I would like to verify something that we are seeing. We elected to set MicrosoftUpdateManagedOptIn to 1 in the registry however, we are not seeing any movement on the certificates installing. If I run reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f, I see movement. Am I correct in thinking that when we set the initial setting, Microsoft will eventually start the process automatically for these devices?
Hi jeddunn, all roads lead to the AvailableUpdates registry key.
- If you opt in to MicrosoftUpdateManagedOptIn and Microsoft is receiving diagnostic data, the Controlled Feature Rollout (CFR) should get to those devices - when it does, it will set AvailableUpdates and the certificates should begin to deploy.
- If you set AvailableUpdates on a device, the certificates will begin to deploy.
- For High Confidence devices in the monthly updates, this will also set AvailableUpdates. As does Group Policy and Intune.
The Microsoft Managed updates through CFR are cautiously deploying to more and more devices each day.
Arden - Microsoft
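A read-only check that shows which of the "roads" above a given device has taken (an added example, not code from the thread or from Microsoft). It assumes the registry path and the AvailableUpdates / MicrosoftUpdateManagedOptIn value names quoted in the thread, and that "Windows UEFI CA 2023" is the subject name of the new DB certificate; run it in an elevated PowerShell session on the device.

```powershell
# Added example: report Secure Boot certificate rollout state on this device.
# Registry path and value names are the ones discussed in the thread;
# Get-SecureBootUEFI / Confirm-SecureBootUEFI are the built-in SecureBoot cmdlets.
$sbPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'

function Get-SecureBootRolloutState {
    $props = Get-ItemProperty -Path $sbPath -ErrorAction SilentlyContinue

    # AvailableUpdates is the value that CFR, Group Policy, Intune and a manual
    # reg add all end up setting; non-zero means a deployment has been requested.
    $available = if ($null -ne $props.AvailableUpdates) { [int]$props.AvailableUpdates } else { 0 }
    $optIn     = if ($null -ne $props.MicrosoftUpdateManagedOptIn) { [int]$props.MicrosoftUpdateManagedOptIn } else { 0 }

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS machines.
    $sbEnabled = $false
    try { $sbEnabled = Confirm-SecureBootUEFI } catch { }

    # The UEFI 'db' variable holds the DER certificates; the subject names are
    # plain ASCII inside the DER, so a text match tells us which CAs are present.
    $dbText = ''
    try {
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    } catch { }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $sbEnabled
        ManagedOptIn      = ($optIn -eq 1)                 # opted in to Microsoft-managed rollout
        AvailableUpdates  = ('0x{0:X}' -f $available)      # raw value, for comparison with your policy
        RolloutRequested  = ($available -ne 0)             # something has set AvailableUpdates
        DbHas2011CA       = ($dbText -match 'Windows Production PCA 2011')
        DbHas2023CA       = ($dbText -match 'Windows UEFI CA 2023')
    }
}

Get-SecureBootRolloutState | Format-List
```

A device with ManagedOptIn true but RolloutRequested false has simply not been reached by the CFR yet; DbHas2023CA true is the end state you are monitoring for.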
- gman1138, Feb 24, 2026, Copper Contributor
Hi Arden_White I had a similar question so thought I'd jump on here. :)
In Intune, if we set...Configure Microsoft Update Managed Opt In to Enabled
Configure High Confidence Opt-Out to Disabled
and ignore Enable SecureBoot Certificate Updates for common devices (i.e. Dell, Lenovo, Surface, etc.), then the secure boot certs will only be rolled out when Microsoft deem it safe? We can leave the Enable SecureBoot Certificate Updates policy and not deploy it?
I think that will be safest for us if I understand it right, we are still working to get our bios versions updated, but want to get started on those which are ready to go with modern bios versions.
Thank you! :)
- Arden_White, Feb 24, 2026, Microsoft
Regarding "Configure High Confidence Opt-Out to Disabled", my recommendation is to not disable this. This is where devices have demonstrated, through observed data, that they can successfully update firmware using the new Secure Boot certificates.
Regarding "Configure Microsoft Update Managed Opt In to Enabled", this is also useful in ensuring that you get good coverage on your devices. It does require that diagnostic data is being sent from the device.
The above will help with coverage on your Windows client devices. If you manage non-client devices (servers, IoT, conference room devices, etc.), these are the ones to focus on monitoring and deploying.
Arden
- gman1138, Feb 25, 2026, Copper Contributor
Hey Arden_White, apologies for the slow reply.
Thanks for the info, really helpful. My only confusion is on the Configure High Confidence Opt-out: if we set it as 'disabled', that is effectively opting out of the opt out, so not opting out? Although not opting in (you need the 2nd policy for that), setting the policy as disabled will stop anyone with local admin rights manually setting the high confidence opt out to enabled and then blocking the update, am I reading that right?
Hope that makes sense. :')
We do have some conference room devices but those are Surface Hubs using Teams Room system, am I right to assume they are treated like clients and will be allowed to get in on the CFR? Servers thankfully are another team's fun to handle in my org, but I have shared the articles with them so they can get started on it. :)
- RayC15, Feb 24, 2026, Brass Contributor
In the Windows Server Secure Boot playbook for certificates expiring in 2026, the deployment method does not include CFR or the high confidence bucket. Does it mean the two methods will be applied for server OS?
- Arden_White, Feb 24, 2026, Microsoft
Controlled Feature Rollout (CFR) only targets client versions of Windows. CFR contributes data to the high confidence buckets. It's possible that server devices show up in the high confidence buckets, but not very likely. Similarly with IoT devices. Non-client devices (servers, IoT, etc.) are the ones to focus on in terms of deployment.