Event details
197 Comments
What telemetry level should we have set in our org for the certs to properly install? Currently we have them set to blocked here and I know that is wrong, but I'm unsure what would be correct for this case. Is there any sort of guidance available for this?
Answered twice in the video, basic/recommended telemetry is enough if you want to take part in the CFR process. In case your machines are managed, in addition to enabled telemetry, you also need to set the Managed Device Opt In so that you take part in CFR. If you don't take part in CFR, you will get the certificates only for High Confidence devices via the LCU.
I got to the report in Intune, but is there a way to get better data besides yes/no, not applicable? the results appear to be random in nature and not sure if it's properly reporting on secure boot status. I have multiple new computers that were purchased and distributed around the same time and some are and some aren't showing as set to secure boot. I thought this was set on by default these days.
Will Microsoft keep updating the High Confidence list after the 2011 certificates expire for devices that we configure for High Confidence before deploying?
You've mostly answered my question. I was looking for if we need to skip the High Confidence configuration to meet the deadline
I am unsure what deadline you are talking about. Depending on what devices you are using, not all of them may become High Confidence by June. So if you want to make sure to have those devices updated, you need to manually push the updates.
On a Hyper-V host, regarding the certificate update process, is there an order to do things in meaning does it matter if the secure boot certificate update process is started first on the host and does the host need to be fully updated before starting the VMs? I am aware of the requirements of the firmware needing to be up to date and at least the March updates being installed on both the host and VMs. Thank you.
Answered at 14:30 in the video.
Secure Boot process is completely separate between Guest and Host, the order does not matter.
To enable secure boot on the host, the host needs to be powered down. This will obviously prevent the VMs from still running, but it does not matter whether they are shut down or paused.
I'm curious about an updated ADK as well as official guidance on how to address PXE w/ WDS:
"A new checkbox, Use Windows Boot Loader signed with Windows UEFI CA 2023, is available in the Data Source tab of boot image properties. When enabled, it updates the boot image to use the boot loader signed with Windows UEFI CA 2023. The checkbox automates the mitigation steps described in KB5025885.
The new functionality only works on WDS-Less PXE-enabled Distribution Points."
???
Yes, please assist!
On the Intune Secure Boot Status Page - https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/SecureBootReport.ReactView - all of my 900+ devices are showing as Certficate Status = "not applicable".
3rd party scripts are helping to confirm that updated certs are in place on my devices, but I would like to see the official status page working properly.
What are the pre-requsite factors needed in order to make this report on our devices provide accurate statuses on my laptops?+1 for this, we have some of those too
What do I have to do to get the new certificates to Windows 11 and server ISOs? Will they be integrated in newer ISOs in the near future or do I have to do something manually to add them?
Answered at 5:30 in the video.
One addition, even if they are added to the ISO, this does not mean they will update any "leftover" devices during the installation phase. It only means that those media can boot from machines that do not trust the old certificates any longer.
Hello, there is a way to force the download of the new CA2023 certificate in Windows Server 2012 R2, Windows Server 2016, Windows Server 2019 and Windows Server 2022? I dind't find a way to force them? Thanks.
The AvailableUpdates registry key and the scheduled task should work the same way as on client machines.
On 2012R2 you will need ESU updates since the July 2025 update is required (and the November 2025 update is recommended to avoid compatibliity issues) and 2012R2 won't receive those without ESU. All the other mentioned server OSes should still be in support so you can have them fully updated without requiring ESU.
What happens when you try to use the AvailableUpdates registry key? Will it jump back to zero or 0x4000, and are there any events logged in system event log?
Since devices are getting the latest high confidence database with monthly cumulative updates which they use to determine if they should automatically initiate the certificate update process, what exactly is the point of the Configure Microsoft Update Managed Opt In setting? The description makes it sound like this setting is going to do what the high confidence process is already doing and I'm not seeing that setting change behavior on my devices.
You should not confuse the Controlled Feature Rollout (CFR) process with the High Confidence rollout via latest cumulative update (LCU) process. The CFR process generally only targets devices that show no signs of being managed (e.g. not joined to a Windows domain) and that have telemetry setting sufficiently high, and that can actually communicate with Microsoft servers.
The CFR process will pick random members of each Bucket, and try to install the update on them even if they are not High Confidence yet, in the expectation that if anything goes horribly wrong™, they will quickly notice via telemetry. If first signs look good, they will push it to a larger group (some percent) of that Bucket, and if the telemetry is positive, it will be (a) pushed to all devices of that Bucket via CFR and (b) included into next monthly update. (How exactly the CFR process picks the initial candidates is not published as far as I know, but I assume there will be some more factors, like whether the user is enrolled to Windows Insider program and/or how often the machine is used, to keep the disruption to normal customers low and the telemetry quality high).
Therefore, CFR process will reach devices faster than LCU process, at the expense that you act as Guinea Pigs for Microsoft.
By default, only non-managed devices take part in CFR process; by setting this registry key, you can basically offer your machines to be Guinea Pigs for Microsoft even if they are managed.
We have Autopatch enabled on our devices and the April update has already been deployed. yet autopatch still reports a large qty of devices needing the cert update. Is autopatch going to push those updates or do we need to configure a setting?
- Mabel_Gomes
Microsoft
You will need an Intune policy do deploy the AvailableUpdates registry key to trigger Secure Boot Update tasks on demand. See details here: Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support.
Not using Autopatch myself, but I do not think Autopatch will push Secure Boot updates to devices that are not yet marked High Confidence in any way, so if you want the rate to go up, you'd manually need to trigger the updates (or opt into CFR process via Microsoft Managed Opt In) via one of the supported methods (Intune, WinCS, Group Policy, Registry).
