Event details
It's time for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
202 Comments
- AdamDunleavy (Copper Contributor)
Will pushing out BIOS updates at the same time as Secure Boot certificate updates from Intune increase the risk of the device becoming bitlockered?
- mihi (Brass Contributor)
There are safeguards in place that prevent Secure Boot certificate updates if there is a firmware update pending. Also, unless you bind to PCR 0 or 2 in your TPM configuration, BIOS updates will not affect BitLocker at all.
Still, there might be a minimal risk that these processes interfere, especially since the firmware update process heavily depends on how the manufacturer implemented it.
- Sanjay O P (Copper Contributor)
Will the new certificates be installed on a physical server even if Secure Boot is in the off state? And will the certificate be used only when the device has Secure Boot turned ON?
- mihi (Brass Contributor)
They will only be installed (and used) if the device has Secure Boot turned on. The bootloader will also be updated if Secure Boot is disabled. So at the point when you enable Secure Boot later, you will have to make sure that the certificates in UEFI match the bootloader installed on the machine.
- nikhilkinger26 (Occasional Reader)
We push Windows updates through Intune to all devices, and half of the devices don't have Secure Boot enabled. Are those a point of concern, since they don't have Secure Boot enabled?
So will we be pushing the settings catalog policy only to devices that have Secure Boot enabled to update the certs?
- acamachor (Copper Contributor)
Hello, can we use these 3 instructions to force the Windows Servers to update to the CA2023 certificate?
- reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
- Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
- And restart the server two times.
- mihi (Brass Contributor)
If
- The server patch level is at least mid 2025
- The machine has UEFI Secure Boot enabled
- There are no known blocks for the hardware configuration
These three instructions will update to the CA2023 certificates. Make sure to wait at least 5 minutes before each restart so that all the actions to be performed have finished.
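A guarded form of the three steps above, as an added example that is not code from the thread or from Microsoft: it checks the preconditions mihi lists before touching the registry, and uses Microsoft's documented string search of the db variable to see whether the 2023 CA is already present. It assumes an elevated PowerShell session; the registry path, value and task name are the ones quoted in the question, and the "last update installed after mid-2025" date check is a heuristic, not an official patch-level test.

```powershell
# Added example (not from the thread). Run elevated on the server you intend to update.
$ErrorActionPreference = 'Stop'

function Test-Ca2023InDb {
    # db is the active signature database; the new CA's subject name is visible as ASCII in its DER bytes
    $db = Get-SecureBootUEFI -Name db
    return ([System.Text.Encoding]::ASCII.GetString($db.Bytes) -match 'Windows UEFI CA 2023')
}

# Precondition 1: UEFI Secure Boot must be enabled (Confirm-SecureBootUEFI throws on legacy BIOS/CSM machines)
if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is disabled; the certificate update will not be applied until it is enabled in UEFI setup.'
}

# Precondition 2 (heuristic, assumption): the most recent quality update should be from mid-2025 or later,
# because earlier builds do not carry the 2023 certificates at all.
$lastUpdate = (Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1).InstalledOn
if ($lastUpdate -lt [datetime]'2025-06-01') {
    throw "Last update installed on $lastUpdate; install current cumulative updates before requesting the CA2023 rollout."
}

if (Test-Ca2023InDb) {
    Write-Host 'Windows UEFI CA 2023 is already in db; nothing to do.'
    return
}

# Step 1: request the update set the thread quotes (0x5944) via the AvailableUpdates value
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
Set-ItemProperty -Path $key -Name AvailableUpdates -Value 0x5944 -Type DWord

# Step 2: run the servicing task now instead of waiting for its next scheduled run
# (same task as "\Microsoft\Windows\PI\Secure-Boot-Update", split into path and name)
Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'

# Step 3: give the task time to finish before the first of the two restarts (mihi: at least 5 minutes)
Start-Sleep -Seconds 300
Write-Host 'Restart the server now. After it is back, re-run this script; it exits early once db contains the 2023 CA.'
```

The second restart the question mentions is still needed after the first one; re-running the script between the two reboots only confirms progress and will not re-apply the registry value once the CA shows up in db.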
- ESTech (Occasional Reader)
How do I update the certificates on Windows Insider Beta?
- mihi (Brass Contributor)
There should not be a difference between Insider builds and normal builds. I have updated certificates on some VMs running Insider builds without any issues.
Note that the build needs to be from mid-2025 or later so it has the new certificates.
If you are having issues with that, please post your exact build number (and used Insider channel) and the error you are receiving.
- badger_bucky (Copper Contributor)
Please talk about the default versus the active database. Specifically, what are the pitfalls in continuing to use a system that has the active database updated but does not have an available OEM update for the default database.
- mihi (Brass Contributor)
The risk is in somebody resetting Secure Boot to defaults in the UEFI setup and having a device that does not boot or may go through BitLocker recovery.
As mentioned in the video, a countermeasure may be to set a setup password for the UEFI setup so that end users cannot mess with their settings.
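An audit for the situation badger_bucky asks about, as an added example that is not from the thread: it reads the active db and the firmware's dbDefault and flags hosts where only the active database carries the 2023 CA, since restoring UEFI defaults on such a host would remove it. It assumes an elevated PowerShell session and firmware that exposes dbDefault (some firmware does not, which the script reports instead of failing).

```powershell
# Added example (not from the thread). Emits one object per host so results can be collected centrally.
$ErrorActionPreference = 'Stop'
$ca2023 = 'Windows UEFI CA 2023'

function Get-DbState {
    param([string]$Name)   # 'db' = active signature database, 'dbDefault' = firmware default copy
    try {
        $var  = Get-SecureBootUEFI -Name $Name
        $text = [System.Text.Encoding]::ASCII.GetString($var.Bytes)
        return [pscustomobject]@{ Variable = $Name; Present = $true;  HasCa2023 = ($text -match $ca2023) }
    } catch {
        # dbDefault is optional in UEFI; a missing variable is itself worth recording
        return [pscustomobject]@{ Variable = $Name; Present = $false; HasCa2023 = $false }
    }
}

$active  = Get-DbState -Name 'db'
$default = Get-DbState -Name 'dbDefault'

$assessment = if ($active.HasCa2023 -and -not $default.HasCa2023) {
    # the pitfall from the thread: "reset Secure Boot to defaults" in UEFI setup would drop the 2023 CA,
    # leaving a non-booting device or a BitLocker recovery prompt until an OEM firmware update ships
    'HIGH: active db updated, dbDefault stale. Protect UEFI setup with a password until OEM firmware updates dbDefault.'
} elseif ($active.HasCa2023) {
    'OK: active db and dbDefault both contain the 2023 CA.'
} else {
    'PENDING: active db has not received the 2023 CA yet.'
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    ActiveHasCa2023  = $active.HasCa2023
    DefaultPresent   = $default.Present
    DefaultHasCa2023 = $default.HasCa2023
    Assessment       = $assessment
}
```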
- mpottratz (Copper Contributor)
Is it true that once the expiration date has passed, there will be no way to update the certificates after the fact? No tool or utility for the client end (I've heard MFGs are making server hardware tools possible)?
- mihi (Brass Contributor)
No, this is not true. Certificate updates that have already been signed before expiration (which includes all the updates this whole topic is about) can still be applied after the expiration date. Only new boot managers or new KEK/DBX updates can no longer be signed by Microsoft (by the old certs) once the expiration date passed.
- TomDalton (Occasional Reader)
Is there an Intune export that can tell me which of my global devices are on the new certs or the old ones? I don't overly care which devices are high confidence; I care more about which ones are already done and which ones aren't.
- AdamDunleavy (Copper Contributor)
Yes, there is one available within Reports > Windows Quality Updates > Secure Boot Status.
- mpottratz (Copper Contributor)
https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/SecureBootReport.ReactView
- Marcin_Kolodziejczak (Copper Contributor)
How will a Hyper-V environment work? Will all virtual machines be OK if the Hyper-V host has the new certificates?
- Prabhakar_MSFT (Microsoft)
Hi Marcin_Kolodziejczak, Hyper-V host updates do not change existing VMs that did not already have the new certificates. All new Hyper-V VMs created have the new certificates pre-installed. If you have long-running VMs, the certificates need to be deployed. Microsoft will be updating the VM devices as part of the high-confidence-based rollout in a future update. You can also apply the certificates to the firmware by configuring the AvailableUpdates registry value to 0x5944 after updating the VM device to the latest available Windows patches.
- Marcin_Kolodziejczak (Copper Contributor)
Thank you for your answer!
- Sanjeev0112 (Occasional Reader)
Which OS flavours does this apply to?
- Prabhakar_MSFT (Microsoft)
Hi @Sanjeev0112, the certificates apply to all Secure Boot-enabled devices, including Windows Server 2012 and up.