....I might go so far as to say it's overkill for everyday users. ....
There are three possibilities:I installed it last Sunday, and spent the entire day trying to sort out booting from usb drives.
.....
I'll be skipping that SkuSiPolicy.p7b step for now as well.
- Don't activate SkuSiPoilicy.p7b at all. That resolves all (some) trouble with different boot media, but leaves the first step after the UEFI chain (winload.efi / winresume.efi) at least partitally unprotected.
- Activate SkuSIPolicy.p7b on the main system. Disable Windows secure boot before booting from all other media than the installed 'main' system and enabling Windows secure boot again before starting the main system again.
- Activate SkuSiPoilicy.p7b and update all boot media
This would include exchanging the bootloader to a 2023 certified one which in case of secure boot anyway would be necessary.
In addition one would have to update all wim- files on the media with latest service- pack- for a windows boot media there a boot.wim and sources.wim (with winre.wim), for PE solutions there's normally a boot.wim:- Mount the wim- file with DISM (as administrator)
- Dism /Mount-Wim /WimFile:*dir of wimfilw\abc.wim* /index:*d* /MountDir:*empty directory of your choice*
- Dism /Add-Package /Image:*mountdir* /PackagePath:*path to latest cumulative update.msu/cab*
- Dism /Unmount-Image /MountDir:*mountdir* /Commit
(For an install media the installed WInre.wim in the recovery partition still would'nt boot, but MS has own updates for winre, so that should be possible to do after an installation.)
I'd say one has to understand how it works and has to have a plan when the main system isn't booting any longer and one needs other boot media. I assume I'd go for the second solution, simply disable secure boot when not booting from the main system.
This involves some dangers, too, in the 'unprotected' phase, but there's some protection left when normally working with the system.
My Computer
At a glance
W10
- OS
- W10







