From Newsgroup: alt.comp.os.windows-11

Imagine following all the Micro$oft rule$, setting up your computer,
creating a Micro$oft account and configuraing your computer to be "safe"
with UEFI and "Secure Boot".

Except the certificate expires in June 2026 and it won't boot after that.

If your computer has no entitlement, it cannot get the updated certificate
and you are shit out of luck.

Anything 2023 forward supposedly is okay and will get updates. Before
that? Tough.

What if it doesn't? All your boots are belong to us data recovery
companies.
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/18/2026 9:30 PM, anon wrote:

Imagine following all the Micro$oft rule$, setting up your computer,
creating a Micro$oft account and configuraing your computer to be "safe"
with UEFI and "Secure Boot".

Except the certificate expires in June 2026 and it won't boot after that.

If your computer has no entitlement, it cannot get the updated certificate and you are shit out of luck.

Anything 2023 forward supposedly is okay and will get updates. Before
that? Tough.

What if it doesn't? All your boots are belong to us data recovery
companies.

If this is true then there will be lawsuits. Many lawsuits.

Lynn

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

I don't use Secured Boot...

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog <https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856>
--

@~@ Simplicity is Beauty! Remain silent! Drink, Blink, Stretch!
/ v \ May the Force and farces be with you! Live long and prosper!!
/( _ )\ https://sites.google.com/site/changmw/
^ ^ https://github.com/changmw/changmw
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 05/19/2026 12:20 AM, Lynn McGuire wrote:

On 5/18/2026 9:30 PM, anon wrote:

Imagine following all the Micro$oft rule$, setting up your computer,
creating a Micro$oft account and configuraing your computer to be "safe"
with UEFI and "Secure Boot".

Except the certificate expires in June 2026 and it won't boot after that.

If your computer has no entitlement, it cannot get the updated
certificate
and you are shit out of luck.

Anything 2023 forward supposedly is okay and will get updates.  Before
that?  Tough.

What if it doesn't?  All your boots are belong to us data recovery
companies.

If this is true then there will be lawsuits.   Many lawsuits.

Lynn

Most misunderstand the impact of not updating or not having the option
to update with the 2023 certs(to replace the expiring 2011 certs)


Unless prepared, physical devices and VMs will:

Lose the ability to install Secure Boot security updates after June 2026.
Not trust third-party software signed with new certificates after June 2026. Not receive security fixes for Windows Boot Manager by October 2026.
</qp>

It's important to understand where the term 'boot' actually applies.
--
...w¡ñ§±¤ñ
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

In article <20260519.033010.5beadf0b@mixmin.net>, noreply@mixmin.net
says...

Imagine following all the Micro$oft rule$, setting up your computer, >creating a Micro$oft account and configuraing your computer to be "safe" >with UEFI and "Secure Boot".

Except the certificate expires in June 2026 and it won't boot after that.

If your computer has no entitlement, it cannot get the updated certificate >and you are shit out of luck.

Anything 2023 forward supposedly is okay and will get updates. Before
that? Tough.

What if it doesn't? All your boots are belong to us data recovery
companies.

I asked CoPilot the following question:


**Prompt
I understand that Windows 10 computers will need their secure boot certificates updated soon. I've checked all the computers I have
running Windows 10 (all enrolled in Extended Security Updates) and all
are already updated. But if a friend has a Windows 10 computer which is
not enrolled in ESU, and they do nothing, will their computer suddenly
cease to boot? And if so, what can they do about it?

**Response**

Short answer: No ? your friend?s PC will not suddenly stop booting. But
it will gradually become less secure and may eventually run into edge-
case issues.

Here?s the full picture.

What actually happens in June 2026:

Microsoft?s original Secure Boot certificates (from 2011) start expiring
in June 2026. These are used very early in the boot process to verify
trusted code.

If a machine does not receive the new 2023 certificates, then:

* It will still boot normally
* Windows will still run
* It will lose the ability to receive future Secure Boot / boot-chain
security protections
* Its security will gradually degrade over time

Microsoft explicitly states that systems without the update will
continue to start and operate normally, but will not receive new
protections for the early boot process.

Multiple sources confirm this is not a ?PC stops working? situation ?
the system keeps running, but becomes less secure.

What?s different for Windows 10 without ESU:

* Windows 10 support ended in October 2025
* Only systems enrolled in Extended Security Updates (ESU) continue
receiving updates
* The new Secure Boot certificates are delivered via Windows Update

Therefore:
A Windows 10 PC without ESU will not receive the updated certificates automatically.

Such systems will:

* Keep using the old (expiring) certificates
* Miss future Secure Boot improvements permanently

Does anything actually break?

For most users, nothing obvious happens immediately.

However, over time:

1. Security becomes weaker
The system cannot receive updates to bootloader trust or protections against new low-level threats.

2. Some features or scenarios may be affected
For example:
* BitLocker behaviour or protections
* Some third-party boot tools or components
* Future fixes to boot-level vulnerabilities

3. Rare edge-case issues can occur
In unusual cases (e.g. firmware or update problems), there could be:
* Boot validation warnings
* Recovery prompts
* Startup issues

These are not expected for most users, but are possible.

So will the PC suddenly stop booting?

No.

There is no hard cutoff or ?deadline? where systems suddenly fail. This
is not like Y2K.

A better way to think of it:
The PC continues working, but is effectively frozen at its current level
of boot security.

What can your friend do?

If they are running Windows 10 without ESU, the realistic options are:

1. Upgrade to Windows 11 (best option, if hardware supports it)
This ensures continued updates and automatic certificate updates.

2. Enrol in ESU (if still available)
This is the only supported way to stay on Windows 10 and receive the
new certificates.

3. Replace the device
This may be necessary for older, unsupported hardware.

4. Try manual or advanced fixes
* Install firmware (BIOS/UEFI) updates from the manufacturer
* Attempt manual Secure Boot certificate updates
These are more complex and not guaranteed.

5. Do nothing
The PC will keep working, but with increasing security risk over
time.

Bottom line:

* The PC will not suddenly fail to boot
* Unsupported Windows 10 systems will gradually fall behind
* The real issue is long-term security, not immediate usability

***
--
--
Phil, London
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 19 May 2026 11:44:14 +0100, Philip Herlihy wrote:

I asked CoPilot

<sigh>
--
s|b
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 19 May 2026 13:48:30 +0800, Mr. Man-wai Chang wrote:

I don't use Secured Boot...

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog <https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856>

"act now" and do what exactly?
--
s|b
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 19 May 2026 13:48:30 +0800, Mr. Man-wai Chang wrote:

I don't use Secured Boot...

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog <https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856>

Is it possible to disable Secure Boot and still keep Secure Boot installed Windows bootable?
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 05/19/2026 8:40 AM, s|b wrote:

On Tue, 19 May 2026 11:44:14 +0100, Philip Herlihy wrote:

I asked CoPilot

<sigh>

Philip's reply included all the relevant information.
AI/Copilot as the source/content is not the issue - it was accurate.

His closing comments(Bottom line) still apply and are consistent with
MSFT response.

MSFT:


Unless prepared, physical devices and VMs will:

Lose the ability to install Secure Boot security updates after June 2026.
Not trust third-party software signed with new certificates after June 2026. Not receive security fixes for Windows Boot Manager by October 2026.
</qp>

Philip's:

Bottom line:

* The PC will not suddenly fail to boot
* Unsupported Windows 10 systems will gradually fall behind
* The real issue is long-term security, not immediate usability
</qp>
--
...w¡ñ§±¤ñ
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 9:37 PM, JJ wrote:

Is it possible to disable Secure Boot and still keep Secure Boot installed Windows bootable?

I don't use it. I wish it has an "emergence boot" option like mobile
phones. BUT... that will defeat the purpose of SECURED boot! :)
--

@~@ Simplicity is Beauty! Remain silent! Drink, Blink, Stretch!
/ v \ May the Force and farces be with you! Live long and prosper!!
/( _ )\ https://sites.google.com/site/changmw/
^ ^ https://github.com/changmw/changmw
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 9:02 PM, s|b wrote:

"act now" and do what exactly?

For website, you just need to renew the certificate, which is stamped
with a new expiration date. :)
--

@~@ Simplicity is Beauty! Remain silent! Drink, Blink, Stretch!
/ v \ May the Force and farces be with you! Live long and prosper!!
/( _ )\ https://sites.google.com/site/changmw/
^ ^ https://github.com/changmw/changmw
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 19 May 2026 22:48:36 +0800, Mr. Man-wai Chang wrote:

"act now" and do what exactly?

For website, you just need to renew the certificate, which is stamped
with a new expiration date. :)

According to Le Chat (AI) Windows Updates will take care of it, but I
don't know if it's hallucinating or telling the truth.
--
s|b
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 19 May 2026 10:31:05 -0400, ....winston wrote:

Philip's reply included all the relevant information.
AI/Copilot as the source/content is not the issue - it was accurate.

Well, I'm not going through a whole AI produced word salad. KISS and all that...
--
s|b
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 05/19/2026 9:37 AM, JJ wrote:

On Tue, 19 May 2026 13:48:30 +0800, Mr. Man-wai Chang wrote:

I don't use Secured Boot...

Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog >> <https://techcommunity.microsoft.com/blog/windows-itpro-blog/act-now-secure-boot-certificates-expire-in-june-2026/4426856>

Is it possible to disable Secure Boot and still keep Secure Boot installed Windows bootable?

