Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
113 Comments
- LakshmanaPrabhu
Copper Contributor
Thank you for setting up this session. As we understand it, all OEMs are already providing updated certificates on new devices delivered in 2025, and existing certificates get addressed as part of the upcoming Windows updates or the respective OEM's firmware update.
How do we analyze, in an environment, which endpoints need this update and which are already up to date, either via Intune or another form of reporting? That helps in understanding the current posture and the action required.
- RayC15
Copper Contributor
For devices with the required diagnostics and CFR joined, when will they be updated? (On the next cumulative update?)
Is the high-confidence bucket list already available? Does it get updated every month?
- SebMcCayen_Swe
Occasional Reader
Is it enough to install the firmware/BIOS provided by the computer manufacturer, for example HP, Dell, etc.?
- Kevin_Sullivan_MSFT
Microsoft
Typically, no. Installing the BIOS update from your OEM gives you the new Secure Boot certificates in the default variables, but that alone doesn’t make them active. Windows takes care of updating the active variables during the update process, which are the ones the system actually uses at startup. So, you will also need to follow the guidance to update the certificates from Windows.
- AlexHellen
Occasional Reader
We have tested a scripted method for updating the keys, which works, but ideally we want to deploy the policy through Intune. The policy we created uses the setting
Enable Secureboot Certificate Updates
(Enabled) Initiates the deployment of new secure boot certificates and related updates.
But on both 24H2 and 25H2 this seems to do nothing. Will this be usable soon?
- MadsJohansen
Copper Contributor
It looks like the new Intune Settings Catalog policies to manage the rollout of the new Secure Boot certs are not working properly. When trying to deploy the policy, it returns error code 65000, which is a generic error code that Intune usually returns for a variety of reasons, sometimes when a prerequisite is not met.
I've seen this error in multiple tenants and several different customer environments. Is this something that is on your radar?
This is the policy that I'm testing from Intune:
- vgrzebyk
Copper Contributor
Same question about: if I have devices in Autopatch and diagnostics being sent, do I need to implement any other configuration policies or registry keys, or is it all completed automatically? Or do we need this policy?
As
- Pearl-Angeles
Community Manager
Thanks for your question! The panelists covered this topic at 39:39 during the live AMA.
- DroidKid
Copper Contributor
I'm trying to apply the new Intune policies under "Secure Boot", but they don't apply to the devices; I get error "65000", which usually indicates the policy cannot be found.
Edit:
You said to look at event logs, but can we rely on the UEFICA2023Status registry key instead? I'm working on a BI report, so that's why I'm asking.
- amh0507
Occasional Reader
If secure boot is not enabled, is there anything that needs to be done?
- SochiOgbuanya
Microsoft
If Secure Boot is not enabled, Windows can continue to boot and install regular OS updates. However, the device won't receive future Secure Boot/boot-chain protections until the updated 2023 certificates are applied. Turning Secure Boot on later without those certificates may lead to boot issues once newer, 2023-signed boot components are in place. The safest path is to turn on Secure Boot and apply the 2023 certificates now.
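An added PowerShell example, not code from the AMA page or from Microsoft's Secure Boot playbook, that turns Kevin's answer above (the OEM BIOS update only stages the 2023 CAs in the default variables; Windows has to put them into the active ones) and the earlier question about the UEFICA2023Status registry key into a check you can run on one device and wrap for inventory. It parses the EFI_SIGNATURE_LIST structures in the active db/KEK variables and in the OEM-delivered dbDefault/KEKDefault variables, lists the 2011 and 2023 CAs found in each, reads the Windows servicing state, and flags the case where firmware staged the 2023 CAs in dbDefault but the active db still lacks them. Assumptions: the SecureBoot module cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) are available and the script runs elevated; the registry paths and value names (SecureBoot\Servicing\UEFICA2023Status and SecureBoot\AvailableUpdates) are taken as I understand them from the playbook and should be verified against it; the Assessment strings and function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the AMA page or Microsoft's playbook. Compares the
# OEM-delivered default Secure Boot variables (dbDefault/KEKDefault) with the
# active ones (db/KEK) that firmware enforces at boot, plus Windows servicing state.
# Assumed: SecureBoot module present; registry locations below match the playbook.
$ErrorActionPreference = 'Stop'

# EFI_CERT_X509_GUID: signature lists of this type carry DER-encoded certificates.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

# Parse a UEFI signature database (a sequence of EFI_SIGNATURE_LIST structures)
# and return the Subject of every X.509 certificate in it. Layout per list:
#   SignatureType GUID (16) | SignatureListSize (4) | SignatureHeaderSize (4) |
#   SignatureSize (4) | header | N x (SignatureOwner GUID (16) + SignatureData)
function Get-SecureBootCertSubjects {
    param([Parameter(Mandatory)][string]$VariableName)
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $VariableName).Bytes
    $subjects = New-Object System.Collections.Generic.List[string]
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $sigType  = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST in $VariableName at offset $offset"
        }
        if ($sigType -eq $EfiCertX509Guid -and $sigSize -gt 16) {
            $entry = $offset + 28 + $hdrSize
            while ($entry + $sigSize -le $offset + $listSize) {
                # Skip the 16-byte SignatureOwner GUID; the remainder is the DER certificate.
                $der  = [byte[]]$bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $subjects.Add($cert.Subject)
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
    return $subjects
}

function Get-SecureBootCertPosture {
    $posture = [ordered]@{ SecureBootEnabled = $false }
    try { $posture.SecureBootEnabled = Confirm-SecureBootUEFI } catch { }

    foreach ($var in 'db', 'dbDefault', 'KEK', 'KEKDefault') {
        try   { $subjects = Get-SecureBootCertSubjects -VariableName $var }
        catch { $subjects = @(); $posture["${var}_Error"] = $_.Exception.Message }
        # Match on the year in the CA name rather than hard-coding exact subjects.
        $posture["${var}_2011"] = @($subjects | Where-Object { $_ -match '2011' })
        $posture["${var}_2023"] = @($subjects | Where-Object { $_ -match '2023' })
    }

    # Windows servicing state. Paths and value names are assumptions from my reading
    # of the playbook (the thread refers to UEFICA2023Status and to AvailableUpdates
    # 0x5944); verify them against the current document before relying on them.
    $servicing  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $posture.UEFICA2023Status = $servicing.UEFICA2023Status
    $secureBoot = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
    $posture.AvailableUpdates = if ($null -ne $secureBoot.AvailableUpdates) { '0x{0:X}' -f $secureBoot.AvailableUpdates } else { $null }

    # The check behind "is the BIOS update enough?": 2023 CAs staged by the OEM in
    # dbDefault but absent from the active db means Windows has not applied them yet,
    # so firmware still trusts only the 2011 chain at boot.
    if (-not $posture.SecureBootEnabled) {
        $posture.Assessment = 'Secure Boot off: enable it and apply the 2023 certificates'
    } elseif ($posture.db_2023.Count -gt 0) {
        $posture.Assessment = 'Active db already contains 2023 CA(s)'
    } elseif ($posture.dbDefault_2023.Count -gt 0) {
        $posture.Assessment = 'OEM firmware staged 2023 CA(s) in dbDefault, but active db not updated: Windows update still required'
    } else {
        $posture.Assessment = 'No 2023 CA in db or dbDefault: firmware update and Windows update both still needed'
    }
    return [pscustomobject]$posture
}

Get-SecureBootCertPosture | Format-List
```

For fleet reporting, run the function through your management tool and collect the `db_2023`, `dbDefault_2023`, `UEFICA2023Status` and `Assessment` fields; the active `db` is the one that decides what boots, so a device whose only 2023 entries are in `dbDefault` should be counted as not yet updated regardless of its BIOS version.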
- ClientAdmin
Copper Contributor
- The GPO (ADMX) sets a value of 0x5944. How can we then revoke the 2011 certificates (0x80)?
- Are there any details about SVN (0x200)? What is the exact mechanism?
- Will Bitpixie and BlackLotus be mitigated with just 0x5944?
- Is the SecureBootRecovery.efi application set after bootmgfw.efi if the new 2023 certificates aren't in the defaultDB?
- Can we use SecureBootRecovery.efi for warehoused devices as a PXE boot file?
- What happens on devices without Secure Boot enabled now? Will they get the Boot Manager signed with 2023 installed automatically? What happens if we enable Secure Boot at a later point, as AvailableUpdates only works with Secure Boot enabled?
- Kev_Chan
Copper Contributor
For corporations that use patch management software instead of Windows Update, is there any action required besides the BIOS update on the laptop?
From what I understand, this is all done via the cumulative updates, so the patch management software can do this without us having to enable Windows Update via Intune.