Insider stuff, Recent Activity, Secure Boot, Updates, WED Blog, Windows 11

Pondering UEFI Updates

Leave a comment

I’m still getting settled in with my new production desktop environment. ICYDK, it’s built around an MSI MAG Tomahawk B550 mobo, with Ryzen 5800X, NVIDIA 3070Ti GPU, and 64GB DDR4 RAM. This morning, I started digging into the MSI Center app that orchestrates other system utilities, and handles updates for drivers and firmware. In my investigation, I discovered a “new” update for the mobo firmware. In turn, that has me pondering UEFI updates.

Where Does Pondering UEFI Updates Take Me?

I had to figure out that MSI’s once-standalone “Live Update” utility now sits beneath its top-level Support tab (top middle of option bar in the lead-in graphic). Then I had to figure out that UEFI updates appear only when one clicks the “Advanced” button, rather than the more pedestrian “Scan” button (which scans only for driver updates).

As  you can see in that graphic, the company shares its guidance in eye-catching red text at the head of the MB BIOS list. That guidance reads: “MSI does not recommend to update BIOS when system has no issue” in somewhat fractured English. However rough the wording might be, the guidance is still pretty good. Let me explain…

If It Ain’t Broke, Don’t Fix It!

The reason why I recently rebuilt my Flo6 desktop stemmed from UEFI problems with the previous ASRock B550 Extreme4 mobo. It kept sticking halfway between Secure Boot old/updated data sets. That resulted in extreme boot requirements, when I might sometimes have to reset CMOS just to get the PC to boot.

Most of the time I had to shut it down, and cut power, then wait a while to bring it back to life. That went on for weeks before I made the switch to the MSI board. Since then, boot and update operations have been blissfully boring. Things just work, and I can use all of the various boot options and related keyboard options to do exactly what I want.

Reading over Copilot’s summary of what UEFI v2.A0 brings me, as compared to the running v2.90, I don’t see anything I need. Nor do I see anything that would improve Flo6’s currently rock-solid and dependable, fully caught-up Secure Boot Status.

Hence my decision: I’m not going to update. Nothing is causing problems. Everything is working dependably and reliably. Secure Boot is golden. This time, I’ll pass… Maybe next time?

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, PowerShell, Recent Activity, WED Blog, Windows 11

How-To: Light Up Winget Icons

Leave a comment

Thanks to numerous requests, I’m providing step-by-step instrux in this unusual second blog post for today. It’s based on something that made me unreasonably happy earlier this week. That is:  WinGet can now display colorful package icons right inside Windows Terminal, rendered via sixel graphics. It’s a small visual upgrade that makes winget list –details output dramatically more readable. You get actual application icons inline with package data instead of a wall of monochrome text. But getting there requires a few specific steps. Here’s the complete recipe so you, too, can light up WinGet icons.

Why Must You Light Up WinGet Icons?

The current production version of WinGet is v1.28.220 as I write this post. The latest Preview version is v1.29.70-preview. Production is still catching up, so preview is a must for the moment. I imagine, though, that this will change with the next production version update. As with all moving targets, this one keeps changing along with everything else!

Step 1 — Get a Preview Version of Winget

Sixel icon support requires WinGet version 1.29.50-preview or later. The current stable release doesn’t include it. Check your version with winget -v. If you’re behind, try this first:

winget upgrade Microsoft.AppInstaller –source winget

If that doesn’t pick up the preview build, head to the microsoft/winget-cli releases page on GitHub, download the latest .msixbundle. If a double-click won’t install it, you can install it manually with Add-AppxPackage. Fair warning: on some machines the Microsoft Store installer handles dependencies automatically. On others, you’ll need to sideload VCLibs and Microsoft.UI.Xaml packages yourself.

Step 2 — Enable Sixels in Winget’s Settings (Not Terminal’s!)

