We've been seeing devices that appear to be eligible for the automatic Secure Boot cert updates based on the documentation available via MS but don't seem to progress. Can you confirm the minimum “eligibility checklist” for the automatic Secure Boot certificate update (OS baseline, update level, UEFI + Secure Boot, diagnostic data level, etc.), and which items are hard blockers vs “recommended”? Once a device is eligible, what is the typical timeline (hours, days, weeks) to observe progress?

Will the Intune 65000 error being fixed, hampering Intune Policies to update the certificates soon?

If we are checking to see if a PC is fully updated are these the registry keys and value, we need to have.   Also the required BIOS version.

Dell BIOS Requirements – Each model has a specific version it must be on or newer to be able to update the UEFI 2023 Certificates. https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration

UEFICA2023Status – Required to be set as Updated.   Other known settings are NotCapable, InProgress.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot\Servicing

AvailableUpdates – 0 is required Value.   Other possible values are set depending on stages of the process, restarts required or errors. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot

WindowsUEFICA2023Capable – 2 is required value.

0 = or key does not exist - “Windows UEFI CA 2023” certificate is not in the DB

1 = “Windows UEFI CA 2023” certificate is in the DB

2 = “Windows UEFI CA 2023” certificate is in the DB and the system is starting from the 2023 signed boot manager ​​​​​​​

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot\Servicing

UEFISecureBootEnabled – 1 is required value.

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecureBoot\State

can we use older ESXi like version 7 seeing issue where its not applying the KEK and giving error. solution is to renaming the nvram which is not really ideal for large enterprise. 

Can you elaborate on the differences between the active db and the default db? This seems to be a common point of confusion. 

If diagnostic data/telemetry is disabled, what specifically stops working? Does it prevent Microsoft from delivering the secure boot update altogether, or does it mainly impact reporting and insights?

how to monitor the secure certificate deployment? If we do the deployment from Intune. and choose MS patch to obtain it.

If you select to push the certificate update through GPO / Intune, with the policy Enable Secure Boot certificate deployment / Enable SecureBoot Certificate Updates

How far does the process go?

As I understand it, there 4 steps
1. DB is updated with certificates
2. Boot manager is updated to use the new certificate
3. Old 2011 certificate is untrusted in DBX
4. SVN is updated

My concern is step 3, because that causes the machine to no longer trust ones current pxe boot image, and it’s not ideal that happens at some random time.

Does the GPO / Intune setting go through all 4 steps in a matter of x reboots, or are the last steps something that happens in a windows update?

The Intune policies that configure the secure boot cert updates - are those needed or will Microsoft automatically deploy the certs? Testing those policies in Intune are giving us a 65000 error - any idea why?

what is the process to update devices with currently safeboot disabled.