Event details
Whether you're actively managing device security or planning your next steps, this AMA is your opportunity to connect directly with Microsoft experts and get clear, actionable guidance on updating Secure Boot certificates and monitoring the status of update efforts.
Bring your questions on rollout plans, challenges, reporting, and best practices. We’ll cover real-world scenarios, common challenges, and the steps you can take to confidently navigate the process.
If Secure Boot certificate updates are on your project list—or you just want to make sure you’ve updated certificates successfully across your estate—this live, interactive event will help you move forward with clarity and confidence.
66 Comments
- omcadi (Occasional Reader)
What about AVDs? Can they be added to the configure policy for secure enable? We did this a few weeks ago and a few devices got blue screens related to the policy. What about Surface Hubs? Should both be handled separately and not through the policy? Please advise, thank you.
- JTisdale (Occasional Reader)
I have about 6500 devices in our environment with various Win 10 and Win 11, and I'm worried that I won't have enough time to get all these updated. They have recently been updated to the May update. Please let me know if the June Windows Update will take care of the boot cert issue.
- weilandc (Copper Contributor)
For Configuration Manager, an LCU must be applied to the Dec. 2024 ADK winpe.wim and files copied out to ADK install directories to get 2023 signed .efi files in place, correct? What is the intended/expected outcome of this? I am only finding bootmgfw_EX.efi getting 2023 signed while all others remain 2011. Even if "Legacy", MS is still supporting?
- Javian (Occasional Reader)
"The Secure Boot update failed to update a Secure Boot variable with error The parameter is incorrect." Event ID 1796
I have not been able to find a solution for this as it is so vague, are there any troubleshooting steps to take to identify the actual problem?
- mihi (Iron Contributor)
dupe, answered there
- lalanc01 (Iron Contributor)
Follow-up to the temporarily paused question. How can we know if upgrading to 'OEM recommended' BIOS version will actually fix the issue and/or make it safe to update the certs via the reg key or Intune policy?
Should we just upgrade the BIOS on some devices and see if it's OK to update the certs and skip the confidence level and do more and more if our initial tests have been successful post BIOS upgrade?
- robbinsa (Copper Contributor)
Why are we not getting guidance/support on Configuration Manager ADK/PE/PXE? (Particularly with WDS.)
- Javian (Occasional Reader)
I work for a small company and all our rollouts for the update have gone well for user workstations; however, I am having difficulty updating Windows Server 2016 VMs. They are returning an error:
"The Secure Boot update failed to update a Secure Boot variable with error The parameter is incorrect." Event ID 1796
I have not been able to find a solution for this as it is so vague, are there any troubleshooting steps to take to identify the actual problem?
- mihi (Iron Contributor)
dupe, answered there.
- JustinSparks (Occasional Reader)
Is it safe to assume that the buckets listed in the CSVs in the GitHub repository (https://github.com/microsoft/secureboot_objects/tree/main/HighConfidenceBuckets) will be part of the June update?
- kmaurer1720 (Copper Contributor)
Not a question - but I wanted to say thank you for hosting these sessions. It has given me a confidence level of high (pun intended) to roll this out in my environment.
Thanks again!
- JEverhart (Copper Contributor)
Less a question, more a comment: for future rollouts of this type, it would be really nice if the "high-confidence" value wasn't waiting until the month of the certificate expiration before being applied. While you have consistently stated "don't worry, we're handling it", it is worrisome to be less than 30 days out from the expiration and not having most of our devices (running new firmware versions, with the certs in place from those updates) running with the new certificate yet.
Additionally, the reporting from Intune only recently started working, and the rollout of the settings catalog/config profile was plagued with 6500 errors.