Let's say I have a 2024 HP ProBook Laptop with 2026 latest BIOS update, AD DS joined, with Windows Update activated with basic GPO settings (drivers and quality included).

No telemetry , no diagnostics sent to MS, no Intune.

If I let things go without interfering, when does this laptop will get certificates update from Windows Update ?

Will the update sent from Windows Update will create the scheduled task and run it every 12h ?

Thanks

​ ​ Arden_White​ 

Can you please let us know when the Intune Error Code 65000 issue is expected to be fixed? I've seen this still across multiple tenants but there's been no update to guidance around resolution date. If there's been a delay, can you please let us know? The official doc says "this issue will be resolved for all devices by February 27, 2026." Thanks! 

Will Microsoft and/or Broadcom provide a solution to automatically update ESXi VMs with missing KEK/PK?

The solution from the article https://knowledge.broadcom.com/external/article/421593/missing-microsoft-corporation-kek-ca-202.html is unfortunately no longer available (upgrading the hardware version and deleting/renaming the .nvram file).

This article https://knowledge.broadcom.com/external/article?articleNumber=423893 states:
"There is no automated resolution available at this time. In coordination with Microsoft, Broadcom Engineering Team is actively working towards implementing an automated solution in a future release to update the Platform Key (PK) on the affected VMs, which will facilitate the certificate rollout as outlined in the Microsoft Guideline."

What happens if you set the registry settings on a device that is still using Legacy BIOS? Is the update process smart enough to ignore those devices?

My company has around 2000 servers on VMWare that we need to make sure that get updated.  We don't want to rely on Microsoft to eventually roll out these updates.  I know the February AMA discussed that there might be some tools coming out in March that might help with automating some of this. 

I just spent about 2 hours or so with our server team just going through this process to update these machines manually.  I mean this is asking a lot to have us touch each server, coordinate with folks on their production servers so that we can shut them off, update the NVRAM file, then reboot them about 2 additional times before we get the 1808 event ID that tells us all is well and good. 

I also have a script that supposedly audits our servers and tells us if the certs are active.  I just looked at a few machines where it says the certs are active and it gives it a "pass" on the report, but when I go to the registry under secure boot, the status is set to "not started", there are also no event IDs present for TPM/WMI.  I mean maybe things  updated a while ago, but shouldn't I see "updated" in the registry and not "not started".   Can someone verify what we should see in the registry w/ regards to this just for verification purposes?

There is so much confusion over what we need to do.  We've spent probably too much time looking at Microsoft documentation on this trying to figure out what to do.  My boss doesn't want to wait things out and risk critical servers to have issues with booting at some point.  Also, going through 2000 servers with a team of about 5 of us is also a lot to ask to make sure certificates are installed and active.  There has to be an easier way to do this.  

Our company does not allow us to use Intune. 

Are there any helpful tools or scripts to Inventory?

During the February AMA, you en-phased that enterprises should leverage intune and build their own dashboard to monitor secure boot states. The guide require Enterprises licences. As an MSP that manage thousand of devices with Business Premium Plan for multiple customer with Intune and Lighthouse it doesn't make sense.

Is there a plan to monitor those states via a compliance policy instead?
And also.. regarding the secured boot compliance policy that will happen to devices that will still have an old certificate, will they continue to show as compliant with the 2011 certificate?

Hi guys 👋, thank you for hosting another AMA, and for fixing the Intune Secure Boot report 🙏. 

It was advised the 65000 error on the Intune report would be fixed by now, but it's still showing on every device we apply the policy to:

When will this issue be resolved please?

Thank you 🙂

Could you confirm that the Secure-Boot-Update scheduled task expects Microsoft's Owner GUID on Microsoft's signatures in Secure Boot? We customize the Secure Boot content and it seems that a different GUID causes the task to break the behavior of GetFirmwareEnvironmentVariableA() (used by BitLocker in other things).

Could you also confirm that updating the firmware SVN (4th step of the revocations) only consists in adding SVNs to the DBX? And that for testing purposes, resetting the DBX is enough to cancel the rollback prevention?

I must have a thousand questions. I'm making one comment per question as that seems reasonable. Posted in no particular order. As of 2026-02-26 I have 22 questions.

I typed up all these questions not knowing there was a February AMA. I'll have to watch that later to see if any of my questions are answered there.

---

When do the 2023 keys expire? See you again in ten years? Or will all you brainiacs be retired by then? :)