Something interesting yesterday, device asking for BitLocker Recover Key, due to "Secure Boot policy has unexpectedly changed". Is this expected for some devices?

Hi,

We have already completed the BIOS update roll-out across all PC models in our environment.

In parallel, we are deploying the Secure Boot CA 2023 certificate upgrade using a Microsoft Intune configuration profile. Due to the very slow adoption rate observed during monitoring—both through Intune policy status and Secure Boot compliance reports—we have also introduced a remediation script to support the deployment.

Despite these efforts, the increase in deployed devices remains limited. This behavior may be related to policy application constraints or required system restarts. According to several references, the Secure Boot update process may require up to two device restarts before the changes are fully applied and reported.

Questions:

1- what is the Best way to complete the task, is to go with Registry settings and schedule the task, or with Config profile over Microsoft Intune?
2- Will the May Patch Tuesday update scheduled for May 12 guarantee a resolution of this issue and help increase the deployment and compliance numbers?

Updating the firmware, can it impact on other drivers? Any observations at this point?

We are considering a script that sets HKLM\SYSTEM\CurrentControlSet\Control\SecureBoot\AvailableUpdates to 0x5944 and starts the \Microsoft\Windows\PI\Secure-Boot-Update task.

Can you confirm exactly what this does, and what the risks are of doing this manually or at scale?

I missed the beginning of this meeting. Did you address if Windows update will automatically update certificates after the 2011 certificates expires given updates that resolve other secure boot boot loader related issues won't be installed if the 2023 certs aren't installed?

Hello :)

In Intune I've set 

Configure High Confidnece Opt Out - Disabled
Configure Microsoft Update Managed Opt In = Enabled

The only policy I haven't enabled is... 

Enable SecureBoot Certificate Updates = Enabled (as this will actually force the certificates to deploy). As we don't have a way to easily target this ie there is no entra group property Secure Boot ready = yes that we can make a group for and deploy, it is either deploy to all, or manual groups which will take ages in a huge environment. 

As I understand, with the top two policies, the devices are being checked for confidence and when it is high, Microsoft are switching the reg key to set the update to happen. Is this correct or I mis understand? 

I have the remediation check running which is checking compliance however most are Confidence = Under Observation - More Data Needed and it's Not Started. These are all devices like Dell Latitude 5550, 5430, 5450, etc etc nothing obscure. 

Is there something more I should be doing at this point? BIOS updates are being done, Secure boot is on so not sure why it still isn't moving forward?

Thank you. :)

How to I know if a particular computer is "high confidence" and likely to get an automatic security update from microsoft?  We have many systems that have compatible FW but still not receiving the 2023 updates including systems bought in 2025/2026.

There was a mention that the April update would address BitLocker recovery issues caused by the Secure Boot update.We have been experiencing BitLocker recovery issues, and it has been very difficult to identify a clear pattern from Event Viewer that would tell us exactly when BitLocker should be suspended to prevent recovery after reboot.Do you know exactly what Microsoft changed to prevent these recovery events?

we're updating BIOS on all devices, as requested by vendor and using Intune CSP for all devices enrolled in Intune as below: 

Configure High Confidence Opt Out = Disabled.

Configure Microsoft Update Managed Opt In = Enabled

Enable Secureboot Certificate Updates = (Enabled) Initiates the deployment of new Secure Boot certificates and related updates

Is this supported also on Win10 LTSC 1809? 

What would be the best option for devices NOT in Intune (like Process Control) or LTSC 1809