|
Hasleo Backup Suite V5.8.2.2 Released!
|
(06-29-2026, 01:13 PM)Zombo Wrote:(06-27-2026, 12:51 PM)admin Wrote: @all, You're right. SVN is only checked when the 2011 certificate is revoked. For a Emergency USB Drive, replace X:\EFI\Boot\bootx64.efi (or bootaa64.efi for ARM64) with C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi, where X: is the drive letter of the USB drive.
06-29-2026, 05:03 PM
(06-29-2026, 03:28 PM)sugram Wrote: Is it no longer possible to create an ISO or USB stick with the free version? The free version still supports creating emergency media. The issue is caused by the fact that you are using the Enterprise edition. Thanks.
06-30-2026, 12:18 AM
(06-29-2026, 04:59 PM)admin Wrote:(06-29-2026, 01:13 PM)Zombo Wrote: The SVN is only checked if the 2011 cert is revoked. If there have not been any updates to the program I use but Windows has updated the secure boot variables I just run this command to update the USB media. In this example F: is the drive letter. copy C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi F:\EFI\boot\bootx64.efi
06-30-2026, 08:43 AM
(This post was last modified: 06-30-2026, 08:44 AM by Epictetus.
Edit Reason: typo
)
(06-30-2026, 12:18 AM)Zombo Wrote:(06-29-2026, 04:59 PM)admin Wrote: You're right. SVN is only checked when the 2011 certificate is revoked. For a Emergency USB Drive, replace X:\EFI\Boot\bootx64.efi (or bootaa64.efi for ARM64) with C:\Windows\Boot\EFI_EX\bootmgfw_EX.efi, where X: is the drive letter of the USB drive. So can you make something like this work if you boot using the HBS.ISO from a Ventoy drive? Or if not just turn off Secure Boot?
06-30-2026, 09:48 AM
(06-30-2026, 08:43 AM)Epictetus Wrote:This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy.(06-30-2026, 12:18 AM)Zombo Wrote: If there have not been any updates to the program I use but Windows has updated the secure boot variables I just run this command to update the USB media. We will know better when MS next updates the Boot Manager. It could be months or years.
06-30-2026, 11:52 AM
(06-30-2026, 09:48 AM)Bespoken Wrote:(06-30-2026, 08:43 AM)Epictetus Wrote: So can you make something like this work if you boot using the HBS.ISO from a Ventoy drive? Or if not just turn off Secure Boot?This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy. If you load Hasleo ED directly through the UEFI firmware (not via Ventoy or other tools), then you need to update the boot files. Since modifying the files inside the ISO is rather complicated, I think it would be simpler to just recreate the ISO from scratch. I am not very familiar with Ventoy. Technically speaking, if Ventoy's boot files can be loaded by the UEFI firmware, then Ventoy should be able to load the unmodified Hasleo ISO normally.
07-01-2026, 06:15 PM
(06-30-2026, 11:52 AM)admin Wrote:(06-30-2026, 09:48 AM)Bespoken Wrote: This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy. OK - thanks both. As usual, very educational here.
1 hour ago
(06-30-2026, 09:48 AM)Bespoken Wrote:(06-30-2026, 08:43 AM)Epictetus Wrote: So can you make something like this work if you boot using the HBS.ISO from a Ventoy drive? Or if not just turn off Secure Boot?This is uncharted territory as MS only updates the SVN when a vulnerability in the Boot Manager has been fixed. This has not been a common activity. It is possible that an update to Ventoy or HBS is all that may be required. Until these occur you may need to turn off Secure Boot. An alternate may be to use the above to update Ventoy. SVN is always increasing counter stored in your motherboard's UEFI/BIOS (meaning it only ever goes up). If a boot manager file carries an SVN lower than the minimum allowed value in your firmware, the PC will refuse to load it. This stops attackers from replacing updated boot files with older, vulnerable ones. You have three different SVN which may or may not match depending on if you revoked 2011 cert. FirmwareSVN <-- UEFI's current value BootManagerSVN <-- boot manager's current value StagedSVN <-- latest possible value from \Windows\System32\SecureBootUpdates\DBXUpdateSVN.bin, if you haven't applied revocation or recent Secure Boot updates You can see all these SVN with the powershell command: Get-SecureBootSVN The only time you will have a SVN mismatch right now is if you revoke the 2011 cert and as far as Microsoft are concerned you should not be doing that. The only step Microsoft expects people to be at right now is updated to the 2023 cert. On the latest update Microsoft extended the expire date of 2011 cert to October 2026. The last three monthly windows updates have updated the SVN from 7 then 8 and now 9. All these files are in C:\Windows\System32\SecureBootUpdates |
|
« Next Oldest | Next Newest »
|
Users browsing this thread: Zombo, 8 Guest(s)

