starting from what OS build are the Secure Boot certificates renewed?

How about updating the WinPE boot image for SCCM?

When should we expect the ConfidenceLevel registry to be populated?

Our devices are managed with WUFB, but the key is empty

Any news/eta for Option 4: Deploy certificates using mobile device management (coming soon)?

thks

What can we do if a device won't update it's secureboot cert?

We have updated to the latest bios version, released a few months back, set the registry key and started the scheduled task and rebooted multiple times, but the cert is still not updated.

Are there some logs/events that we can look at?

Thks

How do you recommend that we update our sccm boot images to support those new certificates?

Saw that 2509 can do it for WDS-Less PXE, but what about WDS PXE?

is there an official doc/post mentioning the required steps?

Thks in advance.

For machines imaged with Win11 Pro Edition and signed into Work accounts that are E5 licensed, using the Intune Settings catalog CSP for Secure Boot, we are seeing the following errors in Event Viewer:

• Event ID 404: MDM ConfigurationManager: Command failure status. Configuration Source ID: (***Omitted***), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/Config/SecureBoot/EnableSecurebootCertificateUpdates), Result: (Unknown Win32 Error code: 0x82b00006).
• Event ID 809: MDM PolicyManager: Set policy int, Policy: (EnableSecurebootCertificateUpdates), Area: (SecureBoot), EnrollmentID requesting set: (***Omitted***), Current User: (Device), Int: (0x5944), Enrollment Type: (0x6), Scope: (0x0), Result:(0x82B00006) Unknown Win32 Error code: 0x82b00006.
• Event ID 827: MDM PolicyManager: Policy is rejected by licensing, Policy: (EnableSecurebootCertificateUpdates), Area: (SecureBoot), Result:(0x82B00006) Unknown Win32 Error code: 0x82b00006.
• Event ID 2204: Caching uri for blocking mapped GP location. URI: (./Device/Vendor/MSFT/Policy/Config/SecureBoot/EnableSecurebootCertificateUpdates), Operation: (0x0).
• Event ID 2204: Caching uri for blocking mapped GP location. URI: (./Device/Vendor/MSFT/Policy/Config/SecureBoot/EnableSecurebootCertificateUpdates), Operation: (0x0).

Seems after creating the previously non-existent Secure Boot key at Computer\HKEYLOCALMACHINE\SOFTWARE\Microsoft\PolicyManager\current\device\ fixes errors related to deployment attempts of the ConfigureHighConfidenceOptOut_ values, but not the MicrosoftManagedOptIn and AvailableUpdates values:

Using slmgr /dli, noticing the Windows OS edition is Professional, with the Subscription edition of the user account that is E5 licensed as Enterprise:

Created an Intune detection script that also verifies the same OS edition in-relation to CSP failures (Event 827, etc.):

Does the Secure Boot CSP require Enterprise OS edition, rather than just Win11 Enterprise subscription from the user account context?

If so, does this then mean we would need to upgrade the OS edition using the Intune template to Enterprise with a valid key? We are assuming other CSPs will also fail given the OS edition is Pro and not Enterprise.

Thanks for your feedback on this! 

If a computer can't be updated for any number of reasons and is using UEFI, can you simply disable the Secure Boot option in BIOS to avoid this certificate issue affecting boot?

We have been testing a bit and have so far not seen any issues. What I would like to know is whether a report will become available in Intune any time soon so we can monitor the update proces in our organisation...

What qualifies a device as "high-confidence" please?