I made a post earlier with a bunch of questions but seems the post is deleted (annoying because it took a lot of time)? Can someone pm me to tell me why? Maybe links to external sites (trusted partners I believe), PatchMyPC want to be clear before I post again what the issue is. 

Thank you. 

For devices that specifically require a firmware update, should we expect Windows Update to provide that firmware, or should we proactively start pushing firmware to those devices?  

We have a fleet of HP EliteBook 600 series, G9/G10/G11, and initial testing has all of them throwing Event ID 1802 in the System event log - 'The Secure Boot update Option ROM CA 2023 (DB) was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue.'

Updating the firmware on the devices in question allows the certificate update to complete, and we eventually get Event ID 1808 in the System event log.

tl;dr -Who is handling firmware updates?  Microsoft or individual customers?  If it's Microsoft, will these updates install as part of a monthly LCU?  Our organization currently blocks driver updates via Windows Update.

Hi, 

Question 1

I'd like to know when the report in Intune will be complete? You've got something in the works but no announcement on it or when it will be ready. Currently the report is not working properly (as can be expected by it not being complete), but time is moving closer to the deadline.

Info

https://patchmypc.com/blog/the-secure-boot-status-report-coming-soon-to-intune/

Link to report 

https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/securebootreport.reactview

Question 2

Will the report have more useful information than what is in their currently? I don't want to just see if it has the new cert or not, I want to see the steps I need to take, such as if a device does not have the certificate, is the bios up to date? This can be done to varying degrees via a custom compliance policy, but it is not easy for a few reasons.

1. Intune only allows you to use a custom compliance script for one policy, we have 30+ laptop models out there, all with different minimum bios versions. Can be done anyway by making duplicated scripts, but it is messy.
2. Different vendors report their bios versions into windows differently, Dell, Surface it is easy to make a version check because they report for example, Dell 5420 needs a minimum bios version of 1.31.0, so I can do a version check greater than or equal to against that, easy. Lenovo however name their firmware back like R1TET46W (v1.25), I can't do a version check against that and a string check would also not be helpful as the text characters change from version to version not just the version number.

Ideally, we want something that has the following in the report.

1. Is the device compliant fully, i.e. has a bios version that is current enough and has the keys / Intune policy set to start using them for windows.
2. If not, why not?
   1. Is it that the bios version is not up to date? If so, what is on the device, and what is the minimum version required from the vendor, something like "meets minimum bios revision, compliant or not compliant".
   2. If the bios is current, is it just that the keys are not set correctly so Windows knows to set the new secure boot certificate?
   3. What about devices that will never get bios updates because they are out of support? Can that information be presented in the report. 

Question 3

What are the actual impacts of devices which do not have everything completed by the time the deadline rolls around. 

Will they be unable to boot? Will we be unable to install fresh Windows, will it continue ticking away but be insecure i.e. someone could bypass secure boot if they had physical access to the device?

Question 4

This seems important enough that it should have a built in compliance policy in intune to check going forward if the certificate is valid and current. 

Thank you! :)

Three questions related to Secure Boot:

• When updating Secure Boot variables (like this db update but also on some older dbx updates), some older firmware has problems due to maximum variable size or size of variable store. UEFI exposes this information via RT:QueryVariableInfo, and when booting Linux, you can see by querying free space of efivarfs. Is there a way from Windows userspace (e.g. Powershell or a NTDLL exported function) to get this information? Max variable length, max variable store, remaining variable store.
• When applying the hardening measures for Black Lotus and adding SVN values to dbx, some older versions of bootmgfw.efi deny booting due to SVN mismatch. This is by design. BUT: When you boot from some recovery media that comes with its own loader that sets its own security protocol file authentication callback (like shim does), to use a fixed set of hashes, and bypasses DBX that way, and chainload this (whitelisted) bootmgfw.efi, the SVN values are still checked in DBX and deny booting. Is this by design? If yes, what is the preferred way to set up such media? Try to remove the signature from bootmgfw and patch the check out? Or use an old version of bootmgfw that does not check SVN yet (like one from 2017 I found on an old Win10 install disk)? Always having the latest bootmgfw on these media is not an option for us, and we'd like to apply the SVN hardenings for "normal" boots (not via this recovery media) if possible.
• The current certificate update will install the replacements for the Third Party EFI CA to DB only if the old Third Party EFI CA is included in DB. However, as Microsoft published signed variable updates for adding them to DB on every system that has the old KEK, nothing prevents an adversary from doing so. Is this taken into account when evaluating security implications of adding anything to DBX which is signed by these keys (nothing revoked yet, but in the future?). E.g. by applying these DBX updates when old KEK is in DB, even when new Third party EFI CA replacements are not there? Or by adding those replacements to DBX at a later stage if not present in DB?

