Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked the Secure Boot playbook, but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or any time during the live broadcast.
Get started with these helpful resources
103 Comments
- PSUnicorn Copper Contributor
For anyone looking for how to monitor the Secure Boot certificate status, it's in Intune admin center > Reports > Windows Autopatch - Windows quality updates > Reports tab > Secure Boot status.
Additionally, if you are a PMPC premium customer there is now a Secure Boot dashboard under Security and Compliance which I think does a better job at providing the secure boot status for devices.
- bengert Occasional Reader
The 2023 cert expires on 6/13/2035 or in about 9 years. When will Microsoft start working on pushing the next CA to partners so we don't have the last minute push like we are having with the 2011 cert? With web PKI it's common to start pushing a new root 5 years before the current root expires, aka around 2031.
- jad Copper Contributor
Thanks, all! I would welcome another AMA as we roll into June. And will anyone be replying to comments/questions posted here? I appreciate there is only so much time during the AMA so not all questions can be addressed live.
- lbell005 Occasional Reader
Would like to see an early June session with guidance on servers in DMZ and firewalled off, so they are not running Windows Update to get the certificates.
- WarWicked Occasional Reader
How are you currently deploying your Windows updates now? If it's through WSUS via SCCM, we use the same utility. The registry key is what allows the certificates to be applied.
Assuming you are still applying patching to these servers manually, you would just have to apply the registry key, but Microsoft provides the High Confidence buckets for you to verify if they believe it is safe or not to apply.
- quelamho Occasional Reader
Yes please, another AMA in June.
- Heather_Poulsen
Community Manager
Thanks for joining today's AMA. We tried to answer as many questions as we could during the hour, and will continue to review and reply over the next few days.
Question: Should we host another AMA in June?
- iamVinay Copper Contributor
Yes another one helps!
- Castellm Occasional Reader
Thanks for hosting, this is really useful. My question was regarding VMware and issues seen where NVRAM files seem to have a NULL value or empty - is there a strategy for getting the 2023 PK and KEK into the key provider?
When attempting to switch bootloader I get non-booting machines, so following process as best I can but drawing a blank...
- quelamho Occasional Reader
Can you share the script for MECM?
- deltavictorindialima Copper Contributor
In the Secure Boot status report in Intune, what is the column Confidence level for? Most of my systems show "Under Observation - More Data Needed" for that column. My Certificate status column shows "Up to date" for all the same systems. I thought I was done, is there more I need to do?
- SimoneTac Copper Contributor
Using Intune CSP - the majority of our devices, including ones with updated firmware, are still in the "Under observation" confidence level bucket, according to Autopatch Secure Boot report.
We haven't seen it changing with latest CUs.
Should we now push using the AvailableUpdates=0x5944 before June?