Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
- DonDottaNonHotta (Occasional Reader)
Are there plans to prevent SB enabled devices without updated certs from upgrading to future OS versions where the Boot Manager is signed with the 2023 certs (26H2?)
- mihi (Copper Contributor)
25H2 shipped with both boot managers, and Insider builds do as well (\Windows\Boot\EFI vs. \Windows\Boot\EFI_EX). I would assume that 26H2 will still ship with both boot managers, albeit with the 2011-signed one no longer being updated.
Nobody knows about the more distant future, but my guess is that even 27H2 will ship with both boot managers.
- cjsanto (Copper Contributor)
If I am not mistaken, it was mentioned that we should update the firmware and install the related Windows update. My question: do we need to do both, or just update the firmware or install the related Windows update? Thank you.
- mihi (Copper Contributor)
Both will have different effects. Firmware updates will fix firmware bugs and change the "default db", which is/may be used for Secure Boot if you reset your UEFI settings. OS updates will update the "active db", which is used by the current system.
In case there are no firmware bugs related to UEFI variable updates, and you won't mess with your UEFI settings, you only "need" the Windows updates.
If you only install the firmware updates, you will have to mess with the UEFI settings (reset UEFI settings) for it to take effect for the current system. Not recommended in case BitLocker or TPM are used.
- brandonlacek (Occasional Reader)
I can see from event ID 1801 that devices are in buckets but there's nothing listed for BucketConfidenceLevel. Does this mean Microsoft isn't confident enough? Why is it just blank? If there is a BucketId shown, do we need to do anything else other than keep an eye on it? For context, we use WSUS -- not sure if that matters.
- PaulJones22 (Occasional Reader)
We've seen in our estate that users are getting prompted for BitLocker recovery keys. Is this expected behaviour?
- Mabel_Gomes (Microsoft)
BitLocker recovery is not expected, assuming the key updates are being done following our documentation; it can happen on some specific occasions or if you are doing it directly via firmware update.
- DPelle (Copper Contributor)
Why have you made it so difficult to join this event? I am not able to join and signed up over a week ago. It will not add to my calendar.
- Googol (Brass Contributor)
If we update the PK file via EFI for a VMware guest OS, is there a future update for updating the KEK, since it's not occurring? Is there some coordination between Microsoft and Broadcom on this? Or do we need to apply the KEK manually via EFI? Then I see it going to status Updated.
What is the best way to validate that systems are completed? Just being in Updated status?
- lord_eddard_stark (Copper Contributor)
I'm planning to enable the Intune policy and use Intune reporting to target BIOS updates only to devices that still show they don't have the updated Secure Boot certificates. The goal is to avoid a blanket, enterprise-wide BIOS update rollout given our size (150,000+ devices) and the 150 hardware models we support. Any concerns or recommendations?
- Id_Jamie (Copper Contributor)
How can I validate that my WinRE has been updated correctly? I haven't seen any commands to run from WinRE, only scripts, which are in PowerShell, which isn't in WinRE.
- Mike24 (Occasional Reader)
I'm seeing the below error: Write-Host "Event 1801 found but confidence value not in expected format". How can we troubleshoot this error when machines are sending telemetry to Microsoft and the firmware is updated?
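The two Event 1801 questions in this thread (a bucket shown with a blank BucketConfidenceLevel, and a script complaining that the confidence value is not in the expected format) come down to the same task: reading the bucket fields out of the event without treating a blank value as a failure. The following PowerShell is an added example, not Microsoft's playbook script; it assumes the event is logged in the System log by the Microsoft-Windows-TPM-WMI provider and that BucketId and BucketConfidenceLevel appear either as named EventData fields or in the rendered message text.

```powershell
# Added example, not Microsoft's script: list Secure Boot bucket events (ID 1801)
# with BucketId / BucketConfidenceLevel, treating a blank confidence as a
# reportable state rather than a parse failure.
# Assumptions: the event is in the System log from provider
# Microsoft-Windows-TPM-WMI and carries the values as named <Data> elements
# or in its message text; adjust the filter if your events differ.
function Get-SecureBootBucketInfo {
    param(
        [string]$LogName = 'System',
        [string]$ProviderName = 'Microsoft-Windows-TPM-WMI',  # assumption
        [int]$MaxEvents = 5
    )
    $filter = @{ LogName = $LogName; ProviderName = $ProviderName; Id = 1801 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Warning 'No event 1801 found; the device may not have reported a bucket yet.'
        return
    }
    foreach ($evt in $events) {
        # Collect every named <Data> element of the event XML into a hashtable.
        $xml  = [xml]$evt.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            if ($node.Name) { $data[$node.Name] = [string]$node.'#text' }
        }
        # Fall back to the rendered message if the fields are not named <Data> nodes.
        foreach ($field in 'BucketId', 'BucketConfidenceLevel') {
            if (-not $data.ContainsKey($field) -and $evt.Message -match "$field\s*[:=]\s*(\S+)") {
                $data[$field] = $Matches[1]
            }
        }
        # A blank confidence is the case attendees reported above: surface it explicitly.
        $confidence = $data['BucketConfidenceLevel']
        if ([string]::IsNullOrWhiteSpace($confidence)) { $confidence = '<blank>' }
        [pscustomobject]@{
            TimeCreated           = $evt.TimeCreated
            BucketId              = $data['BucketId']
            BucketConfidenceLevel = $confidence
        }
    }
}
Get-SecureBootBucketInfo | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on an affected device; a row whose BucketId is set but whose confidence shows `<blank>` is the state described in the thread, not a script error.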
- jeddunn (Copper Contributor)
Will Microsoft force the revocation of the 2011 certs at some point?
- Pearl-Angeles (Community Manager)
Thanks for your question! In addition to Mabel's response below, the panelists answered this live at 35:34.
- Mabel_Gomes (Microsoft)
Thanks for the question. There is no immediate plan to automatically apply 2011 certificate revocation. Enterprises can plan the 2011 certificate revocation once all boot sources have been updated.