Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
- Joe_Friedel (Iron Contributor)
You mentioned the ConfidenceLevel registry value being useful to see which devices are under observation to potentially become high confidence in the future. There are also registry values showing an error state if one occurs when attempting the certificate update. Can the Intune Secure Boot status report get those values added to it so the report helps us determine which devices need manual intervention?
- ConradH (Copper Contributor)
BitLocker:
I am not sure if this has been answered. What is the expected behavior when it comes to enterprise deployment and the prompting of BitLocker recovery keys? Will customers be prompted for entering BitLocker keys due to the changes in BIOS?
- mihi (Brass Contributor)
BitLocker recovery key prompts are never expected to happen if the user does not tamper with their device or (inadvertently) boots from different boot media. During Secure Boot updates, BitLocker recovery prompts have happened due to firmware bugs, which should be remediated by now by Microsoft (until new ones pop up).
- dwqdda (Copper Contributor)
Need a way to update all secure boot certs without booting Windows. securebootrecovery.efi utility exists, but only updates Windows UEFI CA 2023 as far as I know. Need to be sure that mechanism to update bootloader related components can still be forced after updating all certs beforehand.
- Amanda_A (Copper Contributor)
Does failing to complete the Secure Boot 2023 transition impact Microsoft Defender for Endpoint protections or visibility?
- mihi (Brass Contributor)
Not expected.
- mpottratz (Copper Contributor)
Will you answer questions missed/skipped in the meeting please? 🙏 Thank you!
- MikePoole1 (Copper Contributor)
We have approx. 60k devices, split across Intune and Legacy (Config Manager). A LOT of the older devices are on old BIOS versions - are we OK to deploy the certs using remediation scripts (setting applicableUpdates to 5944 on devices that have Secure Boot)? We want to do this so we have control over the rollout. Will the certs remain if we subsequently update the vendor BIOS on these machines?
- mihi (Brass Contributor)
Secure Boot state including certificates is not to be touched by firmware updates. So the certificates should remain.
Of course, bugs may require that you manually enter firmware setup and reset settings after a firmware update. In this case, the certificates may be gone if not included in the default DB already.
- H0FF (Copper Contributor)
Something interesting yesterday: a device asking for the BitLocker Recovery Key, due to "Secure Boot policy has unexpectedly changed". Is this expected for some devices?
- SofienAzri (Copper Contributor)
Hi,
We have already completed the BIOS update roll-out across all PC models in our environment.
In parallel, we are deploying the Secure Boot CA 2023 certificate upgrade using a Microsoft Intune configuration profile. Due to the very slow adoption rate observed during monitoring—both through Intune policy status and Secure Boot compliance reports—we have also introduced a remediation script to support the deployment.
Despite these efforts, the increase in deployed devices remains limited. This behavior may be related to policy application constraints or required system restarts. According to several references, the Secure Boot update process may require up to two device restarts before the changes are fully applied and reported.
Questions:
1. What is the best way to complete the task: go with registry settings and schedule the task, or with a config profile over Microsoft Intune?
2. Will the May Patch Tuesday update scheduled for May 12 guarantee a resolution of this issue and help increase the deployment and compliance numbers?
- H0FF (Copper Contributor)
Updating the firmware: can it impact other drivers? Any observations at this point?
- TristanR (Copper Contributor)
We are considering a script that sets HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 0x5944 and starts the \Microsoft\Windows\PI\Secure-Boot-Update task.
Can you confirm exactly what this does, and what the risks are of doing this manually or at scale?
- mihi (Brass Contributor)
On incompatible firmware it may result in system freezes, Secure Boot errors on next boot, or devices requiring BitLocker recovery at next reboot.
On most devices it will just work fine.
So make sure you have some resources available for handling the broken devices (e.g. walk to them to reboot them or enter BitLocker keys). You might also disable/suspend BitLocker during the update, although this is not officially suggested by Microsoft.
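An added example, not from the AMA participants or Microsoft: a PowerShell pre-check for the manual AvailableUpdates approach MikePoole1 and TristanR describe, covering the failure mode mihi raises (a BitLocker recovery prompt on incompatible firmware). It assumes the registry path and task name quoted in the thread, that the Windows UEFI CA 2023 subject string is searchable in the db variable, and that the Get-SecureBootUEFI and Get-BitLockerVolume cmdlets are present; run it elevated.

```powershell
# Added example (not from the AMA or Microsoft): inventory one device before
# using the AvailableUpdates=0x5944 approach discussed in the thread.
param([switch]$Apply)   # without -Apply the script only reports, it changes nothing

$sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'   # path quoted by TristanR
$result = [ordered]@{ Host = $env:COMPUTERNAME }

# 1. Secure Boot must be on. Confirm-SecureBootUEFI throws on legacy-BIOS machines,
#    which this thread says should not get the update at all.
try   { $result.SecureBootOn = [bool](Confirm-SecureBootUEFI) }
catch { $result.SecureBootOn = $false }

# 2. Is the Windows UEFI CA 2023 certificate already in the signature database (db)?
#    The CA subject appears as plain ASCII inside the DER-encoded db entries.
$result.CA2023InDb = $false
if ($result.SecureBootOn) {
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.CA2023InDb = [bool]($db -match 'Windows UEFI CA 2023')
}

# 3. Current servicing flag, if any (0x5944 is the value the thread proposes).
$result.AvailableUpdates = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates `
    -ErrorAction SilentlyContinue).AvailableUpdates

# 4. BitLocker: a recovery prompt after the update is the failure mode mihi describes,
#    so require a recovery-password protector (escrow it before touching firmware state).
$vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
$result.BitLockerProtection = if ($vol) { $vol.ProtectionStatus } else { 'NotAvailable' }
$result.HasRecoveryPassword = [bool]($vol.KeyProtector |
    Where-Object KeyProtectorType -eq 'RecoveryPassword')

[pscustomobject]$result | Format-List

# 5. Only with -Apply, and only when every pre-check passed: set the flag and start the
#    task the thread names. The device still needs a reboot (up to two) to report results.
$ready = $result.SecureBootOn -and (-not $result.CA2023InDb) -and $result.HasRecoveryPassword
if ($Apply -and $ready) {
    Set-ItemProperty -Path $sbKey -Name AvailableUpdates -Value 0x5944 -Type DWord
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
    Write-Output 'Update scheduled; reboot the device (possibly twice) and re-run to verify.'
} elseif ($Apply) {
    Write-Warning 'Pre-checks failed or the 2023 CA is already present; nothing was changed.'
}
```

Running it without -Apply across a pilot group gives the per-device inventory (Secure Boot state, CA presence, BitLocker protector) that a staged rollout needs before anyone schedules the task at scale.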