Welcome to today's Secure Boot AMA! We'll start with the questions posted in advance below, but keep them coming and we'll do our best to help.

Hi
question:
Lets say I will update our cert via Intune or Registry keys. What will happen if I will have to reset UEFI for some reasons?
Will the new cert stay or I will have to install them again?

Can you confirm please, is event ID 1808 absolute confirmation that the certs are all in place and there's nothing left to do.  Thanks.

What telemetry level should we have set in our org for the certs to properly install? Currently we have them set to blocked here and I know that is wrong, but I'm unsure what would be correct for this case. Is there any sort of guidance available for this?

I got to the report in Intune, but is there a way to get better data besides yes/no, not applicable? the results appear to be random in nature and not sure if it's properly reporting on secure boot status. I have multiple new computers that were purchased and distributed around the same time and some are and some aren't showing as set to secure boot. I thought this was set on by default these days.

Will Microsoft keep updating the High Confidence list after the 2011 certificates expire for devices that we configure for High Confidence before deploying?

On a Hyper-V host, regarding the certificate update process, is there an order to do things in meaning does it matter if the secure boot certificate update process is started first on the host and does the host need to be fully updated before starting the VMs?  I am aware of the requirements of the firmware needing to be up to date and at least the March updates being installed on both the host and VMs.  Thank you.

I'm curious about an updated ADK as well as official guidance on how to address PXE w/ WDS:

"A new checkbox, Use Windows Boot Loader signed with Windows UEFI CA 2023, is available in the Data Source tab of boot image properties. When enabled, it updates the boot image to use the boot loader signed with Windows UEFI CA 2023. The checkbox automates the mitigation steps described in KB5025885.

The new functionality only works on WDS-Less PXE-enabled Distribution Points."

On the Intune Secure Boot Status Page - https://intune.microsoft.com/#view/Microsoft_EMM_ModernWorkplace/SecureBootReport.ReactView - all of my 900+ devices are showing as Certficate Status = "not applicable".

3rd party scripts are helping to confirm that updated certs are in place on my devices, but I would like to see the official status page working properly.

What are the pre-requsite factors needed in order to make this report on our devices provide accurate statuses on my laptops? 

What do I have to do to get the new certificates to Windows 11 and server ISOs? Will they be integrated in newer ISOs in the near future or do I have to do something manually to add them?