I am aware you probably cannot answer them  by heart, therefore I'll give you a week advance notice :)

How dependent are we on FW updates by vendors? Does Microsoft expect most devices to need updates before cert updates can occur? Or do y'all anticipate most Tier 1 and 2 OEM devices to "just work"?

On my Azure Gen2 VM, Secure Boot reports True and the dbx entry is present with non‑volatile attributes:

• Secure Boot enabled: Confirm‑SecureBootUEFI → True
• DBX present: Get‑SecureBootUEFI -Name dbx showing active firmware data

Does this confirm that Secure Boot and the updated Secure Boot revocation list (DBX) have already been applied automatically through Windows Update or the underlying Azure platform firmware?

GOOD news:

It looks like all Windows 11 virtual machines running on Hyper-V in our environment successfully updated their certificates already back in early December. This, independently of their hosts, who have NOT (yet).

Karl-WE​ Does this apply to Windows Server VMs on Hyper-V as well?

Hi community, SochiOgbuanya​ Ashis_Chatterjee​, 

I am providing my PowerShell script below, which makes diagnosing the state across computers easier. It can be used locally or remotely, as a remediation script in Intune, or for exporting events. If you do not need all events, you can customise the script.

When using Event Viewer or Azure Monitoring, this XPath syntax can be used to fetch all relevant events.

In Event Viewer, you can create a custom view on a specific computer to monitor these events.

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-TPM-WMI'] and (Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=1032 or EventID=1033 or EventID=1034 or EventID=1036 or EventID=1037 or EventID=1043 or EventID=1044 or EventID=1045 or EventID=1795 or EventID=1796 or EventID=1797 or EventID=1798 or EventID=1799 or EventID=1801 or EventID=1808)]]
  </Select>
  </Query>
</QueryList>

function Get-SecureBootDbxEvents {
<#
.SYNOPSIS
Collects Secure Boot DBX–related TPM-WMI events from the System event log,
grouped by Event ID, with optional diagnostics, time filtering, and export.

.DESCRIPTION
This function retrieves TPM-WMI events associated with Secure Boot DBX update
processing, as referenced in Microsoft KB5016061.  
To ensure reliable performance on systems with large event logs, each Event ID
is queried in parallel using thread jobs, avoiding the 256‑event limitation of
Get-WinEvent.

The function supports optional diagnostics for Secure Boot, DBX, and TPM
readiness, UTC-normalized time filtering, remote computer targeting, and
structured export of collected events.

.PARAMETER ComputerName
Specifies the target computer to query.  
Defaults to the local machine.

.PARAMETER StartTime
Returns only events with a TimeCreated value greater than or equal to the
specified timestamp.  
The timestamp is normalized to UTC to ensure consistent filtering across
systems and time zones.

.PARAMETER ExportCsv
Specifies a file path for exporting all collected events in CSV format.

.PARAMETER ExportJson
Specifies a file path for exporting all collected events in JSON format.

.PARAMETER Diagnostics
Runs Secure Boot, DBX, and TPM readiness checks before event collection.

.EXAMPLE
Get-SecureBootDbxEvents -StartTime (Get-Date).AddDays(-7)

Retrieves all Secure Boot DBX–related TPM-WMI events from the past seven days.

.EXAMPLE
Get-SecureBootDbxEvents -Diagnostics -Verbose

Runs diagnostics and displays detailed progress information.

.EXAMPLE
Get-SecureBootDbxEvents -ComputerName SERVER01 -Diagnostics -Verbose

Runs diagnostics and collects events from a remote server.

.NOTES
Event IDs are derived from Microsoft KB5016061.  
Requires read access to the SYSTEM event log and the
Microsoft-Windows-TPM-WMI provider.

