Hello.

For Virtual Machines running with Windows Server 2012 R2, 2016, 2019, 2022 with all the Windows updates applied until April 2026, this VMs are in Vmware 8.0.3.0, if the update process for the CA2023 certificate is not executing automatically, do I need to update some kind of Bios in Vmware or in the VM itself to get enough confidence and get the updates of CA2023 run automatically? Or if I force the process with the key in registry, schedule the update and restart several times the server, do I need some kind of update in Vmware or in the VM itself?

Thanks.

Hello.  I've go a query re: Hotpatch and Secure Boot certificate updates.  At around 17 minutes in the AMA it's mentioned that Secureboot certs are not applied with Hotpatch updates.  We were informed several weeks ago that the default Autopatch configuration for Intune managed devices is being changed this month, so that Hotpatch is turned on by default.  Does this mean that for those devices, they will not apply Secureboot certs to UEFI firmware until another baseline is released a few months down the line?  If so, then that would seem like really bad timing and would potentially change our approach to allowing Hotpatch to be turned on by default.  Will we be forced to apply them via CFR if so?  Can you clarify please, thanks.

Hello, I made a test in Windows Server 2022, executed this 2 commands in powershell:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Then restart the server 4 times, the new certificate was downloaded but I am getting this message UEFI2023Status: Capable, KEKLastUpdateErrorReason: Firmware_MissingKEKInPackage, what this means the certificate is downloaded but not applied correctly?

Thanks.

Thank you to everyone who posted questions in advance or joined today's AMA live. We'll host our next edition on May 18. To add it to your calendar, visit Ask Microsoft Anything: Secure Boot - May 18, 2026

You mentioned the ConfidenceLevel registry value being useful to see which devices are under observation to potentially become high confidence in the future. There are also registry values showing an error state if one occurs when attempting the certificate update. Can the Intune Secure Boot status report get those values added to it so the report helps us determine which devices need manual intervention?

Bitlocker:
I am not sure if this has been answered.  What is the expected behavior when it comes to enterprise deployment and the prompting of bitlocker recovery keys?  Will customers be prompted for entering bitlocker keys due to the changes in BIOS?

Need a way to update all secure boot certs without booting Windows. securebootrecovery.efi utility exists, but only updates Windows UEFI CA 2023 as far as I know. Need to be sure that mechanism to update bootloader related components can still be forced after updating all certs beforehand.

Does failing to complete the Secure Boot 2023 transition impact Microsoft Defender for Endpoint protections or visibility,

Will you answer questions missed/skipped in the meeting please? 🙏 Thank you!

We have approx. 60k devices, split across Intune and Legacy (Config Manager). A LOT of the older devices are on old BIOS versions - are we ok to deploy the certs using remediation scripts (setting applicableUpdates to 5944 on devices that have Secure Boot). We want to do this so we have control over the rollout. Will the certs remain if we subsequently update the vendor BIOS on these machines ?