ISSUE 20.21.1 • 2023-05-23 By Susan Bradley Deploy May updates — and nothing but the updates. I’m lowering the MS-DEFCON level to 4 to encourage you t
[See the full post at: MS-DEFCON 4: Skip those Secure Boot scripts]
Susan Bradley Patch Lady
On a new Win11 Pro machine, 22H2 , KB5012170 was apparently installed on Jan. 30, before the machine was delivered to me.
msinfo32 says:
BIOS Mode : UEFI
Secure Boot State: On
The following are present:
C:\Windows\WinSxS\amd64_microsoft-windows-s..boot-firmwareupdate_31bf3856ad364e35_10.0.22621.1702_none_948b3ff48131c4d8\SKUSiPolicy.P7b (159 kB)
C:\Windows\WinSxS\amd64_microsoft-windows-s..boot-firmwareupdate_31bf3856ad364e35_10.0.22621.1702_none_948b3ff48131c4d8\n\SKUSiPolicy.P7b (81 kB)
Does this mean the revocations have been applied? Am I better or worse off for that?
Do I assume updates here are acceptable, given that you said “We have repeatedly seen updates for Secure Boot to fix vulnerable boot-loader files.”
If rootkits are the problem, what is the best way of detecting them?
It is all very confusing.
Thanks.
I have similar issues as @cynicalsnail
After the update my msinfo32 says:
BIOS Mode : UEFI
Secure Boot State: Off
I have a Custom Build – Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard and don’t know what msinfo32 said before the current update.
Do I need to do anything to change the above? If so, how do I correct this?
Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2
OS build 19045.2965
ain’t broke: sure, but I do not actually know the full status of my machine.
I have read several articles – several times – and I do not understand very well any of it. There are simply too many options, all with inadequate explanations for those not immersed. What is needed is a plain English glossary for each of the terms and their options – with their implications. At the moment it is all blind trust. Having followed your advice for years, finding that it has all been pre-empted now is somewhat unsettling.
I did read the article and my msinfo32 doesn’t match what you say is safe. Does this mean my computer doesn’t support Secure Boot? If not, is there any way to make my PC safe without buying a new one?
Custom Build - Intel i5 9400 5 Core CPU & ASUS TUF Z390 Plus Motherboard
Edition Windows 10 Home
Version 22H2
OS build 19045.2965
… my msinfo32 doesn’t match what you say is safe. Does this mean my computer doesn’t support Secure Boot? If not, is there any way to make my PC safe without buying a new one?
Hi blueboy714:
According to your post # 2561265 when you open a Run dialog box (Windows key + R) and enter msinfo32 you see that “BIOS Mode” is UEFI and “Secure Boot State” is OFF.
When “BIOS Mode” is UEFI and “Secure Boot State” is OFF that means Secure Boot is either disabled or not available. My Dell Inspiron 5584 uses the UEFI platform and Secure Boot was disabled by default when it shipped from the factory (see image below), but secure boot can be enabled / disabled on my Dell laptop from the Secure Boot section of my BIOS settings (i.e., if I re-boot and tap the F2 key as soon as my Dell logo appears to enter my BIOS settings). You have an ASUS TUF Z390 motherboard so I believe that restarting your computer and tapping the F2 key during the POST test (i.e., before Windows is loaded) should also open the BIOS settings on your computer, but if you have problems see the ASUS support article [Notebook/Desktop/AIO] How to Enter the BIOS Configuration for an alternate method.
The KB5012170 Security Update for Secure Boot DBX mentioned by CynicalSnail in post # 2561260 was installed on my Win 10 Pro v22H2 OS by Windows Update during my August 2022 Patch Tuesday updates and did not cause any issues. However, note that BitLocker Disk Encryption (which is not available on your Win 10 Home v22H2 OS) is disabled on my Win 10 Pro machine, which means that I didn’t have to worry that installation of KB5012170 would disrupt my boot process and ask me to enter a BitLocker recovery key to proceed with the boot-up like it did for many Win 10 and Win 11 Pro users – see the 16-Aug-2022 BleepingComputer article Windows KB5012170 Update Causing BitLocker Recovery Screens, Boot Issues for more information. As far as I know, KB5012170 would not change whether Secure Boot was enabled / disabled on your computer – the release notes <here> only state that “This security update addresses the vulnerability by adding the signatures of the known vulnerable UEFI modules to the DBX” (where DBX is the Secure Boot Forbidden Signature Database). The three bootloader bypass vulnerabilities patched for Secure Boot by KB5012170 are listed at the bottom of those release notes.
————-
Dell Inspiron 5584 * 64-bit Win 10 Pro v22H2 build 19045.2965 * Firefox v113.0.1 * Microsoft Defender v4.18.2304.8-1.1.20300.3 * Malwarebytes Premium v4.5.29.268-1.0.2022-1.0.69620 * Macrium Reflect Free v8.0.7279 * Dell Inspiron 5583/5584 BIOS v1.22.1
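The two questions above (is Secure Boot actually on, and has the KB5012170 DBX update landed on this machine?) can be answered from an elevated PowerShell prompt instead of reading msinfo32. The script below is an added example written for this thread; it is not code from AskWoody, Microsoft, or any poster. It uses only built-in cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI, Get-HotFix, Get-BitLockerVolume); the function name Get-SecureBootReport and the output field names are my own choices.

```powershell
# Added example: report Secure Boot / DBX / BitLocker status from PowerShell.
# Run from an elevated (Administrator) PowerShell prompt on Windows 10 or 11.
# Confirm-SecureBootUEFI and Get-SecureBootUEFI live in the built-in SecureBoot module
# and throw PlatformNotSupportedException on legacy-BIOS machines, which is how we
# distinguish "Secure Boot Off" from "Secure Boot Unsupported" (msinfo32 shows both).

function Get-SecureBootReport {
    $report = [ordered]@{}

    try {
        $report.FirmwareMode      = 'UEFI'
        $report.SecureBootEnabled = Confirm-SecureBootUEFI   # $true = msinfo32 "On"
    } catch [System.PlatformNotSupportedException] {
        $report.FirmwareMode      = 'Legacy BIOS'
        $report.SecureBootEnabled = 'Unsupported'
        return [pscustomobject]$report
    }

    # DBX = Secure Boot Forbidden Signature Database. The KB5012170 revocations add
    # entries, so the DBX grows after the update; the exact size depends on the vendor's
    # factory DBX, so report the byte count as a hint rather than a pass/fail verdict.
    $dbx = Get-SecureBootUEFI -Name dbx
    $report.DbxBytes = $dbx.Bytes.Length

    # Was the DBX update package itself installed? (Get-HotFix reads the installed-updates list.)
    $report.KB5012170Installed = [bool](Get-HotFix -Id KB5012170 -ErrorAction SilentlyContinue)

    # BitLocker protection on the system drive: if it is on, suspend it before a firmware
    # or Secure Boot change, otherwise the next boot may demand the recovery key.
    # Home editions have no BitLocker module, so the cmdlet may simply not exist.
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
        $report.BitLockerProtection = if ($vol) { $vol.ProtectionStatus } else { 'Unknown' }
    } else {
        $report.BitLockerProtection = 'Not available on this edition'
    }

    [pscustomobject]$report
}

Get-SecureBootReport | Format-List
```

Read the result the same way lmacri describes: FirmwareMode UEFI with SecureBootEnabled $true matches msinfo32 "On"; $false means Secure Boot is disabled in the firmware settings and can be turned back on there; 'Unsupported' means the machine booted in legacy BIOS mode. KB5012170Installed tells you whether the DBX package is present, which is a separate question from whether Secure Boot is enabled, and BitLockerProtection of 1 is the case where a DBX or firmware change is most likely to trigger the recovery screen mentioned above.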
In my opinion, the confusion is seen when people use msinfo32 and see that Secure Boot says ON, rather than Unsupported, and they think they need to do something to change to an Unsupported state.
I have bitlocker turned off, and in msinfo32 Secure Boot is ON, Windows 10 Pro 22H2.
If I understand the Microsoft article correctly, one has to type in commands in the command prompt to apply these revocations.
If I have read what Susan says correctly, install the May updates, don’t invoke a command prompt to apply revocations, and even if Secure Boot is ON, for the May Updates, things should be ok.
I updated this morning as per Susan. Along with whatever else I got, this popped up in the event viewer as a Warning. I don’t know which update contained it. There were two packages: Security Update for Microsoft Windows (KB 5026361) and Servicing Stack 10.0.19041.2905.
Forgot the question. Anyone know what this is and if it matters?
HP Pavilion Desktop TP01-0050 – 64 bit
Windows 10 Home Version 22H2
OS build 19045.2965
Windows Defender and Windows Firewall
Microsoft Office Home and Business 2019
-Version 2303(Build 16227.20258 C2R)
In my opinion, the confusion is seen when people use msinfo32 and see that Secure Boot says ON, rather than Unsupported, and they think they need to do something to change to an Unsupported state.
I have bitlocker turned off, and in msinfo32 Secure Boot is ON, Windows 10 Pro 22H2.
If I understand the Microsoft article correctly, one has to type in commands in the command prompt to apply these revocations.
If I have read what Susan says correctly, install the May updates, don’t invoke a command prompt to apply revocations, and even if Secure Boot is ON, for the May Updates, things should be ok.
BINGO!!!
I saw no instructions for what to do if Secure Boot is ON. That is what is/was unclear.
I think on your last proofread before posting, Susan, you might want to drop down to your viewers’ knowledge level and point of view.
For that matter, I am not even sure when or how the scripts to be avoided are offered up???
For that matter, I am not even sure when or how the scripts to be avoided are offered up???
The scripts will install as part of patch Tuesday sometime in the future.
For now the scripts are to be run manually, if a user wants to run them.
Possible stupid question here.
I recently updated my wife’s laptop from Win8.1 to Win10 21H2. Now I want to do the feature update to 22H2. I use InControl and wumgr to control updates. So, I turned InControl off and in wumgr under “Upgrades” I see the feature update. Then I notice that it’s 106.59 GB in size.
Hmm. This laptop has a 128 GB SSD with the current Win10 install + software eating up about 32 GB. A 250-ish GB mSata SSD holds her stuff (currently about 70 GB used).
Is there an easy way to direct the 22H2 download to the larger SSD or an external HDD?
Thanks.
If your Win10 20H2 is up to date, the upgrade to 22H2 is simply the turning on of the Experience Pack, a very small download. The base for 21H2 and 22H2 are the same. The base is already there. The download will be quite small.
The size you are seeing is not correct (a complete clean install of Win10 wouldn’t be 106GB).
Microsoft has quietly posted “V2” Windows 11 22H2 ISO downloads with build 22621.1702 (KB5023672 update integrated) on the Windows 11 download page today May 23:
https://www.microsoft.com/software-download/windows11
Instead of downloading something like “Win11_22H2_English_x64.iso” or “Win11_22H2_English_x64v1.iso”, it now downloads Win11_22H2_English_x64v2.iso.
gonna wait and see if patch lady Susan will recommend Win11 users whether to upgrade to the 22H2 version or not. MS will be releasing a 23H2 version (for Win11) sometime in the 2nd half of 2023
Compared to the posts and replies already in this thread, I have a very minor and not very important observation, and “gripe” I suppose.
With Patch Lady Defcon 4 blessing to go ahead and install May updates,
after installing the May 2023-05 KB5026361 Cumulative Update for Win10 64 bit version 22H2 – I found the Taskbar Search icon has grown to an unattractive size that I do not like. An internet search found a Microsoft answers topic with others complaining about the larger search icon, but no instructions or advice on how to restore the original smaller size icon. Do other AskWoody participants like the new larger size? And does anyone know how to restore the older smaller size without having to remove this current May 2023 update? I know about hiding the Windows Search completely by right clicking the Taskbar, and using other Search programs like voidtools Everything or NirSoft SearchMyFiles, but I like the smaller icon unobtrusively sitting down by the Start Menu, and I do not have a problem with Microsoft Windows Search, it works ok for me.
– Just wondering… constantly it seems… after Windows Updates… Sigh…
Windows 10 Search Icon suddenly increased in size on new install
I’ve already installed them to no ill effects. Note the red in my signature line.
YMMV
While we may simplify life for the time being by not running those manual scripts relating to Secure Boot, Microsoft will eventually force-feed them to us via Windows Updates. (Forced-fed, at any rate, to those who don’t use tools to control the monthly patches.)
Assuming I understand the situation correctly, this change will render unbootable any live CD or live USB drive that we may have been using for troubleshooting or experimental purposes. It will also render unbootable the rescue CDs from backup programs such as Macrium Reflect that we use when the boot drive fails and we need to restore an image from a backup to a replacement drive.
When the Secure Boot patch gets forced through, will we need to create new rescue media–and will that alone be sufficient, or will we need to get an up-to-date version of the backup software in order to create new rescue media?
Additions and clarifications are welcome!
Assuming I understand the situation correctly, this change will render unbootable any live CD or live USB drive that we may have been using for troubleshooting or experimental purposes. It will also render unbootable the rescue CDs from backup programs such as Macrium Reflect that we use when the boot drive fails and we need to restore an image from a backup to a replacement drive.
I’ve already installed them to no ill effects. Note the red in my signature line.
In my experience, you don’t understand the situation correctly.
As for booting other devices, I went into UEFI Settings and turned off Secure Boot (in my case, disabling the TPM) and booted TeraByte’s BootIt UEFI partitioning tool via USB without issue. I then rebooted, went back into UEFI Settings, re-enabled the TPM, and booted back into Windows.
When the Secure Boot patch gets forced through, will we need to create new rescue media–and will that alone be sufficient, or will we need to get an up-to-date version of the backup software in order to create new rescue media?
In my case, no, that is unnecessary. My boot USB’s work by disabling Secure Boot. Recreating boot media after running the scripts still requires disabling Secure Boot before they will boot. Susan advises that the scripts not be run. Microsoft advises that the scripts will be run by Windows Update in the coming months.
In either case, my red signature line still applies.
Assuming I understand the situation correctly, this change will render unbootable any live CD or live USB drive that we may have been using for troubleshooting or experimental purposes. It will also render unbootable the rescue CDs from backup programs such as Macrium Reflect that we use when the boot drive fails and we need to restore an image from a backup to a replacement drive.
To my knowledge your fears are not necessary. I myself have used Secure Boot and the UEFI start partition(s) from the beginning. All the boot DVDs and USB thumb drives work just fine with Macrium Reflect and Acronis and O&O, AOMEI and EaseUS disk imaging software. Booting is done by using the key combination to call up the PC’s boot menu. So restoring Windows and Linux Mint works just fine. Mind you, check it all before relying on it.
To my knowledge, work and relations in computer security, Secure Boot and UEFI boot are essential for security. That’s why this hardly traceable malware installed/implemented by using these stolen 0-days is *such a big deal*.
My boot USB’s work by disabling Secure Boot. Recreating boot media after running the scripts still requires disabling Secure Boot before they will boot.
So the bottom line is that the old boot media will still work, but if we use such media (whether old or new), we will have to add the steps of first turning off Secure Boot, then turning it back on. Is that right?
New question: After Microsoft force-feeds these scripts onto customers’ PCs, will it be possible for us to simply do without Secure Boot? That would be one way to simplify matters.
So the bottom line is that the old boot media will still work, but if we use such media (whether old or new), we will have to add the steps of first turning off Secure Boot, then turning it back on. Is that right?
In my experience, yes it is.
New question: After Microsoft force-feeds these scripts onto customers’ PCs, will it be possible for us to simply do without Secure Boot? That would be one way to simplify matters.
Susan advises that Secure Boot isn’t particularly necessary for consumers, however, I prefer to use it. I use TeraByte’s Image For Windows, and I am unfamiliar with any other drive imaging software. Image For Windows has a utility for incorporating it into the Windows Recovery Environment. Then just go to Settings > Windows Update > Advanced options > Recovery > Advanced startup > Restart now, and the Recovery Environment, including Image For Windows, boots without issue, no finagling with settings in UEFI. That’s my preferred method.
I have the USB recovery media (also created with IFW’s utility) in the event of Windows getting pooched and not allowing Advanced startup, or of drive failure, which could include one’s Windows Recovery Environment if it’s located in the standard Windows position, a small partition after the Windows partition. I have mine on a separate SSD in its own 1GB partition, but I’m also a belt and suspenders kind of guy.
I’m also a belt and suspenders kind of guy.
“but I’m also a belt and suspenders kind of guy” is a lovely parable. Meaning probably that you do not wash the trousers and suspenders too warm either, for the penalty will be that you lose their functionality in the greater sense. In computer terms, does this mean equally that losing functionality is noticeable for the common user? And if so, what does this mean?
“belt and suspenders” is a common idiom:
https://duckduckgo.com/?t=ffab&q=belt+and+suspenders+meaning&ia=definition
“belt and suspenders” is a common idiom:
“: involving or employing multiple methods or procedures to achieve a desired result especially out of caution or fear of failure”
In computer terms, does this mean equally that losing functionality is noticeable for the common user? And if so, what does this mean?
For me, “belt and suspenders” means having the capabilities to overcome any computer malfunction, whether software or hardware. In the mid ’00’s I had a hard hardware failure, to the extent that my desktop would not boot at all, not even the BIOS splash screen. The red “power on” light would light, but the screen remained black. There was no accompanying beep code, so I assumed that the motherboard might be OK, but there could be a severe internal peripheral hardware failure. The desktop had four HDD’s on PATA connections and dual booted Windows 2K Pro.
I powered down, opened the case and unplugged the PATA cable from the top HDD (not HDD0, just the top drive in the case), then powered on; same red light and black screen. I powered down, reconnected that HDD, and unplugged the second, then powered on; same red light and black screen. Same procedure with the third HDD, and I got the red light and the BIOS splash screen. The third HDD was HDD0, and that was where bootmgr was located.
That told me that HDD0 (the third HDD in top-down mounting order) was the likely culprit. I had a spare HDD of the same size on hand (all four drives were the same size and manufacturer), so I removed HDD0 and replaced it with my spare, with a mental note to order a new spare. Then I booted into my BootIT NG USB drive (my earliest connection to TeraByte’s imaging software) and got my HDD0 drive image DVD’s ready (I had previously formatted the spare drive). I restored HDD0 to the spare drive. After the restore, I rebooted, removing the USB drive, and booted into Windows 2K Pro, as if nothing had happened.
Another anecdote I’ve told here a number of times, two of my PC’s died in a house fire in January 2011, but their contents were safely tucked away in drive images on offline HDD’s, and I only lost the hardware. The Windows 11 Pro I’m currently dual booting is an upgrade over an upgrade over an upgrade … of Windows 7 Pro from early 2010.
I have spare drives; I have full-drive drive images going back a couple of months on offline HDD’s. As for “noticeable for the common user”, yes, noticeable. The usual trope is “Windows has to be clean-installed about once per year to get it back up to speed.” A dedicated routine maintenance regimen keeps Windows performance from degrading. Without that maintenance regimen, “losing functionality is noticeable for the common user.”
That’s my version of belt and suspenders.
I build all of our home computers. We currently have three and the motherboards are from three different manufacturers. When Microsoft announced that Secure Boot would be a requirement for Windows 11, all three of the manufacturers shipped motherboards with Secure Boot in the ON state. I was running Windows 10 at the time so this was irrelevant. I upgraded one PC to Windows 11 just to see how it worked and what the interface was like. It worked well so the other two were upgraded as well. If you are running Windows 10 (the recommendation of this website) there are no issues for you whether it is on or off. If you are running Windows 11 it will be on.
Of more interest to me is the ‘Local Security Protection’ bug that was introduced a couple of months ago with one of the Windows Defender updates. On bulletin from Microsoft said don’t do anything, that it will be patched at some future date. I guess that future date has been extended further as I’ve just done the May updates and it’s still there. All three of our PCs had this turned on and all three show the warning.
What danger am I in?
Very little; clicking on a bogus link, visiting a maliciously coded web page, etc. In other words, safe surfing and prudent examination of emailed links will likely keep you safe. There’s no need to turn off Secure Boot.
Windows 10 doesn’t get the same update treatment as Windows 11.
I have Windows 10 22H2 and Secure Boot is on with UEFI BIOS mode. I have so far blocked the update KB 4012170 and the May updates. My question is, when MS decides to trigger the forced script installs that mess with the BIOS, if I have the setting in my BIOS referring to UEFI capsule updates disabled, will that stop the updated scripts from running? And would that impact my original install media created in 2017? If I created new install media, will it not install if I do not have these forced updates in my BIOS?