Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
327 Comments
- Zorro (Occasional Reader)
Can you please explain if we must deploy some registry keys to enable the new certificates, or if the Intune CSP is the solution to apply the new certificates (this does not actually work)?
- nlmitchell (Iron Contributor)
Are you able to advise on the three Secure Boot options that are available in the Intune Settings Catalog?
We would like to use this approach to ensure the updated certs for Secure Boot are deployed to our EUDs.
- nlmitchell (Iron Contributor)
Don't worry, already very well explained here - Registry key updates for Secure Boot: Windows devices with IT-managed updates - Microsoft Support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
If I'm reading it right, the top one set to Enabled would set the HighConfidenceOptOut reg key in the above location to 1, which means updates will be applied as part of the LCU.
The second one set to enabled would set the MicrosoftUpdateManagedOptIn reg key in the above location to 1 which would enable the updates to come through the (Controlled Feature Rollout)
The third one set to enabled would set the AvailableUpdates reg key in the above location to 0x5944 - Deploy all needed certs and update to the PCA2023 signed boot manager
Please correct me if I'm wrong on any of this. I will be putting together an Intune policy as a test today to see how things go.
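An added inventory check, not from the thread or from Microsoft's playbook, that reads the registry values nlmitchell lists above (plus the UEFICA2023Status value JEverhart's remediation script below keys on) and then confirms against the firmware DB itself, so registry intent and actual firmware state can be compared per device. It assumes an elevated Windows PowerShell session on the device and the built-in SecureBoot module (Confirm-SecureBootUEFI / Get-SecureBootUEFI); the ASCII substring match on the DB bytes is a common way to spot the 2023 CA and is not an exact certificate parse.

```powershell
# Added example: Secure Boot certificate-update inventory for one device.
# Registry values as discussed in the thread; the firmware DB is the source of truth.
$path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$names = 'HighConfidenceOptOut', 'MicrosoftUpdateManagedOptIn', 'AvailableUpdates', 'UEFICA2023Status'

$state = [ordered]@{}
foreach ($n in $names) {
    # Get-ItemPropertyValue throws when the value does not exist; record that as $null ("not set")
    try   { $state[$n] = Get-ItemPropertyValue -Path $path -Name $n -ErrorAction Stop }
    catch { $state[$n] = $null }
}

# Show AvailableUpdates in hex so it can be compared with the 0x5944 value quoted in the thread
if ($null -ne $state.AvailableUpdates) {
    $state['AvailableUpdatesHex'] = '0x{0:X}' -f [int]$state.AvailableUpdates
}

# Registry flags only express intent; read what the firmware actually holds.
$state['SecureBootEnabled'] = Confirm-SecureBootUEFI
$dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$state['DbHasWindowsUefiCa2023'] = [bool]($dbText -match 'Windows UEFI CA 2023')
$state['DbStillHasPca2011']      = [bool]($dbText -match 'Windows Production PCA 2011')

# One verdict per device, preferring firmware evidence over the registry status string
$state['Verdict'] = if ($state.DbHasWindowsUefiCa2023)               { 'DB updated' }
                    elseif ($state.UEFICA2023Status -eq 'In progress') { 'Update in progress' }
                    else                                               { 'Not started' }

[pscustomobject]$state
```

Run it through your remediation or inventory tooling and compare the Verdict column with what the Intune Secure Boot status report shows for the same devices.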
- MariuszZarzycki (Occasional Reader)
Does the new Secure Boot status report only cover Entra joined devices (or devices managed by WU4B)? What about hybrid joined devices that still stay out of WU4B and are utilizing SCCM/WSUS?
- RCoffee (Occasional Reader)
What is the possibility this firmware update / certificate update will trigger a BitLocker recovery?
- stevensgroi (Copper Contributor)
If you have Active Directory, can the policies in Server 2019 AD be used to push out policies that allow the machine to download the certificate? Also, how can we update our servers?
- SLewis (Occasional Reader)
Does PXE use a 2011 signed bootloader? How can we update PXE (WinPE) so that it will boot to a machine that has 2011 in the DBX?
- Id_Jamie (Copper Contributor)
What is being done with OEMs to make sure that images are updated out of box, with everything being enabled correctly within the OS, without needing to trigger the AvailableUpdates key manually along with 0x5944? We don't want devices shipped from suppliers and warehouses if Secure Boot is bad out of box.
- mihi (Copper Contributor)
Logo requirements for "Designed for Windows 11 25H2" require the machine to ship with the new certificates, and any physical recovery media (if any) to also have the new boot manager on them.
- djfroh (Copper Contributor)
I have some models where the DB and DBx update succeeds, but the KEK fails (gives a specific Access Denied, which can be resolved with booting into the BIOS itself).
Is there any issue in not having the KEK updated?
- mihi (Copper Contributor)
You won't receive any future DBX updates if the KEK is not updated.
But maybe the vendor will still submit a signed KEK update or a firmware update for your device so it can be updated automatically in the future. If not, you'd probably need to apply it manually in the UEFI setup.
- JEverhart (Copper Contributor)
What is the source of truth for whether a device is using the new certificate?
The Intune Secure Boot Status report indicates one number of devices being compliant with the new certificate, while a proactive remediation script I am using checks the registry key UEFICA2023Status, looking for "In progress" or "Updated".
The built-in Intune report shows me 700+ devices, while the remediation script shows ~150. What is the built-in report using to validate the certificate status?
- pc-88 (Brass Contributor)
If the certificates are applied via LCU, is an additional restart required?