1. Information

1.1. BIOS/UEFI

  • How to enter the BIOS/UEFI.

    Dell Inspiron
    MSI Katana notebooks    DEL key <1>     Hold Shift key during restart
    
    
    BIOS/UEFI
    Boot Menu
    Advanced Startup Options / Windows Recovery Environment (WinRE)
    WinRE   Hold Shift key while selecting Restart          (1)
    
    
    In Windows 11, go to Start > Settings > System > Recovery. Next to Advanced startup, select Restart now.        NOT WORKING
    CMD: shutdown.exe /r /o /f /t 00        # Fails with: The parameter is incorrect.(87)
    CMD: shutdown.exe /r /f /t 00           # Not working.
    Hold Shift key while selecting *Restart*.
1 There is a hidden advanced menu for MSI Katana notebooks. Navigate to Advanced and press Left ALT + Right SHIFT + Right CTRL + F2. See also Advanced BIOS for MSI Katana 15.
wt.exe -p "Command Prompt"
wt.exe -p "PowerShell"
  • Run Dell Update.

2. Issues

GRENDELL02

Program Compatibility Assistant

A driver cannot load on this device

Driver: pcdsrvc_x64.pkms
pcdsrvc_x64.pkms

A security setting is detecting this as a vulnerable driver and blocking it from loading.
You'll need to adjust your settings to load this driver

3. Essential

  • Fix double quote issue by settings language ???

  • Configure Windows Terminal.

    • Enable Settings > Interaction > Automatically copy selection to clipboard.

  • Add Admin account.

    net.exe user
    net.exe user Admin <pw> /add
    net.exe user Admin
    net.exe localgroup "Administrators" "Admin" /add
  • Install latest updates.

    • Select Settings > System > Windows Update.

  • Install latest optional updates.

    • Select Settings > System > Windows Update > Advanced options > Optional updates.

  • Set default shell to PowerShell instead of Command Prompt.

  • Select Settings > System > Advanced > Terminal > Let Windows decide.

  • Enable Settings > System > Privacy & security > Device encryption.

3.1. Windows Pro

  • Enter the following commands at a Command Prompt with administrative privileges.

    manage-bde.exe -status
    manage-bde.exe -protectors -add C: -TPM                 (1)
    manage-bde.exe -protectors -add C: -RecoveryPassword
    :: Copy and paste the recovery password to a safe location.
    :: Copy and paste the recovery passwords in the RootPasswords.kdbx KeePass database under "Additional Attributes".
    manage-bde.exe -on C: -EncryptionMethod xts_aes128 -SkipHardwareTest
    manage-bde.exe -status
    :: Wait for the encryption to finish.
    manage-bde.exe -status
1 Type manage-bde.exe -tpm -TurnOn when you get the following error:
ERROR: The TPM cannot be used to protect this volume. The TPM is off.
If you still get the above error,
Type move C:\Windows\System32\Recovery\ReAgent.xml C:\Windows\System32\Recovery\ReAgent.old.
  • Save downloaded installers in the C:\Users\Douwe\OneDrive - Grendel Games BV\Software folder.

  • Note: Inventories should be saved in a secure location because they contain the BitLocker or Device Encryption recovery passwords.

  • Run cleanmgr.exe.

  • Run and save inventories in the C:\Users\Douwe\OneDrive - Grendel Games BV\Inventory folder.

  • Run and save inventories in the C:\Users\Admin\OneDrive - Grendel Games BV\Inventory folder. ???

Your PIN is no longer available due to a change to the security settings on this device. Click to set up your PIN again.

  • Select Set up my PIN.

  • Select Use your password instead.

  • Browse to https://account.live.com/proofs/marklost.

  • Sign in with grenasus01@outlook.com.

  • Optional: If asked for a code try another computer/device. For example, KATANA1 asked for a code, but KATANA3 didn’t.

  • Select Add another way to sign in to your account.

  • Select Email a code.

  • Enter an email account where you would like to receive the codes.

  • Click Next.

  • Enter the code received by email.

  • Click Next.

  • Expand the obsolete Email a code.

  • Click Remove.

  • Click Remove to confirm.

  • Click OK.

    Windows Hello lets you sign in to your device apps, online services and networks using your face, fingerprint or a PIN.
    You can also reset Windows Hello so that nobody can use it to access your Microsoft account services,
    including Xbox cloud services. You will still be able to unlock your devices.
  • Select Reset Windows Hello on all of my Windows devices.

  • Click Reset Windows Hello.

  • Settings > Accounts > Your accounts

  • Settings > Accounts > Other users

  • Note: PIN (Windows Hello) prevents signing in when connecting to a remote computer with RDP.

  • Disable PIN (Windows Hello) from user account.

    • Log in as user.

    • Select Settings > Accounts > Sign-in options.

    • Disable For improved security, only allow Windows Hello sign-in for Microsoft accounts on this device (Recommended).

    • Expand PIN (Windows Hello).

    • Select Remove this sign-in option > Remove.

    • Click Remove to confirm.

    • Type the account’s password and click OK.

  • Allow ping from other subnets for Domain, Private and Public profiles.

        $DisplayName = "File and Printer Sharing (Echo Request - ICMPv4-In)"
        netsh.exe advfirewall firewall show rule name="$DisplayName"
        $DisplayName = "File and Printer Sharing (Echo Request - ICMPv6-In)"
        netsh.exe advfirewall firewall show rule name="$DisplayName"
    
        $DisplayName = "File and Printer Sharing (Echo Request - ICMPv4-In)"
        if (Get-Command -ErrorAction SilentlyContinue -Module NetSecurity) {
            $Rules = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue | Where-Object { $_.Direction -eq "Inbound" }
            foreach ($Rule in $Rules) { Set-NetFirewallRule -Enabled True -InputObject $Rule -RemoteAddress Any }
        } else {
            if (netsh.exe advfirewall firewall show rule name="$DisplayName") {
                $Null = netsh.exe advfirewall firewall set rule name="$DisplayName" new enable=yes remoteip=any
            }
        }
    
        $DisplayName = "File and Printer Sharing (Echo Request - ICMPv6-In)"
        if (Get-Command -ErrorAction SilentlyContinue -Module NetSecurity) {
            $Rules = Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue | Where-Object { $_.Direction -eq "Inbound" }
            foreach ($Rule in $Rules) { Set-NetFirewallRule -Enabled True -InputObject $Rule -RemoteAddress Any }
        } else {
            if (netsh.exe advfirewall firewall show rule name="$DisplayName") {
                $Null = netsh.exe advfirewall firewall set rule name="$DisplayName" new enable=yes remoteip=any
            }
        }

4. Pritunl Dashboard

  • Select Users.

  • Select <User> | Get two-step authentication key.

  • Copy and paste the key in the KeePassXC password manager.

  • Click Close.

  • Select <User> | Get temporary profile links.

  • Copy and paste the Temporary uri link for Pritunl Client, expires after 24 hours in the Pritunl Client.

5. Setup

5.1. Installations

  • Install Thinstuff.

  • Install KeePassXC.

  • Install OpenSSH Server.

    Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
    Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
    Add-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0
    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
    Get-WindowsCapability -Online | Where-Object Name -like "OpenSSH*"
    Get-NetFirewallRule -Name *ssh*
    Get-ChildItem "${Env:SystemRoot}\System32\OpenSSH\ssh.exe"  | Format-List *
    Get-ChildItem "${Env:SystemRoot}\System32\OpenSSH\sshd.exe" | Format-List *
  • Install Pritunl VPN.

5.2. Configurations

  • Add a local Admin user account that has administrative privileges.

  • Configure OpenSSH Server.

    • Open Services (services.msc).

    • Set Startup type to Automatic for the OpenSSH Server service.

    • Start the OpenSSH Server service.

    • Quit Services.

6. Information

Grendel Games has Windows 11 Home and Windows 11 Pro computers.

A shared device will not be used by a single person. An example of such a device is a testing laptop.

  • Note: The winver command shows the account that Windows is licensed to.

  • Computers that have been configured.

    Computer Name   Model                           OS Version        Build   Licensed to
    -------------   -----------------------------   ---------------   -----   -----------------------
    Asus Vivo       ???                             ???               ????    ???
    BACKSLASH3      HP OMEN 30L Desktop GT13-1xxx   Windows 11 Home   25H2    erwinterpstra@gmail.com
    GRENDELL01      Dell Inspiron 7590              Windows 11 Pro    25H2    user name, org name       8152HX2
    GRENDELL02      Dell Inspiron 7590              Windows 11 Pro    25H2    user name, org name       1252HX2
    KATANA1         MSI Katana A15 AI B8VF          Windows 11 Home   25H2    grenasus01@outlook.com
    KATANA3         MSI Katana A15 AI B8VF          Windows 11 Home   25H2    grenasus01@outlook.com
    Inventory.bat Show-Inventory
    Set-ExecutionPolicy Bypass
    .\Downloads\Get-UEFICertificate.ps1 | Sort-Object -Property Subject | Select-Object -Property Subject, Description, Expires
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
    ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
    Computer Name         Encryption       Protection  KeePassXC  OpenSSH  Pritunl      Thinstuff  TOTP.kdbx  UEFI Cert (Active)  UEFI Cert (Default)
    -------------         ---------------  ----------  ---------  -------  -----------  ---------  ---------  ------------------  -------------------
    Asus Vivo             ???              ??          ???        ???      ???          ???        -          ???                 ???
    BACKSLASH3            Fully Encrypted  On          2.7.12     9.5.5.1  -            1.0.974    -          True                False
    GRENDELL01            Fully Encrypted  On          2.7.12     9.5.0.1  1.3.4566.62  1.0.974    Yes        False               False
    GRENDELL02            Fully Encrypted  On          2.7.12     9.5.5.1  1.3.4566.62  1.0.974    Yes        False               False
    Grendel Asus TUF
    KATANA1               Fully Encrypted  On          2.7.12     9.5.5.1  1.3.4566.62  1.0.974    Yes        True                True
    KATANA2
    KATANA3               Fully Encrypted  On          2.7.12     9.5.5.1  1.3.4566.62  1.0.974    Yes        True                True
    Macbook (Old)
    Macbook Pro (Newton)
    Database Name:      TOTP
    Description:
  • Start KeePassXC.

  • Click Create Database.

  • Type TOTP for the Database Name.

  • Click Continue.

  • Click Continue.

  • Type the user account’s password.

  • Type the user account’s password.

  • Click Done.

  • Click Continue with weak password.

  • Type TOTP and click Save.

  • Close KeePassXC.

  • Passwords for shared/test devices are at RootPasswords > Computers.

  • The password for the TOTP.kdbx KeePassXC database is the Windows account password.

    Computer Name           Shared/Test Device      IP Address      Local Account                   Pritunl VPN Account
    -------------           ------------------      ----------      -----------------------------   -------------------
    Asus Vivo                                                                                       Shared_ASUSVivo01
    BACKSLASH3              No                      10.1.7.96       Admin/Douwe                     x
    GrenDell01              Yes                     10.1.7.133      xxx/Grendel                     Shared_GrenDell01
    GrenDell02              Yes                     10.1.7.113      Admin/AlexWijnbeek/Grendel/nx   Shared_GrenDell02
    Grendel Asus TUF
    KATANA1                 Yes                     10.1.7.231      Admin/Grena                     Shared_Katana1
    KATANA2
    KATANA3                 Yes                     10.1.7.241      Admin/Grena                     Shared_Katana3
    Macbook (Old)
    Macbook Pro (Newton)                                                                            Shared_Newton
grena, Microsoft account, Grendel Asus 1, grenasus01@outlook.com, Grendel password at GrendelPasswords > OS > GrenDell (01 and 02).

6.1. Shared Devices

A shared device will not be used by a single person. An example of such a device is a testing laptop.

  • Create a TOTP password database in the C:\Users\<User> folder.

  • Set up an entry for the Pritunl VPN Client.

7. Device Encryption

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

  • Enter the following commands in Windows Terminal at a PowerShell shell with administrative privileges.

    ${Env:ComputerName}
    (Get-Partition -DriveLetter ($Env:SystemDrive.TrimEnd(':')) | Get-Disk).PartitionStyle          # GPT
    TpmTool.exe GetDeviceInformation
    COMPUTERNAME=KATANA3
    GPT
    
    -TPM Present: True
    -TPM Version: 2.0
    -TPM Manufacturer ID: MSFT
    -TPM Manufacturer Full Name: Microsoft
    -TPM Manufacturer Version: 6.4.1.383
    -PPI Version: 1.3
    -Is Initialized: True
    -Ready For Storage: True
    -Ready For Attestation: True
    -Is Capable For Attestation: True
    -Clear Needed To Recover: False
    -Clear Possible: True
    -TPM Has Vulnerable Firmware: False
    -Bitlocker PCR7 Binding State: Binding Possible
    -Bitlocker PCR7 Binding State: Binding Not Possible                             <-----------------------------------------------
    -Bitlocker PCR7 Binding State: Bound
    -Maintenance Task Complete: True
    -TPM Spec Version: 1.38
    -TPM Errata Date: Wednesday, December 18, 2019
    -PC Client Version: 1.04
    -Lockout Information:
            -Is Locked Out: False
            -Lockout Counter: 0
            -Max Auth Fail: 32
            -Lockout Interval: 7200s
            -Lockout Recovery: 86400s
  • Enter the following commands at a Command Prompt with administrative privileges.

    msinfo32.exe
    manage-bde.exe -Status
    PCR7 Configuration                      Binding Possible
    PCR7 Configuration                      Binding Not Possible
    PCR7 Configuration                      Bound
    Automatic Device Encryption Support     Meets prerequisites
    Automatic Device Encryption Support     Reasons for failed automatic device encryption: Disabled by policy
    Automatic Device Encryption Support     Reasons for failed automatic device encryption: PCR7 binding is not supported, Un-allowed DMA capable bus/device(s) detected, Disabled by policy
  • Note: Make sure that in the System Information window PCR7 Configuration shows Binding Possible or Bound and that Automatic Device Encryption Support shows Meets prerequisites. If not, Device encryption is missing under Security in Settings > Privacy & security.

  • Note: Make sure the drives are Fully Encrypted instead of Used Space Only Encrypted.

  • Enter the following commands at a Command Prompt with administrative privileges.

    :: See https://superuser.com/questions/1856940/enabling-device-encryption-support-in-windows-11-but-errors-pcr-7-binding-is-n
    reg.exe query HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption
    reg.exe add   HKLM\SYSTEM\CurrentControlSet\Control\BitLocker /v PreventDeviceEncryption /t REG_DWORD /d "0" /f
    
    :: Turn off device encryption when the conversion status is "Used Space Only Encrypted".
    manage-bde.exe -Off D:
    manage-bde.exe -Off C:
    
    :: Show status and wait for the conversion status to be "Fully Decrypted".
    :: Wait for the decryption to finish.
    manage-bde.exe -Status
  • Enter Windows Recovery Environment (WinRE) to enable Device Encryption.

    • Option 1: Select Settings > System > Recovery > Advanced startup > Restart now.

    • Option 2: Hold the Shift key and select Restart from the Start menu.

  • Select Troubleshoot > Advanced options > Command Prompt.

  • Enter the following commands at the Command Prompt.

    :: Enable device encryption.
    manage-bde.exe -On C: -EncryptionMethod xts_aes128 -SkipHardwareTest
    manage-bde.exe -On D: -EncryptionMethod xts_aes128 -SkipHardwareTest
    manage-bde.exe -Status
  • Restart the computer. There is no need to wait for the encryption to finish.

  • Enter the following commands at a PowerShell Command Prompt with administrative privileges.

    # Show status and wait for the conversion status to be "Fully Encrypted".
    manage-bde.exe -Status
    
    # List and save the recovery passwords in the RootPasswords.kdbx KeePass database under "Additional Attributes".
    manage-bde.exe -Protectors -Add C: -RecoveryPassword -TPM
    manage-bde.exe -AutoUnlock -Enable D:
    manage-bde.exe -Protectors -Add -RecoveryPassword D:
    
    # Enable the protector.
    manage-bde.exe -Protectors -Enable C:
    manage-bde.exe -Protectors -Enable D:
    manage-bde.exe -Status
    manage-bde.exe -Protectors -get C:
    manage-bde.exe -Protectors -get D:
    BitLocker Drive Encryption: Configuration Tool version 10.0.26100
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    
    Key protectors are enabled for volume D:.
    
    C:\Users\Douwe>manage-bde.exe -status
    BitLocker Drive Encryption: Configuration Tool version 10.0.26100
    Copyright (C) 2013 Microsoft Corporation. All rights reserved.
    
    Disk volumes that can be protected with
    BitLocker Drive Encryption:
    Volume C: [Windows]
    [OS Volume]
    
        Size:                 952.82 GB
        BitLocker Version:    2.0
        Conversion Status:    Fully Encrypted                               <----------------------------
        Percentage Encrypted: 100.0%
        Encryption Method:    XTS-AES 128
        Protection Status:    Protection On                                 <----------------------------
        Lock Status:          Unlocked
        Identification Field: Unknown
        Key Protectors:
            Numerical Password
            TPM
    
    Volume D: [DATA]
    [Data Volume]
    
        Size:                 953.87 GB
        BitLocker Version:    2.0
        Conversion Status:    Fully Encrypted                               <----------------------------
        Percentage Encrypted: 100.0%
        Encryption Method:    XTS-AES 128
        Protection Status:    Protection On                                 <----------------------------
        Lock Status:          Unlocked
        Identification Field: Unknown
        Automatic Unlock:     Enabled
        Key Protectors:
            External Key (Required for automatic unlock)
            Numerical Password
  • List and save the recovery passwords in the RootPasswords.kdbx KeePass database under Additional Attributes.

    manage-bde.exe -Protectors -Get C:
    manage-bde.exe -Protectors -Get D:
    powershell.exe -Command "(Get-BitLockerVolume -MountPoint C:).KeyProtector.RecoveryPassword"
    powershell.exe -Command "(Get-BitLockerVolume -MountPoint D:).KeyProtector.RecoveryPassword"
  • Note: In Settings > Privacy & security > Device encryption it shows None of your drives can be managed with device encryption. However, the drive(s) are fully encrypted.

  • Sign in to Windows with a Microsoft account.

  • Select Back up your recovery key in Control Panel > Device Encryption.

  • Select Save to your Microsoft account.
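
The "Fully Encrypted" and "Protection On" targets in this section can be checked by script instead of by eye. The following is an added example, not part of the original notes: it parses English manage-bde.exe -status text and reports each volume that misses those targets or has no recovery password protector. The function names and the sample output are constructed for illustration.

```powershell
# Added example, not part of the original notes. Assumes English manage-bde output.
function ConvertFrom-ManageBdeStatus {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string[]] $Line)

    $volumes = [System.Collections.Generic.List[object]]::new()
    $current = $null
    $inProtectors = $false
    foreach ($text in $Line) {
        if ($text -match '^\s*Volume\s+(?<mp>[A-Z]:)') {
            # New volume section, e.g. "Volume C: [Windows]".
            $current = [ordered]@{ MountPoint = $Matches['mp']; KeyProtectors = @() }
            $volumes.Add($current)
            $inProtectors = $false
        } elseif ($null -eq $current) {
            continue                                  # banner lines before the first volume
        } elseif ($text -match '^\s*Key Protectors:\s*$') {
            $inProtectors = $true                     # protector names follow, one per line
        } elseif ($text -match '^\s*(?<k>[^:]+):\s+(?<v>\S.*)$') {
            $current[$Matches['k'].Trim()] = $Matches['v'].Trim()
            $inProtectors = $false
        } elseif ($inProtectors -and $text.Trim()) {
            $current['KeyProtectors'] += $text.Trim()
        } else {
            $inProtectors = $false                    # blank line or a label such as "[OS Volume]"
        }
    }
    return $volumes
}

function Get-BdeFinding {
    param([Parameter(Mandatory)] $Volume)
    $findings = @()
    if ($Volume['Conversion Status'] -ne 'Fully Encrypted') {
        $findings += "conversion status is '$($Volume['Conversion Status'])'"
    }
    if ($Volume['Protection Status'] -ne 'Protection On') {
        $findings += "protection status is '$($Volume['Protection Status'])'"
    }
    # manage-bde lists a recovery password as "Numerical Password".
    if ($Volume['KeyProtectors'] -notcontains 'Numerical Password') {
        $findings += 'no recovery password protector to store in the password database'
    }
    [pscustomobject]@{
        MountPoint = $Volume['MountPoint']
        Compliant  = ($findings.Count -eq 0)
        Findings   = $findings -join '; '
    }
}

# Constructed sample: C: is in the target state, D: is the "Used Space Only" case.
$sample = @'
Volume C: [Windows]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection On
    Key Protectors:
        Numerical Password
        TPM

Volume D: [DATA]
[Data Volume]

    Conversion Status:    Used Space Only Encrypted
    Percentage Encrypted: 100.0%
    Protection Status:    Protection Off
    Key Protectors:
        External Key (Required for automatic unlock)
'@ -split '\r?\n'

# On a real machine, pass the live output instead: -Line (manage-bde.exe -status)
ConvertFrom-ManageBdeStatus -Line $sample | ForEach-Object { Get-BdeFinding -Volume $_ } | Format-List
```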

8. UEFI Boot Certificates

  • See https://github.com/richardhicks/uefi.

    ${Env:ComputerName}
    BACKSLASH3
    PS C:\Users\Douwe> .\Get-UEFICertificate.ps1 | Sort-Object -Property Subject | Select-Object -Property Subject, Description, Expires
    
    Subject                                                                                          Description        Expires
    -------                                                                                          -----------        -------
    CN=Microsoft Corporation KEK 2K CA 2023, O=Microsoft Corporation, C=US                           Key Exchange Key   2038-03-02 21:31:35
    CN=Microsoft Corporation UEFI CA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US    Signature Database 2026-06-27 23:32:45
    CN=Microsoft Option ROM UEFI CA 2023, O=Microsoft Corporation, C=US                              Signature Database 2038-10-26 21:12:20
    CN=Microsoft UEFI CA 2023, O=Microsoft Corporation, C=US                                         Signature Database 2038-06-13 21:31:47
    CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US Signature Database 2026-10-19 20:51:42
    CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US                                           Signature Database 2035-06-13 21:08:29
    O=HP Inc., C=US, OU=CODE-SIGN, CN=HP UEFI Secure Boot DB 2017                                    Signature Database 2033-01-17 00:59:59
    O=HP Inc., C=US, OU=CODE-SIGN, CN=HP UEFI Secure Boot PK 2017                                    Platform Key       2033-01-17 00:59:59
    
    
    PS C:\Users\Douwe> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
    True
    PS C:\Users\Douwe> ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')
    False

9. Updates

  • Open Settings.

  • Select System > Windows Update.

  • Click Check for updates.

  • Select Advanced options > Optional updates.

  • Expand Driver updates.

  • Check all available updates.

  • Click Download & install.

  • Quit Settings.

10. Inventory Issues

GRENDELL01

Collecting OS license information.
Method invocation failed because [System.Object[]] does not contain a method named 'op_Division'.
At line:10398 char:9
+         $RemainingDays = [String] [System.Math]::Truncate($RemainingM ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Division:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound

Collecting OS version information.

GRENDELL02

User Profiles:                          Admin, Default, Grendel, nx
Users with administrative privileges:   AzureAD/AlexWijnbeek, GRENDELL02/Admin, GRENDELL02/Administrator, GRENDELL02/Grendel, GRENDELL02/nx, S-1-12-1-2496101075-1165365848-1414977203-1217886771, S-1-12-1-2612883194-1121266140-874514105-3787975292
Users with OpenVPN privileges:

KATANA1

Collecting TeamViewer information.
The property 'Version' cannot be found on this object. Verify that the property exists.
At line:22132 char:9
+     if (($TeamViewer -ne "") -and ($TeamViewerInfo.Version -ne "")) {
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

Collecting VMware Workstation information.
Fully Qualified Domain Name:            WORKGROUP
Please enable location services.
Enable Settings > Privacy & security > Location > Let apps access your location.
Enable Settings > Privacy & security > Location > Let desktop apps access your location.
IP Address:                             10.1.7.231, Dynamic, Ethernet
TeamViewer:                             TeamViewer {15.67.5} [64~bit]
The property 'UseWhitelist' cannot be found on this object. Verify that the property exists.
At line:24205 char:9
+     if (($SWInfo.TeamViewer) -and ($SWInfo.TeamViewerInfo.UseWhitelis ...
+         ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], PropertyNotFoundException
    + FullyQualifiedErrorId : PropertyNotFoundStrict

Key Implications for Inspiron 7590:

Certificate Expiration: The 2011 Secure Boot certificates expire starting June 2026.
No Planned Updates: There are no planned BIOS updates to include the 2023 certificates for this model.
Booting After 2026: This does not mean the laptop will stop working in June 2026. The system can still boot, but it may not receive further security component updates via Windows Update, leaving it in a compromised security state.
Warning: Do not reset the Secure Boot Certificates to default if they are updated by Windows Update, as the 7590 BIOS cannot restore the new certificates from its firmware.

How to Check Your Current Certificates: You can check if your system already has the updated 2023 certificates via PowerShell (run as Administrator):

Type the following command to check if "Windows UEFI CA 2023" is in the Active DB:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023')
If this returns True, your system is updated.
If this returns False, your system is only using the 2011 certificates and will be affected by the June 2026 expiration.

If you have already encountered issues or toggled Secure Boot, you may need to look for specific BIOS updates, though for the 7590, the chances of a new certificate update are low based on current documentation.
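
The db and dbdefault checks and the reset warning above can be combined into one report per computer. The following is an added example, not part of the original notes or of the Get-UEFICertificate.ps1 project: the function names and advice strings are assumptions made for illustration, and the Active/Default pairs in the demo are copied from the inventory table in section 6.

```powershell
# Added example, not part of the original notes. Run elevated on a UEFI system.
function Test-SecureBootVariable {
    param(
        [Parameter(Mandatory)] [string] $Name,      # db, dbdefault, KEK
        [Parameter(Mandatory)] [string] $Subject    # certificate name to look for
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
        # Same ASCII substring test the notes use, with the subject escaped for -match.
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject))
    } catch {
        return $null   # legacy BIOS, variable not defined, or session not elevated
    }
}

function Get-SecureBootCaAdvice {
    param([AllowNull()] $Active, [AllowNull()] $Default)
    if ($null -eq $Active) {
        'Unknown: the active db could not be read.'
    } elseif (-not $Active) {
        'Active db lacks Windows UEFI CA 2023: only the 2011 certificates are in use.'
    } elseif ($Default -eq $true) {
        'Active db and firmware defaults both contain Windows UEFI CA 2023.'
    } else {
        # Active has the 2023 CA, firmware defaults do not (or could not be read).
        'Do not reset Secure Boot keys to default: the firmware defaults would not restore Windows UEFI CA 2023.'
    }
}

function Get-SecureBoot2023State {
    $ca      = 'Windows UEFI CA 2023'
    $active  = Test-SecureBootVariable -Name db        -Subject $ca
    $default = Test-SecureBootVariable -Name dbdefault -Subject $ca
    [pscustomobject]@{
        ComputerName = $Env:ComputerName
        Active       = $active
        Default      = $default
        KEK2023      = Test-SecureBootVariable -Name KEK -Subject 'Microsoft Corporation KEK 2K CA 2023'
        Advice       = Get-SecureBootCaAdvice -Active $active -Default $default
    }
}

# Active/Default pairs as recorded in the inventory table in section 6.
$recorded = @(
    @{ Name = 'BACKSLASH3'; Active = $true;  Default = $false }
    @{ Name = 'GRENDELL01'; Active = $false; Default = $false }
    @{ Name = 'KATANA1';    Active = $true;  Default = $true  }
)
foreach ($r in $recorded) {
    '{0}: {1}' -f $r.Name, (Get-SecureBootCaAdvice -Active $r.Active -Default $r.Default)
}

# Live check on the local computer.
Get-SecureBoot2023State | Format-List
```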