Event details
Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. We recently published the first version of the Secure Boot playbook, outlining the tools and steps you can take today to proactively plan and prepare for this milestone. Join this AMA with your questions about update scenarios, inventorying your estate, and formulating the right deployment plan for your organization.
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
How do I participate?
Registration is not required. Simply select Add to calendar then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
114 Comments
- Kev_Chan
Copper Contributor
Our devices are on Intune but we use a third party patch management software for updates.
Is there a specific update name to look out for to make sure the patching software does deploy this update? Or will the SB cert be deployed as part of future Windows Cumulative/Security updates as well?
Of course, we will need to make sure the devices' BIOS is updated to the latest version before such a deployment can occur.
- mace_9_8
Occasional Reader
"For Windows running long term in a VM, the updates can be applied through Windows like any other devices, if the virtualized firmware supports Secure Boot updates."
- What do you mean by "Windows running long-term in a VM"
- How can I determine if my VMs are long-term?
- prabhv1982
Microsoft
Long-running virtual machines refers to VMs that have been operating for an extended period, for years, rather than short-lived or disposable VMs used for quick testing.
Most recent Virtual machines created from up-to-date Hyper-V hosts already have the new certificates deployed. To verify if your VM has the required Secure Boot certificate updates:
- Refer to https://aka.ms/getsecureboot -> Guidance for IT professionals and organizations -> Monitoring Event Logs section for guidance on how to determine if a VM has the latest certificates.
- Refer to
- mithunlal
Copper Contributor
Does this have any relation with Defender ASR rule 'Block rebooting machine in Safe Mode'? https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference#block-rebooting-machine-in-safe-mode
- Pearl-Angeles
Community Manager
This question was answered during the live AMA at 12:50.
- prabhv1982
Microsoft
No. This is not related to Windows Defender's feature to block boot to Safe Mode.
- lr1
Occasional Reader
1. What's the easiest way to determine if a device is compliant with the two prerequisites below, to receive automatic Secure Boot certificate updates? Does Microsoft provide a "quick check", which can be run on a device?
"The system shares diagnostic data + is managed by Microsoft Cloud or Intune"
2. Looks like updating virtual machines by using the "AvailableUpdates" Registry Key (value 0x5944), currently results in an error state (see details in the Secure Boot playbook for certificates expiring in 2026 - Windows IT Pro Blog comments)
- The certs are up to date except for current "Microsoft Corporation KEK 2K CA 2023"
- Status of UEFICA2023Status Registry Key = "InProgress"
- UEFI2023Error Registry Key = "800703e6"
- Event log ID 1796 error "The secure boot update failed to update a secure boot variable with error invalid access to memory location"
Question 1: Is this a known error, which Microsoft / Broadcom are working on?
Question 2: The "Microsoft Option ROM UEFI CA 2023" DEFAULT certificate has not been updated by this process. Is Broadcom responsible to do so and will this happen by installing a new version of VMware tools?
3. According to https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818 a device will continue to boot if it does not have the new Secure Boot certificates updated after the old certificates expire in June / October 2026, but "it will no longer be eligible to receive security fixes related to the Windows boot manager updates or Secure Boot". What does this mean in detail, and how do we bring a device back to a compliant state?
- Alun
Occasional Reader
Just 3 questions:
- Will we need to update the WinPE build media and Windows Install Source Images if the device has the new certs installed (or the old have expired)?
- Will the Windows Install process update the Certs if the Windows Install source media has been updated and the device has not?
- Will any future cumulative patches that require new certs for a security vuln patch also force the upgrade of the cert if the device has yet to be updated?
- Pearl-Angeles
Community Manager
Chiming in that your second question was addressed live in the AMA at 7:42.
- prabhv1982
Microsoft
- If Boot Manager revocations are not deployed, existing boot media will continue to boot even after the certificate expires and/or new certificates are deployed to firmware. If revocations are deployed, all bootable media must be updated to include the new Boot Manager to ensure continued boot functionality.
Guidance on deploying Boot Manager revocations is available here:
How to manage the Windows Boot Manager revocations for Secure Boot changes associated with CVE-2023-24932 – Microsoft Support.
- Devices that do not have the required certificates will not receive proactive certificate updates from the Windows installer.
- If you attempt to boot from media that uses a Boot Manager signed with the new certificate, the device will fail to boot unless the updated certificates are already present.
- For in-place upgrades, the boot service installer will not update the Boot Manager to avoid a no-boot scenario.
- Cumulative updates include a high-confidence data list of device classes deemed safe for deployment. This data will be refreshed regularly as part of cumulative updates.
- The latest high-confidence list is located at: %systemroot%\System32\SecureBootUpdates\BucketConfidenceData.cab
- If your device’s BucketID is included, the update will be applied automatically if certificates are not already present.
- You can find the BucketID in Secure Boot events. Refer to https://aka.ms/getsecureboot -> Guidance for IT professionals and organizations -> Monitoring Event Logs section for details on Secure Boot certificate related events.
- Future cumulative updates will apply these changes automatically for devices identified by Microsoft as ready, based on a high-confidence list.
- FailedSuccessfully
Occasional Reader
Starting from what OS build are the Secure Boot certificates renewed?
- prabhv1982
Microsoft
Renewed Secure Boot certificates are applicable to all Secure Boot enabled devices. The latest Windows cumulative updates include the renewed certificates. Refer to https://aka.ms/getsecureboot on how to safely roll out certificates in your environment.
- Vinod7
Brass Contributor
How about updating the WinPE boot image for SCCM?
- prabhv1982
Microsoft
This link, WinPE: Create bootable media | Microsoft Learn, explains how to update WinPE bootable images.
Additional references:
- WinPE: Mount and Customize | Microsoft Learn
- Makewinpemedia Command-Line Options | Microsoft Learn
- BCDBoot Command-Line Options | Microsoft Learn
- Capture and Apply Windows using a WIM file | Microsoft Learn
- https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/oem-deployment-of-windows-de
- lalanc01
Iron Contributor
When should we expect the ConfidenceLevel registry to be populated?
Our devices are managed with WUfB, but the key is empty.
- RayC15
Copper Contributor
After ConfidenceLevel is populated, does that mean the update will be triggered on next Windows Update?
- lalanc01
Iron Contributor
Any news/eta for Option 4: Deploy certificates using mobile device management (coming soon)?
Thanks
- lalanc01
Iron Contributor
What can we do if a device won't update its Secure Boot cert?
We have updated to the latest bios version, released a few months back, set the registry key and started the scheduled task and rebooted multiple times, but the cert is still not updated.
Are there some logs/events that we can look at?
Thanks
- prabhv1982
Microsoft
Secure Boot update failure events are logged in the System event log under the TPM-WMI channel. Refer to Secure Boot DB and DBX variable update events - Microsoft Support for the list of Secure Boot event IDs to monitor.
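The questions above from lr1 and lalanc01 both come down to "how do I see where a device actually stands?" The following script is an added example written for this page, not code from Microsoft or the AMA panel. It pulls together the three signals the answers in this thread point at: which 2023 certificates are present in the KEK and db UEFI variables, the servicing status and error values under the SecureBoot registry keys, and the recent TPM-WMI events in the System log. Assumptions: the registry paths `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing` (UEFICA2023Status, UEFICA2023Error) and `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot` (AvailableUpdates) are taken from Microsoft's Secure Boot servicing documentation; the certificate names other than the two quoted above ("Microsoft Corporation KEK 2K CA 2023", "Microsoft Option ROM UEFI CA 2023") are from Microsoft's published 2023 CA list; the event ID range 1795-1820 is assumed to cover the Secure Boot servicing events (1796 is the one quoted above) and should be checked against the linked events article.

```powershell
# Added example (not Microsoft's code). Run in an elevated PowerShell session on a
# Secure Boot enabled Windows device. Requires the built-in SecureBoot module
# (Confirm-SecureBootUEFI / Get-SecureBootUEFI).

function Get-SecureBoot2023CertState {
    # Certificate subjects are DER-encoded ASCII inside the signature database, so a
    # plain substring match on the raw variable bytes is enough for a presence check.
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled (or not supported) on this device.'
    }
    $checks = @(
        @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023' },
        @{ Variable = 'db';  Name = 'Windows UEFI CA 2023' },
        @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023' },
        @{ Variable = 'db';  Name = 'Microsoft Option ROM UEFI CA 2023' }
    )
    foreach ($c in $checks) {
        $bytes = (Get-SecureBootUEFI -Name $c.Variable).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        [pscustomobject]@{
            Variable    = $c.Variable
            Certificate = $c.Name
            Present     = $text.Contains($c.Name)
        }
    }
}

function Get-SecureBootServicingState {
    # Status/error written by the Secure Boot servicing task; AvailableUpdates is the
    # bitmask an admin sets (e.g. 0x5944) to request the certificate updates.
    # Paths assumed from Microsoft's Secure Boot servicing documentation.
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $root      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $s = Get-ItemProperty -Path $servicing -ErrorAction SilentlyContinue
    $r = Get-ItemProperty -Path $root      -ErrorAction SilentlyContinue

    # REG_DWORD values come back as Int32; HRESULTs such as 0x800703E6 read as a
    # negative number, and the x8 format prints the two's-complement hex we want.
    $err = $null
    if ($null -ne $s.UEFICA2023Error) { $err = '0x{0:x8}' -f $s.UEFICA2023Error }
    $avail = $null
    if ($null -ne $r.AvailableUpdates) { $avail = '0x{0:x4}' -f $r.AvailableUpdates }

    [pscustomobject]@{
        UEFICA2023Status = $s.UEFICA2023Status   # NotStarted / InProgress / Updated
        UEFICA2023Error  = $err
        AvailableUpdates = $avail
    }
}

function Get-SecureBootServicingEvents {
    # Secure Boot servicing events are raised by the TPM-WMI provider in the System log.
    # The ID range is an assumption; 1796 ("update failed ... invalid access to memory
    # location") is the one quoted in this thread.
    param([int]$Hours = 72)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ge 1795 -and $_.Id -le 1820 } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: one report per device, suitable for collecting through your patch tool.
Write-Host '== 2023 certificates in UEFI variables =='
Get-SecureBoot2023CertState | Format-Table -AutoSize
Write-Host '== Servicing registry state =='
Get-SecureBootServicingState | Format-List
Write-Host '== TPM-WMI Secure Boot events (last 72h) =='
Get-SecureBootServicingEvents | Format-Table -Wrap -AutoSize
```

Reading the output: a device that is fully updated shows every certificate as Present and UEFICA2023Status as Updated. The case lr1 describes (KEK 2K CA 2023 missing, status InProgress, error 0x800703e6, event 1796) would show up as one False row in the first table plus the matching error and event, which is the evidence to attach when opening a case with the platform or hypervisor vendor. Missing db entries with no error and no events usually mean the servicing task has not run yet or the device is not on the high-confidence list, so check AvailableUpdates and the scheduled task before assuming a firmware problem.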