Yes. Disabling secure boot only impacts the verification of the
bootloader security cert. It does not impact Windows booting.
The UEFI/BIOS(the system partition)loads the bootloader files, then
passes control to Windows(the boot partition) to to ***Boot*** the device.

Note: The experience can be different when using a Surface. The initial
screen may be 'red'(indicating Secure Boot is off, i.e. a warning) and
require a selection to continue and pass control to Windows to finish
the boot process.
--
...w¡ñ§±¤ñ
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 05/19/2026 10:53 AM, s|b wrote:

On Tue, 19 May 2026 22:48:36 +0800, Mr. Man-wai Chang wrote:

"act now" and do what exactly?

For website, you just need to renew the certificate, which is stamped
with a new expiration date. :)

According to Le Chat (AI) Windows Updates will take care of it, but I
don't know if it's hallucinating or telling the truth.

Secure Boot Troubleshooting Guide <https://support.microsoft.com/en-us/topic/secure-boot-troubleshooting-guide-5d1bf6b4-7972-455a-a421-0184f1e1ed7d#bkmk_secure_boot_update_scheduled_task>

Secure Boot Certs
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
-match 'Windows UEFI CA 2023')
- If this command returns “true,” then your PC is using the new certificate
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI
dbdefault).bytes) -match 'Windows UEFI CA 2023')
- If this command returns “true,” your system is running an updated
BIOS with the new Secure Boot certificates built in.
Older PCs and systems without a BIOS update installed will return “false” here.

Instead of Windows Update:
Manual(Force Update)
Set-ItemProperty -Path
“HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot” -Name “AvailableUpdates” -Value 0x40

Start-ScheduledTask -TaskName “\Microsoft\Windows\PI\Secure-Boot-Update”

After you run the commands, you have to restart your PC twice for the
update to take effect.
--
...w¡ñ§±¤ñ
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 5/19/2026 8:40 AM, s|b wrote:

On Tue, 19 May 2026 11:44:14 +0100, Philip Herlihy wrote:

I asked CoPilot

<sigh>

One 18 page document on Secure Boot, lists as one objective
that the device not be bricked. The device is allowed to retry
the defective transaction [snicker], or to try to boot from
another boot device [snicker], but that's kinda the definition
of insanity. There's no reason to believe (on average)
that for the machine, life is a box of chocolates. There might
easily only be one boot device, and a failure to move forward
is effectively brickage.

As for device failure, the BIOS firmware can always be wrong.
An early UEFI failure, was mishandling of the 4MB NVRAM
(BIOS NOR Flash chip). The code had no compaction function,
or handing of when the 4MB storage area was full of boot paths.
A firmware update fixed that, for some of the affected customers.

I've seen red text on the screen, and a failure to go further.

But a general search on the topic, I can't really find an
outline that lists all the possible outcomes (things
you can see printed on the screen regarding PCR7 or whatever).
Linux has its "Something Is Seriously Wrong" message, as
an additional joke.

If we're expected, as customers, to deal with the situation,
we're expected to "research it, on the spot, as the situation
arises". The user manual for the product, doesn't exactly waste
any words on "what could happen".

And even on machines with Secure Boot disabled, I can still be
presented with text regarding Secure Boot, so it's not like this
crap shuts up even when "off". Ubuntu can still be attempting
to use MOKutil on machines where there is no possible good
outcome from doing so (machine has no TPM, machine has UEFI,
Secure Boot is off, modifying db/dbx can do absolutely nothing
in terms of machine state particularly).

Paul

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 11:02 AM, Paul wrote:

One 18 page document on Secure Boot, lists as one objective
that the device not be bricked. The device is allowed to retry
the defective transaction [snicker], or to try to boot from
another boot device [snicker], but that's kinda the definition
of insanity. There's no reason to believe (on average)
that for the machine, life is a box of chocolates. There might
easily only be one boot device, and a failure to move forward
is effectively brickage.

So this morning I again checked the event viewer and the secure boot
update still is failing. So I went back to the HP site and checked
again for a new BIOS. It reports I am on the latest version, nothing to
see here.

Do you think they are trying to address this issue across HP computers,
or are we all gonna be screwed one morning?
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 2026/5/19 15:55:2, s|b wrote:

On Tue, 19 May 2026 10:31:05 -0400, ....winston wrote:

Philip's reply included all the relevant information.
AI/Copilot as the source/content is not the issue - it was accurate.

Well, I'm not going through a whole AI produced word salad. KISS and all that...

winston was not the only one who found what was said (a) useful (b) easy
to read. If you are determined to find otherwise, that's not our problem.

(No-one's saying believe everything AI says.)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

Quantum particles: the dreams that stuff is made of - David Moser
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

Paul <nospam@needed.invalid> wrote:

On Tue, 5/19/2026 8:40 AM, s|b wrote:

On Tue, 19 May 2026 11:44:14 +0100, Philip Herlihy wrote:

I asked CoPilot

<sigh>

One 18 page document on Secure Boot, lists as one objective
that the device not be bricked. The device is allowed to retry
the defective transaction [snicker], or to try to boot from
another boot device [snicker], but that's kinda the definition
of insanity. There's no reason to believe (on average)
that for the machine, life is a box of chocolates. There might
easily only be one boot device, and a failure to move forward
is effectively brickage.

The 'bricking' thing is AFAICT all FUD, urban legend, etc., but no
substance whatsoever.

The 'Secure boot' part of 'Device security' of 'Windows Security' has
a 'Learn more' link which points to this:

'Windows Secure Boot certificate expiration and CA updates' <https://support.microsoft.com/en-gb/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e>

If you look at the 'Secure Boot FAQ' of that document

'General Secure Boot FAQ' <https://support.microsoft.com/en-gb/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818>

specifically at

'Q1: What happens if my device doesn't get the new Secure Boot
certificates before the okld ones expire?'

and

'Q9: What is the difference between firmware updates and Windows updates
when applying Secure Boot certificates?'

there's no issue of no longer booting, let alone 'bricking'!

The only possible issue is that the Secure Boot process itself becomes less/non *secure*, *not* non-functioning.

But read what it says and judge for yourself.

[...]
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 11:02 AM, Paul wrote:

One 18 page document on Secure Boot, lists as one objective
that the device not be bricked. The device is allowed to retry
the defective transaction [snicker], or to try to boot from
another boot device [snicker], but that's kinda the definition
of insanity. There's no reason to believe (on average)
that for the machine, life is a box of chocolates. There might
easily only be one boot device, and a failure to move forward
is effectively brickage.

So this morning I again checked the event viewer and the secure boot
update still is failing. So I went back to the HP site and checked
again for a new BIOS. It reports I am on the latest version, nothing to
see here.

Do you think they are trying to address this issue across HP computers,
or are we all gonna be screwed one morning?

As to the HP BIOS issue: I have an HP laptop with a rather old BIOS
("AMI F.07, 04/07/2023" according to System Information) and the 'Secure
boot' part of 'Device security' of 'Windows Security' says I'm fine:

"<power icon with green tick-mark> Secure boot

Secure Boot is on and all required certificate
updates have been applied. No further
certificate changes are needed."

What does it say for you?

As to "are we all gonna be screwed one morning?", see my upcoming
response to Paul.
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 19/05/2026 17:30, sticks wrote:

Do you think they are trying to address this issue across HP computers,
or are we all gonna be screwed one morning?

This problem can be solved by purchasing a new HP or DELL machine,
especially since it has been causing many people considerable sleep disruption! on these newsgroups not to mention blog writers.



--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 5/19/2026 1:52 PM, Frank Slootweg wrote:

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 11:02 AM, Paul wrote:

One 18 page document on Secure Boot, lists as one objective
that the device not be bricked. The device is allowed to retry
the defective transaction [snicker], or to try to boot from
another boot device [snicker], but that's kinda the definition
of insanity. There's no reason to believe (on average)
that for the machine, life is a box of chocolates. There might
easily only be one boot device, and a failure to move forward
is effectively brickage.

So this morning I again checked the event viewer and the secure boot
update still is failing. So I went back to the HP site and checked
again for a new BIOS. It reports I am on the latest version, nothing to
see here.

Do you think they are trying to address this issue across HP computers,
or are we all gonna be screwed one morning?

As to the HP BIOS issue: I have an HP laptop with a rather old BIOS
("AMI F.07, 04/07/2023" according to System Information) and the 'Secure boot' part of 'Device security' of 'Windows Security' says I'm fine:

"<power icon with green tick-mark> Secure boot

Secure Boot is on and all required certificate
updates have been applied. No further
certificate changes are needed."

What does it say for you?

As to "are we all gonna be screwed one morning?", see my upcoming
response to Paul.

Here is a picture, of machines in the room and their status.

[Picture] Secure-Boot-Status.gif

https://postimg.cc/5QdMf1tj

https://imgur.com/a/hhTjzYN

The top machine is supposed to be a relative model citizen.
The Asus motherboard has no TPM header pins, so you have
to be satisfied with the fTPM implementation. The BIOS
has a setting to "enable" a physical TPM... which cannot be
connected.

The middle machine is used for a lot of "older machine" emulations,
the unfortunate user who is satisfied with their older kit but
the OSes march on, leaving them behind. It's running 25H2.
No TPM. No Secure Boot. Messages on screen, to match.

The bottom machine is the daily driver. It has a Physical TPM
which is enabled, but it is not Secure Booted.

And this is intended to give the room a "variety" of configs
for screenshot purposes.

