Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
202 Comments
- veck81 (Occasional Reader)
We have several devices which are managed by Intune and WUfB - these devices do not have a high ConfidenceLevel assigned (None or Under Observation) however all SecureBoot Certificates were updated.
We have not deployed the Intune Secure Boot Certificate Policy, neither set the AvailableUpdates regkey to kick-off the update.
Looking for clarification on how the certificates were updated.
- mihi (Brass Contributor)
- Are you absolutely sure that the devices did not come with the new certificates applied from the factory?
- Do you participate in CFR? CFR can result in updated certificates even if the bucket is not in high confidence.
- MP_35 (Brass Contributor)
Here is the autopatch report:
https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/AutopatchDevicesReport.ReactView/gridV2Filters~/%7B%22alertNames%22%3A%5B%22SecureBootCertificateUpdateRequired%22%5D%7D
- Amanda_A (Copper Contributor)
What exact checks and data sources drive the Secure Boot Update Report in Intune, and does a device showing updated status guarantee the full 2023 Secure Boot trust chain (KEK, DB, boot manager) is in place?
- AlexejFedorov (Copper Contributor)
What would be a good date to include the new certificate to the SCCM boot image?
- Romain-B (Copper Contributor)
Will there be a situation where a device will be prevented from booting?
e.g. a moment where the 2011 certificate will be added to the DBX revocation list?
- mihi (Brass Contributor)
The most likely scenario is that the certificates and boot manager are updated, and then you reset certificates to default. In that case you need to run securebootrecovery.efi.
Or when you later enable Secure Boot on a device installed without Secure Boot enabled with new boot manager, but the new certificates are not in the DB.
Or when you boot an ISO from a manufacturer that has the new boot loader on another machine that does not have the certs.
The system will not allow applying the 2011 cert to DBX in case the system is still booted from that boot loader. So it can only happen with external media or when you manually downgrade your boot manager after you added the 2011 cert to DBX.
- kayyum_m (Copper Contributor)
Are you sure the New ADMX has Secure Boot GPO settings?
I used the new 25H2 GPO templates and this setting was still missing :(
- HeyHey16K (Steel Contributor)
Yes, it's definitely in there; we updated ours recently specifically for the SB settings.
Scroll to the bottom of this page to "Resources" for the right ADMX templates to use 😊
https://support.microsoft.com/en-gb/topic/group-policy-objects-gpo-method-of-secure-boot-for-windows-devices-with-it-managed-updates-65f716aa-2109-4c78-8b1f-036198dd5ce7
- MP_35 (Brass Contributor)
You mentioned that Autopatch doesn't apply the cert, that a task does. What task?
- mihi (Brass Contributor)
Autopatch just installs the LCU. If your device is high confidence, the Secure-Boot-Update task will apply the certificates on next boot. If not, you have to set the AvailableUpdates registry key via one of the supported ways (Group Policy, Intune, WinCS, manually) to trigger the secure boot updates like on any other machine not managed by Autopatch.
- kayyum_m (Copper Contributor)
TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
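The thread above describes the moving parts (the 2023 KEK/DB certificates, the AvailableUpdates registry value, and the Secure-Boot-Update scheduled task). The following read-only audit script is an added example, not code from any participant or from Microsoft; it assumes the KEK/DB subject-name strings and the registry paths named in the comments, and reports state without changing anything.

```powershell
# Read-only Secure Boot certificate audit (added example). Run in an elevated session.
#Requires -RunAsAdministrator

function Test-SecureBootVariableContains {
    param([string]$Name, [string]$Pattern)
    # KEK and db are raw EFI_SIGNATURE_LIST blobs; the CA subject names are embedded
    # as ASCII inside the DER certificates, so a substring match is enough for an audit.
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
        return ([System.Text.Encoding]::ASCII.GetString($bytes) -match $Pattern)
    } catch {
        return $false   # variable unreadable (e.g. legacy BIOS or Secure Boot unsupported)
    }
}

$result = [ordered]@{
    SecureBootEnabled = Confirm-SecureBootUEFI
    KEK_2023_Present  = Test-SecureBootVariableContains -Name KEK -Pattern 'Microsoft Corporation KEK 2K CA 2023'
    DB_WinUEFI2023    = Test-SecureBootVariableContains -Name db  -Pattern 'Windows UEFI CA 2023'
    DB_ThirdParty2023 = Test-SecureBootVariableContains -Name db  -Pattern 'Microsoft UEFI CA 2023'
    DB_PCA2011_Still  = Test-SecureBootVariableContains -Name db  -Pattern 'Microsoft Windows Production PCA 2011'
}

# Servicing state (assumed registry locations, as referenced in the thread).
$sb = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$avail = (Get-ItemProperty -Path $sb -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
$result.AvailableUpdates = if ($null -ne $avail) { '0x{0:X}' -f $avail } else { 'not set' }
$result.UEFICA2023Status = (Get-ItemProperty -Path "$sb\Servicing" -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status

# The scheduled task that applies the certificates on the next boot.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
$result.TaskState   = if ($task) { $task.State } else { 'NotFound' }
$result.TaskLastRun = if ($task) { ($task | Get-ScheduledTaskInfo).LastRunTime } else { $null }

[pscustomobject]$result | Format-List
```

A device is only fully moved to the 2023 trust chain when KEK_2023_Present and DB_WinUEFI2023 are both True and the boot manager has also been updated; this script checks the variables and task, not the boot manager signature.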
- Mr_JohnRiley (Copper Contributor)
I enabled the settings with my Intune policy to opt in to Secure Boot for my Enterprise environment. Nearly all of them are showing failed applying these entries. Is this something I should be worried about?
- ESTech (Occasional Reader)
How do I update the certificates on Windows 11 Insider Beta?
- mihi (Brass Contributor)
There should not be a difference between Insider builds and normal builds. I have updated certificates on some VMs running Insider builds without any issues.
Note that the build needs to be from mid-2025 or later so that it has the new certificates.
If you are having issues with that, please post your exact build number (and used Insider channel) and the error you are receiving.
- MP_35 (Brass Contributor)
Is the confidence database found in the Autopatch report? Where do I find the confidence database?
Never mind, I found it here: https://github.com/microsoft/secureboot_objects/blob/main/HighConfidenceBuckets/README.md