Hi,
We have already completed the BIOS update roll-out across all PC models in our environment.
In parallel, we are deploying the Secure Boot CA 2023 certificate upgrade using a Microsoft Intune configuration profile. Due to the very slow adoption rate observed during monitoring—both through Intune policy status and Secure Boot compliance reports—we have also introduced a remediation script to support the deployment.
Despite these efforts, the increase in deployed devices remains limited. This behavior may be related to policy application constraints or required system restarts. According to several references, the Secure Boot update process may require up to two device restarts before the changes are fully applied and reported.
Questions:
1- What is the best way to complete the task: to go with registry settings and schedule the task, or with a configuration profile over Microsoft Intune?
2- Will the May Patch Tuesday update scheduled for May 12 guarantee a resolution of this issue and help increase the deployment and compliance numbers?
mihi, Apr 22, 2026, Brass Contributor
- Regardless of which way you choose (Intune, Group Policy, manual), each way will ultimately result in setting the same registry key. So there should not be any "best way" of triggering the job. Probably the "best way" is to actually monitor the reasons why the adoption rate is not going up (e.g. errors in the event log, if any) to determine whether the devices do not get compliant due to hardware incompatibilities or due to a missing restart.
- The May Patch Tuesday will obviously provide one more chance for a restart, but I doubt it will guarantee resolution of anything. In case the devices have a known hardware issue (also present in the latest firmware version) preventing the update running automatically, this will not "magically" make the updates work. But there should be a sufficient amount of error information in the event log to diagnose this and to decide whether any actions other than waiting are needed.
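The reply's advice is to stop guessing and read the device's actual state: the servicing registry values, whether the 2023 CA is really in the UEFI db/KEK, and what the Secure Boot servicing task logged. The following PowerShell script is an added example written for this thread, not code from the original post or from Microsoft; it can be used as an Intune detection script (exit 0 = compliant, exit 1 = not yet updated). It assumes the `Servicing` registry value names and the `Microsoft-Windows-TPM-WMI` event ID range follow Microsoft's KB5025885 guidance, and the `Secure-Boot-Update` scheduled task path is likewise taken from that guidance; verify both against current documentation before relying on them.

```powershell
#Requires -RunAsAdministrator
# Secure Boot CA 2023 status check (added example, not from the thread).
# Assumptions (labelled): registry value names under ...\SecureBoot\Servicing,
# the TPM-WMI event ID range and the scheduled task path are as documented for
# KB5025885; confirm against current Microsoft documentation.

function Test-SecureBootCa2023Db {
    # $true when the "Windows UEFI CA 2023" certificate is present in the UEFI db.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    return [bool]($db -match 'Windows UEFI CA 2023')
}

function Test-SecureBootKek2023 {
    # $true when the 2023 KEK is present (needed before db/dbx updates can be applied).
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    return [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBootServicingState {
    # Assumption: value names as documented for KB5025885.
    $path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AvailableUpdates = if ($null -ne $props.AvailableUpdates) { '0x{0:X}' -f $props.AvailableUpdates } else { $null }
        UEFICA2023Status = $props.UEFICA2023Status
        UEFICA2023Error  = $props.UEFICA2023Error
    }
}

function Get-SecureBootServicingEvents {
    param([int]$Hours = 72)
    # Assumption: the servicing task logs via provider Microsoft-Windows-TPM-WMI in the
    # System log and uses IDs in the 1795-1808 range for this update.
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ge 1795 -and $_.Id -le 1808 } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Secure Boot must be on for any of the above to mean anything.
try   { $secureBootOn = Confirm-SecureBootUEFI }
catch { $secureBootOn = $false }   # non-UEFI or legacy BIOS boot

$report = [ordered]@{
    SecureBootEnabled = $secureBootOn
    DbHasCa2023       = if ($secureBootOn) { Test-SecureBootCa2023Db } else { $false }
    KekHas2023        = if ($secureBootOn) { Test-SecureBootKek2023 } else { $false }
    # Assumption: this flag is the generic "restart pending" marker set by Windows Update.
    RebootPending     = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    ServicingTask     = (Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue).State
}
$report.Servicing = Get-SecureBootServicingState
$report.Events    = Get-SecureBootServicingEvents -Hours 72

# Human-readable output for manual runs; Intune only looks at the exit code.
[pscustomobject]$report | Format-List | Out-String | Write-Output
$report.Events | Format-Table -AutoSize | Out-String | Write-Output

if ($report.DbHasCa2023 -and $report.KekHas2023) { exit 0 } else { exit 1 }
```

Run it interactively on a few non-compliant devices first: a `UEFICA2023Error` value or warning/error events from the TPM-WMI provider with no pending restart points at firmware or hardware trouble, which no number of restarts (or the May patch) will fix, whereas `InProgress` status plus a pending restart is simply a device that has not rebooted twice yet. Splitting the fleet along that line is what turns "adoption is slow" into an actionable list.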