And the model citizen, has booted both Ubuntu and Windows,
and Ubuntu likes to screw around with things, and that's
why the PCR7 messages are no longer perfect on the machine.
It still boots OK, but there's a message there I should be
reading (which requires me to shoot video of the screen).
Ubuntu screws around with dbx, in support of its "signed shim".
Not that long ago, it was blowing some red text "Something
Is Seriously Wrong" dialogs :-) That's why, getting a green
status in the Windows interface, is kinda comical, as there
might be some "details" involved. But as of right now,
it's OK I guess.

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 5/19/2026 2:00 PM, John Smith wrote:

On 19/05/2026 17:30, sticks wrote:

Do you think they are trying to address this issue across HP computers,
or are we all gonna be screwed one morning?

This problem can be solved by purchasing a new HP or DELL machine, especially since it has been causing many people considerable sleep disruption! on these newsgroups not to mention blog writers.

I can attest to the topic being "annoying".

As much fun as Reagentc.

If it's one thing I hate, it is OSes
screwing around with BIOS/machine hardware
materials, in a non-obvious way. You get the
feeling most of the time that "no one cares".
That's the best part. I presume telemetry
is reporting somewhat what is going on.

For example, Ubuntu keeps attempting to
write to the 4930K mok/db/dbx etc, when
the machine has no TPM, and there is not
the remotest chance in the world the
machine will ever Secure Boot. Asus refused
to make a TPM2 module for it, simply because
the BIOS code does not support TPM2 modules.

Paul


--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 12:52 PM, Frank Slootweg wrote:

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 11:02 AM, Paul wrote:

One 18 page document on Secure Boot, lists as one objective
that the device not be bricked. The device is allowed to retry
the defective transaction [snicker], or to try to boot from
another boot device [snicker], but that's kinda the definition
of insanity. There's no reason to believe (on average)
that for the machine, life is a box of chocolates. There might
easily only be one boot device, and a failure to move forward
is effectively brickage.

So this morning I again checked the event viewer and the secure boot
update still is failing. So I went back to the HP site and checked
again for a new BIOS. It reports I am on the latest version, nothing to
see here.

Do you think they are trying to address this issue across HP computers,
or are we all gonna be screwed one morning?

As to the HP BIOS issue: I have an HP laptop with a rather old BIOS
("AMI F.07, 04/07/2023" according to System Information) and the 'Secure boot' part of 'Device security' of 'Windows Security' says I'm fine:

"<power icon with green tick-mark> Secure boot

Secure Boot is on and all required certificate
updates have been applied. No further
certificate changes are needed."

What does it say for you?

Well that is interesting. It says the same things for me.
I went back just now and looked and about 6 hours ago I got the same
TPM-WMI Error in event viewer with the red exclamation point "The Secure
Boot update failed to update SBAT with error Unknown HResult Error code:0x800700c1

Searching on this seems to show it is unable to write correctly to the blocklist of untrusted boot files. Suggests changing some bios secure
boot key settings, and then running SFC /scannow. That all not too
difficult and I think I might just try it out on this machine to see if
it makes any difference.

It appears to me all this means that yeah it'll work and startup, you
just don't get all the right things for it to check for malicious actors.

Thanks
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 4:07 PM, sticks wrote:

Searching on this seems to show it is unable to write correctly to the blocklist of untrusted boot files.  Suggests changing some bios secure
boot key settings, and then running SFC /scannow.  That all not too difficult and I think I might just try it out on this machine to see if
it makes any difference.

I went in and looked and the bios on this HP box does not have the
option available to change anything on the secure boot tab other than
turning it off. The only thing I saw was on the security tab, there is
an option "restore security settings to factory defaults." I didn't do
that.

It said TPM would be cleared as an example. Wonder if it would change
any settings on secure boot?
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11



On 5/19/2026 4:43 PM, sticks wrote:

On 5/19/2026 4:07 PM, sticks wrote:

Searching on this seems to show it is unable to write correctly to the
blocklist of untrusted boot files.  Suggests changing some bios secure
boot key settings, and then running SFC /scannow.  That all not too
difficult and I think I might just try it out on this machine to see
if it makes any difference.

I went in and looked and the bios on this HP box does not have the
option available to change anything on the secure boot tab other than turning it off.  The only thing I saw was on the security tab, there is
an option "restore security settings to factory defaults."  I didn't do that.

It said TPM would be cleared as an example.  Wonder if it would change
any settings on secure boot?

Well I'll be damned. I then did a SFC /scannow and it did find some
errors and fixed them. Rebooted. Went into the event viewer and
instead of the FPM-WMI error it had 4 entries. A pre-attestation check,
a confirmation it is expected to pass attestation, TBS device identifier
has been generated, and finally "The TPM was successfully provisioned
and is now ready for use."

We'll see if it error faults again.
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 19 May 2026 11:44:14 +0100, Philip Herlihy wrote:

I asked CoPilot the following question:

**Prompt
I understand that Windows 10 computers will need their secure boot certificates updated soon. I've checked all the computers I have
running Windows 10 (all enrolled in Extended Security Updates) and all
are already updated. But if a friend has a Windows 10 computer which is
not enrolled in ESU, and they do nothing, will their computer suddenly
cease to boot? And if so, what can they do about it?

**Response**

[snip]

Bottom line:

* The PC will not suddenly fail to boot
* Unsupported Windows 10 systems will gradually fall behind
* The real issue is long-term security, not immediate usability

We know there's about a 10% chance that any given answer is wrong.
What we don't know, and can't know, is whether any given response,
including this one, is one of the 90% correct or the 10%
hallucinations (which, after all, sounds better than "lies").
--
"The power of accurate observation is frequently called cynicism by
those who don't have it." --George Bernard Shaw
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 5/19/2026 5:07 PM, sticks wrote:

On 5/19/2026 12:52 PM, Frank Slootweg wrote:

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 11:02 AM, Paul wrote:

One 18 page document on Secure Boot, lists as one objective
that the device not be bricked. The device is allowed to retry
the defective transaction [snicker], or to try to boot from
another boot device [snicker], but that's kinda the definition
of insanity. There's no reason to believe (on average)
that for the machine, life is a box of chocolates. There might
easily only be one boot device, and a failure to move forward
is effectively brickage.

So this morning I again checked the event viewer and the secure boot
update still is failing.  So I went back to the HP site and checked
again for a new BIOS.  It reports I am on the latest version, nothing to >>> see here.

Do you think they are trying to address this issue across HP computers,
or are we all gonna be screwed one morning?

   As to the HP BIOS issue: I have an HP laptop with a rather old BIOS
("AMI F.07, 04/07/2023" according to System Information) and the 'Secure
boot' part of 'Device security' of 'Windows Security' says I'm fine:

"<power icon with green tick-mark> Secure boot

  Secure Boot is on and all required certificate
  updates have been applied. No further
  certificate changes are needed."

   What does it say for you?

Well that is interesting.  It says the same things for me.
I went back just now and looked and about 6 hours ago I got the same TPM-WMI Error in event viewer with the red exclamation point "The Secure Boot update failed to update SBAT with error Unknown HResult Error code:0x800700c1

Searching on this seems to show it is unable to write correctly to the blocklist of untrusted boot files.  Suggests changing some bios secure boot key settings, and then running SFC /scannow.  That all not too difficult and I think I might just try it out on this machine to see if it makes any difference.

It appears to me all this means that yeah it'll work and startup, you just don't get all the right things for it to check for malicious actors.

Thanks

The 0x800700c1 error code is "ERROR_BAD_EXE_FORMAT" in err_6.4.5.exe tool.

This would be the HP then.

https://techcommunity.microsoft.com/event/windowsevents/ask-microsoft-anything-secure-boot---march-2026/4496004/comments/4507907

AvailableUpdates: 0x0400 (only SBAT bit remains) But it is not part of 0x5944 either. 0101 1001 0100 0100
^
|
4 0 0
This could be a side effect of an exposure to Ubuntu on the machine.

The definition of that is:

0x0400 Apply Secure Boot Advanced Targeting (SBAT) update to the firmware.

SBAT is explained here. This sounds a lot like a dual boot, Linux (shim) side effect of some sort.
But I don't know where it is stored (in UEFI), or how this is "executed".

https://github.com/rhboot/shim/blob/main/SBAT.md

*******

This is my Daily Driver, where Secure Boot is normally disabled.
This is "bad" (even though the green indicator is in the picture
I posted earlier!), because it appears this update process never
even started or attempted to start. My Daily Driver has occasional Linux SSDs connected, but not too often (because the machine does not have a lot of "attributes" I need for test).

DAILY DRIVER - NOT SECURE BOOTED

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
AvailableUpdates DWORD32 0x00000400 <=== Mine is 0x0, yours might be looping on SBAT
Servicing
(Default) REG_SZ (value not set)
BucketHash REG_SZ 1111111111111111111111111111111111111111111111111111111111111111
ConfidenceLevel REG_SZ High Confidence
ConfidenceUpdate Type REG_DWORD 0x00005944 (22852) <=== looks like I haven't started
DBXLastUpdateError REG_DWORD 0x80071149 (2147946825)
DBXLastUpdateErrorReason REG_SZ InstallerError
LastParsedBucketDataVersion REG_DWORD 0x0000000f (15)
UEFICA2023Status REG_SZ NotStarted
WindowsUEFICA2023Capable REG_DWORD 0x00000002 (2)

Definitions:

https://support.microsoft.com/en-au/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d

Whereas the Big Machine that has been assigned the task of being a Secure Boot donkey,
the registry looks quite different over there. It has an SBAT for example. And that was
likely the result of one too many exposures to Ubuntu.

