Event details
177 Comments
You mentioned that autopatch doesn't apply the cert that a task does, what task?
Autopatch just installs the LCU. If your device is high confidence, the Secure-Boot-Update task will apply the certificates on next boot. If not, you have to set the AvailableUpdates registry key via one of the supported ways (Group Policy, Intune, WinCS, manually) to trigger the secure boot updates like on any other machine not managed by Autopatch.
TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
I enabled the settings with my InTune policy to opt in to secure boot for my Enterprise environment. Nearly all of them are showing failed applying these entries. Is this something I should be worried about?
How do i update the certifacites on Windows 11 Insider Beta?
There should not be a difference between Insider builds and normal builds. I have updated certificates on some VMs running Insider builds without any issues.
Note that the build needs to be from Mid-2025 or later so it has the new certificates.
If you are having issues with that, please post your exact build number (and used Insider channel) and the error you are receiving.
Is the confidence database found in the autopatch report? where do I find the confidence database?
Never mind, I found it here https://github.com/microsoft/secureboot_objects/blob/main/HighConfidenceBuckets/README.mdWill pushing out BIOS updates at the same time as Secure Boot certificate updates from intune increase the risks of the device becoming bitlockered?
There are safeguards in place that prevent Secure Boot certificate updates if there is a firmware update pending. Also, unless you bind to PCR 0 or 2 in your TPM configuration, BIOS updates will not affect Bitlocker at all.
Still, there might be a minimal risk that these processes interfere, especially since firmware update process heavily depends on how the manufacturer implemented it.
Will new certificates can be installed in a Physical server even if the secure boot is in off state? And will the certificate be used only when the device has secure boot turned ON?
They will only be installed (and used) if the device has secure boot turned on. The bootloader will also be updated if Secure Boot is disabled. So at the point when you enable Secure Boot later, you will have to make sure that the certificates in UEFI match the bootloader installed on the machine.
We have windows updates through Intune to all devices, we have half of the devices doesn't have secure boot enabled, are those are point of concern since they don't have secure boot enabled,
So we will be pushing the setting catalog policy to only devices that have Secure boot enabled to update certs?Hello, can we use this 3 instructions to force the Windows Servers to update the CA2023 certificate?
- reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
- Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- And restart the server two times.
If
- The server patch level is at least mid 2025
- The machine has UEFI Secure Boot enabled
- There are no known blocks for the hardware configuration
These three instructions will update to CA2023 certificates. Make sure to wait at least 5 minutes before each restart so that all the actions to be performed have been finished.
How do i update the certificates on Windows Insider Beta
There should not be a difference between Insider builds and normal builds. I have updated certificates on some VMs running Insider builds without any issues.
Note that the build needs to be from Mid-2025 or later so it has the new certificates.
If you are having issues with that, please post your exact build number (and used Insider channel) and the error you are receiving.
Please talk about the default versus the active database. Specifically, what are the pitfalls in continuing to use a system that has the active database updated but does not have an available OEM update for the default database.
The risk is in somebody resetting Secure Boot to defaults in the UEFI setup and having a device that does not boot or may go through BitLocker recovery.
As mentioned in the video, a countermeasure may be to set a Setup passsword for the UEFI setup so that end-users cannot mess with their settings.
