Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
On the panel: Arden White, Scott Shell, Richard Powell, Kevin Sullivan
This event has concluded. Follow https://aka.ms/securebootplaybook for announcements about future Secure Boot AMAs.
- saranrajappaCopper Contributor
2. When the CSP is deployed, we see the CSP set the policy as
"AvailableUpdatesPolicy=0x00005944(22852)". Will this move the 2011 certificate to DBX, and when will it move? Will there be time for enterprise admins to know this and take action on iPXE and bootable media?
3. The "Secure Boot status" report in Intune has a column "certificate status". What goes on behind the scenes to say "Up to date"? Does "Up to date" mean the certificate is in UEFI?
Or the certificate is in UEFI and the device is booting from the 2023-signed boot manager?
- mihiCopper Contributor
The DBX update flag is 0x80, so it is not included in 0x5944. You would need to set it to 0x59C4 to push it alongside, or individually set it to 0x80 after the other updates have been applied and the value has returned to 0x4000/0x0.
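To make the bit arithmetic in the reply above concrete, here is an added PowerShell check (not from the thread or from Microsoft) that reads the current AvailableUpdates value, reports whether the DBX bit is pending, and computes the value the reply describes. It assumes the registry location Microsoft documents for this value (HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot, DWORD AvailableUpdates); the meanings of 0x80, 0x5944 and 0x4000/0x0 are taken from the reply, and the script only reads, never writes.

```powershell
# Added example: decode the Secure Boot AvailableUpdates bitmask as described above.
# Assumption: the value lives at the registry key documented by Microsoft for it.
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$DbxFlag       = 0x80            # "2011 CA -> DBX" bit, per the reply above
$CspFullUpdate = 0x5944          # value the CSP sets (does not include 0x80)
$DoneValues    = @(0x4000, 0x0)  # values left once the queued updates have applied

function Get-AvailableUpdatesValue {
    # Returns $null when the value is absent (update not yet scheduled on this device).
    $item = Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.AvailableUpdates
}

function Test-DbxFlag {
    param([int]$Value)
    return (($Value -band $DbxFlag) -ne 0)
}

function Get-DbxRecommendation {
    # Read-only advice: says which value the reply above would have you set, and when.
    param([int]$Value)
    if (Test-DbxFlag -Value $Value) {
        return ('DBX bit already queued in 0x{0:X4}; nothing to add.' -f $Value)
    }
    if ($DoneValues -contains $Value) {
        return ('Other updates applied (0x{0:X4}); queue DBX on its own by setting 0x{1:X2}.' -f $Value, $DbxFlag)
    }
    return ('Updates still pending (0x{0:X4}); to include DBX alongside them, set 0x{1:X4}.' -f $Value, ($Value -bor $DbxFlag))
}

$current = Get-AvailableUpdatesValue
if ($null -eq $current) {
    Write-Output 'AvailableUpdates not present; no Secure Boot update has been scheduled yet.'
} else {
    Write-Output (Get-DbxRecommendation -Value $current)
}

# Cross-check of the arithmetic in the reply: 0x5944 combined with 0x80 gives 0x59C4.
Write-Output ('CSP value with DBX bit added: 0x{0:X4}' -f ($CspFullUpdate -bor $DbxFlag))
```

Run it in an elevated session on a device that has received the policy; on a device that has not, it reports the value as absent.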
- lord_eddard_starkCopper Contributor
Is it accurate to say that CFR is generally enabled for devices managed by Windows Update for Business, but not for devices managed by WSUS?
I don’t think I fully grasp the distinction between LCU vs. CFR in the context of delivering the Secure Boot update. Is there a Microsoft blog post or documentation that explains how these mechanisms differ and how the Secure Boot update is actually rolled out?
- Peter_Linder2015Copper Contributor
Why was the Secure Boot certificate validity set to about 15 years? Why not 30 years? Why not 10 years? Will Secure Boot certificate updates happen every 15 years in the future?
- saranrajappaCopper Contributor
1. When we set the CSP as
(a) HighConfidenceOptOut = Disable
(b) MicrosoftUpdateManagedOptin = Enable
(c) AvailableUpdates = Enable,
when does the certificate deployment start, provided the device has the latest firmware and patch (meeting the requirements for Secure Boot)?
- knmcelhaneyCopper Contributor
Am I correct in assuming that the default db will only be updated by an OEM's BIOS update? In other words, Microsoft updates would only update the Active db, and never the default. Follow up question: What is the risk of not updating the default db when the active db is up to date?
- Pearl-Angeles Community Manager
Panelists covered your question at 48:01 during the live AMA!
- Darbo1982Occasional Reader
Aside from creating the Intune configuration, is there a way to report success or readiness?
- sarahstarITOccasional Reader
So if you are saying that you are looking after the consumer updates so they don't need to worry about the cert, why, as an organization with 6k machines, do I need to do anything? Thanks.
So the cert is already in the OS; this is a plan to make sure that it will be deployed properly to the BIOS?
- mihiCopper Contributor
Organizations tend to block telemetry, that's why Microsoft cannot look after them :)
All of this is updating your UEFI firmware (which nowadays usually does not contain a BIOS any more) to have the latest certs, and to switch your installed system to actually use them.
- Id_JamieCopper Contributor
Have we got event IDs to validate that all the default certs have been updated, and not just the current ones?
- xrpfan1337Copper Contributor
What is Microsoft's recommendation for managing firmware on Surface devices for customers using WUfB?
Assuming, from an effort perspective, that enabling driver update policies is better than custom SCCM deployments.
- jeddunnCopper Contributor
Can you clarify what needs to be done to a MECM environment to prepare for this?