.LINK
https://github.com/cjee21/Check-UEFISecureBootVariables

Related project to identify the current state around Secure Boot

.LINK
https://techcommunity.microsoft.com/users/karl-we/289393?wt.mc_id=mvp_338345

Contact the author

.LINK
https://support.microsoft.com/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69?wt.mc_id=mvp_338345

Microsoft Guidance on related Event IDs

.LINK
https://techcommunity.microsoft.com/blog/windows-itpro-blog/secure-boot-playbook-for-certificates-expiring-in-2026/4469235#community-4469235-_option2?wt.mc_id=mvp_338345

Microsoft Guidance on Secure Boot Deployment 

.VERSION
1.2.0

# Version History (Semantic Versioning)
# MAJOR version — increment when making incompatible changes
# MINOR version — increment when adding functionality in a backward-compatible manner
# PATCH version — increment when making backward-compatible bug fixes

1.2.0
- Output per EventID to avoid hitting the maximum item count
- Added per‑ID statistics (count, first, last)
- Added color‑coded severity output
- Grouped output per EventID
- Remote computer support

1.1.0
- Added CSV and JSON export options
- UTC-normalized StartTime filtering

1.0.0
- Initial release with:
  - Secure Boot / DBX / TPM diagnostics
#>

    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime,
        [string]$ExportCsv,
        [string]$ExportJson,
        [switch]$Diagnostics
    )
    #region Event IDs from KB5016061
    # These are the documented Secure Boot DBX update and remediation events.
    $EventIds = @(
        1032, 1033, 1034, 1036, 1037,
        1043, 1044, 1045,
        1795, 1796, 1797, 1798, 1799,
        1801, 1808
    )
    #endregion Event IDs from KB5016061

    #region Time filter normalization
    # Detect whether StartTime was explicitly provided.
    $HasStartTime = $PSBoundParameters.ContainsKey('StartTime')

    # Convert StartTime to UTC for consistent filtering across systems.
    $StartTimeUtc = $null
    if ($HasStartTime) {
        $StartTimeUtc = $StartTime.ToUniversalTime()
    }
    #endregion Time filter normalization

    #region Diagnostics
    if ($Diagnostics) {
        Write-Verbose "Running Secure Boot, DBX, and TPM diagnostics on $ComputerName..."

        # Secure Boot state (local only)
        if ($ComputerName -ne $env:COMPUTERNAME) {
            Write-Warning "Diagnostics are local-only (Confirm-SecureBootUEFI/Get-SecureBootUEFI). Remote diagnostics not supported."
        }

        try {
            Write-Host "Secure Boot Enabled:" (Confirm-SecureBootUEFI) -ForegroundColor Green
        } catch {
            Write-Warning "Secure Boot state could not be determined."
        }

       try {
            Write-Host "Secure Boot CA2023 deployed" ([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match ‘Windows UEFI CA 2023’) -ForegroundColor Green
        } catch {
            Write-Warning "Secure Boot state could not be determined."
        }

        # DBX variable
        try {
            $dbx = Get-SecureBootUEFI -Name dbx
            Write-Host "DBX Bytes:" $dbx.Bytes.Length  -ForegroundColor Cyan
        } catch {
            Write-Warning "DBX variable could not be retrieved."
        }

        # TPM state
        try {
            $tpm = Get-Tpm -ComputerName $ComputerName
            Write-Host "TPM Present:" $tpm.TpmPresent
            Write-Host "TPM Ready  :" $tpm.TpmReady
            Write-Host "TPM Version:" $tpm.ManufacturerVersion
        } catch {
            Write-Warning "TPM state could not be retrieved."
        }

        Write-Host ""
    }
    #endregion Diagnostics

    #region Parallel Fetch
    Write-Verbose "Fetching events per Event ID in parallel from $ComputerName..."

