Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
112 Comments
- mihi
Brass Contributor
Are there any known differences in how the Secure-Boot-Update task behaves on Windows 10 ESU as compared to Windows 11 Home/Pro?
Recently some more threads of users popped up where Windows freezes during Secure Boot updates after an LCU (e.g. a Dell user here:
https://www.tenforums.com/general-support/223137-windows-10-freezes-3-minutes-after-start-up-since-last-two-updates-2.html )
And the one common point is that all of them use Windows 10 ESU. Might be a coincidence (as users on older machines are more likely sticking with that), but it seems to be increasingly likely that it is in fact a difference in how the servicing behaves between Win10 and Win11...
- jad
Copper Contributor
Trying to keep tabs on progress of cert rollout, I had a Dell device initiate the cert update process after applying the May LCU but with an oddity:
After reboot and waiting for the scheduled task to run, AvailableUpdates=0x4100 but UEFICA2023Status=NotStarted. I've never seen this combination, which skews reporting. 0x4100 is usually accompanied with InProgress status.
TPM-WMI event cadence looks normal with 1036/1044/1045/1043 then 1801 re: pending reboot (Reason: Boot Manager (2023)).
Get-SecureBootUEFI confirms 2023 certs are reflected in the db and kek variables.
So if the intention is to rely on UEFICA2023Status, am I missing something or does something seem off here? Any thoughts or direction would be most appreciated.
- Arden_White
Microsoft
jad, I have not seen this before. Two questions:
- Did you initiate the updates or was this done automatically as a high confidence update?
- Which version of Windows is this?
I'll check with our team to see if they know why.
- jad
Copper Contributor
Many thanks for the reply, Arden_White. To answer your questions:
- No, I did not initiate the cert updates -- the update was applied on reboot after applying May updates so I anticipate LCU was the update mechanism.
- Yes, ConfidenceLevel=High Confidence in registry. Was "Under Observation..." prior to applying the May LCU.
- OS is Windows 11 24H2.
- jeddunn
Copper Contributor
Looking for guidance on an issue I have been fighting. I have 300 to 400 devices that have the newest firmware installed; however, the UEFICA2023Status value doesn't exist. Instead, it has the WindowsUEFICA2023Capable value set to 2. How do I fix this issue?
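The two posts above (jad's AvailableUpdates=0x4100 with UEFICA2023Status=NotStarted, and jeddunn's devices that only carry WindowsUEFICA2023Capable) both come down to reconciling what the Servicing registry key says with what the firmware actually holds. The script below is an added example, not code from the thread or from Microsoft: it reads the Servicing values and recent TPM-WMI events named in the thread, then parses the PK, KEK and db variables returned by Get-SecureBootUEFI into their X.509 certificates so you can see directly whether the 2023 CAs are enrolled and when each certificate expires. It assumes an elevated PowerShell 5.1 or later session with the built-in SecureBoot module; the location of ConfidenceLevel under the same key is an assumption based on jad's report, and the EFI_SIGNATURE_LIST layout follows the UEFI specification.

```powershell
# Added example (not from the thread or from Microsoft): read-only inventory of the Secure Boot 2023 CA
# rollout on one Windows host. Run elevated. Nothing here writes to firmware or the registry.
$Servicing       = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID from the UEFI spec

function Get-SecureBootVariableCerts {
    # Walk the EFI_SIGNATURE_LISTs inside a Secure Boot variable and emit each X.509 certificate found.
    param([Parameter(Mandatory)][ValidateSet('PK', 'KEK', 'db')][string]$Name)
    $bytes  = [byte[]](Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID(16), SignatureListSize(4), SignatureHeaderSize(4), SignatureSize(4)
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $offset + $listSize -gt $bytes.Length) { break }   # malformed list: stop rather than loop
        if ($type -eq $EfiCertX509Guid) {
            $pos = $offset + 28 + $headerSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # EFI_SIGNATURE_DATA = 16-byte SignatureOwner GUID followed by the DER-encoded certificate
                $der  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

function Get-SecureBootServicingState {
    # Registry values discussed in the thread. ConfidenceLevel under this key is an assumption (jad: "in registry").
    $p    = Get-ItemProperty -Path $Servicing -ErrorAction SilentlyContinue
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $sb   = try { Confirm-SecureBootUEFI } catch { 'unsupported' }
    [pscustomobject]@{
        AvailableUpdates         = if ($null -ne $p.AvailableUpdates) { '0x{0:X4}' -f $p.AvailableUpdates } else { '<absent>' }
        UEFICA2023Status         = if ($p.UEFICA2023Status) { $p.UEFICA2023Status } else { '<absent>' }
        WindowsUEFICA2023Capable = if ($null -ne $p.WindowsUEFICA2023Capable) { $p.WindowsUEFICA2023Capable } else { '<absent>' }
        ConfidenceLevel          = if ($p.ConfidenceLevel) { $p.ConfidenceLevel } else { '<absent>' }
        SecureBootEnabled        = $sb
        UpdateTaskState          = if ($task) { $task.State } else { '<task missing>' }
    }
}

function Get-SecureBootServicingEvents {
    # TPM-WMI events the thread lists for a normal run (1036/1044/1045/1043) plus 1801 (reboot pending).
    param([int]$Days = 14)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -in 1036, 1043, 1044, 1045, 1801 } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

function Get-SecureBoot2023Report {
    # Cross-check the registry status against what is actually enrolled in the firmware variables.
    $certs = @('PK', 'KEK', 'db') | ForEach-Object { Get-SecureBootVariableCerts -Name $_ }
    function Test-Subject([string]$Pattern) { [bool]($certs | Where-Object { $_.Subject -match $Pattern }) }
    $soonest = $certs | Sort-Object NotAfter | Select-Object -First 1
    [pscustomobject]@{
        Registry           = Get-SecureBootServicingState
        KEK2023Enrolled    = Test-Subject 'Microsoft Corporation KEK 2K CA 2023'
        WinUefiCA2023InDb  = Test-Subject 'Windows UEFI CA 2023'
        ThirdPartyCA2023   = Test-Subject 'Microsoft UEFI CA 2023'
        KEK2011StillThere  = Test-Subject 'Microsoft Corporation KEK CA 2011'
        PCA2011StillThere  = Test-Subject 'Microsoft Windows Production PCA 2011'
        EarliestExpiry     = if ($soonest) { '{0} ({1:yyyy-MM-dd})' -f $soonest.Subject, $soonest.NotAfter } else { '<no certs parsed>' }
        RecentEvents       = @(Get-SecureBootServicingEvents)
        Certificates       = $certs
    }
}

Get-SecureBoot2023Report | Format-List
```

For jad's case the report shows whether KEK2023Enrolled and WinUefiCA2023InDb are already true while UEFICA2023Status still reads NotStarted, which separates "firmware is updated, reporting lags" from "nothing happened". For jeddunn's fleet, a missing UEFICA2023Status together with WindowsUEFICA2023Capable present is just what to collect per device before asking Microsoft which path those machines are on; the per-certificate NotAfter column also answers bengert's expiry question for whatever is actually enrolled.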
- PSUnicorn
Copper Contributor
For anyone looking for how to monitor the Secure Boot certificate status, it's in Intune admin center > Reports > Windows Autopatch - Windows quality updates > Reports tab > Secure Boot status.
Additionally, if you are a PMPC premium customer there is now a Secure Boot dashboard under Security and Compliance which I think does a better job at providing the secure boot status for devices.
- bengert
Copper Contributor
The 2023 cert expires on 6/13/2035 or in about 9 years, when will Microsoft start working on pushing the next CA to partners so we don't have the last minute push like we are having with the 2011 cert? With web PKI it's common to start pushing a new root 5 years before the current root expires aka around 2031.
- jad
Copper Contributor
Thanks, all! I would welcome another AMA as we roll into June. And will anyone be replying to comments/questions posted here? I appreciate there is only so much time during the AMA so not all questions can be addressed live.
- lbell005
Occasional Reader
Would like to see an early June session with guidance on servers in a DMZ and firewalled off, so they are not running Windows Update to get the certificates.
- WarWicked
Occasional Reader
How are you currently deploying your Windows updates now? If it's through WSUS via SCCM, we use the same utility. The registry key is what allows the certificates to be applied.
Assuming you are still applying patching to these servers manually, you would just have to apply the registry key, but Microsoft provides the High Confidence buckets for you to verify if they believe it is safe or not to apply.
- quelamho
Copper Contributor
Yes please, another AMA in June.
- Heather_Poulsen
Community Manager
Thanks for joining today's AMA. We tried to answer as many questions as we could during the hour, and will continue to review and reply over the next few days.
Question: Should we host another AMA in June?
- Castellm
Copper Contributor
Thanks for hosting, this is really useful. My question was regarding VMware and issues seen where NVRAM files seem to have a NULL value or are empty - is there a strategy for getting the 2023 PK and KEK into the key provider?
When attempting to switch bootloader I get non-booting machines, so following the process as best I can but drawing a blank...
- DraganSt
Copper Contributor
For VMware virtual machines, you can use a method similar to what is currently proposed in the official VMware guidelines, but without the need for external disks or manual UEFI UI interaction. The approach involves adding the Microsoft provided Windows OEM Devices PK certificate directly to the UEFI from within the guest OS, which unblocks the automatic certificate update process and allows it to complete successfully.
The process in brief involves shutting down the VM, adding a vSphere advanced parameter to put the machine into UEFI SetupMode on next power-on, then once booted, verifying SetupMode is active and enrolling the Windows OEM Devices PK certificate using built-in PowerShell cmdlets. After enrollment, setting the AvailableUpdates registry key to trigger the Windows certificate update task and rebooting is all that is needed for the automated process to complete.
For the detailed commands, a Google search for "Secure Boot 2023 Certificate Remediation - Manual Procedure (No Scripts)" will lead you to a community published article on GitHub that covers this. You only need Step 12 from that guide and nothing else. The preceding steps handle NVRAM regeneration and manual KEK enrollment which are not necessary here — once the PK is corrected, the Windows automated update process takes care of the KEK, DB and boot manager updates by itself.
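The guest-side half of the procedure DraganSt describes (verify SetupMode, enroll the Windows OEM Devices PK with the built-in cmdlets, set AvailableUpdates, start the task) and the registry-key trigger WarWicked mentions for WSUS/SCCM-patched servers are the same two operations, so one added example covers both. This is not code from the thread, from VMware or from Microsoft. It assumes the VM has already been powered on in UEFI SetupMode (the vSphere advanced-parameter step happens on the host and is not reproduced here), that the Microsoft-provided PK certificate has been downloaded to the placeholder path $PkCertPath, that the session is elevated with the built-in SecureBoot module, and that 0x5944, the "apply all updates" AvailableUpdates value from Microsoft's Secure Boot servicing documentation, matches your deployment plan; stage a narrower value if it does not.

```powershell
# Added example (not from the thread, VMware or Microsoft): enroll the Windows OEM Devices PK from inside a
# VM that is already in UEFI SetupMode, then trigger the Windows Secure-Boot-Update task. Run elevated.
$PkCertPath = 'C:\SecureBoot\WindowsOEMDevicesPK.cer'   # placeholder path: the .cer downloaded from Microsoft
$Servicing  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

function Test-UefiSetupMode {
    # SetupMode is a one-byte UEFI variable: 1 = no PK enrolled, so unsigned PK/KEK/db writes are accepted.
    try { return ((Get-SecureBootUEFI -Name SetupMode).Bytes[0] -eq 1) } catch { return $false }
}

function Install-OemDevicesPK {
    param([Parameter(Mandatory)][string]$CertPath)
    if (-not (Test-Path -LiteralPath $CertPath)) { throw "PK certificate not found: $CertPath" }
    if (-not (Test-UefiSetupMode)) { throw 'Firmware is not in SetupMode; a PK write without a valid signature would be rejected.' }
    # Sanity-check the file before touching firmware: it must be Microsoft's OEM Devices PK, not an arbitrary cert.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)
    if ($cert.Subject -notmatch 'Windows OEM Devices PK') { throw "Unexpected certificate subject: $($cert.Subject)" }
    $time  = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')   # must be identical for Format and Set
    $owner = [guid]::NewGuid()                                                # SignatureOwner GUID; any value works for PK
    $esl   = Join-Path $env:TEMP 'oem-devices-pk.bin'
    # Wrap the certificate in an EFI_SIGNATURE_LIST, then write it as PK. In SetupMode no -SignedFilePath is needed.
    Format-SecureBootUEFI -Name PK -SignatureOwner $owner -Time $time -ContentFilePath $esl -FormatWithCert -CertificateFilePath $CertPath | Out-Null
    Set-SecureBootUEFI -Name PK -Time $time -ContentFilePath $esl | Out-Null
    Remove-Item -LiteralPath $esl -ErrorAction SilentlyContinue
    # Verify: the PK variable now carries the certificate and the platform should have left SetupMode (User Mode).
    $pkText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name PK).Bytes)
    [pscustomobject]@{
        PkEnrolled     = ($pkText -match 'Windows OEM Devices PK')
        PkThumbprint   = $cert.Thumbprint
        StillSetupMode = Test-UefiSetupMode
    }
}

function Start-SecureBootCertUpdate {
    # Set AvailableUpdates so the scheduled task applies the 2023 KEK/DB and boot manager updates on its next run.
    # This is also the registry-key trigger used on servers that are patched without Windows Update.
    param([int]$AvailableUpdates = 0x5944)
    if (-not (Test-Path $Servicing)) { New-Item -Path $Servicing -Force | Out-Null }
    New-ItemProperty -Path $Servicing -Name AvailableUpdates -PropertyType DWord -Value $AvailableUpdates -Force | Out-Null
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
    # The task works across reboots: watch UEFICA2023Status and TPM-WMI event 1801 (reboot pending) afterwards.
    Get-ItemProperty -Path $Servicing | Select-Object AvailableUpdates, UEFICA2023Status
}

$pk = Install-OemDevicesPK -CertPath $PkCertPath
$pk | Format-List
if ($pk.PkEnrolled) { Start-SecureBootCertUpdate } else { Write-Warning 'PK not enrolled; not triggering the update task.' }
```

Reboot the VM once the task reports a pending restart; the subject check on the certificate and the SetupMode check before the write are there so the script refuses to run against a machine that is not in the state the procedure expects, which is the failure mode behind the non-booting VMs Castellm describes.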