Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization: we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
177 Comments
- rcallaghan (Copper Contributor)
Our devices are shipped with OEM Windows Pro and are later upgraded to Windows Enterprise via Intune policy. On a large subset of these devices, the Intune configuration profile used to opt devices into Microsoft‑managed Secure Boot certificate updates is failing with Intune error 65000, and corresponding event logs indicate the policy is being rejected by licensing rather than by Secure Boot or firmware state.
My question is:
- Is this a known and acknowledged issue when Secure Boot certificate updates are applied to devices that have undergone OEM Pro → Enterprise conversion via Intune, and what is the workaround?
- eddardstark (Copper Contributor)
I am currently experiencing this issue as well and working with Microsoft through an open support case.
- Amanda_A (Copper Contributor)
To kick off Secure Boot cert updates, do we have to set the registry value (or Intune policy that sets it)?
- Brian Smith (Occasional Reader)
If the boot cert is not updated and an attempt is made to install a CU that contains updates to Secure Boot, will the entire CU KB fail to install?
- mihi (Brass Contributor)
No.
- Updates to DBX will be applied after the reboot by the scheduled task anyway.
- CUs will continue to ship two boot managers, one for the 2011 cert and one for the 2023 cert. The update will install the 2011 boot manager (without the new fixes) if the 2023 cert is not present.
- Simonb1 (Microsoft)
Any particular attention point or difference on the process for Azure Confidential Compute virtual machines?
- mihi (Brass Contributor)
Answered at 31:15
- CrisLugoB (Copper Contributor)
Is there an official rollback option in case of any booting issues after updating?
- mihi (Brass Contributor)
Answered at 43:00
- Novis1380 (Copper Contributor)
In order to do the Secure Boot certificate updates, do I need to follow the vendor's steps on updating the Secure Boot certificate? For example, Dell has a website that states prerequisites: it needs TPM 2.0 and Windows Server 2022 or later before being able to update the Secure Boot certificate. Is it necessary to follow that, or can I proceed to update the Secure Boot certificate via the registry keys or the playbook that you provided?
- mihi (Brass Contributor)
Answered at 34:00
- Novis1380 (Copper Contributor)
In response to the answer, this is the website URL: https://www.dell.com/support/kbdoc/en-us/000402373/poweredge-server-bios-update-guidelines-for-microsoft-secure-boot-certificates
Is there a tool that can help us check whether the server is ready for the Secure Boot certificate update and also perform the update for us?
- SuperIT (Copper Contributor)
Will the clients still boot after June if no steps are taken?
- mihi (Brass Contributor)
YES.
- Amanda_A (Copper Contributor)
How do we confirm that a Windows device is actively booting using the Windows Boot Manager signed by the 2023 Secure Boot CA, rather than just having the 2023 certificates present or staged in firmware?
- MP_35 (Brass Contributor)
So just to confirm is it "Basic - required" or do we need "full - optional diagnostic data"?
- mihi (Brass Contributor)
"Basic - required" is enough.
- gazlancaster68 (Copper Contributor)
We have an issue where VMware VM servers upgraded via IPU from 2012 to 2024 are failing with a TPM error when running the windows-secure-boot-update scheduled task, so they don't get event ID 1808; newer 2022 servers don't have that issue and have the same configuration. None of the servers have TPM enabled in vCenter. Can you confirm that Secure Boot is enabled by running Confirm-SecureBootUEFI (= True), even though event ID 1808 doesn't show?
- mihi (Brass Contributor)
Can you share the exact errors you are seeing?
All Secure Boot related events are logged with an event source of TPM-WMI, regardless of whether they have a TPM enabled or not.
Can it be that the newer VMs have been created from a VM template that already included the certificates?
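The last two exchanges (whether the 2023 CA is merely staged in firmware versus in use, and whether Confirm-SecureBootUEFI plus the TPM-WMI event 1808 are the right signals on VMs) can be checked from one elevated PowerShell session. The script below is an added example, not code from the AMA or from Microsoft; it assumes the 2023 CA can be recognised by the subject string "Windows UEFI CA 2023" inside the UEFI db variable and that the TPM-WMI events live in the System log under the provider name Microsoft-Windows-TPM-WMI.

```powershell
# Added example: summarise a device's Secure Boot certificate-update state from the
# signals discussed in the thread. Assumed values: the CA marker string and the
# event provider name; the event ID 1808 comes from the commenter's report.
# Note: a 2023 CA present in 'db' only proves it is staged in firmware, not that the
# 2023-signed boot manager was the one that actually booted this session.
function Get-SecureBootUpdateStatus {
    [CmdletBinding()]
    param(
        [string]$CaMarker     = 'Windows UEFI CA 2023',            # assumed subject string
        [string]$ProviderName = 'Microsoft-Windows-TPM-WMI',      # assumed provider name
        [int]   $ReadyEventId = 1808
    )

    $status = [ordered]@{
        SecureBootEnabled = $false
        DbContains2023Ca  = $false
        Event1808Seen     = $false
        LastEventTime     = $null
    }

    # Confirm-SecureBootUEFI returns $true only when Secure Boot is on. It throws on
    # legacy BIOS/CSM firmware, which is treated here as "not enabled".
    try { $status.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { }

    if ($status.SecureBootEnabled) {
        # 'db' holds the allowed signers as raw EFI_SIGNATURE_LIST bytes. Certificate
        # subjects are embedded as ASCII, so a byte-string search distinguishes
        # "2023 CA staged in firmware" from "not present" without parsing DER.
        $dbBytes = (Get-SecureBootUEFI -Name db).Bytes
        $dbText  = [System.Text.Encoding]::ASCII.GetString($dbBytes)
        $status.DbContains2023Ca = $dbText.Contains($CaMarker)
    }

    # The TPM-WMI source is used for Secure Boot servicing events whether or not a TPM is
    # present, so the query is valid on TPM-less VMs like the ones described above.
    $evt = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = $ProviderName
        Id           = $ReadyEventId
    } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($evt) {
        $status.Event1808Seen = $true
        $status.LastEventTime = $evt.TimeCreated
    }

    [pscustomobject]$status
}

Get-SecureBootUpdateStatus | Format-List
```

A device that reports SecureBootEnabled and DbContains2023Ca but no event 1808 is worth comparing against the scheduled-task errors asked about above, since the firmware side and the servicing side are reported independently.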