BIG MACHINE - SECURE BOOTED

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
AvailableUpdates DWORD32 0x00000000 <=== Mine is 0x0, yours is SBAT
SBAT <=== DailyDriver doesn't have this secton (smells like Linux... support from MSFT?)
(Default) REG_SZ (value not set)
SbatLevel sbat,1,2024010900
shim,4
grub,3
grub.debian,4
UpdateStatus DWORD32 0x00000003

Servicing
(Default) REG_SZ (value not set)
BucketHash REG_SZ 90e9934e217f9e10dd42a7ccf9b5c843c16405fb475e9b4e9cffd21d4dfc56b1
ConfidenceLevel REG_SZ Under Observation - More Data Needed

ConfidenceUpdate Type REG_DWORD 0x00000000 (0)
LastParsedBucketDataVersion REG_DWORD 0x0000000c (12)
RebootRequested3POROMDB REG_DWORD 0x00000001 (1)
RebootRequested3PUEFICADB REG_DWORD 0x00000001 (1)
RebootRequestedKEK REG_DWORD 0x00000001 (1)
UEFICA2023Status REG_SZ Updated <=== Big-Machine-Secure-Booted...
WindowsUEFICA2023Capable REG_DWORD 0x00000002 (2)
DeviceAttributes
(Default) REG_SZ (value not set)
BaseBoardManufacturer REG_SZ ASUSTeK COMPUTER INC.
CanAttemptUpdateAfter REG_BINARY b0 2c 88 ef 2e 5d dc 01
FirmwareManufacturer REG_SZ American Megatrends Inc.
FirmwareReleaseDate REG_SZ 09/10/2025
FirmwareVersion REG_SZ 3634
OEMManufacturerName REG_SZ ASUS
OEMModelBaseBoard REG_SZ ROG STRIX B550-F GAMING WIFI II

State
(Default) REG_SZ (value not set)
PolicyPublisher REG_SZ {77fa9abd-0359-4d32-bd60-28f4e78f784b}
PolicyVersion REG_DWORD 0x00000001 (1)
UEFISecureBootEnabled REG_DWORD 0x00000001 (1)

Anyway, I'm exhausted from all the copy/paste. Gotta stop now.

Paul




--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 5:00 PM, sticks wrote:

On 5/19/2026 4:43 PM, sticks wrote:

On 5/19/2026 4:07 PM, sticks wrote:

Searching on this seems to show it is unable to write correctly to
the blocklist of untrusted boot files.  Suggests changing some bios
secure boot key settings, and then running SFC /scannow.  That all
not too difficult and I think I might just try it out on this machine
to see if it makes any difference.

I went in and looked and the bios on this HP box does not have the
option available to change anything on the secure boot tab other than
turning it off.  The only thing I saw was on the security tab, there
is an option "restore security settings to factory defaults."  I
didn't do that.

It said TPM would be cleared as an example.  Wonder if it would change
any settings on secure boot?

Well I'll be damned.  I then did a SFC /scannow and it did find some
errors and fixed them.  Rebooted.  Went into the event viewer and
instead of the FPM-WMI error it had 4 entries.  A pre-attestation check,
a confirmation it is expected to pass attestation, TBS device identifier
has been generated, and finally "The TPM was successfully provisioned
and is now ready for use."

We'll see if it error faults again.

Repeated this process on my other desktop that is a similar but not
identical HP and I'll be darned the SFC worked on that box too. Got the
same 4 event viewer entries of all now ready for use. The last machine
I have this problem with is a 6 month old laptop the warden, err wife,
uses. I'll try and pry her away from it long enough tomorrow to see if
it cures it on that machine too.
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 5/19/2026 8:46 PM, Stan Brown wrote:

On Tue, 19 May 2026 11:44:14 +0100, Philip Herlihy wrote:

I asked CoPilot the following question:


**Prompt
I understand that Windows 10 computers will need their secure boot
certificates updated soon. I've checked all the computers I have
running Windows 10 (all enrolled in Extended Security Updates) and all
are already updated. But if a friend has a Windows 10 computer which is
not enrolled in ESU, and they do nothing, will their computer suddenly
cease to boot? And if so, what can they do about it?

**Response**

[snip]

Bottom line:

* The PC will not suddenly fail to boot
* Unsupported Windows 10 systems will gradually fall behind
* The real issue is long-term security, not immediate usability

We know there's about a 10% chance that any given answer is wrong.
What we don't know, and can't know, is whether any given response,
including this one, is one of the 90% correct or the 10%
hallucinations (which, after all, sounds better than "lies").

Hallucinations is not technically correct.

An example of a hallucination, is counting the "R" in

s t r a w b e r r y
^ ^ ^

where the answer comes back as "2". By using simulated reasoning,
someone checked the summary text between runs, and the *question*
gets corrupted in memory, not the *answer*. The thing is, to the
best of my knowledge, *everything* in an LLM-AI is treated the
same. Nothing has priority. The question and answer are stored in
the same memory.

To make the wrong kind of module, do math, they turn up the
attention, the simulation temperature, and so on. This causes
both good things (sometimes, it manages to count items), and
bad things. There are better modules for math... but they're not free.

Whereas answering simple questions, doesn't fail exactly the same way.
Several of the bad results we've seen, are "marginal on training set".
To "catch" the LLM-AI telling a lie on purpose, you have to
flip it to "simulated reasoning" or "high reasoning" (two names
for similar things). Then, it is possible for the AI to look at
the history of answers as it "simulated" and discover it's
a sack of shit. It then writes a little text suggesting
where the answer it entirely made up from low-confidence
untrained parts of the matrix. It will say "I would be guessing
if I addressed this part of the question".

The machines would be better behaved... if they burned
about 10x the tokens they're using right now. That allows
a check for convergence. If reasoning cycles don't converge,
then the LLM-AI stands to make a frank admission about itself.

But the shoot-from-the-hip answers we get most of the time (one cycle),
do not receive the extra work. I thought there was some
sort of confidence interval on these things (like YOLO5 processing
an image and "looking for bears"), but I've seen no sign that
such a property is available.

Paul


--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 1:08 AM, ....winston wrote:

On 05/19/2026 12:20 AM, Lynn McGuire wrote:

On 5/18/2026 9:30 PM, anon wrote:

Imagine following all the Micro$oft rule$, setting up your computer,
creating a Micro$oft account and configuraing your computer to be "safe" >>> with UEFI and "Secure Boot".

Except the certificate expires in June 2026 and it won't boot after
that.

If your computer has no entitlement, it cannot get the updated
certificate
and you are shit out of luck.

Anything 2023 forward supposedly is okay and will get updates.  Before
that?  Tough.

What if it doesn't?  All your boots are belong to us data recovery
companies.

If this is true then there will be lawsuits.   Many lawsuits.

Lynn

Most misunderstand the impact of not updating or not having the option
to update with the 2023 certs(to replace the expiring 2011 certs)

Unless prepared, physical devices and VMs will:

Lose the ability to install Secure Boot security updates after June 2026.
Not trust third-party software signed with new certificates after June
2026.
Not receive security fixes for Windows Boot Manager by October 2026.
</qp>

It's important to understand where the term 'boot' actually applies.

Thanks !

Lynn
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Wed, 5/20/2026 12:06 AM, Lynn McGuire wrote:

On 5/19/2026 1:08 AM, ....winston wrote:

On 05/19/2026 12:20 AM, Lynn McGuire wrote:

On 5/18/2026 9:30 PM, anon wrote:

Imagine following all the Micro$oft rule$, setting up your computer,
creating a Micro$oft account and configuraing your computer to be "safe" >>>> with UEFI and "Secure Boot".

Except the certificate expires in June 2026 and it won't boot after that. >>>>
If your computer has no entitlement, it cannot get the updated certificate >>>> and you are shit out of luck.

Anything 2023 forward supposedly is okay and will get updates.  Before >>>> that?  Tough.

What if it doesn't?  All your boots are belong to us data recovery
companies.

If this is true then there will be lawsuits.   Many lawsuits.

Lynn

Most misunderstand the impact of not updating or not having the option to update with the 2023 certs(to replace the expiring 2011 certs)

<qp>
Unless prepared, physical devices and VMs will:

Lose the ability to install Secure Boot security updates after June 2026.
Not trust third-party software signed with new certificates after June 2026. >> Not receive security fixes for Windows Boot Manager by October 2026.
</qp>

It's important to understand where the term 'boot' actually applies.

Thanks !

Lynn

I just did the second part of mine.

One part of it, may have been related to a BIOS update done some time ago.

But the Registry entries (regedit) indicated the 0x5944 part hadn't even started.

https://pureinfotech.com/install-secure-boot-certificates-windows-11/

[High points, this is not the whole procedure]

1) Enable Secure Boot in the BIOS.
This is harder than it seems, depending on the manufacturer,
you may end up looking in several places, and when you switch to UEFI-only
on mine, then the Secure Boot setting appears below that. This machine
(for experimental purposes) has both physical TPM and BIOS fTPM and was
in physical TPM mode while the procedure was carried out. The machine
with no TPM, will never be "High Confidence".
2) Boot into Windows.
Run msinfo32 and "Secure Boot State ON" should be there in the main view.
That proves the BIOS knob adjustments, worked.
3) Without fiddling any registry settings, these kinds of entries report
"what I propose to do" and the bottom one is "what I did".