    # Thread-safe collection for results
    $Results = [System.Collections.Concurrent.ConcurrentBag[object]]::new()

    # Store job handles
    $Jobs = @()

    foreach ($EventID in $EventIds) {

        # Start a thread job for each Event ID
        $Jobs += Start-ThreadJob -ArgumentList $EventID,$ComputerName,$HasStartTime,$StartTimeUtc -ScriptBlock {
            param(
                [int]$EventID,
                [string]$ComputerName,
                [bool]$HasStartTime,
                $StartTimeUtc
            )

            # Build filter for Get-WinEvent
            $Filter = @{
                LogName      = 'System'
                ProviderName = 'Microsoft-Windows-TPM-WMI'
                Id           = $EventID
            }

            # Add StartTime only if provided
            if ($HasStartTime) {
                $Filter.StartTime = [datetime]$StartTimeUtc
            }

            # Query events and return selected fields
            Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue |
                Select-Object TimeCreated, Id, LevelDisplayName, Message
        } # end ScriptBlock
    } # end foreach EventID

    # Collect results from all jobs
    foreach ($job in $Jobs) {
        $out = Receive-Job -Job $job -Wait -AutoRemoveJob
        if ($out) {
            foreach ($evt in $out) {
                $Results.Add($evt)
            }
        }
    }
    #endregion Parallel Fetch

    #region Output Handling
    if (-not $Results.Count) {
        Write-Warning "No TPM-WMI events found for the specified criteria."
        return
    }

    # Group and sort events by Event ID
    $Grouped = $Results | Sort-Object Id, TimeCreated | Group-Object Id

    foreach ($Group in $Grouped) {
        $Events = $Group.Group | Sort-Object TimeCreated

        Write-Host ""
        Write-Host "===== Event ID $($Group.Name) ====="
        Write-Host "Count:" $Events.Count
        Write-Host "First:" $Events[0].TimeCreated
        Write-Host "Last :" $Events[-1].TimeCreated
        Write-Host ""

        # Color-coded severity output
        foreach ($Evt in $Events) {
            $Color = switch ($Evt.LevelDisplayName) {
                'Critical'    { 'Magenta' }
                'Error'       { 'Red' }
                'Warning'     { 'Yellow' }
                'Information' { 'Cyan' }
                default       { 'Gray' }
            }

            Write-Host ("[{0}] {1} - {2}" -f $Evt.TimeCreated, $Evt.LevelDisplayName, $Evt.Message) -ForegroundColor $Color
        }
    }

    # Export CSV if requested
    if ($ExportCsv) {
        Write-Verbose "Exporting results to CSV: $ExportCsv"
        $Results | Sort-Object Id, TimeCreated |
            Export-Csv -Path $ExportCsv -NoTypeInformation -Encoding UTF8
    }

    # Export JSON if requested
    if ($ExportJson) {
        Write-Verbose "Exporting results to JSON: $ExportJson"
        $Results | Sort-Object Id, TimeCreated |
            ConvertTo-Json -Depth 5 | Out-File -FilePath $ExportJson -Encoding UTF8
    }

    # Return sorted objects for pipeline use
    $Results | Sort-Object Id, TimeCreated
    #endregion Output Handling

} # end function Get-SecureBootDbxEvents

This topic comes right in place to share what I saw on a old computer from 2013.

I read carefully the blog page on the topic: Updating Microsoft Secure Boot keys | Windows IT Pro blog

and the registry key settings: 

https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#articlefootersupportbridge=communitybridge

If I understand properly, the task

Start-ScheduledTask -TaskName “\Microsoft\Windows\PI\Secure-Boot-Update”

is trying to update the UEFI with the new certificates. It is correct?

BUT the whole is missing a critical scenario: what if the UEFI do NOT support the update of certificates?

On my mainboard from 2013, an Asrock Z87E-ITX, with last bios 2.5 from 2018, out of support from Asrock for years already, running the task is having a very strange behavior on Windows 10 Pro:

• if the wifi is off, I get an error 1801 with "Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware"
• if the wifi is on, the computer is freezing completely (exactly 5 min after start, matching the delay of the trigger in the task), nothing is written is any logs, as if the task trying to touch the UEFI will reach a critical address.

In the bios/UEFI on this machine, there is no way whatsoever to manage the keys and certificates. No way to read (and less to write). It seems Asrock did not implement the SecureBoot completely there...
And there is NO TPM chip on that board...

So next question: what if the certificates are not updated in the UEFI? Should not the update within Windows be enough? 

What manual actions are required on Windows Server operating systems (2012 through 2022) for Secure Boot certificate renewal?
I am using SCCM/Microsoft Endpoint Manager to deploy OS updates to these servers. Some documentation indicates that no manual intervention is required and that the certificates should renew automatically. However, in our environment, the Secure Boot certificates have not been renewed yet.

so looking for the clear instructions.