This is the gotcha, and it got me for a short while. I confess: I mixed it up myself. The sixel toggle goes in WinGet‘s own settings file, NOT in Windows Terminal’s settings.json. Run winget settings to open the file. Add or merge a visual block so it looks like this:

{
“$schema”: “https://aka.ms/winget-settings.schema.json”,
“visual”: {
“enableSixels”: true,
“progressBar”: “rainbow”
}
}

The enableSixels: true setting tells WinGet to emit sixel graphics in its output. The progressBar key is optional —”rainbow“, “accent”, and “retro” work well (“sixel” works, but is hard to see). Any of these gives you graphical progress bars during installs, as a nice bonus.

Step 3 — Restart Terminal and Run It

Kill Terminal completely — not just close a tab. Right-click the taskbar icon and close the window, or kill the wt process outright. Relaunch. Then run:

winget list –details

Icons should appear for Win32 packages (exe/msi installers). MSIX packages won’t show icons — that’s a known limitation of the current pipeline, not a configuration error on your part. You can filter to a single package to test things quickly (I chose 7Zip, as it’s at the top of my ASCII sort order):

winget list –details 7zip

What to Expect

Not every package gets an icon. In my testing across two ThinkPads, icon coverage ranged from 26% to 31% of total installed packages. The dividing line is 100% correlated with installer category: Win32 packages (exe/msi) get icons, MSIX packages don’t. That’s an architectural gap Microsoft hasn’t bridged yet.

But what works, works beautifully. The icons are crisp, properly sized, and render instantly. It turns a dull text dump into something you can actually scan visually — which matters when you’re staring at 150+ installed packages trying to figure out what needs updating. Once you’ve got it set up, you won’t want to go back to the plain-text version. Cheers!

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Troubleshooting, WED Blog, Windows 11

X12 Tablet Gets Clean Install

Leave a comment

Something cratered the Lenovo ThinkPad X12 Detachable Tablet this weekend. I’d been screwing around with Secure Boot, recent updates, and more. When I sat at my desk Sunday morning, it was refusing to boot, and throwing error code 0xc0000428, which signals a winload.efi signature mismatch with what’s in firmware (see lead-in graphic). I did get the machine booted to recovery media on a UFD. I could’ve repaired and recovered the previous installation. But I decided that X12 Tablet gets clean install instead, so I could check a bunch of things out about a fresh, clean Windows 11 install. Here goes…

After X12 Tablet Gets Clean Install, Some Initial Checks

Having wrestled so much with Secure Boot lately, my first check was on that security layer. Indeed, Garlin’s check script revealed it was present, and more-or-less up-to-date. With minimal effort I was able to bring the X12 into full compliance with modern Secure Boot settings.

Next, I checked Smart App Control in Windows Security. It is currently set to Evaluation mode. I’m supposed to be able to switch between the On and Off states now. I need to finish configuring this PC and get an image backup tool in place, before I start fooling around with things. But the signs are promising. Right now SAC is working, and behaving just the way it’s supposed to work.

More About OOBE

After the post-GUI installation in Windows 11, the Out-of-Box Experience (OOBE) appears to guide users through final steps of the process. This time, I did get to choose the machine name I wanted (kept it at X12Hybrid) where it works properly. The network setup found my WAP right away, and I was off and running right away, too. It was also amusing to see how many, many backups I could’ve used when installing this PC (including an older X12 version dating back to 2022). But since I wanted a clean install experience, I skipped all that stuff.

Now Comes the Rest of the Job…

I’ve got to set up and customize the X12 to my usual liking. That’s probably going to mean an hour or two a day for the next few days. This afternoon I think I’m going to try using WinGet to export most of my app set from Flo6 to X12, and see how that works.

Stay tuned! It’s possible that things in my little corner of Windows-World are about to get interesting. If so, you’ll get more follow-up from  your humble correspondent. So far, so good, though.

