Event details
197 Comments
How do we confirm that a Windows device is actively booting using the Windows Boot Manager signed by the 2023 Secure Boot CA , rather than just having the 2023 certificates present or staged in firmware?
So just to confirm is it "Basic - required" or do we need "full - optional diagnostic data"?
"Basic - required" is enough.
We have an issue where vmware vm servers upgraded via ipu from 2012 to 2024 are failing with a tpm error when running the windows-secure-boot-update scheduled task so they don't get the event id 1808, newer 2022 servers don't have that issue and have the same configuration. None of the servers have tpm enabled in vcenter. Can you confirm that secureboot is enabled by running
Confirm-SecureBootUEFI = True, even though the event id 1808 doesnt show.
Can you share the exact errors you are seeing?
All Secure Boot related events are logged with an event source of TPM-WMI, regardless whether they have a TPM enabled or not.
Can it be that the newer VMs have been created from a VM template that already included the certificates?
The new panel in Windows Security is supposedly released in April LCU, but I don't have the new UI. My secure boot status shows green but i dont have the new certs. Did the update get pulled from the April LCU?
mumraaMicrosoft
have you published published a mandatory DBX enforcement date that is explicitly tied to the 2011 certificate expiry yet? Or can you indicate roughly when this is likely?
Somewhat answered at 38:00
Can you explain more about error event 1795 and 1797? all the necessary prerequisites are met including recommended firmware version and secure boot state enabled
- 1795 usually points at a firmware issue, more details are in the event text
- You should only see 1797 when you manually revoke 2011 cert in DBX but you are still booted from 2011 boot manager. If there are no other error events, this should resolve by rebooting after the 2023 boot manager has been installed.
What are the possible impact after Jun/26 for those devices that were unable to get Certs or updates at all?
The machines will still boot, LCUs will still apply, but any updates to the boot loader or secure boot configuration will no longer be applied.
We have several devices which are managed by Intune and WUfB - these devices do not have a high ConfidenceLevel assigned (None or Under Observation) however all SecureBoot Certificates were updated.
We have not deployed the Intune Secure Boot Certificate Policy, neither set the AvailableUpdates regkey to kick-off the update.
Looking for clarification how the certificates were updated.- Are you absolutely sure that the devices did not come with the new certificates applied from the factory?
- Do you participate in CFR? CFR can result in updated certificates even if the bucket is not in high confidence.
Here is the autopatch report:
https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/AutopatchDevicesReport.ReactView/gridV2Filters~/%7B%22alertNames%22%3A%5B%22SecureBootCertificateUpdateRequired%22%5D%7DWhat exact checks and data sources drive the Secure Boot Update Report in Intune, and does a device showing updated status guarantee the full 2023 Secure Boot trust chain (KEK, DB, boot manager) is in place?
