Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
197 Comments
- AlexejFedorov, Copper Contributor
What would be a good date to include the new certificate to the SCCM boot image?
- Romain-B, Copper Contributor
Will there be a situation where a device will be prevented from booting?
e.g. a moment where the 2011 certificate will be added to the DBX revocation list?
- mihi, Brass Contributor
The most likely scenario is that the certificates and boot manager are updated, and then you reset certificates to default. In that case you need to run securebootrecovery.efi.
Or when you later enable Secure Boot on a device installed without Secure Boot enabled with new boot manager, but the new certificates are not in the DB.
Or when you boot an ISO from a manufacturer that has the new boot loader on another machine that does not have the certs.
The system will not allow applying the 2011 cert to DBX in case the system is still booted from that boot loader. So it can only happen with external media or when you manually downgrade your boot manager after you added the 2011 cert to DBX.
- kayyum_m, Copper Contributor
Are you sure the New ADMX has Secure Boot GPO settings?
I used the new 25H2 GPO templates and this setting was still missing :(
- HeyHey16K, Steel Contributor
Yes it's definitely in there, we updated ours recently specifically for the SB settings.
Scroll to the bottom of this page to "Resources" for the right ADMX templates to use 😊
https://support.microsoft.com/en-gb/topic/group-policy-objects-gpo-method-of-secure-boot-for-windows-devices-with-it-managed-updates-65f716aa-2109-4c78-8b1f-036198dd5ce7
- MP_35, Brass Contributor
You mentioned that Autopatch doesn't apply the cert, that a task does. What task?
- mihi, Brass Contributor
Autopatch just installs the LCU. If your device is high confidence, the Secure-Boot-Update task will apply the certificates on next boot. If not, you have to set the AvailableUpdates registry key via one of the supported ways (Group Policy, Intune, WinCS, manually) to trigger the secure boot updates like on any other machine not managed by Autopatch.
- kayyum_m, Copper Contributor
TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
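The two comments above describe how the certificate update is applied: the LCU ships the new certificates, the Secure-Boot-Update scheduled task applies them on the next boot for high-confidence devices, and everyone else opts in through the AvailableUpdates registry value. The read-only inventory check below is an added example, not code from the thread or from Microsoft; it only reports state and never sets AvailableUpdates. It assumes the registry path HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot for the AvailableUpdates value and the subject strings "Windows UEFI CA 2023" and "Windows Production PCA 2011" for the new and old signing CAs, both taken from Microsoft's public documentation rather than from this page.

```powershell
# Added example: per-device Secure Boot certificate readiness report (run elevated).
# Read-only: reports Secure Boot state, the update task, the opt-in value and DB contents.
function Get-SecureBootCertStatus {
    $result = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems, so treat that as "off".
    try   { $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBootEnabled = $false }

    # The scheduled task named in the thread; absent on builds without the update logic.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' `
                              -ErrorAction SilentlyContinue
    $result.UpdateTaskPresent = [bool]$task
    $result.UpdateTaskState   = if ($task) { $task.State.ToString() } else { 'n/a' }

    # Opt-in value set by GPO / Intune / WinCS / manually. Path assumed from Microsoft KB docs.
    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $avail = (Get-ItemProperty -Path $regPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $result.AvailableUpdates = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { 'not set' }

    # Certificates in the UEFI db are DER-encoded; the subject CN survives as ASCII in the blob,
    # so a plain substring match is enough to tell whether the 2023 CA has landed yet.
    try {
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $result.DbHasWindowsCA2023 = $dbText -match 'Windows UEFI CA 2023'        # assumed CN string
        $result.DbHasWindowsPCA2011 = $dbText -match 'Windows Production PCA 2011' # assumed CN string
    } catch {
        $result.DbHasWindowsCA2023 = $result.DbHasWindowsPCA2011 = 'unreadable'
    }

    # Mirror the point made in the thread: certificates are only applied with Secure Boot on.
    $result.Assessment = if (-not $result.SecureBootEnabled) {
        'Secure Boot off: certs will not be applied; boot manager still updates'
    } elseif ($result.DbHasWindowsCA2023 -eq $true) {
        'New CA present in db'
    } elseif ($result.AvailableUpdates -eq 'not set' -and -not $result.UpdateTaskPresent) {
        'Not opted in and no update task: needs AvailableUpdates via GPO/Intune/WinCS'
    } else {
        'Pending: update task/opt-in present, new CA not yet in db'
    }

    [pscustomobject]$result
}

Get-SecureBootCertStatus | Format-List
```

For an estate-wide inventory, wrap the call in Invoke-Command against a list of hosts and export to CSV; the Assessment field then splits devices into the "Secure Boot off" bucket that the later comments in this thread ask about, the devices that still need the opt-in, and those already done.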
- Mr_JohnRiley, Copper Contributor
I enabled the settings with my Intune policy to opt in to Secure Boot for my Enterprise environment. Nearly all of them are showing as failed when applying these entries. Is this something I should be worried about?
- ESTech, Occasional Reader
How do I update the certificates on Windows 11 Insider Beta?
- mihi, Brass Contributor
There should not be a difference between Insider builds and normal builds. I have updated certificates on some VMs running Insider builds without any issues.
Note that the build needs to be from Mid-2025 or later so it has the new certificates.
If you are having issues with that, please post your exact build number (and used Insider channel) and the error you are receiving.
- MP_35, Brass Contributor
Is the confidence database found in the Autopatch report? Where do I find the confidence database?
Never mind, I found it here: https://github.com/microsoft/secureboot_objects/blob/main/HighConfidenceBuckets/README.md
- AdamDunleavy, Copper Contributor
Will pushing out BIOS updates at the same time as Secure Boot certificate updates from Intune increase the risk of the device becoming BitLockered?
- mihi, Brass Contributor
There are safeguards in place that prevent Secure Boot certificate updates if there is a firmware update pending. Also, unless you bind to PCR 0 or 2 in your TPM configuration, BIOS updates will not affect BitLocker at all.
Still, there might be a minimal risk that these processes interfere, especially since the firmware update process heavily depends on how the manufacturer implemented it.
- Sanjay O P, Copper Contributor
Can the new certificates be installed on a physical server even if Secure Boot is in the off state? And will the certificates be used only when the device has Secure Boot turned ON?
- mihi, Brass Contributor
They will only be installed (and used) if the device has secure boot turned on. The bootloader will also be updated if Secure Boot is disabled. So at the point when you enable Secure Boot later, you will have to make sure that the certificates in UEFI match the bootloader installed on the machine.
- nikhilkinger26, Occasional Reader
We deploy Windows updates through Intune to all devices, and half of the devices don't have Secure Boot enabled. Are those a point of concern, since they don't have Secure Boot enabled?
So should we push the Settings Catalog policy only to devices that have Secure Boot enabled, to update the certs?