This is opt in policy that enterprises need to enable to be opted into Microsoft Managed Controlled Feature Rollout of certificate updates.   Note that, this requires enabling Diagnostics data to enable Microsoft to have visibility to the device bucket to enable the Microsoft managed rollout.

Refer to following links

Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support for details on the policy

Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support for Intune based policies

Configure Windows diagnostic data in your organization - Windows Privacy | Microsoft Learn  for how to configure diagnostic data

Hi jbennett,

MicrosoftUpdateManagedOptIn is not enabled by default. You must enable it and ensure that the devices are sending Diagnostic data. This works for client versions of Windows. If you are managing server or IoT devices, you should be sure to focus on getting those updated.

Arden

Hi VaishnavK1993.

the devices will continue to boot and operate normally. The steps to get them remediated are the same steps as before the certificates expire.

https://support.microsoft.com/topic/when-secure-boot-certificates-expire-on-windows-devices-c83b6afd-a2b6-43c6-938e-57046c80c1c2

Test devices and apply across the devices. Update firmware where necessary.

There are a lot of good resources at this link below and these resources are being updated regularly.

https://aka.ms/GetSecureBoot 

Arden

Hello VaishnavK1993​,  Has your organization attempted installation of certs and encountering errors when applying the updates?  Secure Boot Update task logs error events in System event log indicating why update could not be applied.   In most cases device may be in known block list

If your organization have not yet initiated update process, Microsoft recommend testing on few similar machines that represent your environment before applying the policy broadly.  For devices that have known issues, have been blocked and you will see an error 1802 under TPM-WMI source in System event log indicating update could not be installed due to known issue.   For most issues, OEMs may already have firmware updates available.  If OEM has new firmware update available, recommended to install the latest available firmware updates to unblock the certificate updates.

We also use ADK Version 10.1.26100.1 (May 2024) and this is enough. Starting with SCCM/MEM 2509 there's a new option on every single boot image called "Use Windows Boot Loader signed with Windows UEFI CA 2023". This is for PXE boots and will only work if you use the SCCM PXE Responder (WDS-less).

But as long as you don't revoke the old 2011 certificates on your devices, you don't need to set that option. If you're sure all your devices have the new 2023 certificates installed, you can then do the switch and consider revoking the old ones.

Thank you for your question.  Microsoft is doing Controlled Feature Roll out on Consumer devices grouped by device attributes into a unique device bucket (Caled BucketID).   BucketId represents group of devices that behave similarly when certificate updates are applied.   If Microsoft observe enough evidence of successes within a bucket, respective device group is marked as High Confidence in the public Confidence Database (BucketConfidenceData.cab).      If a device is identified as High Confidence, certificates will be automatically installed as part of monthly Security updates Microsoft release every Patch Tuesday.

For devices that are not visible to Microsoft, Enterprises need to take action.  Microsoft recommend testing on few similar machines that represent your environment before applying the policy broadly.  For devices that have known issues, have been blocked and you will see an error 1802 under TPM-WMI source in System event log indicating update could not be installed due to known issue.   For most issues, OEMs may already have firmware updates available.  If OEM has new firmware update available, recommended to install the latest available firmware updates to unblock the certificate updates.

Refer to Understanding Secure Boot Events 1802 and 1803 - Microsoft Support for details about known issues preventing the certificate updates.  

Interesting feedback! On my side I was surprised by your experience regarding BIOS versions — I've been able to successfully deploy all the new certificates and the updated boot manager on Lenovo devices with BIOS from 2019 and 2020, without any issues.

Of course, OEM BIOS updates that embed the new certificates are always a good practice — but in my experience they are not strictly required. At least on every Lenovo I've tested, there was no minimum BIOS version needed to get the Microsoft certificates installed properly.

For your 20% in manual remediation, you might want to give https://github.com/claude-boucher/CheckCA2023 a try — it's a PowerShell + XAML utility that helped me a lot to diagnose machines where the process wasn't going smoothly. It visualizes all Secure Boot certificate stores, the relevant registry keys and the Event IDs Microsoft asks us to monitor. Might help identify exactly where things are getting stuck.
Would love to hear your feedback if you get a chance to try it! 😊

Thank you for your question.  Due to the impact to recovery boot media and other external boot sources such as Network boot, the revocation of old 2011 certificate and SVN is not automatically applied to UEFI firmware. Enterprises need to ensure all boot sources have been updated to latest 2023 signed Boot manager before applying the revocations to UEFI DBX.