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Secure Boot, Security, WED Blog, Windows 11

Windows Security Checks Secure Boot

1 Comment

I just read at WindowsLatest that the Windows Security app now includes a Secure Boot check beneath its Device Security left-column head. I checked all of the PCs in my office to make sure (7 of them). Sure enough. each now lists Secure boot amidst its elements. As the aforelinked story shows, when Windows Secure checks Secure Boot status it uses one of three visual symbols as quick indicators:

  • Green checkmark indicates Secure Boot is basically OK. There’s more going on here than meets the eye, as I’ll explain later.
  • Yellow exclamation (warning) indicates Secure Boot is running but the latest certificate (CA-2023) is not yet in place or use.
  • Red X (stop sign, error/problem) indicates the device cannot receive required updates to keep the Windows boot process secure.

Why Windows Security Checks Secure Boot Now

Microsoft added this new entry because Secure Boot certificates from 2011 are expiring in 2026. Thus, Windows needs a user‑visible way to show if a device has received the updated 2023 certificates. Up to now, Secure Boot status was invisible unless users dug into UEFI or used PowerShell.

But with certificates — CA-2011, specifically –expiring, Microsoft now needs some way to:

  • Tell users whether their system is still protected
  • Indicate whether the new certificates have been applied
  • Warn users if action is required (firmware update, OEM tool, etc.)
  • Provide a simple green/yellow/red indicator instead of forcing people to inspect UEFI variables

That makes the new Secure Boot section in Windows Security  essentially an approachable, easy-to-grasp health dashboard for the certificate update.

It’s Not as Easy as It Looks?

The WindowsLatest story shows the same green checkmark text as the lead-in graphic for this story. But when I checked a couple of my other machines, I saw something different. Here ’tis:

Note the difference in the text output here. Even though both forms proffer the green checkmark to denote Status=OK, the first one reads “Secure Boot is on and all required certificate updates have been applied. No further certificate changes are needed (bold emphasis mine).” However, the second one simply says “Secure boot is on, preventing malicious software from loading when your device starts up.”

The second doesn’t say “No further certificate changes are needed.” At first, I thought the difference might be that on some PCs the CA-2011 certificate had already been revoked (all OK PCs must have the CA-2023 cert installed, in use, and recognized in the boot loader to qualify for that status). But on one PC with the simpler message, the CA-2011 certificate shows revoked (it’s in the UEFI DBX Certs database, which means it’s blocked). And on the other PCs with the “no further” language the CA-2011 certs are still enrolled (they’re in the UEFI KEK and UEFI DB databases, and NOT in the UEFI DBX database).

So I’m still wondering exactly what’s going on here, and what MS is trying to tell us with these two different OK messages. I’ll keep digging and write more when I find or figure out what’s going on. A sense of mystery, and a willingness to suspend resolution pending necessary information, are familiar sensations in Windows-World. The plot thickens…but I hope, not too much!

Added 1 Hr Later: Word from the Top

I corresponded with Garlin himself on ElevenForum, and at his suggestion, ran his update_UEFI-CA2023. script on the P16G3. That brought all the DB certs into the UEFI DB (including Option ROM and Windows UEFI). It still shows VBS policy as missing. But it turns out that by running .\Update_UEFI-CA2023 -SkuSiPolicy and rebooting, I can take care of that. Here goes … another reboot. Now the Garlin check script gives the P16G3 a completely clean bill of health, but I still get the short message. Very interesting!

 

 

Facebooklinkedin
Facebooklinkedin
Device drivers, Insider stuff, Recent Activity, WED Blog, Windows 11

Rolling Back Fingerprint Reader Driver

Leave a comment

I have to laugh at myself a little ruefully. In checking over my Canary test platform just now — the snazzy little ThinkPad X12 Detachable Gen 1 hybrid tablet — I found the too-familiar BEX64 error in the mix. To those not already aware, this flags an out-of-bounds memory access, often from a driver or an associated dll. In this case it was the notoriously picky Synaptics Fingerprint reader. After looking over driver dates and versions, I realized my driver was newer than the official Lenovo offering. Thus, rolling back fingerprint reader driver was exactly the right thing to do. But there was a problem, also of my own making…

The Problem with Rolling Back Fingerprint Reader Driver

I’m relentless about using Driver Store Explorer (RAPR.exe) to clean up old drivers. Needless to say, that means the Rollback driver button in the fingerprint reader’s properties sheet was greyed out. Of course, that’s because the older driver had been removed from the Store. So I had to visit Lenovo support and grab the driver from there. Easily done, armed with the unit’s Serial Number thanks to Lenovo Vantage.