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
ConfidenceLevel High Confidence
ConfidenceUpdateType 0x5944 <=== bitfields indicating things in UEFI that need updates

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
AvailableUpdates 0x4000

AvailableUpdates starts at 0x0000 ("Procedure has not started" state).
In the High Confidence state, 0x5944 is transferred in there.
When the Task is started, it works on the updates. Bits that stay
asserted, indicate "something is stuck".
The state machine "End State" is 0x4000 indicating all done.

4) As Administrator, this makes it "notice that a meal has been served"
and it can chow down and do the work. In my case, I was in state 0x0000,
and it automatically realizes that 0x5944 needs to be put in AvailableUpdates
(I did not keep observing this). The reason the sequence started
at all, is because I (finally) had "High Confidence".

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

5) Reboots are slower than normal after this.
Eventually, if all went well, AvailableUpdates should be 0x4000 indicating
sequence is complete.

6) If you dual-boot and GRUB is involved, there will be an SBAT entry in the
Registry, that I showed in my other post. I think Ubuntu might have been
trying to do this as well. SBAT is 0x0400 and is not part of bitfields 0x5944,
so it is unclear how this even works. Like, if I installed Ubuntu in Secure Boot
mode, this very minute, I know that Ubuntu would be "excited", but I don't
know how/why/when the Windows SBAT response would/could start. For a pure Windows
system, you don't have to worry about this at the moment. It's not even clear
(to me) where the functional SBAT text lines are getting stored. The Registry
is not their final home. To work, they have to go "somewhere else".

I suspect maybe my dbx still isn't updated properly and the PCA 2011 materials may not have been revoked. Which is fine with me, this month :-)

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/19/2026 5:00 PM, sticks wrote:

On 5/19/2026 4:43 PM, sticks wrote:

On 5/19/2026 4:07 PM, sticks wrote:

Searching on this seems to show it is unable to write correctly to
the blocklist of untrusted boot files.  Suggests changing some bios
secure boot key settings, and then running SFC /scannow.  That all
not too difficult and I think I might just try it out on this machine
to see if it makes any difference.

I went in and looked and the bios on this HP box does not have the
option available to change anything on the secure boot tab other than
turning it off.  The only thing I saw was on the security tab, there
is an option "restore security settings to factory defaults."  I
didn't do that.

It said TPM would be cleared as an example.  Wonder if it would change
any settings on secure boot?

Well I'll be damned.  I then did a SFC /scannow and it did find some
errors and fixed them.  Rebooted.  Went into the event viewer and
instead of the FPM-WMI error it had 4 entries.  A pre-attestation check,
a confirmation it is expected to pass attestation, TBS device identifier
has been generated, and finally "The TPM was successfully provisioned
and is now ready for use."

We'll see if it error faults again.

All for naught. Back again this morning. Disappointing


Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 5/20/2026 6:53:06 AM
Event ID: 1796
Description: The Secure Boot update failed to update SBAT with error
Unknown HResult Error code: 0x800700c1.
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Tue, 19 May 2026 18:48:09 +0100, J. P. Gilliver wrote:

winston was not the only one who found what was said (a) useful (b) easy
to read. If you are determined to find otherwise, that's not our problem.

We don't really care about that.
--
s|b
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 5:00 PM, sticks wrote:

[...]

Well I'll be damned.� I then did a SFC /scannow and it did find some errors and fixed them.� Rebooted.� Went into the event viewer and
instead of the FPM-WMI error it had 4 entries.� A pre-attestation check,
a confirmation it is expected to pass attestation, TBS device identifier has been generated, and finally "The TPM was successfully provisioned
and is now ready for use."

We'll see if it error faults again.

All for naught. Back again this morning. Disappointing

Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 5/20/2026 6:53:06 AM
Event ID: 1796
Description: The Secure Boot update failed to update SBAT with error Unknown HResult Error code: 0x800700c1.

If it's any consolation, I also get this error, twice a day, since at
least 15/01/2026.

The error comes with a "For more information, please see..." link [1],
but that only mentions Event ID 1795, not 1796. However the 'Change log'
of the document implies that 1796 *is* documented. Microsoft moves in mysterious ways! :-(

I think that this 'Error' is nothing to worry about.

IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we
would make Elon look like a pauper! :-)

[1] 'Secure Boot DB and DBX variable update events' <https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/20/2026 8:50 AM, Frank Slootweg wrote:

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 5:00 PM, sticks wrote:

[...]

Well I'll be damned.  I then did a SFC /scannow and it did find some
errors and fixed them.  Rebooted.  Went into the event viewer and
instead of the FPM-WMI error it had 4 entries.  A pre-attestation check, >>> a confirmation it is expected to pass attestation, TBS device identifier >>> has been generated, and finally "The TPM was successfully provisioned
and is now ready for use."

We'll see if it error faults again.

All for naught. Back again this morning. Disappointing


Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 5/20/2026 6:53:06 AM
Event ID: 1796
Description: The Secure Boot update failed to update SBAT with error
Unknown HResult Error code: 0x800700c1.

If it's any consolation, I also get this error, twice a day, since at least 15/01/2026.

The error comes with a "For more information, please see..." link [1],
but that only mentions Event ID 1795, not 1796. However the 'Change log'
of the document implies that 1796 *is* documented. Microsoft moves in mysterious ways! :-(

I think that this 'Error' is nothing to worry about.

IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we would make Elon look like a pauper! :-)

[1] 'Secure Boot DB and DBX variable update events' <https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

I know I can't do much more myself, and am not too worried about it.
However, it does annoy me that the secure boot process is evidently
missing some of the available data because of the update failure. I
find it difficult to believe HP cannot figure out a way to fix this error.
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 05/20/2026 10:11 AM, sticks wrote:

On 5/20/2026 8:50 AM, Frank Slootweg wrote:

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 5:00 PM, sticks wrote:

[...]

Well I'll be damned.  I then did a SFC /scannow and it did find some
errors and fixed them.  Rebooted.  Went into the event viewer and
instead of the FPM-WMI error it had 4 entries.  A pre-attestation
check,
a confirmation it is expected to pass attestation, TBS device
identifier
has been generated, and finally "The TPM was successfully provisioned
and is now ready for use."

We'll see if it error faults again.

All for naught.  Back again this morning.  Disappointing


Log Name:      System
Source:        Microsoft-Windows-TPM-WMI
Date:          5/20/2026 6:53:06 AM
Event ID:      1796
Description:  The Secure Boot update failed to update SBAT with error
Unknown HResult Error code: 0x800700c1.

   If it's any consolation, I also get this error, twice a day, since at >> least 15/01/2026.

   The error comes with a "For more information, please see..." link [1], >> but that only mentions Event ID 1795, not 1796. However the 'Change log'
of the document implies that 1796 *is* documented. Microsoft moves in
mysterious ways! :-(

   I think that this 'Error' is nothing to worry about.
   IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we >> would make Elon look like a pauper! :-)

[1] 'Secure Boot DB and DBX variable update events'
<https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-
variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently
missing some of the available data because of the update failure.  I
find it difficult to believe HP cannot figure out a way to fix this error.

Run this a Powershell admin window

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes)
-match 'Windows UEFI CA 2023')

- If the above command returns “true,” then your PC is using the new certificate


If it returns true or false, the EventViewer error is normal.
a. can't update(thus fails) if already present or not installed
--
...w¡ñ§±¤ñ
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/20/2026 10:11 AM, ....winston wrote:

Run this a Powershell admin window

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

 - If the above command returns “true,” then your PC is using the new certificate

It returned true.

If it returns true or false, the EventViewer error is normal.
 a. can't update(thus fails) if already present or not installed

They should fix that IMO. Chasing my tail around for nothing. It didn't really fail, it was already successfully completed, evidently. When the update searches for data to update, it should report completed if
something is done, and move on to the next point. I ain't a programmer,
but this does not seem normal to me. But, thanks for the powershell test!
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Wed, 5/20/2026 10:11 AM, sticks wrote:

On 5/20/2026 8:50 AM, Frank Slootweg wrote:

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 5:00 PM, sticks wrote:

[...]

Well I'll be damned.  I then did a SFC /scannow and it did find some
errors and fixed them.  Rebooted.  Went into the event viewer and
instead of the FPM-WMI error it had 4 entries.  A pre-attestation check, >>>> a confirmation it is expected to pass attestation, TBS device identifier >>>> has been generated, and finally "The TPM was successfully provisioned
and is now ready for use."

We'll see if it error faults again.

All for naught.  Back again this morning.  Disappointing


Log Name:      System
Source:        Microsoft-Windows-TPM-WMI
Date:          5/20/2026 6:53:06 AM
Event ID:      1796
Description:  The Secure Boot update failed to update SBAT with error
Unknown HResult Error code: 0x800700c1.

   If it's any consolation, I also get this error, twice a day, since at >> least 15/01/2026.

   The error comes with a "For more information, please see..." link [1], >> but that only mentions Event ID 1795, not 1796. However the 'Change log'
of the document implies that 1796 *is* documented. Microsoft moves in
mysterious ways! :-(

   I think that this 'Error' is nothing to worry about.
      IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we
would make Elon look like a pauper! :-)

[1] 'Secure Boot DB and DBX variable update events'
<https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently missing some of the available data because of the update failure.  I find it difficult to believe HP cannot figure out a way to fix this error.

