Event details
Join us in May for our fourth Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they start expiring in June of 2026. If you've already bookmarked the Secure Boot playbook but need more details or have a specific question, join us to get the answers you need to prepare for this milestone. No question is too big or too small. Update scenarios, inventorying your estate, formulating the right deployment plan for your organization -- we're here to help!
How do I participate?
Registration is not required. Simply select Add to calendar, then sign in to the Tech Community and select Attend to receive reminders. Post your questions in advance, or at any time during the live broadcast.
Get started with these helpful resources
114 Comments
- PSUnicorn (Copper Contributor)
For anyone looking for how to monitor the Secure Boot certificate status, it's in Intune admin center > Reports > Windows Autopatch - Windows quality updates > Reports tab > Secure Boot status.
Additionally, if you are a PMPC premium customer there is now a Secure Boot dashboard under Security and Compliance which I think does a better job at providing the Secure Boot status for devices.
- bengert (Copper Contributor)
The 2023 cert expires on 6/13/2035 or in about 9 years, when will Microsoft start working on pushing the next CA to partners so we don't have the last minute push like we are having with the 2011 cert? With web PKI it's common to start pushing a new root 5 years before the current root expires aka around 2031.
- jad (Copper Contributor)
Thanks, all! I would welcome another AMA as we roll into June. And will anyone be replying to comments/questions posted here? I appreciate there is only so much time during the AMA so not all questions can be addressed live.
- lbell005 (Occasional Reader)
Would like to see an early June session with guidance on servers in a DMZ and firewalled off so they are not running Windows Update to get the certificates.
- WarWicked (Occasional Reader)
How are you currently deploying your Windows updates now? If it's through WSUS via SCCM, we use the same utility. The registry key is what allows the certificates to be applied.
Assuming you are still applying patching to these servers manually, you would just have to apply the registry key, but Microsoft provides the High Confidence buckets for you to verify if they believe it is safe or not to apply.
- quelamho (Copper Contributor)
Yes, please, another AMA in June.
- Heather_Poulsen (Community Manager)
Thanks for joining today's AMA. We tried to answer as many questions as we could during the hour, and will continue to review and reply over the next few days.
Question: Should we host another AMA in June?
- Castellm (Copper Contributor)
Thanks for hosting, this is really useful. My question was regarding VMware and issues seen where NVRAM files seem to have a NULL value or are empty - is there a strategy for getting the 2023 PK and KEK into the key provider?
When attempting to switch bootloader I get non-booting machines, so I am following the process as best I can but drawing a blank...
- DraganSt (Copper Contributor)
For VMware virtual machines, you can use a method similar to what is currently proposed in the official VMware guidelines, but without the need for external disks or manual UEFI UI interaction. The approach involves adding the Microsoft-provided Windows OEM Devices PK certificate directly to the UEFI from within the guest OS, which unblocks the automatic certificate update process and allows it to complete successfully.
The process in brief involves shutting down the VM, adding a vSphere advanced parameter to put the machine into UEFI SetupMode on next power-on, then once booted, verifying SetupMode is active and enrolling the Windows OEM Devices PK certificate using built-in PowerShell cmdlets. After enrollment, setting the AvailableUpdates registry key to trigger the Windows certificate update task and rebooting is all that is needed for the automated process to complete.
For the detailed commands, a Google search for "Secure Boot 2023 Certificate Remediation - Manual Procedure (No Scripts)" will lead you to a community published article on GitHub that covers this. You only need Step 12 from that guide and nothing else. The preceding steps handle NVRAM regeneration and manual KEK enrollment which are not necessary here — once the PK is corrected, the Windows automated update process takes care of the KEK, DB and boot manager updates by itself.
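As an added illustration of the guest-side part of the procedure described above (this is example code written for this page, not DraganSt's script, not the GitHub guide's Step 12, and not Microsoft or VMware code), the following PowerShell checks that the firmware is in SetupMode, enrolls a PK from a certificate file, sets the AvailableUpdates value quoted in this thread, and starts the servicing task. Assumptions, each also marked in the code: the vSphere advanced parameter that puts the VM into SetupMode has already been applied on the host (the thread does not name it, so it is not shown); the PK certificate path is a placeholder; the scheduled-task path `\Microsoft\Windows\PI\Secure-Boot-Update` and the use of `Format-SecureBootUEFI`/`Set-SecureBootUEFI` without a `-SignedFilePath` while in SetupMode are taken from the Windows SecureBoot module as I understand it, and should be confirmed against the cmdlet help on the target build before use.

```powershell
#Requires -RunAsAdministrator
# Example code for this page (not the thread author's, not Microsoft's or VMware's).
# Prerequisite (host side, not shown): the VM was powered on with the vSphere advanced
# parameter that forces UEFI SetupMode, as described in the comment above.
param(
    # Placeholder path: point this at the Microsoft "Windows OEM Devices PK" .cer file.
    [string]$PkCertPath = 'C:\SecureBoot\WindowsOEMDevicesPK.cer'
)

function Test-SetupMode {
    # The UEFI SetupMode variable is one byte: 1 = SetupMode (no PK enrolled), 0 = UserMode.
    $v = Get-SecureBootUEFI -Name SetupMode
    return ([int]$v.Bytes[0]) -eq 1
}

function Get-SecureBootCertSummary {
    # Substring check over the raw db/KEK variables; this is the same style of check
    # Microsoft's Secure Boot guidance uses to see whether the 2023 CAs are present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    [pscustomobject]@{
        SetupMode            = Test-SetupMode
        Db_WindowsUefiCa2023 = [bool]($db  -match 'Windows UEFI CA 2023')
        Kek_Microsoft2023    = [bool]($kek -match 'Microsoft Corporation KEK 2K CA 2023')
    }
}

function Install-PlatformKey {
    param([Parameter(Mandatory)][string]$CertPath)
    if (-not (Test-SetupMode)) {
        throw 'Firmware is not in SetupMode; a PK can only be enrolled from SetupMode.'
    }
    if (-not (Test-Path -LiteralPath $CertPath)) {
        throw "PK certificate file not found: $CertPath"
    }
    $content = Join-Path $env:TEMP 'pk.bin'
    # SignatureOwner is the GUID recorded in the EFI_SIGNATURE_LIST entry; any GUID is acceptable.
    $owner = [guid]::NewGuid()
    # Build the serialized signature list from the certificate.
    Format-SecureBootUEFI -Name PK -SignatureOwner $owner -Time (Get-Date) `
        -ContentFilePath $content -FormatWithCert -CertificateFilePath $CertPath | Out-Null
    # Assumption: in SetupMode the firmware accepts the PK write without a PKCS7 signature,
    # so no -SignedFilePath is supplied. Outside SetupMode this call is expected to fail.
    Set-SecureBootUEFI -Name PK -Time (Get-Date) -ContentFilePath $content
    Remove-Item -LiteralPath $content -ErrorAction SilentlyContinue
    if (Test-SetupMode) { throw 'PK write reported success but firmware is still in SetupMode.' }
}

function Start-SecureBootCertUpdate {
    # AvailableUpdates = 0x5944 is the value quoted in this thread; it tells the Windows
    # servicing task which certificate/boot manager updates to apply.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    New-ItemProperty -Path $key -Name 'AvailableUpdates' -PropertyType DWord -Value 0x5944 -Force | Out-Null
    # Assumed task path; starting it avoids waiting for the task's own periodic trigger.
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
}

# Orchestration: record state, enroll the PK, kick off the update, then reboot.
$before = Get-SecureBootCertSummary
Write-Host "Before: $($before | Out-String)"
if ($before.SetupMode) {
    Install-PlatformKey -CertPath $PkCertPath
    Write-Host 'PK enrolled; firmware left SetupMode.'
}
Start-SecureBootCertUpdate
Write-Host 'Update task started. Reboot, then run Get-SecureBootCertSummary again;'
Write-Host 'Db_WindowsUefiCa2023 and Kek_Microsoft2023 should both read True once it completes.'
```

Run it once in an elevated session inside the guest after the SetupMode power-on, reboot as the last line says, and re-run `Get-SecureBootCertSummary` to confirm the 2023 KEK and db entries landed; the script refuses to write a PK when the firmware is not in SetupMode, which is the state a normal, correctly provisioned VM should be in.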
- quelamho (Copper Contributor)
Can you share the script for MECM?
- deltavictorindialima (Copper Contributor)
In the Secure Boot status report in Intune, what is the column Confidence level for? Most of my systems show "Under Observation - More Data Needed" for that column. My Certificate status column shows "Up to date" for all the same systems. I thought I was done, is there more I need to do?
- SimoneTac (Copper Contributor)
Using Intune CSP - the majority of our devices, including ones with updated firmware, are still in the "Under observation" confidence level bucket, according to Autopatch Secure Boot report.
We haven't seen it changing with the latest CUs.
Should we now push using AvailableUpdates=0x5944 before June?