Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
177 Comments
- ChrisK67 (Copper Contributor)
The new panel in Windows Security is supposedly released in the April LCU, but I don't have the new UI. My Secure Boot status shows green, but I don't have the new certs. Did the update get pulled from the April LCU?
- mumraa (Microsoft)
Have you published a mandatory DBX enforcement date that is explicitly tied to the 2011 certificate expiry yet? Or can you indicate roughly when this is likely?
- mihi (Brass Contributor)
Somewhat answered at 38:00
- Larissa12 (Occasional Reader)
Can you explain more about error events 1795 and 1797? All the necessary prerequisites are met, including the recommended firmware version and Secure Boot state enabled.
- mihi (Brass Contributor)
- 1795 usually points at a firmware issue, more details are in the event text
- You should only see 1797 when you manually revoke 2011 cert in DBX but you are still booted from 2011 boot manager. If there are no other error events, this should resolve by rebooting after the 2023 boot manager has been installed.
- H0FF (Copper Contributor)
What is the possible impact after Jun/26 for those devices that were unable to get the certs or updates at all?
- mihi (Brass Contributor)
The machines will still boot, LCUs will still apply, but any updates to the boot loader or secure boot configuration will no longer be applied.
- veck81 (Occasional Reader)
We have several devices which are managed by Intune and WUfB - these devices do not have a high ConfidenceLevel assigned (None or Under Observation) however all SecureBoot Certificates were updated.
We have not deployed the Intune Secure Boot Certificate Policy, neither set the AvailableUpdates regkey to kick-off the update.
Looking for clarification on how the certificates were updated.
- mihi (Brass Contributor)
- Are you absolutely sure that the devices did not come with the new certificates applied from the factory?
- Do you participate in CFR? CFR can result in updated certificates even if the bucket is not in high confidence.
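A read-only inventory check, added here as an example for the two threads above (the 1795/1797 event question and veck81's question about how the certificates got updated); it is not code from the AMA, the thread, or Microsoft. It assumes an elevated PowerShell session on a UEFI Windows 10/11 device. The `Servicing` value names (`UEFICA2023Status`, `WindowsUEFICA2023Capable`), the `Microsoft-Windows-TPM-WMI` event provider, and the CA subject-name strings are my understanding of Microsoft's documentation and are assumptions, not facts stated on this page; `AvailableUpdates` is the value the thread itself mentions and is only read, never written.

```powershell
# Added example, not from the AMA thread or from Microsoft: read-only inventory of
# one device's Secure Boot certificate state. Run in an elevated PowerShell on a
# UEFI Windows 10/11 device. Nothing here writes to firmware or the registry.

$SecureBootKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey   = "$SecureBootKey\Servicing"    # value names below are assumptions
$TpmWmiProvider = 'Microsoft-Windows-TPM-WMI'   # assumed provider of events 1795/1797

# Subject-name fragments of the CAs to look for (assumed names). The UEFI
# variables hold raw EFI_SIGNATURE_LIST bytes; the X.509 subject names inside
# are plain ASCII, so a substring match is enough to tell presence.
$CaNames = @{
    'Windows UEFI CA 2023'                  = 'db'
    'Microsoft UEFI CA 2023'                = 'db'
    'Microsoft Option ROM UEFI CA 2023'     = 'db'
    'Microsoft Corporation KEK 2K CA 2023'  = 'KEK'
    'Microsoft Windows Production PCA 2011' = 'db'
}

function Get-UefiVariableText {
    param([string]$Name)
    # Get-SecureBootUEFI returns the variable's bytes; decode them for matching.
    $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

function Get-SecureBootCertInventory {
    $result = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported firmware.
    try   { $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBootEnabled = $null; return [pscustomobject]$result }

    $db  = Get-UefiVariableText -Name 'db'
    $kek = Get-UefiVariableText -Name 'KEK'
    $dbx = Get-UefiVariableText -Name 'dbx'

    foreach ($name in $CaNames.Keys) {
        $text = if ($CaNames[$name] -eq 'KEK') { $kek } else { $db }
        $result["Has: $name"] = $text -match [regex]::Escape($name)
    }
    # The 2011 CA appearing in DBX means the old boot manager is revoked on this
    # device (the 1797 scenario if it is still the one you booted from).
    $result.'PCA2011 revoked in DBX' = $dbx -match 'Microsoft Windows Production PCA 2011'

    # Servicing state written by the Windows update task (assumed value names).
    $svc = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    $result.UEFICA2023Status         = $svc.UEFICA2023Status
    $result.WindowsUEFICA2023Capable = $svc.WindowsUEFICA2023Capable

    # AvailableUpdates is the opt-in value the thread mentions; read only here.
    $sb = Get-ItemProperty -Path $SecureBootKey -ErrorAction SilentlyContinue
    $result.AvailableUpdates = if ($null -ne $sb.AvailableUpdates) {
        '0x{0:X}' -f [int]$sb.AvailableUpdates
    } else { $null }

    # Recent 1795 (firmware problem) / 1797 (2011 CA in DBX while still booted
    # from the 2011 boot manager) events, as described in the thread.
    $result.RecentErrorEvents = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $TpmWmiProvider; Id = 1795, 1797
    } -MaxEvents 20 -ErrorAction SilentlyContinue | ForEach-Object {
        '{0:u} {1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
    })

    return [pscustomobject]$result
}

Get-SecureBootCertInventory | Format-List
```

Reading the firmware variables directly, rather than trusting a green status panel or a management report, is the point: a device is only fully moved over when the 2023 CAs are in DB and KEK and the servicing status says updated, and the DBX check tells you whether the 2011 boot manager would still be trusted on this device. For an estate, run the function through your management tool and collect the object per device.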
- MP_35 (Brass Contributor)
Here is the autopatch report:
https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/AutopatchDevicesReport.ReactView/gridV2Filters~/%7B%22alertNames%22%3A%5B%22SecureBootCertificateUpdateRequired%22%5D%7D
- Amanda_A (Copper Contributor)
What exact checks and data sources drive the Secure Boot Update Report in Intune, and does a device showing updated status guarantee the full 2023 Secure Boot trust chain (KEK, DB, boot manager) is in place?
- AlexejFedorov (Copper Contributor)
What would be a good date to include the new certificate to the SCCM boot image?
- Romain-B (Copper Contributor)
Will there be a situation where a device will be prevented from booting?
e.g. a moment where the 2011 certificate will be added to the DBX revocation list?
- mihi (Brass Contributor)
The most likely scenario is that the certificates and boot manager are updated, and then you reset certificates to default. In that case you need to run securebootrecovery.efi.
Or when you later enable Secure Boot on a device installed without Secure Boot enabled with new boot manager, but the new certificates are not in the DB.
Or when you boot an ISO from a manufacturer that has the new boot loader on another machine that does not have the certs.
The system will not allow applying the 2011 cert to DBX in case the system is still booted from that boot loader. So it can only happen with external media or when you manually downgrade your boot manager after you added the 2011 cert to DBX.
- kayyum_m (Copper Contributor)
Are you sure the New ADMX has Secure Boot GPO settings?
I used the new 25H2 GPO templates and this setting was still missing :(