In my other post, I pasted this. This is a side effect of having
run Linux on your machine. Perhaps by some means, Microsoft notices
GRUB2 was used to launch Windows, and Microsoft wants to play the SBAT game.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
AvailableUpdates DWORD32 0x00000000 <=== 0x4000 when finished...
SBAT <=== DailyDriver doesn't have this secton (smells like Linux... support from MSFT?)
(Default) REG_SZ (value not set)
SbatLevel sbat,1,2024010900
shim,4
grub,3
grub.debian,4
UpdateStatus DWORD32 0x00000003

SBAT is not a part of what Winston is working on (0x5944). The definition is:

0x0400 Apply Secure Boot Advanced Targeting (SBAT) update to the firmware.

A Linux OS can also be attempting to apply that.
This is generational revocation of software revision, intended
to save on the limited (32KB * 4) storage space in your
computer BIOS NOR Flash chip. Since the 32KB in one case, is now
half full, SBAT is a more efficient coding for handling Linux
and Linux Shim issues related to this signing stuff. If they spell out
each permutation and combination of these elements, it would fill dbx
to overflowing.

A person who dual boots Fedora or Red Hat, might have a different
"SbatLevel" entry. The SBatLevel is four lines of text. The Sbat
entry can even revoke itself, preventing a version 1 Sbat from running.

I do not know whether that is intended for dbx or somewhere else.
But at least two OSes are trying to do the same thing. Ubuntu (Debian)
is likely also trying to inject one of those (via MOKutil, at boot time),
one that is identical to the registry entry one.

A person who has not had Linux on the computer, is less likely to be
burdened with the SBAT activity (and the registry entry). You will notice Microsoft does not mention 0x0400 in the major documentation it offers.
But once they get a sniff of GRUB2, then Microsoft has to mess with
that (to prevent a GRUB2 exploit from spoiling Secure Boot for Windows).

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/20/2026 5:05 PM, Paul wrote:

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently missing some of the available data because of the update failure.  I find it difficult to believe HP cannot figure out a way to fix this error.

In my other post, I pasted this. This is a side effect of having
run Linux on your machine. Perhaps by some means, Microsoft notices
GRUB2 was used to launch Windows, and Microsoft wants to play the SBAT game.

---snip---

Most of that was over my head, Paul. FWIW, I have never even tried Linux.
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Wed, 5/20/2026 7:31 PM, sticks wrote:

On 5/20/2026 5:05 PM, Paul wrote:

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently missing some of the available data because of the update failure.  I find it difficult to believe HP cannot figure out a way to fix this error.

In my other post, I pasted this. This is a side effect of having
run Linux on your machine. Perhaps by some means, Microsoft notices
GRUB2 was used to launch Windows, and Microsoft wants to play the SBAT game.

---snip---

Most of that was over my head, Paul.  FWIW, I have never even tried Linux.

We still have the issue, of why HP machines seem to have this problem.
None of my machines are HP, and I have an SBAT on the machine across the way, and not one on this machine. Perhaps Microsoft is applying this to all
of them, I cannot be certain.

In some forum where the Rufus dev was holding court, he was apparently
working on patching something when Rufus sticks were made. That's
where I picked up the tidbit, that a GRUB2 Linux issue could be used
to exploit a dual boot Linux/Windows machine. And that is presumably
why Microsoft is patching this.

But the other part of the deal, is the motherboard BIOS may have to read
that SBAT stuff somehow, and respond, and I have no information on how
that works.

it's documented, somewhat, on Linux forums, and not at all on Windows
forums, and only multi-platform people like Mr.Batard are on top of this.
I don't have a complete picture of this to share. Just that I recognize
the data content in that Microsoft registry setting, as I've seen those
on a Linux site and that's where it comes from. And I've also seen
the tidbit, that if the machine is booting via GRUB2 on the disk,
GRUB2 can have an exploit crafted for it, that affects the
ability to properly Secure Boot Windows. And this is something
Microsoft knows, which is why there is an interest in revocation
of such things (buggy GRUB2 version, if one exists).

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Wed, 5/20/2026 11:11 AM, ....winston wrote:

On 05/20/2026 10:11 AM, sticks wrote:

On 5/20/2026 8:50 AM, Frank Slootweg wrote:

sticks <wolverine01@charter.net> wrote:

On 5/19/2026 5:00 PM, sticks wrote:

[...]

Well I'll be damned.  I then did a SFC /scannow and it did find some >>>>> errors and fixed them.  Rebooted.  Went into the event viewer and
instead of the FPM-WMI error it had 4 entries.  A pre-attestation check, >>>>> a confirmation it is expected to pass attestation, TBS device identifier >>>>> has been generated, and finally "The TPM was successfully provisioned >>>>> and is now ready for use."

We'll see if it error faults again.

All for naught.  Back again this morning.  Disappointing


Log Name:      System
Source:        Microsoft-Windows-TPM-WMI
Date:          5/20/2026 6:53:06 AM
Event ID:      1796
Description:  The Secure Boot update failed to update SBAT with error >>>> Unknown HResult Error code: 0x800700c1.

   If it's any consolation, I also get this error, twice a day, since at >>> least 15/01/2026.

   The error comes with a "For more information, please see..." link [1], >>> but that only mentions Event ID 1795, not 1796. However the 'Change log' >>> of the document implies that 1796 *is* documented. Microsoft moves in
mysterious ways! :-(

   I think that this 'Error' is nothing to worry about.
   IMO, if we got a dollar for every 'Error' in our Event Viewer logs, we >>> would make Elon look like a pauper! :-)

[1] 'Secure Boot DB and DBX variable update events'
<https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx- variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69>

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently missing some of the available data because of the update failure.  I find it difficult to believe HP cannot figure out a way to fix this error.

Run this a Powershell admin window

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')

 - If the above command returns “true,” then your PC is using the new certificate

If it returns true or false, the EventViewer error is normal.
 a. can't update(thus fails) if already present or not installed

This is a known issue. Secure Boot Advanced Targeting, is an attempt to
improve the efficiency of the contents of the dbx database. Microsoft
has to "care" about the buggy or not-buggy state of GRUB2, in order
to keep Windows secure, as there is a cross-platform "hole" that GRUB2
on a machine opens. Microsoft trying to install a four line text file
for SBAT, is to ensure the status of GRUB2 is covered. Instead of
putting a hundred separate entries into dbx, the scheme is one
four line text file, and then virtually any GRUB2 based OS can have
a buggy version of GRUB2 blocked.

The issue is not documented properly, and only an LLM-AI will be
able to gather the pieces and write a story for it. I don't know
how it was ever supposed to work on the BIOS side, and maybe
it only works at some stage in the OS progression.

Paul

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11



On 5/20/2026 7:12 PM, Paul wrote:

On Wed, 5/20/2026 7:31 PM, sticks wrote:

On 5/20/2026 5:05 PM, Paul wrote:

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently missing some of the available data because of the update failure.  I find it difficult to believe HP cannot figure out a way to fix this error.

In my other post, I pasted this. This is a side effect of having
run Linux on your machine. Perhaps by some means, Microsoft notices
GRUB2 was used to launch Windows, and Microsoft wants to play the SBAT game.

---snip---

Most of that was over my head, Paul.  FWIW, I have never even tried Linux.

We still have the issue, of why HP machines seem to have this problem.
None of my machines are HP, and I have an SBAT on the machine across the way, and not one on this machine. Perhaps Microsoft is applying this to all
of them, I cannot be certain.

---snip---

thanks for the details. BTW, the laptop of my wife's that also has this
error is also a HP machine.
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

Paul wrote:

Secure Boot Advanced Targeting, is an attempt to
improve the efficiency of the contents of the dbx database. Microsoft
has to "care" about the buggy or not-buggy state of GRUB2, in order
to keep Windows secure

How many people know what's going on under the waterline? I make no
claims to understand it, but since the era of virtualisation on PCs I've avoided dual boot.

<https://github.com/rhboot/shim/blob/main/SBAT.md>

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

In article <n7342aFf2nqU1@mid.individual.net>, me@privacy.invalid
says...

On Tue, 19 May 2026 11:44:14 +0100, Philip Herlihy wrote:

I asked CoPilot

<sigh>

I'm sure if you can point out what part of that account was wrong you'll
be doing us all a great service.
--
--
Phil, London
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Thu, 5/21/2026 3:34 AM, Andy Burns wrote:

Paul wrote:

Secure Boot Advanced Targeting, is an attempt to
improve the efficiency of the contents of the dbx database. Microsoft
has to "care" about the buggy or not-buggy state of GRUB2, in order
to keep Windows secure

How many people know what's going on under the waterline?  I make no claims to understand it, but since the era of virtualisation on PCs I've avoided dual boot.

<https://github.com/rhboot/shim/blob/main/SBAT.md>

I have a collection of all sorts of disk drives, with
different configurations on them. And that is mainly
a side effect of testing out questions that come up.

So if someone else has a dual boot Linux/Windows, I have one too.

I have a disk with ten OSes on it, for example, but that hasn't been
inside a machine for some time, and right off hand, I don't know
where it got to :-)

With regard to the SBAT thing, the concern might even extend
to plugging a Linux Live USB stick into a machine, that could
still have consequences unless UEFI has some SBAT usage for
revocation control. I just don't have all the info for a full
story, as where the SBAT goes is a black box right now.

I'm only doing these things, in the faint hope we can have
some control over our machines, and be proactive enough
to not end up bricked some day, out of ignorance.

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Thu, 21 May 2026 08:34:05 +0100, Andy Burns wrote:

Paul wrote:

Secure Boot Advanced Targeting, is an attempt to improve the efficiency
of the contents of the dbx database. Microsoft has to "care" about the
buggy or not-buggy state of GRUB2, in order to keep Windows secure

How many people know what's going on under the waterline? I make no
claims to understand it, but since the era of virtualisation on PCs I've avoided dual boot.

