First, thank you for your response, dear abbodi1406 I also never use Secure Boot, because my HP BIOS/UEFI Default Settings disable that option, and I don't want to use it because in the future I can boot to Linux without any problems. Ok, so the default setting of "UpdtBootFiles=0" is currently recommended, because we know very well it will work from ancient to newest UEFI, unlike the "2023 UEFI" that maybe cannot boot in old motherboards.
With SecureBoot disabled, or in CSM/BIOS Legacy mode, the choice of 2011 vs. 2023 UEFI is actually irrelevant. You can always install from a trusted source with SecureBoot disabled, update the OS, and then enable it again, if you want. SecureBoot is only relevant with non-trusted sources.
If you add the CA 2023 cert to the UEFI's DB (allow list), but don't add CA 2011 to DBX (disallow list) -- then you can boot from either version with Secure Boot enabled.
Yeah, but you have to do it manually, and never run the Windows DBX update, as that one will update the blacklist, too.
So, to avoid any problem, and have the totally confidence your Windows/Linux ISO will boot, you can have always Secure Boot disabled. Because in reality, there's a more important setting you always have to enable: BIOS Password (for Setup/Configuration and Boot-Menu). Because an advanced user will always get/generated Windows ISOs from trusted source (UUP Dump, or SFV+GenuineVerification). Also, if someday a user wants to boot/install Linux, and has NVIDIA GPU, it's very recommended to disable permanently Secure Boot. This feature is oriented to people that don't have BIOS Password and want to prevent a malicious device to Boot in the computer/laptop. But again, without password, a bad guy can enter very easily to BIOS Setup, disable "SB" and boot whatever he wants.
Anyway, it's always recommended to Encrypt your Hard Drive if you have important files. Of course if that's only a Gaming PC and no more than that, the security is no so important.
https://github.com/gravesoft/CAS/tree/main/exe # Added .NET Framework console application to display the status without the need for Windows Powershell - runs with NetFx 3.5/2.0 family or 4.x family - works on Windows XP or later - supports the same features and command line parameters as equivalent powershell script - does not implement vNextDiag.ps1 functions (yet) use the Download ZIP from Code button to download the files properly (.exe.config file is needed to run on either NetFx 4 or 2)
Microsoft has blocked Shift+F10 in OOBE in latest updates. Can you add an option in W10UI to add bypassnro registry when making ISOs? Thanks in advance. Registry: Code: Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE] "BypassNRO"=dword:00000001
You can still implement it through unattend.xml in $OEM$ folder. Code: <settings pass="specialize"> <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64" language="neutral" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" publicKeyToken="31bf3856ad364e35" versionScope="nonSxS"> <RunSynchronous> <RunSynchronousCommand wcm:action="add"> <Order>1</Order> <Path>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\OOBE /v BypassNRO /t REG_DWORD /d 1 /f</Path> </RunSynchronousCommand> </RunSynchronous> </component> </settings>
Heyho Probably it's here the better place to ask: Another thing: Some feature request/wish: Option to make possible to chose edition while install-process. Or just... how to make it? I don't remember how it was possible with LTS boot etc. (I'm just used to create multi-choice [several sku based editions) images) Earlier it was with the removal of ei.cg but now/with LTS.. seems different or messed up some idk. With NTLite it works, but would love to make it by the script and using NTLite only for customizing. Now I see why I forgot how to make it: unattended.xml (that I only put in customs, not the to "untouched" updated one. I hope they will improve install.wim mechanic soon - its too unflexible ) Well, I guess it's time to generalize one (like what you can choose whatever for kind of customers) So not just make one normal OEM-like, nope, that one that fits 24000 till 26200+ while it's doing prework. lol. So I guess its time for copy the section of some other script, that I modified in a way it "pause" before creating iso.
Yep, how to make the script only picks and put build number in the name and build the iso then etc. I guess its only a few lines via cmd, but idk what to write exactly... I would like to do it with dism + oscdimg only instead of other tools.
Damn, I was afraid of that. Okay, then I'll start all over again with my “AIOs”. It's very much "just" an inner-monk-issue...
DISM kind of stucks: I think it was the old problem, I was greedy for space. So the VM got too less, in result dism kind of crashed. And now it tries to repeat steps n stuff... I tried a few commands (yea the failure removal scripts several times ofcs too) but still stuff fails now. Any ways to reset dism to a clean, ready state without pending stuff? (Later)
Okay no matter what, x86 fails... I remember I had that already long ago.. mhh.. (Later) @abbodi1406 any idea what that stuff means?