Another complication then presented. Because I was replacing a newer driver with an older one, I had to uninstall the new before attempting to install the old. Why? Because Device Manager doesn’t allow older drivers to over-write newer ones as a matter of policy. That is, Windows enforces this to prevent accidental regressions or security downgrades, so it refuses to overwrite a newer driver with an older one unless the newer one is removed first. An uninstall gets the previous driver out of the way, so the new install can proceed successfully.

All’s Well That Ends Well

I’m 100% confident that the driver swap worked. I’m expecting the fingerprint reader to behave well going forward. What makes me so confident? After installing the driver, I logged out and then used the selfsame fingerprint reader to log back in. It worked, and read my right index fingerprint from the already-defined biometric data at its disposal.

If there had been any issues with compatibility or workability, Windows Hello would have forced me to start afresh. That would mean proving my identity with a PIN, password, or other acceptable data. Then, I’d have had to re-scan my fingerprints to give the reader something to work with to establish my identity.

None of this happened. The fingerprint reader worked on the first try. I’m hopeful this will do away with the error documented in this post’s lead-in graphic. But as with so many other things in Windows-World, we’ll just have to wait and see what happens. Stay tuned!

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, WED Blog, Windows 11, Windows Update

OOB KB5086672 Pops Up

Leave a comment

I just got back from my morning constitutional. Windows prompted me for a PIN upon login. Then, the “Welcome” screen took 30-plus seconds to spin before I got to the desktop. “Hmmm,” I said to myself, “whaddya bet an update’s been applied to Flo6?” And indeed, upon inspection of the Update History, out-of-band (OOB) KB5086673 pops up at the head of the Quality Updates list.

Why Say: OOB KB5086672 Pops Up?

Flo6 is set up for maximum stability. Thus, it doesn’t sleep. So, for it to prompt me for system entry, I was pretty sure the PC had rebooted. So I asked Copilot to write me a PowerShell check. And sure enough, the results of running said script (see lead-in graphic) show two quick reboots back-to-back just after 1:30 this morning.

The boot type for both shows up as “0x0” which indicates a cold boot that otherwise proceeded and concluded normally. And indeed certain updates — including this one, as shown — do require a pair of reboots to successfully complete their efforts. Copilot says “That 95-second gap is textbook CU finalization timing” and “the reboot…was Windows completing the update you saw in Update History.” Good stuff!

How the Pop-Up Happened

I’ve got the toggle for “Get the latest updates as soon as they’re available” turned on. I’ve also got active hours set from 7AM to 6PM. So when the update triggered last night nothing stopped it from getting downloaded, applied, and rebooting on its own schedule. That’s how the pop-up happened, and why I saw a login prompt when I sat down in front of Flo6 this morning.

Here in Windows-World, things work the way they’re supposed to quite often behind the scenes and (mostly) unnoticed. The login prompt drew my notice, and I’m happy to say “nothing more to see here.” Let’s get back to work, shall we?

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, PowerShell, Recent Activity, WED Blog, Windows 11

Dude, Where’s My Icons?

Leave a comment

I just spent a couple of frustrating but informative hours trying to get icons to show up with WinGet on the latest Canary build (29558.1000). What started out as a minor visual quirk turned into a deep dive into the innards for App Installer, feature flags, and system-level packages. I’ll provide a step-by-step list of what I did, what I learned, and what others running Canary builds should know. At this point I’m still asking “Dude, where’s my icons?” for WinGet output. But I now know I won’t see them any time soon. I’ll explain…

Steps in Resolving “Dude, Where’s My Icons?”

