Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White; Scott Shell; Richard Powell; Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
113 Comments
- StandardUser (Occasional Reader)
Is this entire process (Microsoft, OEM, and admin communication) the best -- most clear and efficient method -- of getting these certificates updated? I thank you for doing this AMA, but one would think the necessity of an AMA would imply that there have been some failures in communication to make this a smooth process for admins.
- John Gardner (Brass Contributor)
If we are having issues updating certs on our Endpoints, should we open a support case or are there other paths available for support?
- JoseRivera (Copper Contributor)
In regard to reporting: will there be any type of reporting to track org impact? Which machines are done, which cannot be done or need additional work?
- AntonDobschensky (Brass Contributor)
This may already be in another comment, I just need to know what needs to be done if I have devices in Autopatch & diagnostics being sent. Do I need to implement any other configuration policies or registry keys or is it all automatically completed?
- Pearl-Angeles (Community Manager)
This question was answered at around 39:39 during the live AMA.
- antfr (Occasional Reader)
Hello,
Could we get specific and precise requirements on the expected Secure Boot variables' states for each of the 4 steps of the revocation (adding CA 2023, replacing Boot Manager, revoking PCA 2011, updating SVN)?
For each of these steps, is the scheduled task expecting any specific state such as:
- Secure Boot variable update date (datetime of when the variable was initialised, e.g. with: Set-SecureBootUEFI -Time ...)
- Secure Boot variable content: what is the minimum set of certificates/hashes required to start the 4-step update? Are there any more needed than MS KEK 2011 in KEK, MS Production PCA 2011 in DB and up-to-date hashes in DBX?
- Secure Boot variable content GUID: is there a hidden requirement for Microsoft certificates and DBX hashes to be under EFI signature lists with GUID 77fa9abd-0359-4d32-bd60-28f4e78f784b?
- SVN verification: When applying step 4, are there any other system changes than boot manager identifiers being added to the DBX? For example 01612B139DD5598843AB1C185C3CB2EB92000007000000000000000000000000 to ensure bootmgfw.efi with version 7.0.
I have seen strange behaviors of the DBX not being reachable anymore through GetFirmwareEnvironmentVariableA when MS certificates were not added with the previously mentioned GUID for example. I'd like to know if any requirements on the system are checked through the scheduled task but not documented online.
Thank you
- Jim Hamby (Copper Contributor)
Will MSFT be providing guidance on how to validate the Secure Boot certs on platforms such as RHEL?
- Pearl-Angeles (Community Manager)
Welcome to the Secure Boot AMA! Let's get started. Post your questions here-- our experts are standing by, ready to answer!
- BlueSakura (Brass Contributor)
Update: Never mind, I was a goof, I was querying the wrong registry key.
To follow up on asaund28's comment, when I looked at my environment even brand new devices are showing that the UEFICA2023Status registry key is NotStarted. Even on brand new devices we've deployed. Does NotStarted also mean the device may not need it?
Or was I querying the wrong registry key?
- BlueSakura (Brass Contributor)
Thanks for checking, I figured I was querying the wrong key, but I was incorrect. It was the right key.
- asaund28 (Copper Contributor)
Hello,
When reviewing https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d
Towards the bottom it gets into detail regarding the registry keys and their values. I want to get an idea of what my environment looks like. It states that the WindowsUEFICA2023Capable is not recommended for general use. However, can it be used to query devices in my environment to get an accurate picture of how many devices have the certificate in the DB already? Thank you,
- Pearl-Angeles (Community Manager)
Thanks for your question! This was answered by panelists at 25:36 during the live AMA.
- dtys123 (Copper Contributor)
I have a few questions on this:
1.) We have diagnostic data turned on in our intune environment, but I'm not seeing the registry key "MicrosoftUpdateManagedOptIn". Should I be worried about this? If this key does not exist, MS will not push the certificates down, correct?
2.) When will the certificates come down with Windows Updates? Is there an expected month they will be delivered?
3.) Am I right to say if the "HighConfidenceOptOut" registry key does not exist, this means we have opted in?
4.) If the key "WindowsUEFICA2023Capable" is set to 1 instead of 2, does this mean the device is still not in a "secure state"? Does the key need to be set to 2?
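Both asaund28 and dtys123 ask how to get an inventory picture from these registry keys. The script below is an added example (not from the AMA panel or Microsoft) that records, per device, the servicing keys and whether the 2023 CAs are actually present in the DB and KEK variables. It assumes the key locations described in the linked KB (Servicing subkey for UEFICA2023Status / WindowsUEFICA2023Capable, SecureBoot key for the opt-in and opt-out values) and that a certificate's subject name appears as ASCII inside the raw variable bytes.

```powershell
#Requires -RunAsAdministrator
# Added inventory example; registry paths below are assumptions taken from the KB
# linked in this thread, not verified against every Windows build.
$servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$sbRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # A missing key or value is reported as $null rather than as an error
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-UefiVarContains {
    param([string]$Variable, [string]$Subject)
    # Certificate subject CNs are stored as plain ASCII inside the DER blobs,
    # so a substring search over the raw variable bytes is enough for inventory.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable -ErrorAction Stop).Bytes
        [System.Text.Encoding]::ASCII.GetString($bytes) -like "*$Subject*"
    } catch { $false }   # Secure Boot off, legacy BIOS, or variable unreadable
}

$sbOn = $false
try { $sbOn = Confirm-SecureBootUEFI } catch { }

$report = [pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    SecureBootEnabled        = $sbOn
    UEFICA2023Status         = Get-RegValueOrNull $servicing 'UEFICA2023Status'
    WindowsUEFICA2023Capable = Get-RegValueOrNull $servicing 'WindowsUEFICA2023Capable'
    # Key presence is reported explicitly instead of being inferred
    ManagedOptInKeyPresent   = ($null -ne (Get-RegValueOrNull $sbRoot 'MicrosoftUpdateManagedOptIn'))
    HighConfidenceOptOutSet  = ($null -ne (Get-RegValueOrNull $sbRoot 'HighConfidenceOptOut'))
    Db_Has_WindowsUEFICA2023 = Test-UefiVarContains 'db'  'Windows UEFI CA 2023'
    Db_Has_ProductionPCA2011 = Test-UefiVarContains 'db'  'Microsoft Windows Production PCA 2011'
    Kek_Has_KEK2KCA2023      = Test-UefiVarContains 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
}

# Append one row per device to a CSV that a management tool can collect and roll up
$report | Export-Csv -Path "$env:ProgramData\SecureBootInventory.csv" -NoTypeInformation -Append
$report
```

Run it as a scheduled or remediation script and compare the Db_Has_WindowsUEFICA2023 column against the registry status column: the variable contents are the ground truth, while the registry values only reflect what the servicing task has recorded.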
- Pearl-Angeles (Community Manager)