<https://github.com/rhboot/shim/blob/main/SBAT.md>

I haven't done a dual boot in a very long time. The last was openSUSE/
Windows 7. I found I very seldom booted to 7. I do have several computers
so Linux or Windows only is no problem.
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 22/05/2026 4:15 am, rbowman wrote:

On Thu, 21 May 2026 08:34:05 +0100, Andy Burns wrote:

Paul wrote:

Secure Boot Advanced Targeting, is an attempt to improve the efficiency
of the contents of the dbx database. Microsoft has to "care" about the
buggy or not-buggy state of GRUB2, in order to keep Windows secure

How many people know what's going on under the waterline? I make no
claims to understand it, but since the era of virtualisation on PCs I've
avoided dual boot.

<https://github.com/rhboot/shim/blob/main/SBAT.md>

I haven't done a dual boot in a very long time. The last was openSUSE/ Windows 7. I found I very seldom booted to 7. I do have several computers
so Linux or Windows only is no problem.

My Laptop had Win7 and a couple of Linuxs on it.

Usually on a Wednesday, I'd have two separate sessions on the Laptop so,
in the Afternoon, I'd boot into Win7, update stuff (System, Anti-virus,
etc.) then have the Anti-Virus check out the drives whilst I browsed and
read newsgroups.

Then, in the evening, I'd boot into Linux .... and get on with life!!

The other six days ... straight into Linux.
--
Daniel70
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Wed, 5/20/2026 9:16 PM, sticks wrote:

On 5/20/2026 7:12 PM, Paul wrote:

On Wed, 5/20/2026 7:31 PM, sticks wrote:

On 5/20/2026 5:05 PM, Paul wrote:

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently missing some of the available data because of the update failure.  I find it difficult to believe HP cannot figure out a way to fix this error.

In my other post, I pasted this. This is a side effect of having
run Linux on your machine. Perhaps by some means, Microsoft notices
GRUB2 was used to launch Windows, and Microsoft wants to play the SBAT game.

---snip---

Most of that was over my head, Paul.  FWIW, I have never even tried Linux. >>

We still have the issue, of why HP machines seem to have this problem.
None of my machines are HP, and I have an SBAT on the machine across the way,
and not one on this machine. Perhaps Microsoft is applying this to all
of them, I cannot be certain.

---snip---

thanks for the details.  BTW, the laptop of my wife's that also has this error is also a HP machine.

OK, I ran the question past CoPilot. Regarding the tar&feather of HP/Insyde, you are
likely to find slightly older machines that have not had the firmware updated, can also fall through the cracks. My Asus motherboard (ROG STRIX B550-F GAMING WIFI II),
they did not seem to release an update when the others released their Black Lotus update,
yet that same motherboard is being re-released to help sell DDR4 systems and older processors,
as of a week or two ago...

****************** CoPilot Answer: SBAT question ****************************

Here is the direct, technically precise answer you’re looking for -
grounded in what SBAT *actually is*, how Windows handles it, where it is stored,
and why your HP/Insyde firmware is throwing **0x800700c1 (ERROR_BAD_EXE_FORMAT)**
during the SBAT update attempt.

---

## **1. Where SBAT data is *supposed* to live**
The four SBAT lines you see in the Registry:

sbat,1,2024010900
shim,4
grub,3
grub.debian,4

are **not** the final storage location.
They are **staging data** that Windows prepares before attempting to write SBAT into UEFI.

### **The actual target storage location is a UEFI authenticated variable:**

### **`SbatLevel`**
- Namespace: **EFI_GLOBAL_VARIABLE** (or vendor-specific namespace depending on firmware)
- Type: **EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS**

This is the same class of variable used for:

- `db` (allowed signatures)
- `dbx` (revoked signatures)
- `KEK`
- `PK`

SBAT is *not* stored in the DBX.
It is stored in its own dedicated authenticated variable, **SbatLevel**, defined by the Linux shim maintainers.

**Windows simply mirrors the Linux SBAT mechanism** and writes the same variable into UEFI.

---
## **2. Does UEFI firmware understand SBAT?**
### **Yes - but only if the OEM firmware implements SBAT support.**

SBAT is *not* part of the UEFI specification.
It is an **extension invented by the Linux shim project**, and firmware vendors must add support voluntarily.

### **What SBAT support requires in firmware**
The firmware must:

1. Recognize the SbatLevel authenticated variable.
2. Parse the CSV-like SBAT entries.
3. Compare the SBAT levels of bootloaders (shim, grub, etc.) against the stored SbatLevel.
4. Enforce revocation if the bootloader’s SBAT generation is too old.

### **Your HP 17t‑cn400 (Insyde BIOS) almost certainly does *not* fully support SBAT.** <=== device ID not in my question!

This is consistent with:
- Missing HP support pages
- Missing BIOS updates
- Event ID 1796 / 1801
- Error **0x800700c1** during variable update
- The fact that PCA2023 succeeded but SBAT did not

---

## **3. Why Windows is trying to install SBAT**
Microsoft added SBAT support to Windows in 2024-2025 to:

- Reduce DBX bloat
- Block insecure Linux bootloaders
- Align with the Linux ecosystem

Windows now attempts to write SBAT into firmware **even on systems that never had Linux installed**.

This is exactly why Microsoft had to publish workarounds - the firmware ecosystem is not ready.

---

## **4. Why your SBAT update is failing with 0x800700c1**
### **0x800700c1 = ERROR_BAD_EXE_FORMAT**
This error is thrown when:

- The firmware rejects the authenticated variable payload
- The firmware does not recognize the variable format
- The firmware cannot parse the SBAT CSV
- The firmware does not support SBAT at all
- The firmware rejects the signature on the update capsule

### **Most likely cause on your HP/Insyde system**
Your firmware **does not implement SBAT support**, so when Windows attempts to write
the SbatLevel authenticated variable, the firmware returns:

- "Invalid format"
- "Unsupported variable"
- "Malformed authenticated payload"

Windows surfaces this as **0x800700c1**.

This is consistent with other HP and Intel systems reporting the same error.

---

## **5. Why the Registry shows SBAT data even though firmware rejected it** Windows stages SBAT data in:

HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT

This is **not** the authoritative store.
It is only the *input* for the Secure-Boot-Update scheduled task.

The firmware is the authoritative store.

If the firmware rejects the update, the Registry still shows the staged SBAT data, but:

- `UpdateStatus` remains non‑zero
- Event ID 1796 continues
- Event ID 1801 continues
- No SbatLevel variable is written to UEFI

---

## **6. Why PCA2023 succeeded but SBAT did not**
PCA2023 updates:

- PK
- KEK
- db
- dbx

These are **standard UEFI variables** supported by all Secure Boot firmware.

SBAT is **not** standard UEFI.

Your firmware supports PCA2023 but **does not support SBAT**, so:

- PCA2023 --> success
- SBAT --> 0x800700c1 failure

This is exactly the pattern seen across many HP and Intel systems.

---

## **7. Summary - direct answers to your questions**

### **Q: What is the target storage location of the four SBAT lines?**
**A: The UEFI authenticated variable `SbatLevel` in NVRAM.**
Not the Registry, not DBX.

### **Q: Does the UEFI BIOS recognize SBAT encoding?**
**A: Only if the OEM implemented SBAT support.**
Your HP/Insyde firmware almost certainly did not.

### **Q: Why is the update failing with 0x800700c1?**
**A: The firmware is rejecting the SBAT authenticated variable as an unsupported or invalid format.**
This is a firmware limitation, not a Windows error.

---

## **8. The real root cause**
Your HP 17t‑cn400 (Insyde F.13) firmware **does not support SBAT**, and Windows cannot force it to.

This is why:

- SBAT variable cannot be written
- Event 1796 persists
- Event 1801 persists
- UpdateStatus remains non-zero
- 0x800700c1 appears

This is a firmware defect or omission — not a Windows configuration issue. ****************** End: CoPilot Answer ****************************

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 5/22/2026 10:15 AM, Paul wrote:

On Wed, 5/20/2026 9:16 PM, sticks wrote:

On 5/20/2026 7:12 PM, Paul wrote:

On Wed, 5/20/2026 7:31 PM, sticks wrote:

On 5/20/2026 5:05 PM, Paul wrote:

I know I can't do much more myself, and am not too worried about it. However, it does annoy me that the secure boot process is evidently missing some of the available data because of the update failure.  I find it difficult to believe HP cannot figure out a way to fix this error.

In my other post, I pasted this. This is a side effect of having
run Linux on your machine. Perhaps by some means, Microsoft notices
GRUB2 was used to launch Windows, and Microsoft wants to play the SBAT game.

---snip---

Most of that was over my head, Paul.  FWIW, I have never even tried Linux.

We still have the issue, of why HP machines seem to have this problem.
None of my machines are HP, and I have an SBAT on the machine across the way,
and not one on this machine. Perhaps Microsoft is applying this to all
of them, I cannot be certain.

---snip---

thanks for the details.  BTW, the laptop of my wife's that also has this error is also a HP machine.

OK, I ran the question past CoPilot. Regarding the tar&feather of HP/Insyde, you are
likely to find slightly older machines that have not had the firmware updated,
can also fall through the cracks. My Asus motherboard (ROG STRIX B550-F GAMING WIFI II),
they did not seem to release an update when the others released their Black Lotus update,
yet that same motherboard is being re-released to help sell DDR4 systems and older processors,
as of a week or two ago...