The first step was to verify the WinGet version and its capabilities. Running winget –info revealed I was on version 1.29.50-preview. Notably, that output lacked usual capability lines including VT Support or Rich Output. That was my first clue that something wasn’t quite right.

Next, I visited the Microsoft Store. I navigated directly to the App Installer product page using the canonical link. The Store offered an Install button. When I clicked same, I expected it to overwrite the preview build with the stable version. After installation, the Store indeed reported the app as Installed. It lied!

I then closed all terminal sessions and opened a fresh CMD tab to recheck winget –info. Unfortunately, the version remained 1.29.50-preview. Worse still, the missing icon issue persisted. To investigate further, I ran PowerShell as Administrator and executed Get-AppxPackage Microsoft.DesktopAppInstaller -AllUsers. The output showed only one package: version 1.29.50.0, marked as NonRemovable. Was I stuck?

Yes, I Was Stuck…

The crux of the matter rests on how Canary builds handle App Installer. On these builds, the preview version of App Installer is baked into the OS image. Indeed, it’s registered as a system-level package. Because it is marked NonRemovable, neither the Microsoft Store nor PowerShell can uninstall or override it. That explains why even though the Store shows the stable App Installer as Installed, Windows continues to use the preview version.

Yep, sez right at bottom: NonRemovable: True

This locked-in preview build lacks support for feature flags like Visual Icons and Rich Output. Alas, their lack also explains the missing icon column in WinGet output. No attempts at reinstalling, resetting, or tweaking settings.json can override this limitation. Stuck indeed.

Note: the lead-in graphic for this story comes from the Build 29558.1000 announcement blog. I can see that damnable delectable icon there in the posting, but I’ll be darned if I can make it show up on my Canary install. Go figure!

 

 

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, Recent Activity, WED Blog

Magician Internal Updater Lags Behind

Leave a comment

I have to chuckle. In making my morning rounds, I see at TechPowerUp.com that there’s a new version of Samsung Magician out — namely, 9.0.1. So I jump into Magician and check its internal updater, which tells me I’ve got the latest version: 9.0.0. Alas, as Copilot tells me, it’s not unusual for the utility to do this. Indeed, as a matter of observed practice, the Magician internal updater lags behind Samsung’s software release schedule. It’s all laid out in the lead-in graphic. Let’s explore…

Why Magician Internal Updater Lags Behind

Apparently, Samsung waits until a new release has been out for some while before updating its xml-based manifest to make it known to the Magician updater through its update servers. According to Copilot, Samsung has been ill-served during previous release cycles by “buggy Magician releases,” “firmware-pushing issues,” “NVMe driver conflicts,” and so forth.

Thus, the company releases the new software first through public channels such as TechPowerUp, MajorGeeks, SoftPedia and other file-sharing sites. It then watches user responses from early adopters for up to a few days, and sees what the uptake and reactions are like. It’s not unusual for the manifest to lag behind by hours or days.

As you can see from the lead-in graphic, 9.0.1 was released today (3/30/2026). So it could be later today,  tomorrow, or even later this week before the built-in updater catches up. Unless Samsung pulls 9.0.1 back and decides to push out another, hopefully better release later on.

Here in Windows-World, the release paths for software often tell a story. The one for Samsung Magician is pretty interesting, and shows the value of lessons learned from prior history. You might say “Better later than sooner, especially if problems present!”

Note Added 2.5 Hrs Later: It’s Here!

Reading over ElevenForums traffic in the Devices & Drivers forum just now, saw a user report that Magician is offering 9.0.1 now. Just checked here and — there it is! Installing now, and glad to see it was a matter of hours, not days (or a pullback, either).

Works, too! Looks like we get to do things the easy way this time.

