Hello. I've got a query re: Hotpatch and Secure Boot certificate updates. At around 17 minutes in the AMA it's mentioned that Secure Boot certs are not applied with Hotpatch updates. We were informed several weeks ago that the default Autopatch configuration for Intune-managed devices is being changed this month, so that Hotpatch is turned on by default. Does this mean that for those devices, they will not apply Secure Boot certs to UEFI firmware until another baseline is released a few months down the line? If so, then that would seem like really bad timing and would potentially change our approach to allowing Hotpatch to be turned on by default. Will we be forced to apply them via CFR if so? Can you clarify please, thanks.
- mihi, Apr 24, 2026, Brass Contributor
It is already possible to deploy the latest Bucket confidence data to a machine without having to install the update it came with (avoiding the reboot). This is commonly used to use the Bucket confidence data shipped with a monthly non-security update without applying the rest of the changes.
https://support.microsoft.com/en-us/topic/a-closer-look-at-the-high-confidence-database-32382469-4505-4ed4-915b-982eff09b5d2#bkmk_deploying_to_other_versions
This will not include fixes of the servicing components (like the one shipped in April that addressed some BitLocker recovery scenarios), but if your goal is to always use the latest bucket confidence data, it should solve your situation without having to fall back to regular LCUs that require a restart.
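Whichever route the certificates take (Hotpatch, a full LCU, or the standalone data deployment described above), the thing to verify afterwards is whether the device's UEFI variables actually contain the new Microsoft CAs. The following PowerShell check is an added example, not code from this thread or from Microsoft's deployment guidance. It assumes a UEFI Windows device with the built-in SecureBoot module, run as Administrator; the subject strings it searches for are the well-known 'Windows UEFI CA 2023' (db) and 'Microsoft Corporation KEK 2K CA 2023' (KEK), and the function name is my own.

```powershell
# Added example (not from the thread): report whether this machine's UEFI
# Secure Boot db and KEK already carry the 2023 Microsoft CAs.
# Assumptions: Windows with the built-in SecureBoot module, elevated session,
# UEFI firmware exposing the db/KEK variables (Get-SecureBootUEFI throws otherwise).

function Test-SecureBootCertPresent {
    [CmdletBinding()]
    param(
        # UEFI signature database to inspect: 'db' or 'kek'
        [Parameter(Mandatory)][ValidateSet('db', 'kek')][string]$Variable,
        # Certificate subject substring expected once the new CA has landed
        [Parameter(Mandatory)][string]$Pattern
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Variable).Bytes
    } catch {
        Write-Warning "Could not read UEFI variable '$Variable': $($_.Exception.Message)"
        return $null
    }
    # Entries in the signature database are DER-encoded X.509 certificates;
    # their subject names are printable ASCII, so a plain ASCII decode of the
    # raw variable is enough to search for the CA name.
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return [bool]($text -match [regex]::Escape($Pattern))
}

# Well-known subject names of the 2023 Microsoft Secure Boot CAs.
$checks = @(
    [pscustomobject]@{ Variable = 'db';  Pattern = 'Windows UEFI CA 2023' },
    [pscustomobject]@{ Variable = 'kek'; Pattern = 'Microsoft Corporation KEK 2K CA 2023' }
)

$report = foreach ($c in $checks) {
    [pscustomobject]@{
        Variable = $c.Variable
        Expected = $c.Pattern
        Present  = Test-SecureBootCertPresent -Variable $c.Variable -Pattern $c.Pattern
    }
}
$report | Format-Table -AutoSize

# Non-zero exit when any expected CA is missing or unreadable, so the same
# script can serve as an Intune detection/compliance script.
if (($report.Present -contains $false) -or ($report.Present -contains $null)) { exit 1 }
exit 0
```

Run it elevated on a pilot device before and after the deployment; a `False` row for `db` after the update was supposedly applied is the signal that the firmware write did not happen, which is exactly the gap the question above is worried about.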