store (e.g. DISM /Online /Cleanup-image /StartComponentCleanup)
  • Various identity and authentication cleanups, including credential manager, Windows Hello/NGC, AAD/Workplace Join, cached identity tokens, and more

I’ll blog about this final item tomorrow, because I’ve been spending a lot of time on that kind of stuff lately, and have some useful PowerShell to share along those lines. Stay tuned.

And remember: a clean Windows install is a happy and healthy Windows install. Cheers!


How UEFI Flash Overturned Flo6

A routine UEFI firmware update brought unexpected trouble to the Flo6 system yesterday. What should have been a simple BIOS flash turned into a boot failure. The cause? A major change in Secure Boot keys. This event highlights how firmware updates can affect system trust and stability. As I was figuring out how UEFI flash overturned Flo6, I had to work my way through another CMOS reset, GPU disconnect, and more. Buckle up: here come the deets!

How UEFI Flash Overturned Flo6, and Killed Normal Boot-up

The BIOS update for Flo6 included more than microcode or AGESA changes. It replaced the Secure Boot Platform Key (PK), Key Exchange Key (KEK), and the Allowed Signatures Database (DB). These new keys came from Microsoft’s 2023 certificate chain. They replaced the older 2011 certificates that had been in use since Windows 8. This was a full trust-chain rollover, not a routine patch.

Why Did Boot Balk Afterward?

After the update, Flo6 failed to boot. The reason was a mismatch between the new firmware keys and the bootloader signatures. Windows had already staged boot components signed with the 2023 certificates. But the firmware update reset the trust chain. The system no longer recognized the bootloader as valid. Secure Boot rejected it, and the system dropped into firmware setup.

Recovery and Realignment

Once the firmware finished installing those new keys, Windows rebuilt its boot entries. It aligned its bootloader with the new DB. The system re-entered User Mode and Secure Boot resumed normal operation. Flo6 booted successfully again. The trust chain was restored, and the system stabilized.

Along that seemingly simple path, however, I had to reboot Flo6 at least a dozen times. Maybe more than that: I kinda lost count. At one point I had to pop the CR2032 CMOS battery. At another, I unpowered the GPU so the system would be forced to reset GOP stuff during a next restart, destined and designed to fail. Along the way I worked through nearly every aspect of the ASRock board’s Secure Boot capabilities, setting things back to rights.

Lesson Learned

Firmware updates that modify Secure Boot keys are not routine. They change the foundation of system trust. If the OS and firmware are not aligned, boot issues can result. Understanding how PK, KEK, and DB work helps prevent surprises. Always check BIOS release notes for Secure Boot changes before flashing.
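One way to see exactly which Secure Boot variables a flash replaced is to record them beforehand and compare afterward. The script below is an added example, not code from the original post; the snapshot path, the function names and the idea of saving it as a script file with a `-Mode` switch are assumptions made for illustration.

```powershell
# Added example, not from the original post. Run from an elevated Windows
# PowerShell session on a UEFI system. $SnapshotPath is an assumed location.
param(
    [ValidateSet('Save', 'Compare')] [string] $Mode = 'Save',
    [string] $SnapshotPath = "$env:ProgramData\SecureBootSnapshot.json"
)

function Get-SecureBootSnapshot {
    # Hash each Secure Boot variable so any key or database change is visible.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
            try {
                [byte[]] $bytes = (Get-SecureBootUEFI -Name $name -ErrorAction Stop).Bytes
                $hash = [BitConverter]::ToString($sha.ComputeHash($bytes)) -replace '-', ''
                [pscustomobject]@{ Name = $name; Size = $bytes.Length; Sha256 = $hash }
            }
            catch {
                # Variable undefined (for example, PK cleared in Setup Mode) or unreadable
                [pscustomobject]@{ Name = $name; Size = 0; Sha256 = 'ABSENT' }
            }
        }
    }
    finally { $sha.Dispose() }
}

function Compare-SecureBootSnapshot {
    param([object[]] $Before, [object[]] $After)
    foreach ($old in $Before) {
        $new = $After | Where-Object { $_.Name -eq $old.Name }
        [pscustomobject]@{
            Variable = $old.Name
            Changed  = $new.Sha256 -ne $old.Sha256
            OldSize  = $old.Size
            NewSize  = $new.Size
        }
    }
}

$current = Get-SecureBootSnapshot
if ($Mode -eq 'Save') {
    # Before flashing: record the current PK, KEK, db and dbx state
    [pscustomobject]@{ Taken = (Get-Date).ToString('s'); Variables = @($current) } |
        ConvertTo-Json -Depth 3 | Set-Content -LiteralPath $SnapshotPath -Encoding UTF8
    "Saved Secure Boot snapshot to $SnapshotPath"
}
else {
    # After flashing: report which variables the firmware update replaced
    $saved = Get-Content -LiteralPath $SnapshotPath -Raw | ConvertFrom-Json
    "Snapshot taken $($saved.Taken); Secure Boot enabled now: $(Confirm-SecureBootUEFI)"
    Compare-SecureBootSnapshot -Before $saved.Variables -After $current |
        Format-Table -AutoSize
}
```

Run it with `-Mode Save` before the flash and `-Mode Compare` once Windows is back up; a `Changed` value of True for PK or KEK indicates a key rollover rather than a routine db/dbx update.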

The Flo6 incident shows how a UEFI flash can affect more than performance or features. It can change the system’s trust model. With Secure Boot evolving, it’s more important than ever to understand what firmware updates really do.

Secure Boot has definitely made life more interesting here in Windows-World. I’ve just ordered an MSI MAG Tomahawk B550 board to replace the ASRock model. Hopefully, it will show itself more robust in the face of Secure Boot changes. We’ll see…


Secure Boot Recovery Means New Media

Here at Chez Tittel, I’ve been on something of a Secure Boot tear lately. Late last week, it dawned on me that this might require a change in recovery media, too. I checked: it does. Indeed, MS spells out the notion that secure boot recovery means new media in a couple of MS Learn Documents:

Basically, this boils down to the following data points, all of which determine whether or not recovery media will work properly after enabling Secure Boot:

  • Recovery media must use MS-signed UEFI bootloaders
  • Bootloaders signed with a certificate trusted in db
  • Bootloaders signed with the old 2011 CA blocked in dbx
  • Updated WinRE images (incl. new recovery media) signed with the 2023 CA

What Secure Boot Recovery Means New Media Comes Down to…

Simply put: once a PC has secure boot enabled and reports the presence of CA 2023, it needs matching secure boot media for recovery and repair. Older media won’t work because it lacks the new CA 2023 certificate. Bootloaders will fail, and/or WinRE won’t run. This will provoke a “Secure Boot violation” error or “invalid certificate” message in the bootloader. Sounds bad, eh?

The fix is easy, as long as you’ve turned Secure Boot on, and have installed the CA 2023 certificate (Garlin’s scripts at ElevenForum do this job nicely). With all these pieces in place, your current runtime meets the afore-stated requirements. Then, you can use Windows’ built-in “Create a recovery drive” feature to build new recovery media to match this new state. Done!
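To check a recovery drive against the requirements listed above before you actually need it, you can compare the signer of its boot manager files with what the firmware's db and dbx contain. This script is an added example, not from the original post or from Garlin's scripts; the drive letter and function names are assumptions, and the verdict is a simplified one based only on the two CA names discussed here.

```powershell
# Added example, not from the original post. Run elevated in Windows PowerShell
# on the PC the media must rescue. $MediaRoot is an assumed drive letter.
param([string] $MediaRoot = 'E:\')

function Get-SbVariableText {
    param([string] $Name)
    # Return the variable's bytes as ASCII so certificate names can be matched;
    # an undefined variable (for example, an empty dbx) yields an empty string.
    try {
        $var = Get-SecureBootUEFI -Name $Name -ErrorAction Stop
        [System.Text.Encoding]::ASCII.GetString($var.Bytes)
    }
    catch { '' }
}

function Test-RecoveryMedia {
    param([Parameter(Mandatory)] [string] $Root)
    $efiDir = Join-Path $Root 'EFI'
    if (-not (Test-Path -LiteralPath $efiDir)) { throw "No EFI folder under $Root" }

    # What the firmware trusts (db) and what it has revoked (dbx)
    $dbHas2023      = (Get-SbVariableText db)  -match 'Windows UEFI CA 2023'
    $dbxRevokes2011 = (Get-SbVariableText dbx) -match 'Microsoft Windows Production PCA 2011'

    # Boot managers only; other .efi files on the media are not the first stage
    Get-ChildItem -LiteralPath $efiDir -Recurse -File -Force |
        Where-Object { $_.Name -match '^boot(mgfw|mgr|x64|aa64)\.efi$' } |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $issuer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer } else { '' }
            if ($issuer -match 'Windows UEFI CA 2023') {
                $ca = '2023'; $ok = $dbHas2023
            }
            elseif ($issuer -match 'Microsoft Windows Production PCA 2011') {
                # Simplified: assumes db still trusts the 2011 CA unless dbx blocks it
                $ca = '2011'; $ok = -not $dbxRevokes2011
            }
            else {
                $ca = 'unknown'; $ok = $false
            }
            [pscustomobject]@{
                File           = $_.FullName
                SignedUnder    = $ca
                ExpectedToBoot = $ok
            }
        }
}

Test-RecoveryMedia -Root $MediaRoot | Format-Table -AutoSize
```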

Here in Windows-World, when things change, the supporting infrastructure must change to follow suit. Today that means generating fresh, new recovery media to match Flo6’s “secure boot on, CA 2023 installed” state. Takes only a few minutes, but means that future recovery efforts are far more likely to succeed. Good-oh!


Secure Boot Report Card Perfected

On February 4th, I recounted the Secure Boot status of my local fleet, along with machines possessing CA 2023 secure boot certificates. At that time, I had 3 of 11 PCs with no CA 2023 secure boot certs. One also couldn’t enter UEFI with Secure Boot enabled. My secure boot report card is now perfected. All 11 machines have secure boot enabled AND CA 2023 certs in their credentials stores.

How Did I Get Secure Boot Report Card Perfected?

Short answer: time, effort and (in one case) a hardware purchase. Now for a somewhat longer answer. Both holdout machines with SB enabled but no CA 2023 present were ThinkPads. First was the X380 Yoga, a 2018 vintage 7th-gen Intel-based laptop. Second was the X12Hybrid, a 2020 vintage 10th-gen Intel-based tablet.

The same fix worked for both machines. The inestimable long-time member at ElevenForum.com named @Garlin has a terrific thread. It’s entitled garlin’s PowerShell scripts for updating Secure Boot CA 2023. It includes a script named Check_UEFI-CA2023.ps1. If you run that script, it tells you whether the CA 2023 cert is present or absent. If CA 2023 is absent, it also provides two commands to put it in place. That worked for both of my ThinkPad holdouts.

Note: The lead-in graphic for this story shows the following:
1. Invocation and output from the Check script just mentioned.
2. Execution of the reg edit and scheduled task to add CA 2023.
3. Final check string to show CA 2023 is present in the SecureBoot UEFI db (database).

The Third Holdout Proves a Bit Trickier

The old NVIDIA GeForce RTX 1070Ti installed in the upstairs ASRock B550/AMD Ryzen 5 5800X desktop named “RyzenOfc” wouldn’t enter UEFI with Secure Boot enabled. Turns out the firmware on its older GPU just couldn’t coordinate with TPM changes. I bought a Gigabyte RTX 5060 because it was compact enough to fit the smallish RyzenOfc Antec A-201 case. That got me back into UEFI where I could install the default keys and get secure boot working properly.

After that, the same Garlin script cited above also got CA 2023 into the credentials store on RyzenOfc. It’s taken a good chunk of the last two weeks, and cost me a chunk of change — I also bought a new mouse and keyboard that skip USB enumeration issues and Fn key gotchas in getting to UEFI, plus the GPU — to finish this journey.

Just for grins I checked CA 2023 status on the ThinkPad P16 Gen 3 that showed up on Monday. It didn’t have the new certs, either, so I fixed it with commands from the Garlin check script, too. All good!

But at last, all my machines are Secure Boot enabled with the CA 2023 certificate installed in that environment. What a long, strange trip that turned into. I’m glad it’s over, and I learned a LOT along the way. I also heartily recommend the Garlin scripts to anybody facing uncertainty or issues in getting CA 2023 Secure Boot certs onto their PCs. Great stuff!


Buying New(er) GPU For RyzenOfc

Back in late 2021/early 2022, I bought a pair of motherboards for side-by-side PC builds. One for me, one for my son to use at home. I also bought an NVIDIA 3070Ti GPU so he could game away. But that latter plan didn’t turn out because his PC case — an Antec A201 — was too small inside for that GPU. We stuck with our older 1070Ti models because they fit. Just recently, I’ve been working to get Secure Boot running on those PCs. I wasn’t able to get it up on Flo6 (my office desktop, now in a bigger case) until I swapped the 1070 GPU for that 3070 model. I still haven’t been able to get back to UEFI on the upstairs model (his former desktop). That’s why I’m buying newer GPU for RyzenOfc (desktop machine name). Let me explain…

Why Buying Newer GPU For RyzenOfc Could Help

The older 1070Ti has Pascal generation firmware, while the newer 4070 has Ada generation firmware. The 1070 firmware is 11 years old, or thereabouts, and lacks features and capabilities that newer firmware environments — including UEFI, TPM and Secure Boot — need. Copilot put together a feature table that lays things out nicely for easy perusal and comparison.

Basically, I was unable to get past the graphics output protocol (GOP) phase during boot-up with the 1070 installed. The PC froze there every time. I could still get to Windows (straight to the lock screen, in fact) but I never could see the ASRock initial boot-up logo, nor could I use Del or F2 to get into UEFI.

Can’t Do Secure Boot Except via UEFI

That last little bit is a dealbreaker. If I can’t get into UEFI, I can’t turn secure boot on. Nor can I load the default Secure Boot keys, essential to resetting TPM to let the whole Secure Boot infrastructure get put in place. Bit of a problem, that…

So I ordered a used compact NVIDIA 4070 GPU to replace the 1070Ti. It’s due in next week. And I’m betting a reasonably substantial sum that when I pop the new GPU into the PCIe x16 slot the 1070 currently occupies, I’ll be able to get through Secure Boot installation.

We’ll see: I’ll report back then. Stay tuned, and check your own PCs for status. On older builds you, too, may need to start making some changes. In PowerShell, Confirm-SecureBootUEFI shows “True” if it’s on, “False” if it’s off. Likewise, Get-SecureBootUEFI -Name db will show you if you have the new UEFI CA 2023 certificate installed or not (the old 2011 certificates expire later this year, so it’s time to get ready).
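Get-SecureBootUEFI returns the db variable as raw bytes, so reading it takes a decoding step. The script below is an added example (not from the original post) that parses the signature lists in KEK and db and prints each certificate's name and expiry date; the function name Get-SecureBootCertificate is made up for illustration.

```powershell
# Added example, not from the original post. Run elevated in Windows PowerShell
# 5.1 on a UEFI system. Layout follows EFI_SIGNATURE_LIST in the UEFI spec.
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-SecureBootCertificate {
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')] [string] $Name = 'db')
    [byte[]] $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    $pos = 0
    while ($pos + 28 -le $bytes.Length) {
        # List header: type GUID (16 bytes), then list, header and entry sizes (uint32)
        $type      = [guid]::new([byte[]]($bytes[$pos..($pos + 15)]))
        $listSize  = [int][BitConverter]::ToUInt32($bytes, $pos + 16)
        $hdrSize   = [int][BitConverter]::ToUInt32($bytes, $pos + 20)
        $entrySize = [int][BitConverter]::ToUInt32($bytes, $pos + 24)
        if ($listSize -lt 28 -or $pos + $listSize -gt $bytes.Length) { break }  # malformed list

        # Hash-only lists (common in dbx) are skipped; only X.509 lists carry certificates
        if ($type -eq $X509Guid -and $entrySize -gt 16) {
            $entry = $pos + 28 + $hdrSize
            while ($entry + $entrySize -le $pos + $listSize) {
                # Entry: owner GUID (16 bytes) followed by the DER-encoded certificate
                $der  = [byte[]]($bytes[($entry + 16)..($entry + $entrySize - 1)])
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable = $Name
                    Subject  = $cert.GetNameInfo('SimpleName', $false)
                    NotAfter = $cert.NotAfter.ToString('yyyy-MM-dd')
                }
                $entry += $entrySize
            }
        }
        $pos += $listSize
    }
}

$certs = foreach ($var in 'KEK', 'db') { Get-SecureBootCertificate -Name $var }
$certs | Format-Table -AutoSize
$has2023 = [bool]($certs | Where-Object {
        $_.Variable -eq 'db' -and $_.Subject -eq 'Windows UEFI CA 2023' })
"Secure Boot on: $(Confirm-SecureBootUEFI); Windows UEFI CA 2023 in db: $has2023"
```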

Here in Windows-World the old saw from Roseanne Roseannadanna often applies: “It’s always something!” And indeed, this time it could be something somewhat costly, as well. Sigh.


Flo6 GPU Driver Hiccup Easily Fixed

When I crashed last night, it was with yesterday’s post-Patch-Tuesday updates pending. Thus, I had to log in this morning, following the reboot for KB5068861. Right away, I knew something was amiss. Indeed, the right-hand monitor went into serious blink mode immediately as my dual-display desktop came alive. I’ve seen this before, many times, on the old i7Skylake desktop. This was a first since I switched to the Flo6 (AMD 5800X CPU, ASRock B550 Extreme 4 mobo). Fortunately, this Flo6 driver hiccup easily fixed itself, via installation of a new NVIDIA driver.

Here’s How: Flo6 GPU Driver Hiccup Easily Fixed

There’s something about the combination of two displays and NVIDIA GPUs that gets them into blink mode. Invariably when that happens, a new driver is mysteriously available. As my friend Wiggo would say of such things: “How do it know?” I have no clue…

But having been in this same spot dozens of times before, I knew exactly what to do. I opened the NVIDIA app, and learned that a new Studio driver (supposedly the most stable version) has been available since Oct 14. However, I needed it today, and installed same. Immediately after installation (no reboot required) the blink mode quit blinking.

Here in Windows-World, one must expect a bit of trouble from time to time. The good kind of trouble is familiar. The best kind is the one that surrenders to the obvious, well-known fix. The worst kind is the one that refuses to give way, even to a “huge bulldozer — slow, tedious, lumbering, laborious, but invincible.” [Note: that’s a quote from Robert Pirsig’s Zen and the Art of Motorcycle Maintenance that describes the full rigor of the scientific method.]

Luckily for me, my kind of trouble was the best kind in that taxonomy. Thus I can exclaim: “Problem solved!”


Farewell AIO32i: Fast, Capable & Costly

I’ve been messing around with the Lenovo Yoga AIO 32i (aka 9i, for some odd reason or another) since last July. It’s proven itself to be a fast and surprisingly capable Copilot+ PC. That’s nice, especially for an All-in-One — AIO, get it? Yesterday, I had to get some help and insight from “the Boss” (wife, Dina) to figure out how to get it packed in its monster shipping box (dimensions: 34″ x 26″ x 13″). It’s a bit of a puzzle box to unpack and repack, in fact. Summing up this device, I say “Farewell AIO32i: Fast, Capable & Costly.” Let me explain…

I Bid Farewell AIO32i: Fast, Capable & Costly

When this model first showed up at Chez Tittel, it came with an MSRP of over US$2,800. I can’t find that same model for sale any more. But one with an Intel Core 256 (not a 258), 16 instead of 32 GB of RAM, and lacking the original unit’s Nvidia GeForce RTX 4050 (6GB) currently goes for US$2,100 in the Lenovo Store. Like I said: it’s kind of pricey.

But the display was absolutely gorgeous and the unit very nice to work on. It handled everything I threw at it without breaking a sweat. That included some pretty serious program compilations in Python, some intense and demanding Copilot and ChatGPT sessions, and more. I don’t think it’s suited for heavy development or AI work. But I do think it would make a fine office or dorm room PC, easy to set up and put to work in a flash.

Pros & Cons

I’m just going to list what I observed and enjoyed (or not) about the machine in a set of plusses and minuses to put this PC into context:

Pros
*  Gorgeous, high-res display
*  Excellent built in wireless keyboard & mouse (USB-charged)
*  Great performance and handling
*  Trouble-free Windows 11 and Copilot+ AI support (only PC I’ve ever used that fully supported Smart App Control, too)

Cons
*  Pricey when compared to similar-value desktops or laptops
*  Relatively few USB ports, kinda hard to reach on back of base (most notably: only 1 USB4 port)
*  Not much upgradeability: soldered RAM, only 1 M.2 slot

Net-Net: Copilot+ for Convenience, Not Upgrades

For those seeking a plug it in, turn it on, and let it go experience with little or no setup or customization needed, this is a terrific and capable PC. Given that it’s Copilot+ capable, and able to handle typical tasks quickly and effectively, it’s a good choice for naive or untutored Windows users who won’t want to mess with their machines much anyway. I’d rate it very high for office workers who need to sit down and get stuff done. Likewise for students not interested in computers themselves but more for what they can do with them. And ditto for families trying to outfit seniors with a nice PC that’s easy for them to use and others to support.

IMO, what you can get for $2,100 by way of desktop or laptop PCs — including many other models from Lenovo — makes me less inclined, personally, to buy such a machine. But I have monitors and peripherals galore around. Also, my baseline Windows 11 config now includes 32GB RAM (which the current AIO32i for sale falls short of by half).

That said, it is a gorgeous machine to look at and use. Not beyond the pale, and eminently suitable for some. Just not me, as it happens.


Pondering NVMe Performance Premiums

I admit it: I’m something of an SSD nut. I’ve been fascinated with these solid-state alternatives to spinning media since they first appeared in the mSATA days. Indeed, I acquired my first SSD in 2008, in the form of a SATA based Intel X25-M. I jumped on the mSATA bandwagon early in 2011, about two months after Intel dropped its M.2 SSD 310. Over the past decade and more, I’ve spent far too much time wondering if the latest performance boost is worth the typical doubling in cost over previous generations that vendors exact for riding on the bleeding edge. Here’s what I think…

When Pondering Performance Premiums, Don’t Forget Price

I bought a very nicely priced Samsung 990 EVO Plus 4TB Gen4 NVMe to include in my current desktop build earlier this summer. It set me back just over US$200. I was just reading about a new offering from Lexar — the NM1090 Pro 4TB — that costs “just $360” in the words of that story’s title. The difference is what got me thinking about today’s musings.

The thing about leading edge hardware is the whole device chain. That means it’s not just the drive itself in this case, but the slot into which it plugs, the bus upon which it rides, and the motherboard that houses all the pieces and their connections. Here at Chez Tittel, I have perhaps one or two systems — both laptops — that could use the Gen5 high-speed capabilities the Lexar drive can deliver. I own neither of them (one is on loan from Lenovo, the other from Dynabook).

Getting There from Here Is More Than a Ride

Taking full advantage of the leading edge means a leading edge rig in which to house a leading edge drive. Right now, building such a system would cost me over US$2,000 (maybe even over $3K if I want to max out on the GPU side, too).

My strategy is to hang back one generation when building, because I can get reasonable performance for half the cost of buying into whatever the state of the art might be at purchase time. Of course, that means my build will be obsolete a bit sooner, but gosh: saving 50% lets me buy in more often at a lower overall cost. I happen to think that’s the right way to go.

Here in Windows-World, buyers can do as they like. I’d rather stretch my dollars a bit further, and use them more sparingly. But then, I’m not a gamer, nor do I run many applications where my productivity is diminished because I can’t operate at max bandwidth. What’s your take?