Facebooklinkedin
Facebooklinkedin
Insider stuff, Recent Activity, Thoughts & concerns, WED Blog

Sandbox Effect Keeps Spreading

Leave a comment

OK, I admit it. I run Adblocking software inside my web browsers. To see web pages nowadays, that means I bump them up to 150% so I can read the text. That leaves less room for other stuff, especially ads. But I’ve noticed that an increasing number of websites simply won’t let viewers visit unless those visitors permit the ads to show. So I open those sites inside Windows Sandbox because it works as a no-filters and no-blocks-applied environment. Alas, this “Sandbox effect” keeps spreading as more and more sites make me do this.

Why Say: Sandbox Effect Keeps Spreading

I got a particularly rude wake-up call about this on Wednesday. In fact, I didn’t even figure it out until this morning. Two days ago, I noticed that WinAero was coming up in Firefox (where it’s in my favorites) as an all-back page. I even asked Copilot what might be wrong and it speculated that something with the CDN (Content Distribution Network — e.g. Akamai, etc.) might be wonky.

Wrong. This morning, it dawned on me that this “black screen” might be a particularly draconian implementation of a “no ad blocking” policy. And indeed, that’s what it appears to be (lead-in graphic, left). When I open the same site in Windows Sandbox (lead-in graphic, right) it comes up in readable form right away. Wowie-Zowie.

The Sandbox List Is Growing

Minutes ago, I had a similar experience at Thurrott.com. I suppose I should be grateful, because that site operator at least had the courtesy to tell me what was going on. Here’s what it showed me after a click-through from a “problem loading the page” error message:

Life is interesting when one is inclined to appreciate being informed that they must watch ads on a website, or skedaddle. Here in Windows-World, gratitude often takes unusual forms. This one, methinks, is more unusual than most. Happy Friday!

Facebooklinkedin
Facebooklinkedin
Cool Tools, Insider stuff, Networking, Recent Activity, WED Blog, Windows 11

Reverse DNS Lookup Reveals Router Change

2 Comments

I’m pretty fond of the free network scanning tool named Advanced IP Scanner. It’s much more predictable and reliable than the Network facility built into File Explorer. It also makes it easy to do stuff to and over the network. I’ve been noticing on my LAN recently that an increasing number of PCs (and other devices) get DHCP names that end in “.lan” (see the lead-in graphic for more info). So I used a PowerShell script to do a reverse DNS lookup to double-check this. And indeed, this reverse DNS lookup reveals router change in my SAC2V1A Spectrum-supplied router. Looks like it got a recent firmware upgrade that changed its DNS/DHCP behaviors.

How Reverse DNS Lookup Reveals Router Change

I created a PowerShell script to talk to the router and give me DHCP names for all of the nodes it handles, using the ARP (address resolution protocol) as my foundation. If you look at this WinTerm screencap, the pattern is unmistakable:

I forcibly used ARP to drive reverse DNS lookups (from IP address to name from the router’s name table) for all active IP addresses. Notice that every single name here ends with the “.lan” suffix. That tells me Spectrum pushed a firmware update to the box, because it didn’t used to do that consistently for all items.

Why Advanced IP Scanner Shows Some Unadorned Names?

Advanced IP Scanner uses multiple techniques to resolve IP addresses to names. Among this is the NetBIOS Name Service (NBNS), Link-Local Multicast Name Resolution (LLMNR), Multicast DNS (mDNS), SMB/NetBIOS over TCP, and Reverse DNS (PTR lookup). Some or all of these return bare machine names, lacking the .lan suffix. As far as I can, whichever of these lookups responds first is the one that makes it to the name table. And that’s why Advanced IP Scanner shows different name strings than does my script.

Weird and wonderful are the ways of Windows-World. And few are anywhere near as weird, or as wonderful, as the ones that make name resolution work on Windows networks. QED!

Facebooklinkedin
Facebooklinkedin

Author, Editor, Expert Witness