****************** CoPilot Answer: SBAT question ****************************

Here is the direct, technically precise answer you’re looking for - grounded in what SBAT *actually is*, how Windows handles it, where it is stored,
and why your HP/Insyde firmware is throwing **0x800700c1 (ERROR_BAD_EXE_FORMAT)**
during the SBAT update attempt.

---

## **1. Where SBAT data is *supposed* to live**
The four SBAT lines you see in the Registry:

sbat,1,2024010900
shim,4
grub,3
grub.debian,4

are **not** the final storage location.
They are **staging data** that Windows prepares before attempting to write SBAT into UEFI.

### **The actual target storage location is a UEFI authenticated variable:**

### **`SbatLevel`**
- Namespace: **EFI_GLOBAL_VARIABLE** (or vendor-specific namespace depending on firmware)
- Type: **EFI_VARIABLE_NON_VOLATILE | EFI_VARIABLE_BOOTSERVICE_ACCESS |
EFI_VARIABLE_RUNTIME_ACCESS | EFI_VARIABLE_TIME_BASED_AUTHENTICATED_WRITE_ACCESS**

This is the same class of variable used for:

- `db` (allowed signatures)
- `dbx` (revoked signatures)
- `KEK`
- `PK`

SBAT is *not* stored in the DBX.
It is stored in its own dedicated authenticated variable, **SbatLevel**, defined by the Linux shim maintainers.

**Windows simply mirrors the Linux SBAT mechanism** and writes the same variable into UEFI.

---
## **2. Does UEFI firmware understand SBAT?**
### **Yes - but only if the OEM firmware implements SBAT support.**

SBAT is *not* part of the UEFI specification.
It is an **extension invented by the Linux shim project**, and firmware vendors must add support voluntarily.

### **What SBAT support requires in firmware**
The firmware must:

1. Recognize the SbatLevel authenticated variable.
2. Parse the CSV-like SBAT entries.
3. Compare the SBAT levels of bootloaders (shim, grub, etc.) against the stored SbatLevel.
4. Enforce revocation if the bootloader’s SBAT generation is too old.

### **Your HP 17t‑cn400 (Insyde BIOS) almost certainly does *not* fully support SBAT.** <=== device ID not in my question!

This is consistent with:
- Missing HP support pages
- Missing BIOS updates
- Event ID 1796 / 1801
- Error **0x800700c1** during variable update
- The fact that PCA2023 succeeded but SBAT did not

---

## **3. Why Windows is trying to install SBAT**
Microsoft added SBAT support to Windows in 2024-2025 to:

- Reduce DBX bloat
- Block insecure Linux bootloaders
- Align with the Linux ecosystem

Windows now attempts to write SBAT into firmware **even on systems that never had Linux installed**.

This is exactly why Microsoft had to publish workarounds - the firmware ecosystem is not ready.

---

## **4. Why your SBAT update is failing with 0x800700c1**
### **0x800700c1 = ERROR_BAD_EXE_FORMAT**
This error is thrown when:

- The firmware rejects the authenticated variable payload
- The firmware does not recognize the variable format
- The firmware cannot parse the SBAT CSV
- The firmware does not support SBAT at all
- The firmware rejects the signature on the update capsule

### **Most likely cause on your HP/Insyde system**
Your firmware **does not implement SBAT support**, so when Windows attempts to write
the SbatLevel authenticated variable, the firmware returns:

- "Invalid format"
- "Unsupported variable"
- "Malformed authenticated payload"

Windows surfaces this as **0x800700c1**.

This is consistent with other HP and Intel systems reporting the same error.

---

## **5. Why the Registry shows SBAT data even though firmware rejected it** Windows stages SBAT data in:

HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT

This is **not** the authoritative store.
It is only the *input* for the Secure-Boot-Update scheduled task.

The firmware is the authoritative store.

If the firmware rejects the update, the Registry still shows the staged SBAT data, but:

- `UpdateStatus` remains non‑zero
- Event ID 1796 continues
- Event ID 1801 continues
- No SbatLevel variable is written to UEFI

---

## **6. Why PCA2023 succeeded but SBAT did not**
PCA2023 updates:

- PK
- KEK
- db
- dbx

These are **standard UEFI variables** supported by all Secure Boot firmware.

SBAT is **not** standard UEFI.

Your firmware supports PCA2023 but **does not support SBAT**, so:

- PCA2023 --> success
- SBAT --> 0x800700c1 failure

This is exactly the pattern seen across many HP and Intel systems.

---

## **7. Summary - direct answers to your questions**

### **Q: What is the target storage location of the four SBAT lines?**
**A: The UEFI authenticated variable `SbatLevel` in NVRAM.**
Not the Registry, not DBX.

### **Q: Does the UEFI BIOS recognize SBAT encoding?**
**A: Only if the OEM implemented SBAT support.**
Your HP/Insyde firmware almost certainly did not.

### **Q: Why is the update failing with 0x800700c1?**
**A: The firmware is rejecting the SBAT authenticated variable as an unsupported or invalid format.**
This is a firmware limitation, not a Windows error.

---

## **8. The real root cause**
Your HP 17t‑cn400 (Insyde F.13) firmware **does not support SBAT**, and Windows cannot force it to.

This is why:

- SBAT variable cannot be written
- Event 1796 persists
- Event 1801 persists
- UpdateStatus remains non-zero
- 0x800700c1 appears

This is a firmware defect or omission — not a Windows configuration issue. ****************** End: CoPilot Answer ****************************

Paul

What a joke.
At this point all it looks like I can do to eliminate the error and
possible bricking (seems unlikely per Frank) is to keep checking on a
bios update.
--
Science Doesn’t Support Darwin. Scientists Do

--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 2026/5/22 10:45:3, Daniel70 wrote:
[]

My Laptop had Win7 and a couple of Linuxs on it.

[]
My spidey sense says the plural should be Linuces (pronounced Lie noo seez).
My spidey sense could be wrong :-)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()ALIS-Ch++(p)Ar++T+H+Sh0!:`)DNAf

From Newsgroup: alt.comp.os.windows-11

On Fri, 5/22/2026 12:15 PM, sticks wrote:

What a joke.
At this point all it looks like I can do to eliminate the error
and possible bricking (seems unlikely per Frank) is to keep checking
on a bios update.

Yes, that seems to be it.

So now, purely as an exercise, I'll try on the Big Machine (EATX sized metal box).
It appears a BIOS was delivered in Feb 2026 (and I don't exactly hang out on the web
page looking for these). It's like Christmas in May.

ROG-STRIX-B550-F-GAMING-WIFI-II-ASUS-3636.zip
BIOS
Version 3636
16.49 MB
2026/02/03
SHA-256 ：2191F8FCA83D7EFE407A74780CB1F7194C4EB1B50925B6E654AE8A243C794DE0

"Improve system compatibility
Before running the USB BIOS Flashback tool, please rename the BIOS file (R550FGW2.CAP) using BIOSRenamer."
[The EXE is in the ZIP file]

The Secure Boot registry section notes "version 3634" after
the flash was completed. It only gets the hardware info,
if you manually trigger the scheduled task.

*******

That seemed to make things slightly worse.

The thing still Secure Boots. it's PCA2023.
The SBAT registry entry did not go away. It dropped from
"High Confidence" to "Under Observation".

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On Fri, 5/22/2026 3:52 PM, J. P. Gilliver wrote:

On 2026/5/22 10:45:3, Daniel70 wrote:
[]

My Laptop had Win7 and a couple of Linuxs on it.

[]
My spidey sense says the plural should be Linuces (pronounced Lie noo seez).

My spidey sense could be wrong :-)

There aren't any Latinos involved. Only
a pasty white guy, and a bunch of helpers
that wear hoodies :-)

https://en.wiktionary.org/wiki/Linuxes

This is the computer Linus used, at the start. At the moment,
I believe they are removing 486 support from the kernel.
By the way, that's enough memory for 1% of a Firefox tab.

https://www.cs.helsinki.fi/u/kutvonen/index_files/humalluoto.html

Intel 80486SX @ 25 MHz, 8 Mbytes memory, 100 Mbytes hard disk

He even got some awards.

https://en.wikipedia.org/wiki/Linus_Torvalds

"Two years later he received honorary doctor status at Stockholm University,
and in 2000, he received the same honor from his alma mater."

At the all-you-can-eat shrimp bar, with that honorary degree in hand,
you can then have as many shrimp as you want.

Paul
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 05/22/2026 5:50 PM, Paul wrote:

https://en.wiktionary.org/wiki/Linuxes

This is the computer Linus used, at the start. At the moment,
I believe they are removing 486 support from the kernel.
By the way, that's enough memory for 1% of a Firefox tab.

Well, Linus always served the neighborhood as the intellectual and voice
or reason, always employing and carrying his security protection.

Every year explaining what Christmas is all about.

Oops, wrong comic strip.
--
...w¡ñ§±¤ñ
--- Synchronet 3.21d-Linux NewsLink 1.2

From Newsgroup: alt.comp.os.windows-11

On 23/05/2026 5:52 am, J. P. Gilliver wrote:

On 2026/5/22 10:45:3, Daniel70 wrote:
[]

My Laptop had Win7 and a couple of Linuxs on it.

[]
My spidey sense says the plural should be Linuces (pronounced Lie noo seez).

My spidey sense could be wrong :-)

I had NO idea ... so went with 'Linuxs' .. but I could have been wrong!! ;-P
--
Daniel70
--- Synchronet 3.21d-Linux NewsLink 1.2