Event details
Whether you're actively managing device security or planning your next steps, this AMA is your opportunity to connect directly with Microsoft experts and get clear, actionable guidance on updating Secure Boot certificates and monitoring the status of your update efforts.
Bring your questions on rollout plans, challenges, reporting, and best practices. We’ll cover real-world scenarios, common challenges, and the steps you can take to confidently navigate the process.
If Secure Boot certificate updates are on your project list—or you just want to make sure you’ve updated certificates successfully across your estate—this live, interactive event will help you move forward with clarity and confidence.
72 Comments
- wroot (Silver Contributor)
So far all the AMAs I have watched are mostly focused on endpoints. Can we have a session solely for servers/VMs? It seems that this category is being left out.
- mihi (Iron Contributor)
An AMA tends to focus on the questions being asked. More questions got asked about endpoints, so they get handled in the AMA. (Your message also did not ask any questions about servers :D)
That being said, there is http://aka.ms/SecureBootForServer with resources for servers.
- JamesEpp (Iron Contributor)
Agreed. I forget where/when it was said, but I think in a previous AMA one of the group said they're not doing any CFR or High Confidence Buckets for servers.
I don't think most IT Pros are super aware of that and the implications.
- IT_SystemEngineer (Iron Contributor)
Are there any updates regarding my question: "Will Microsoft and/or Broadcom provide a solution to automatically update ESXi VMs with missing KEK/PK?"
The last answer from PrabhakarMSFT was: "...we are coordinating with Broadcom to bring support in Windows to update KEK on the ESXI VMs. If new VMs are created on latest versions on ESXI, VMs get created with new certificates. For pre-existing VMs, Microsoft is coordinating with Broadcom and will be enabled in the future update."
- wingmanerik (Copper Contributor)
I posted a question about this as well before seeing this. Definitely interested in everyone's stance on this. Time is running out and I don't want to have to import PK/KEK certificates manually into thousands of VMware VMs.
- ClientAdmin (Brass Contributor)
I'm also very interested in the answer for this question.
We absolutely need to know when the solution created by Microsoft & Broadcom will be released. Time is running... And if it will perhaps require a newer ESXi release (newer than 8.0 U3j (P09)) to be installed beforehand, we'll for sure not be able to do the work before June 24th when the Microsoft Corporation KEK CA 2011 certificate expires.
Broadcom documents that for Windows VMs with vTPM it's recommended to wait for an automated solution to become available in a future release. But how long do we need to wait...?
https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html
- JonasKrueger (Copper Contributor)
We use SCCM in our environment for client deployment. A few months ago, we updated the boot image with the latest compatible Windows ADK, but when I checked the bootloader certificates, they appeared to still be the old ones. What does the update process look like in this case? I know that a new feature for certificate updates was added in SCCM 25.09. Is this sufficient to update an existing image and continue using PxE boot for all clients? Or does the boot image actually need to be completely rebuilt?
- ClientAdmin (Brass Contributor)
Hi JonasKrueger
Maybe I can help you on this point.
The new option "Use Windows Boot Loader signed with Windows UEFI CA 2023" is only for the PXE responder without Windows Deployment Services. If you don't configure PXE with "Enable a PXE responder without Windows Deployment Service", the UEFI CA 2023 option has no effect. If you still want to rely on PXE with WDS, you need to copy wdsmgfw.efi and bootmgfw.efi from %windir%\System32\RemInst\boot_EX\x64 on your up-to-date server to %RemoteInstallFolder%\SMSBoot\x64. Then remove the "_EX" suffix from the files.
I hope this information helps.
Kind regards,
Matias
- robbinsa (Copper Contributor)
Thank you, I will try this out. I have been mounting and patching winpe.wim trying to get a 2023 signed copy of bootmgfw.efi to copy out to ADK as bootx64.efi as I'm sure I had done about a year and a half ago, and I just keep getting 2011 signed .efi files except for bootmgfw_EX.efi. I kept the files to manually swap out, but trying to avoid that if possible. I don't recall simply renaming and overwriting, but maybe that's what I had done.
Then the next step was to try to address for WDS and I haven't been able to get any AMA replies about this, or even on my opened MS case via 3rd party. If struggling with WDS, next step to try moving away from it working with the NET team on iphelpers and DHCP options.
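The two replies above both come down to one question: which Microsoft CA signed a given copy of bootmgfw.efi or wdsmgfw.efi? The following PowerShell is an added example, not code from the AMA, from Microsoft or from any participant. It reads the Authenticode signature of each boot file and reports the issuing CA, so a 2011-signed copy ("Microsoft Windows Production PCA 2011") can be told apart from a 2023-signed one ("Windows UEFI CA 2023") before it is copied into the WDS or SCCM boot share. The file paths in the usage section are assumptions (default RemoteInstall folder, a WIM mounted at a scratch path) and must be adjusted to your environment.

```powershell
# Added example (not from the AMA or from Microsoft). Reports which Microsoft CA
# signed each EFI boot file. Run from an elevated PowerShell on the WDS/SCCM host.
function Get-BootFileSigner {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            [pscustomobject]@{ File = $file; Status = 'missing'; Subject = $null; IssuerCA = $null; SignedBy2023CA = $false }
            continue
        }
        # Get-AuthenticodeSignature understands PE files, which .efi boot loaders are.
        $sig = Get-AuthenticodeSignature -LiteralPath $file
        $subject = $null; $issuer = $null
        if ($sig.SignerCertificate) {
            # Keep only the CN of the leaf and of its issuer; the issuer is the CA that Secure Boot's db must trust.
            $subject = ($sig.SignerCertificate.Subject -split ',\s*')[0] -replace '^CN='
            $issuer  = ($sig.SignerCertificate.Issuer  -split ',\s*')[0] -replace '^CN='
        }
        [pscustomobject]@{
            File           = $file
            Status         = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            Subject        = $subject
            IssuerCA       = $issuer          # e.g. 'Microsoft Windows Production PCA 2011' or 'Windows UEFI CA 2023'
            SignedBy2023CA = (($issuer -like '*2023*') -or ($subject -like '*2023*'))
        }
    }
}

# Usage. All paths below are assumptions: the default C:\RemoteInstall share, the
# boot_EX folder named in the thread, and a boot WIM mounted at C:\Mount (mount it first with
# Mount-WindowsImage -ImagePath <winpe.wim> -Index 1 -Path C:\Mount).
$files = @(
    "$env:windir\System32\RemInst\boot_EX\x64\bootmgfw.efi",
    "$env:windir\System32\RemInst\boot_EX\x64\wdsmgfw.efi",
    'C:\RemoteInstall\SMSBoot\x64\bootmgfw.efi',
    'C:\RemoteInstall\SMSBoot\x64\wdsmgfw.efi',
    'C:\Mount\Windows\Boot\EFI\bootmgfw.efi',
    'C:\Mount\Windows\Boot\EFI\bootmgfw_EX.efi'
)
Get-BootFileSigner -Path $files | Format-Table -AutoSize
```

A file reporting IssuerCA "Microsoft Windows Production PCA 2011" will boot on a client whose db still holds the 2011 CA, but will be refused once that CA is revoked into DBX; a file reporting "Windows UEFI CA 2023" requires the 2023 CA to already be in the client's db. Checking Status as well catches a copy that was modified or truncated during the copy-and-rename step.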
- csmith-norwood (Brass Contributor)
Can we get in plain english how everything is going to be affected? It is near impossible to get a clear picture on how, when, and what is happening and going to happen. Seems like we are spending a lot of time chasing our tails on this, and we have little to no control over what and when we can do anything about this.
- VicMastandrea (Occasional Reader)
We tested mitigating BlackLotus (Windows UEFI 2011 -> DBX). 0x80 applied to test devices, then pilot devices. No problems.
It was decided not to mitigate BlackLotus. Is there a way to remove the Windows UEFI 2011 from the DBX, outside of booting into BIOS and resetting Secure Boot keys to factory defaults?
- mihi (Iron Contributor)
There is no way to undo DBX revocations from inside the operating system. (Think about it, otherwise Black Lotus could do that as well). So you will have to do that from within the firmware setup somehow - if there is no separate option to undo DBX updates (which I've seen only very rarely), you'd have to restore the keys to factory defaults, properly taking care of BitLocker and/or SecureBootRecovery in that process, if applicable.
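Two threads above turn on the actual contents of the Secure Boot variables: the ESXi discussion (VMs created with an empty or stale PK/KEK, and whether the 2023 KEK has landed) and the BlackLotus discussion (whether "Microsoft Windows Production PCA 2011" has been written into DBX by the 0x80 step). The following PowerShell is an added example, not code from the AMA, from Microsoft or from Broadcom. It reads PK, KEK, db and dbx with Get-SecureBootUEFI, parses the EFI_SIGNATURE_LIST structures those variables contain, and reports which Microsoft CAs are present in each. The registry value names at the end are the ones Microsoft's servicing documentation describes for the in-box update path; treat them as an assumption and confirm them against the current documentation for your build. The script only reads; it does not enqueue any update.

```powershell
# Added example (not from the AMA, Microsoft or Broadcom). Run in an elevated
# PowerShell 5.1+ session on a UEFI machine or VM. Read-only.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

# Walk the chain of EFI_SIGNATURE_LIST blocks in a Secure Boot variable.
function Get-SignatureListEntries {
    param([byte[]]$Bytes)
    $entries = New-Object System.Collections.Generic.List[object]
    $offset = 0
    # Header: SignatureType GUID (16) + SignatureListSize (4) + SignatureHeaderSize (4) + SignatureSize (4)
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        # Guard against a corrupt or truncated variable (would otherwise loop forever or overrun).
        if ($listSize -lt 28 -or $sigSize -lt 17 -or $offset + $listSize -gt $Bytes.Length) { break }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by the signature itself.
            $data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entries.Add([pscustomobject]@{ Kind = 'x509'; Value = $cert.Subject; NotAfter = $cert.NotAfter })
            } elseif ($type -eq $EfiCertSha256) {
                $hex = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
                $entries.Add([pscustomobject]@{ Kind = 'sha256'; Value = $hex; NotAfter = $null })
            } else {
                $entries.Add([pscustomobject]@{ Kind = "other:$type"; Value = "$($data.Length) bytes"; NotAfter = $null })
            }
            $pos += $sigSize
        }
        $offset += $listSize
    }
    return $entries
}

function Get-SecureBootCertStatus {
    $vars = [ordered]@{}
    foreach ($name in 'PK', 'KEK', 'db', 'dbx') {
        # A VM with no PK/KEK (the ESXi case in the thread) throws here; report it as empty.
        try   { $vars[$name] = Get-SignatureListEntries -Bytes (Get-SecureBootUEFI -Name $name).Bytes }
        catch { $vars[$name] = @(); Write-Warning "Could not read ${name}: $_" }
    }
    $hasCert = { param($v, $pattern)
        @($vars[$v] | Where-Object { $_.Kind -eq 'x509' -and $_.Value -like $pattern }).Count -gt 0 }

    # Servicing state recorded by Windows for the in-box update path. Value names per
    # Microsoft's documentation (assumption: verify for your build). 0x80 in AvailableUpdates
    # is the PCA 2011 -> DBX step the thread refers to.
    $sb  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
    $svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled       = try { Confirm-SecureBootUEFI } catch { $false }
        PK_Present              = @($vars['PK'] | Where-Object Kind -eq 'x509').Count -gt 0
        KEK_CA2011              = & $hasCert 'KEK' '*Microsoft Corporation KEK CA 2011*'
        KEK_2KCA2023            = & $hasCert 'KEK' '*Microsoft Corporation KEK 2K CA 2023*'
        DB_WindowsPCA2011       = & $hasCert 'db'  '*Microsoft Windows Production PCA 2011*'
        DB_WindowsUEFICA2023    = & $hasCert 'db'  '*Windows UEFI CA 2023*'
        DB_MicrosoftUEFICA2011  = & $hasCert 'db'  '*Microsoft Corporation UEFI CA 2011*'
        DB_MicrosoftUEFICA2023  = & $hasCert 'db'  '*Microsoft UEFI CA 2023*'
        DB_OptionROMUEFICA2023  = & $hasCert 'db'  '*Microsoft Option ROM UEFI CA 2023*'
        DBX_PCA2011Revoked      = & $hasCert 'dbx' '*Microsoft Windows Production PCA 2011*'
        DBX_HashCount           = @($vars['dbx'] | Where-Object Kind -eq 'sha256').Count
        AvailableUpdates        = if ($null -ne $sb.AvailableUpdates) { '0x{0:X}' -f $sb.AvailableUpdates } else { $null }
        UEFICA2023Status        = $svc.UEFICA2023Status
    }
}

Get-SecureBootCertStatus | Format-List
```

Read across the fields together: a VM that shows PK_Present false or KEK_2KCA2023 false cannot accept a signed db update for the 2023 CAs, which is the situation the ESXi posts describe. DBX_PCA2011Revoked true is the state the 0x80 step leaves behind, and as the reply above says it cannot be undone from the OS; once it is true, DB_WindowsUEFICA2023 must also be true or the machine will not boot a 2011-signed boot manager. For a fleet, run the function through Invoke-Command and collect the objects into a CSV rather than reading the Format-List output by hand.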