Thread Rating:
  • 3 Vote(s) - 4.67 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Hasleo Backup Suite V5.8.2.2 Released!
Is it no longer possible to create an ISO or USB stick with the free version?

   

or is it because the Enterprise version is running here?
Reply
(06-29-2026, 01:13 PM)Zombo Wrote:
(06-27-2026, 12:51 PM)admin Wrote: @all,

Now that UEFI firmware checks the Security Version Number (SVN) of boot files during startup, a practical issue arises: Windows security updates may raise the minimum allowed SVN recorded in the firmware, causing any Emergency Disk created before that update to become unbootable because its boot loader is too old. This means we can no longer guarantee that an Emergency Disk will always boot properly with Secure Boot enabled. In such cases, users must either recreate the Emergency Disk or temporarily disable Secure Boot to boot from the old one.

Best regards,

The SVN is only checked if the 2011 cert is revoked.

To make sure you are always using the latest boot files for making rescue media using 2023 is to copy the file from C:\Windows\Boot\EFI_EX as that will always have the latest update to secure boot after Windows Updates.

What I was doing before 5.8.2.2 was just copying the file to Hasleo then creating rescue media within the Hasleo GUI and even if 2011 was revoked this would boot without any SVN mismatch error.

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi "C:\Program Files\Hasleo\Hasleo Backup Suite\bin\WADK\Boot\EFI_EX\bootmgfw.efi"

You're right. SVN is only checked when the 2011 certificate is revoked. For a Emergency USB Drive, replace X:\EFI\Boot\bootx64.efi (or bootaa64.efi for ARM64) with C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi, where X: is the drive letter of the USB drive.
Reply
(06-29-2026, 03:28 PM)sugram Wrote: Is it no longer possible to create an ISO or USB stick with the free version?



or is it because the Enterprise version is running here?

The free version still supports creating emergency media. The issue is caused by the fact that you are using the Enterprise edition. Thanks.
Reply
(06-29-2026, 04:59 PM)admin Wrote:
(06-29-2026, 01:13 PM)Zombo Wrote: The SVN is only checked if the 2011 cert is revoked.

To make sure you are always using the latest boot files for making rescue media using 2023 is to copy the file from C:\Windows\Boot\EFI_EX as that will always have the latest update to secure boot after Windows Updates.

What I was doing before 5.8.2.2 was just copying the file to Hasleo then creating rescue media within the Hasleo GUI and even if 2011 was revoked this would boot without any SVN mismatch error.

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi "C:\Program Files\Hasleo\Hasleo Backup Suite\bin\WADK\Boot\EFI_EX\bootmgfw.efi"

You're right. SVN is only checked when the 2011 certificate is revoked. For a Emergency USB Drive, replace X:\EFI\Boot\bootx64.efi (or bootaa64.efi for ARM64) with C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi, where X: is the drive letter of the USB drive.


If there have not been any updates to the program I use but Windows has updated the secure boot variables I just run this command to update the USB media.

In this example F: is the drive letter.

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi F:\EFI\boot\bootx64.efi
Reply
(06-30-2026, 12:18 AM)Zombo Wrote:
(06-29-2026, 04:59 PM)admin Wrote: You're right. SVN is only checked when the 2011 certificate is revoked. For a Emergency USB Drive, replace X:\EFI\Boot\bootx64.efi (or bootaa64.efi for ARM64) with C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi, where X: is the drive letter of the USB drive.


If there have not been any updates to the program I use but Windows has updated the secure boot variables I just run this command to update the USB media.

In this example F: is the drive letter.

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi F:\EFI\boot\bootx64.efi

So can you make something like this work if you boot using the HBS.ISO from a Ventoy drive? Or if not just turn off Secure Boot?
Reply
(06-30-2026, 08:43 AM)Epictetus Wrote:
(06-30-2026, 12:18 AM)Zombo Wrote: If there have not been any updates to the program I use but Windows has updated the secure boot variables I just run this command to update the USB media.

In this example F: is the drive letter.

copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi F:\EFI\boot\bootx64.efi

So can you make something like this work if you boot using the HBS.ISO from a Ventoy drive? Or if not just turn off Secure Boot?
This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy.

We will know better when MS next updates the Boot Manager. It could be months or years.
Reply
(06-30-2026, 09:48 AM)Bespoken Wrote:
(06-30-2026, 08:43 AM)Epictetus Wrote: So can you make something like this work if you boot using the HBS.ISO from a Ventoy drive? Or if not just turn off Secure Boot?
This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy.

We will know better when MS next updates the Boot Manager. It could be months or years.

If you load Hasleo ED directly through the UEFI firmware (not via Ventoy or other tools), then you need to update the boot files. Since modifying the files inside the ISO is rather complicated, I think it would be simpler to just recreate the ISO from scratch.

I am not very familiar with Ventoy. Technically speaking, if Ventoy's boot files can be loaded by the UEFI firmware, then Ventoy should be able to load the unmodified Hasleo ISO normally.
Reply
(06-30-2026, 11:52 AM)admin Wrote:
(06-30-2026, 09:48 AM)Bespoken Wrote: This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy.

We will know better when MS next updates the Boot Manager. It could be months or years.

If you load Hasleo ED directly through the UEFI firmware (not via Ventoy or other tools), then you need to update the boot files. Since modifying the files inside the ISO is rather complicated, I think it would be simpler to just recreate the ISO from scratch.

I am not very familiar with Ventoy. Technically speaking, if Ventoy's boot files can be loaded by the UEFI firmware, then Ventoy should be able to load the unmodified Hasleo ISO normally.

OK - thanks both. As usual, very educational here.
Reply
(06-30-2026, 09:48 AM)Bespoken Wrote:
(06-30-2026, 08:43 AM)Epictetus Wrote: So can you make something like this work if you boot using the HBS.ISO from a Ventoy drive? Or if not just turn off Secure Boot?
This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy.

We will know better when MS next updates the Boot Manager. It could be months or years.


 SVN is always increasing counter stored in your motherboard's UEFI/BIOS (meaning it only ever goes up). If a boot manager file carries an SVN lower than the minimum allowed value in your firmware, the PC will refuse to load it. This stops attackers from replacing updated boot files with older, vulnerable ones.

You have three different SVN which may or may not match depending on if you revoked 2011 cert.


FirmwareSVN <-- UEFI's current value

BootManagerSVN <-- boot manager's current value

StagedSVN <-- latest possible value from \Windows\System32\SecureBootUpdates\DBXUpdateSVN.bin, if you haven't applied revocation or recent Secure Boot updates

You can see all these SVN with the powershell command: Get-SecureBootSVN

The only time you will have a SVN mismatch right now is if you revoke the 2011 cert and as far as Microsoft are concerned you should not be doing that.
The only step Microsoft expects people to be at right now is updated to the 2023 cert.
On the latest update Microsoft extended the expire date of 2011 cert to October 2026.

The last three monthly windows updates have updated the SVN from 7 then 8 and now 9.

All these files are in C:\Windows\System32\SecureBootUpdates
Reply


Forum Jump:


Users browsing this thread: Zombo, 8 Guest(s)