Category Archives: Windows 10

Explainer: Secure Boot Chain of Trust

Here’s an uncomfortable, seldom considered truth: your operating system isn’t the first thing that runs when you power on your PC. The firmware goes first. Then the bootloader. Then the OS kernel. Malware creators figured this out a long time ago. Get in early enough — before the OS loads — and you can own a machine invisibly, surviving reboots, reinstalls, and even antivirus scans. All this explains why the secure boot chain of trust is vital to modern Windows security.

The threat is real and it’s present right now. BlackLotus, a UEFI bootkit sold on criminal forums, made headlines in 2023 for bypassing Secure Boot on fully patched Windows 11 systems. BootHole exposed a critical flaw in GRUB2’s boot process that affected both Linux and Windows. PKFail (2024) revealed that dozens of device vendors had shipped products using a leaked “do not ship” test Platform Key — meaning the root of the entire trust hierarchy was compromised straight out of the box. Then, in January 2025, ESET researchers disclosed CVE-2024-7344: a Microsoft-signed UEFI recovery application that could silently load unsigned bootkit code — on any UEFI system, regardless of whether Secure Boot was enabled. Microsoft pulled the vulnerable binaries in the January 14, 2025 Patch Tuesday update.

Boot-time attacks aren’t theoretical. They’re happening. Understanding Secure Boot’s chain of trust is the first step toward knowing whether your defenses are actually holding.

Understanding the Secure Boot Chain of Trust

Think of the chain of trust as a series of checkpoints at the border. Each checkpoint must vouch for the next before anything is allowed through. No vouching, no entry, and the boot process stops dead.

In technical terms: every component in the boot sequence verifies the digital signature of the next component cryptographically before handing off execution. The firmware checks the bootloader. The bootloader checks the OS kernel. The kernel checks drivers. If any link in that chain can’t be verified — wrong signature, no signature, a signature that’s been revoked — the process stops. Your PC refuses to proceed rather than run untrusted code. That’s the whole point. Always safe means never sorry, even if it also means a PC that won’t fire up and run.

The chain only works, of course, if the first link is trustworthy. That’s where the UEFI key hierarchy comes in.

The Key Players: PK, KEK, db, and dbx

UEFI Secure Boot manages trust through four interlocking databases baked into your firmware. Get familiar with them — they come up constantly whenever something goes wrong at boot time.

Key / Database | Full Name                     | Role
PK             | Platform Key                  | Root of trust. Set by the hardware manufacturer. Controls who can update KEK.
KEK            | Key Exchange Key              | Authorized to update the signature databases (db and dbx).
db             | Signature Database            | Hashes and certificates of trusted bootloaders allowed to execute.
dbx            | Forbidden Signatures Database | Revoked signatures and hashes. Anything here is blocked unconditionally.

The PK sits at the top. Your motherboard manufacturer owns it. Below the PK, the KEK authorizes who gets to update the lists of trusted and forbidden signatures. In practice, Microsoft functions as the de facto Secure Boot Certificate Authority for the consumer PC ecosystem. Nearly every machine you buy ships with Microsoft’s certificates pre-loaded in db — exactly why CVE-2024-7344 was so broadly dangerous. A legitimately Microsoft-signed binary became a usable attack vector!

Worth Knowing: PKFail and the Test Key Problem

In 2024, the PKFail vulnerability revealed that over 200 device models from multiple vendors shipped with a Platform Key originally marked “DO NOT TRUST” — a sample key from AMI’s reference firmware that was never meant to leave the lab. When your PK is public knowledge, the entire root of trust collapses.

How the Chain Is Created at Boot Time

Power on your PC, and here’s what actually happens — fast, invisible, and mostly taken for granted.

  1. The UEFI firmware initializes hardware and activates Secure Boot mode.
  2. The firmware reads the bootloader from the EFI System Partition and checks its signature against db. It also checks against dbx — if it’s there, execution stops immediately.
  3. The signed bootloader (Windows Boot Manager, for example) takes over and verifies the OS kernel’s signature using its own embedded certificates.
  4. The kernel loads and verifies signed drivers. On Windows, this is enforced through Driver Signature Enforcement — unsigned kernel-mode code is blocked by default.

Every handoff is cryptographically verified before it happens. Compromise any link — plant an unsigned binary, exploit a signed-but-vulnerable loader, sneak past a misconfigured dbx — and an attacker owns your machine below the OS waterline. That’s precisely the attack surface that BlackLotus, BootHole, and CVE-2024-7344 each exploited in different ways.

Maintaining a Strong Chain of Trust

Secure Boot isn’t a “set it and forget it” control. Maintaining a healthy chain of trust requires ongoing attention from both Microsoft and from you.

The most important maintenance lever is the dbx — the blocklist. When a bootloader is found vulnerable (as happened with a batch of 2011-era Microsoft-signed binaries in 2023, and again with the CVE-2024-7344 binaries in January 2025), Microsoft issues dbx updates through Patch Tuesday. Your firmware then refuses to execute those specific binaries even if they’re somehow placed on the system. Keeping Windows Update current is how those revocations reach your PC.

Firmware updates matter just as much. Vulnerabilities in the UEFI firmware itself require OEM-supplied updates delivered via Windows Update or manufacturer tools. The NSA and CISA have both issued guidance recommending that organizations periodically audit their Secure Boot configuration — confirming the correct keys are enrolled, the dbx is current, and no rogue Platform Keys are in place (a lesson PKFail drove home hard).
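The key hierarchy described above and the audit recommended here can be checked from Windows itself. As an added example (not code from the original post), this PowerShell script reads PK, KEK, db and dbx with the built-in SecureBoot cmdlets, decodes the EFI signature lists per the UEFI specification, lists enrolled certificates, counts dbx hashes, and flags a PKFail-style test Platform Key; the script and its output format are my own assumptions about how to run such an audit.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit the four UEFI Secure Boot
# databases from Windows. Assumes a UEFI machine with the built-in SecureBoot
# PowerShell module; the signature-list layout follows the UEFI specification.

# EFI_SIGNATURE_LIST entry types worth decoding (GUIDs defined by the UEFI spec).
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # DER-encoded X.509 cert
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # raw SHA-256 hash

function Get-EfiSignatureEntry {
    # Walk every EFI_SIGNATURE_LIST in a raw UEFI variable blob and emit one
    # object per enrolled certificate or hash.
    param([byte[]]$Bytes)
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        # List header: SignatureType (16) + ListSize (4) + HeaderSize (4) + SigSize (4)
        $listType   = [guid]::new([byte[]]($Bytes[$offset..($offset + 15)]))
        $listSize   = [BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }      # malformed; stop here
        $pos = $offset + 28 + $headerSize
        $end = [Math]::Min($offset + $listSize, $Bytes.Length)
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: 16-byte SignatureOwner GUID, then the payload
            $data  = [byte[]]($Bytes[($pos + 16)..($pos + $sigSize - 1)])
            $entry = [pscustomobject]@{ Type = 'Other'; Detail = $listType.ToString() }
            if ($listType -eq $EfiCertX509) {
                try {
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                    $entry.Type   = 'X509'
                    $entry.Detail = '{0} (expires {1:yyyy-MM-dd})' -f $cert.Subject, $cert.NotAfter
                } catch { $entry.Detail = 'X509 entry that failed to parse' }
            } elseif ($listType -eq $EfiCertSha256) {
                $entry.Type   = 'SHA256'
                $entry.Detail = ([BitConverter]::ToString($data) -replace '-').ToLower()
            }
            $entry
            $pos += $sigSize
        }
        $offset += $listSize
    }
}

# Step 1: is enforcement even on? Confirm-SecureBootUEFI throws on legacy BIOS systems.
try { $enforced = Confirm-SecureBootUEFI } catch { $enforced = $false }
if (-not $enforced) { Write-Warning 'Secure Boot is not enforcing: the chain of trust is open.' }

# Step 2: summarise PK, KEK, db and dbx; list certificate subjects, count hashes.
foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
    $entries = @(Get-EfiSignatureEntry -Bytes (Get-SecureBootUEFI -Name $name).Bytes)
    $certs   = @($entries | Where-Object Type -eq 'X509')
    $hashes  = @($entries | Where-Object Type -eq 'SHA256')
    '{0,-4} {1,3} certificate(s) {2,6} hash(es)' -f $name, $certs.Count, $hashes.Count
    $certs | ForEach-Object { "      $($_.Detail)" }

    # PKFail check: a Platform Key whose subject says DO NOT TRUST / DO NOT SHIP is a
    # leaked vendor test key, so nothing below it in the hierarchy can be relied on.
    if ($name -eq 'PK') {
        $certs | Where-Object { $_.Detail -match 'DO NOT (TRUST|SHIP)' } |
            ForEach-Object { Write-Warning "Platform Key is a test key: $($_.Detail)" }
    }
}
```

A dbx that still shows only a few hundred hashes on a machine that has been on Windows Update for years is a sign the revocation updates are not landing; compare the count before and after a Patch Tuesday that carries a dbx refresh.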

Complementing Secure Boot is the TPM’s Measured Boot capability. While Secure Boot enforces what can execute, Measured Boot records cryptographic measurements of everything that did execute into TPM Platform Configuration Registers (PCRs). Remote attestation tools can then verify those measurements after the fact. Think of Secure Boot as the bouncer at the door; Measured Boot is the security camera logging who actually got in.

Why the Chain of Trust REALLY Matters

Secure Boot isn’t perfect — BlackLotus, BootHole, PKFail, and CVE-2024-7344 all proved that. But “not perfect” is a long way from “useless.” It raises the cost and complexity of boot-level attacks significantly, and when the ecosystem keeps the revocation databases current, it closes known attack paths quickly.

Do yourself a favor: open System Information (msinfo32), find BIOS Mode (should read UEFI) and Secure Boot State (should read On). If either is wrong, fix it. Keep your firmware updated. Keep Windows updated. The chain of trust is only as strong as its weakest, most-neglected link — and that link is usually sitting right between the keyboard and the chair. Here in Windows-World keeping track of key security concerns is darned important. The Secure Boot chain of trust should be at the top of everyone’s list.


Intel DSA Remains Driver Install Clickmeister

I just realized that DSA was MIA on my ThinkPad X12 Gen 1 Detachable Tablet. So I installed it, then ran it. It found 3 drivers in need of updates on that device: Wi-Fi, Bluetooth, and (Xe) Graphics. In updating them, I observed that the Intel Driver and Support Assistant (Intel DSA) remains driver install clickmeister supreme. Let me explain…

Why say: Intel DSA Remains Driver Install Clickmeister?

It’s long been my observation that using DSA requires lots of mouse clicks. This time around, installing the three drivers shown in the lead-in screencap required at least 24 mouse clicks. For the record, those drivers were (numbers at right count clicks for each one):

  • Wireless Bluetooth Drivers (9)
  • 11th-14th Gen Processor Graphics (10)
  • Wi-Fi Drivers (5)

This time around it actually took me 4 additional mouse clicks to get from item 2 to item 3, because I was installing the GPU driver for the first time. Thus, I had to reboot my system, because DSA got “stuck” on “installing” for item 2, and wouldn’t advance to item 3. Sigh. I didn’t count those “extra” clicks in my reported total.

Achieving Intel Driver Update Silence

Believe it or not, that’s the title of a blog I posted on April 27, 2023. That was another time when the sheer number of clicks involved in running DSA hit me hard. It remains noticeable. Today, it struck me as excessive. So I’m formulating this plea to the Intel DSA developers:

Please add a silent mode switch to DSA. Let users tell the tool to run the installs without requiring minutes of babysitting to get through routine maintenance.

I wonder if anybody is listening. Then, I wonder if they’ll respond. Here in Windows-World the silence can sometimes be deafening. Let’s see what happens, shall we?



Resetting CMOS Has Its Hurdles

You’d think it would be dead easy. And to be fair, on some motherboards it is. But popping (or replacing) a CR2032 3V coin battery — especially when resetting CMOS — has its hurdles to overcome. At my age, clear visibility can get interesting. Then, there’s often limited space inside the PC case to reach the darn thing. In dealing with Secure Boot (and related CA 2023 boot certificates) recently, I’ve been reaching for the CMOS battery rather more often than not.

OK, Resetting CMOS Has Its Hurdles: Name Some…

Beyond the two already noted (visibility and space), I also bumped into various other impedimenta, including:

  • Removal techniques: new sockets may not yield to a fingernail, so I found a small flat-head jeweler’s screwdriver helpful
  • Timing: most guides say to leave the PC alone after popping the battery for anywhere from 10 seconds to 5 minutes. I made sure I had something else to do before removing the battery and erred on the “too long” side of things. Seemed to work.
  • Reinsert the old or replace with a new: If it’s been more than 3 years since I replaced the battery (or I can’t remember) I’ll replace rather than reinsert a CR2032. They typically cost US$5 or less, so if I have to remove it anyway, why not replace it, too?
  • Making room: On at least a couple of desktops, I have to remove the GPU just so I can SEE the CMOS battery holder. On any given laptop at least one deck has to be removed; sometimes other assemblies (e.g. keyboards or storage modules) must also go.

But when a PC goes truly off the rails — especially when BIOS or UEFI becomes inaccessible or non-responsive — a CMOS reset can often set things back to rights. That’s why I find myself digging for my replacement stash from time to time, so I can put a fresh one in to replace the older one at the same time.

Nothing says resetting CMOS has to be easy, here in Windows-World. But lots of times, it’s a necessary step in the troubleshooting process. So it goes…


Copilot: Driver’s Education

If you read yesterday’s blog, you already know that I spent most of the weekend with my Flo6 desktop in UEFI, booting, or at the command line in WinRE/WinPE. On the other PC next to my desk chair, I keep a Lenovo P16 Gen1 Thinkpad. I was running Copilot on that PC, looking for insight into making Secure Boot work on the Flo6. Simply put, you can’t ask for help in Windows when that OS isn’t running. During that process I ended up in class for Copilot: driver’s education became quite a concern as I had difficulty scrolling down to read longish replies to my prompts and queries.

What Copilot Driver’s Education Is About

Turns out my scrolling attempts were misguided. I didn’t really understand how the touchpad on the P16 works. As you can see in the prompt window I’m using in this post for a lead-in graphic, the P16 touchpad is more oriented to gestures than to driving screen controls.

While I was working over the weekend, I simply popped in a wired mouse — complete with scroll wheel — and used that to speed scrolling while interrogating Copilot on the P16. After I had time to dig in a bit deeper, I learned that a two-finger gesture works for scrolling that touchpad quite nicely (two-finger sweep up to scroll down, down to scroll up — shades of Doc in the movie Cars).

Hah! I’ve been using Copilot since it first showed up over two years ago (June 2023) and didn’t know that this till this weekend. Probably because I still mostly drive with a mouse and not a touchpad. Now I know. Here in Windows-World, it’s the little things that sometimes make a big difference…


Windows 10’s Long Goodbye

Officially, it’s been “out of service” since October 14. And indeed, Windows 10 market share has been falling for some time now, with 11 ascendant. But, in unwinding Windows 10’s long goodbye from the desktop OS scene, there’s no sign yet of a spiraling vortex as the old OS goes down the drain. Remember, too, that older OSes — including 7, XP and 8.x versions — all show up in a range from just under 3% (7) to under 0.3% (XP, 8, and 8.1). Apparently old OSes never fade away completely…

Unwinding Windows 10’s Long Goodbye via 7

As I think about what’s going on here, I can’t help but use Windows 7 as a lens through which to view Windows 10’s upcoming decline. This actually shows itself quite nicely in a Copilot-generated desktop share graph (source: Wikipedia’s summary of StatCounter data 2015-2025).

2015, of course, was the year in which Windows 10 made its debut. It was also the same year in which Windows 7 transitioned from “mainstream support” to “extended support.” That’s what Windows 10 did this year, in slightly different terms.

Notice the shape of the curve imposes modest steps until the midpoint. It shows more serious declines since then. My gut feel is that Windows 10 will experience a similar fall-off. That said, I also believe the curve will drop more precipitously. That’s because MS has long sworn to limit extended support for 10 to 3 years, whereas it didn’t end ESU for 7 until the 5-year mark (2020) came along.

That would put the half-way mark three rather than 5 years out, with faster dropoffs after that. That said, with RAM and GPU prices currently on a steep rise, the impetus to buy new hardware to meet Windows 11 requirements may have hit a steep wall. Here in Windows-World the path from A to B (or 2025 to the New Year and beyond) isn’t always straight or simple. Let’s see what happens, shall we?


Windows 11 Hits One Billion Active Users

Here’s an interesting milestone that raises an even more interesting question. In his Ignite 2025 keynote, Pavan Davuluri made this statement “At Ignite 2025, we’re celebrating a major milestone: Windows 11 now powers more than one billion people worldwide.” Windows 10 hit that same number in March 2020. As Windows 11 hits one billion active users, the tide is turning on Windows 10, too. Let’s talk about this changeover, shall we?

After Windows 11 Hits One Billion Active Users, Then What?

According to StatCounter, Windows 10 accounts for 41.75% of the user base, with Windows 11 at 55.18%. Assuming the 1B count applies as of that date — perhaps foolish, but a point of departure anyway — that means ~757M users still run Windows 10. It also means that ~30.7M still run some older Windows version.

This shows several interesting things, IMO:

  • The Windows user base is pretty formidable, with perhaps as many as 1.8B users across all versions. It’s big, but less than one-third of the global 5.78B smartphone users.
  • Windows 11 crossed over 10 last June, and is over 13% ahead of the older OS now. I expect this split to continue, with 11 gaining ever more market share.
  • It took Windows 10 13 months to increase from 1B to 1.3B (April 2021); I think Windows 11 will cross that span more quickly.
  • It took Windows 10 five years to hit the 1B mark; Windows 11 did it in 4 years. With Windows 10 EOS behind us, it can only gain momentum.
  • With MS offering free ESU to consumer grade users for one year, that momentum may be somewhat blunted. This is offset by the remaining 30-35% of “strictly business” Windows 10 users who MUST pay for ESU. Estimates of ESU Windows 10 users vary widely, anywhere from 100-400M.

It’s an interesting situation, and an even more interesting landscape. As always, it will be fun to wait and watch for another such milestone announcement from MS. I wonder if that means Ignite 2026, or something sooner? Here in Windows-World, waiting and wondering are both hugely germane and useful attributes for those who labor in such fields.


DISM /Add-Packages Loses Windows 11 Mojo

This week, I’ve been updating a story for ComputerWorld. Along the way, I learned a little about .msu files for the Microsoft Update Standalone Installer. They differ widely between Windows 10 and 11. TLDR version: it’s pretty easy to extract a usable .cab file from Windows 10 .msu from Microsoft Catalog downloads. For Windows 11 .msu, it’s not. That’s why I observe that DISM /Add-Packages loses Windows 11 mojo. Let me now explain…

Why Say: DISM /Add-Packages Loses Windows 11 Mojo

The contents of .msu files for Windows 10 versus 11 updates reveal some stark differences. For recent such updates I chose KB5066791 for Windows 10, and KB5067036 for 11.

Turns out you can open .msu files in 7-Zip to examine their contents. The two files couldn’t be more different internally. The latest 10 update includes 5 files and is just over 700MB in size. The latest 11 update includes over 100K files and comes in at just under 3.5 GB.

The really big difference is that DISM /Add-package /online (the incarnation of that command that permits working on a running Windows image) REQUIRES a .cab file to do its job. Simply put: Windows 10 makes that easy to find, extract, and use; Windows 11 makes it pretty much impossible.

Where the Mojo Went…

That means you can use DISM /Add-Package on Windows 10 to apply updates to a running image, when Windows Update isn’t working or something goes sideways with some particular update. But if you want to use DISM to add a package to a running Windows 11 image, you must take that image offline, apply the update, then bring the image back online.

The net effect is that a quick and handy alternate update technique that works fine for Windows 10, turns into a slow and cumbersome slog for Windows 11. Better to try something else, instead. I’m sorry to lose a helpful tool from my Windows fixes and workarounds toolbox, but that’s the way progress sometimes works in Windows-World.
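As an added example (not from the original post), here is the Windows 10 path the post describes, scripted in PowerShell: pull the payload .cab out of the Catalog .msu with expand.exe and hand it to DISM /Online. The download folder, the .msu file name and the “largest non-WSUSSCAN .cab is the payload” rule are my assumptions; the KB numbers are the ones from the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply a Windows 10 cumulative update
# to the running image with DISM, using the .cab extracted from a Catalog .msu.
# Assumed: the .msu was downloaded to C:\Updates and carries the usual Catalog name.
$msu  = 'C:\Updates\windows10.0-kb5066791-x64.msu'   # KB from the post; file name assumed
$work = 'C:\Updates\kb5066791'
New-Item -ItemType Directory -Force -Path $work | Out-Null

# expand.exe unpacks the .msu container (the same handful of files 7-Zip shows)
expand.exe '-F:*' $msu $work | Out-Null

# The payload is the large Windows10.0-KB*.cab; WSUSSCAN.cab is only detection metadata
$cab = Get-ChildItem $work -Filter '*.cab' |
       Where-Object Name -notmatch '^WSUSSCAN' |
       Sort-Object Length -Descending | Select-Object -First 1
if (-not $cab) {
    throw "No payload .cab found in $work. This is the Windows 11 case: service the image offline instead."
}

# Apply to the running image; /NoRestart so the reboot happens when you choose.
# DISM returns 3010 when the package went in but a restart is still required.
dism.exe /Online /Add-Package "/PackagePath:$($cab.FullName)" /NoRestart
if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
    throw "DISM failed with exit code $LASTEXITCODE"
}

# Windows 11 counterpart (run from WinRE/WinPE with the installed OS on D: and the
# update on a USB stick at E:, both assumed): offline servicing accepts the .msu directly.
# dism.exe /Image:D:\ /Add-Package /PackagePath:E:\windows11.0-kb5067036-x64.msu
```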


Update Gotcha Highlights BitLocker Key Backup

Recent updates have triggered news and warnings that some PCs will request a BitLocker key upon restart. Reports from Windows Latest and Neowin confirm that KB5066835 (Win11) and KB5066791 (Win10) trigger such behavior for Windows Enterprise and Microsoft 365 Business editions. Apparently, as Copilot says of this issue “Intel-based PCs with Modern Standby are most susceptible.” But this update gotcha highlights BitLocker key backup and recovery techniques for all Windows users. Let me tell you about that…

New Update Gotcha Highlights BitLocker Key Backup and Recovery

The easiest way to back up and use a BitLocker recovery key is to type BitLocker into Settings, then select the resulting “Manage BitLocker” item that pops up. This takes you to the Control Panel pane for BitLocker Drive Encryption shown above, where you can click the entry labeled “Back up your recovery key.”

Resulting options read:

  • Save to your Microsoft account
  • Save to a USB flash drive
  • Save to a file
  • Print the recovery key

As something of a belt-and-suspenders guy, I usually save to a file named <machine-name>blrk.txt AND I print a copy that I stick in a folder in my filing cabinet labeled “PC Recovery Stuff.” Saving to a file means that loss of access to its drives and backups could stymie recovery in some circumstances, so I like to have the hard copy as a fallback.

Of course, you can also register your PCs into your MSA (Microsoft Account) and get it online as well. The URL for that specific purpose is https://account.microsoft.com/devices/recoverykey. I’ve pretty much got that memorized because I do use it multiple times a year, every year, like clockwork.

Here in Windows-World, if you use BitLocker it’s wise to ensure you can access the recovery key when and as you need it. The techniques I’ve described will get you where you need to go, should that need arise. Cheers!
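The “save to a file” option above can also be scripted, which is handy when there are several PCs to cover. As an added example (not from the original post), this PowerShell script writes every numerical recovery password on the machine to a file named <machine-name>blrk.txt, the post’s naming convention, and warns about any protected volume that has no recovery password at all; the destination folder is an assumption, and the cmdlets are the built-in BitLocker module’s.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): back up every BitLocker recovery
# password on this PC to <machine-name>blrk.txt. Write it somewhere that is NOT
# one of the encrypted drives (removable media is assumed here) so the file is
# still readable when the PC asks for the key.
$target = Join-Path 'E:\PCRecoveryStuff' ('{0}blrk.txt' -f $env:COMPUTERNAME)   # folder assumed
$lines  = @("BitLocker recovery keys for $env:COMPUTERNAME, saved $(Get-Date -Format 'yyyy-MM-dd HH:mm')")

foreach ($vol in Get-BitLockerVolume) {
    # Only volumes that carry a numerical recovery password have something to back up
    $rp = @($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    if ($rp.Count -eq 0) {
        if ($vol.ProtectionStatus -eq 'On') {
            # Protected, but nothing to type at the recovery screen: fix this before an update bites
            Write-Warning "$($vol.MountPoint) is protected but has NO recovery password protector."
        }
        continue
    }
    foreach ($p in $rp) {
        # The protector ID is what the blue recovery screen shows, so keep it beside the 48 digits
        $lines += 'Drive {0}  Identifier {1}  Recovery Key {2}' -f $vol.MountPoint, $p.KeyProtectorId, $p.RecoveryPassword
    }
}

New-Item -ItemType Directory -Force -Path (Split-Path $target) | Out-Null
Set-Content -Path $target -Value $lines -Encoding UTF8
Write-Host "Saved $($lines.Count - 1) recovery password(s) to $target"
```

Print that file or move it off the machine afterwards; a recovery key sitting only on a drive it unlocks is the exact failure the post’s hard-copy habit guards against.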


PowerToys Fixes Random Light Switch Toggle

Just over a week ago, the PowerToys dev team dropped v.0.95.0. Highly touted amidst its new features: a Light Switch toy, which defines the default key combo Winkey-Ctrl-Shift-D to toggle Windows desktops from light to dark mode, or vice-versa. It’s also turned on by default. As I couldn’t help but notice after that, my PC(s) started toggling between light and dark mode with no help from me. Yesterday, the team dropped a new version: 0.95.1. It’s really worth installing because in that release, PowerToys fixes random Light Switch toggle behavior. I’m glad!

Why PowerToys Fixes Random Light Switch Toggle

PowerToys are supposed to work according to the user’s direction, not on their own recognizance. It’s a little disconcerting to be plugging away on one’s desktop and have the mode change whenever it feels like it. The timing was interesting, too: sometimes, it might happen once or twice a day. Sometimes, it would switch back and forth every 30 to 90 seconds. Disconcerting!

It’s easy enough to switch back if this happens to you. Fortunately, the key combo is quick: it’s close together and easy to enter. But better to avoid spontaneous mode switching if at all possible. That’s why I’m delighted to see an update that addresses such behavior sooner rather than later.

What the Release Notes Say…

The first Highlights entry is ALL about Light Switch. It lists 6 different fixes including: turning off enabled by default, not allowing sunset calculations to over-ride Manual time schedule, and renaming “Manual” to “Fixed Hours” mode. There’s even a new off mode that disables the switchover schedule but keeps the key combo working. Here is the new control pane for Light Switch:

I’ve already turned scheduling off because I don’t switch modes by time of day. If you use PowerToys you’ll want to update to v0.95.1. I’m glad to see this fix so soon, because it was a little disturbing.

But hey! “A little disturbing” describes a pretty familiar feeling — for me, at least — here in Windows-World. How ’bout you?


Enduring Windows 10 Hangover

It’s interesting and perhaps a bit puzzling. For “compatibility reasons” — some having to do with browsing the Web — Windows 11 has long reported itself as a kind of Windows 10. Indeed, one must examine Build numbers, mostly, to figure out which version of Windows is really driving the bus. To see this enduring Windows 10 hangover try this string in PowerShell:

[System.Environment]::OSVersion.Version

You can, of course, get the real skinny by running winver.exe, or a more nuanced Get-ItemProperty command in PowerShell:

Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | Select-Object DisplayVersion, EditionID, CurrentBuild

You can see the results of these two commands in this blog post’s lead-in graphic. It still shows my production Windows 11 PC (Build 26200) with a Major version number of “10,” while the Get-ItemProperty output shows the “real deal” on this machine.

Will Enduring Windows 10 Hangover Get Fixed?

Now that Windows 10 is past its End of Service date, will MS fix this strange reporting practice? Probably not. There are reasons upon reasons why this reporting quirk is likely to remain unaltered.

The whole compatibility thing is HUGE: lots of driver models, apps and applications, and enterprise tools assume that Windows 10 is the end-all and be-all for modern Windows versions. Indeed, it’s much, much more than a browser user-agent assumption. According to Copilot, “enterprise environments rely on registry keys such as ProductName and ReleaseId for automation,” so “those keys are often left untouched in Insider Builds to avoid disrupting telemetry and deployment pipelines.”

Hence the following, also from PowerShell using this command sequence:

Get-ComputerInfo | Select-Object WindowsProductName, WindowsVersion, OsBuildNumber

Notice that my Production Win11 system reports in this command as Windows 10 Pro, version 2009, with correct build number.
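As an added example (not from the original post), the three lookups used above can be folded into one PowerShell function that puts the reported and the actual version side by side; the 22000 build cutoff is the first Windows 11 release build, and the function name is my own.

```powershell
# Added example (not from the original post): show the Windows 10 "hangover" and the
# real version in one object. Everything reported comes from OSVersion and the same
# CurrentVersion registry key the post queries; only the 22000 cutoff is added.
function Get-RealWindowsVersion {
    $os    = [System.Environment]::OSVersion.Version     # Major stays 10 on Windows 11
    $reg   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$reg.CurrentBuild                      # the field that really tells 10 from 11
    [pscustomobject]@{
        ReportedVersion = $os.ToString()                 # what compatibility-minded code sees
        RegistryProduct = $reg.ProductName               # still reads "Windows 10 ..." on 11
        DisplayVersion  = $reg.DisplayVersion            # the yyH2-style label winver shows
        Build           = '{0}.{1}' -f $build, $reg.UBR  # build plus update revision
        ActualProduct   = $(if ($build -ge 22000) { 'Windows 11' } else { 'Windows 10' })
    }
}

Get-RealWindowsVersion | Format-List
```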

At least, I now know why this apparent misreporting occurs, and understand that it’s for good cause. Here in Windows-World there are plenty of apparent mysteries whose simple explanations lie in the many twists and turns in Windows history. This is one of those, I reckon.
