Event details
Are there any known differences how the Secure-Boot-Update task behaves on Windows 10 ESU as compared to Windows 11 Home/Pro?
Recently some more threads popped up where users report that Windows freezes during Secure Boot updates after an LCU (e.g. a Dell user here:
https://www.tenforums.com/general-support/223137-windows-10-freezes-3-minutes-after-start-up-since-last-two-updates-2.html )
And the one common point is that all of them use Windows 10 ESU. Might be a coincidence (as users on older machines are more likely to stick with that), but it seems increasingly likely that it is in fact a difference in how the servicing behaves between Win10 and Win11...
I already reported a similar behavior in the March session of "Ask Microsoft Anything: Secure Boot", to which you properly replied that it was an issue with the confidenceLevel, as you did too in the link you posted.
My machine was also using Windows 10 ESU.
I believe the coincidence of those machines using Windows 10 ESU is simply that they are older machines that don't have a recent firmware update and thus have outdated default certificates, and maybe are not able to update the KEK.
I ended up going with your workaround 1, disabling the related task in the Task Scheduler.
But the real solution I got to update all current certificates is using Mosby:
https://github.com/pbatard/Mosby
(from the creator of Rufus)
This wonderful tool runs from a USB key, so independently from the OS. It creates a new PK, then signs the KEK and updates all certificates to the 2023 ones.
Obviously, Mosby is bypassing the OEM recommendation and ConfidenceLevel keys, but for older machines without any support, I believe it is a great solution.
I wish Microsoft would recommend this or propose alternative solutions for older machines, e.g. using the default Windows OEM KEK from https://github.com/microsoft/secureboot_objects/releases as suggested here: https://github.com/cjee21/Check-UEFISecureBootVariables/issues/31
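The two things a reader of this thread will want to verify on their own machine are whether the 2023 certificates actually landed in the firmware's db and KEK (whether they got there via Windows servicing or via Mosby), and what state the Secure-Boot-Update scheduled task is in after "workaround 1". The following PowerShell is an added example written for this page; it is not code from the thread, from Microsoft or from the Mosby project. It assumes the certificate common names used by Microsoft's 2023 Secure Boot CAs, the scheduled task path `\Microsoft\Windows\PI\Secure-Boot-Update`, and the `AvailableUpdates` value under the SecureBoot registry key; it must be run from an elevated PowerShell on a UEFI system with Secure Boot enabled, because `Get-SecureBootUEFI` fails otherwise.

```powershell
# Added example: check the 2023 Secure Boot certificates and the servicing task state.
# Run elevated on a UEFI machine with Secure Boot on. Assumed names are marked below.

# Assumed subject CNs of the 2023 CAs. db/KEK are EFI_SIGNATURE_LISTs holding DER certs,
# and a DER subject CN is stored as plain ASCII, so a substring match is a sufficient
# presence check (no full X.509 parsing needed for this purpose).
$expected = @{
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
}

function Test-SecureBoot2023Certs {
    $result = @{}
    foreach ($var in $expected.Keys) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $var).Bytes
        } catch {
            # Typical causes: not elevated, Secure Boot off, or legacy BIOS boot.
            Write-Warning "Could not read UEFI variable '$var': $_"
            foreach ($cn in $expected[$var]) { $result["$var/$cn"] = $null }
            continue
        }
        $text = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($cn in $expected[$var]) {
            $result["$var/$cn"] = $text.Contains($cn)
        }
    }
    return $result
}

$status = Test-SecureBoot2023Certs
$status.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $state = switch ($_.Value) { $true { 'present' } $false { 'MISSING' } default { 'unreadable' } }
    '{0,-55} {1}' -f $_.Name, $state
}

# Assumed registry location of the servicing opt-in/progress value (AvailableUpdates, DWORD).
# A value of 0 means no pending Secure Boot updates are queued for the task to apply.
$sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
Get-ItemProperty -Path $sbKey -ErrorAction SilentlyContinue |
    Select-Object @{ n = 'AvailableUpdates'; e = { '0x{0:X}' -f $_.AvailableUpdates } }

# Assumed task path for the Secure-Boot-Update task mentioned in the thread.
# State 'Disabled' here corresponds to "workaround 1" being applied.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' |
    Select-Object TaskName, State

# To apply the workaround (stops Windows from retrying the certificate update until re-enabled):
# Disable-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
# To revert once firmware/KEK problems are resolved:
# Enable-ScheduledTask  -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
```

If the KEK entry reports MISSING while the db entries are present, the firmware accepted the db update but the OEM-signed KEK update was not applicable, which is the situation the reply above attributes to older machines without firmware support; on such a machine, disabling the task only stops the retries, it does not add the missing certificate.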