Event details
It's time for our second Ask Microsoft Anything (AMA) about updating Secure Boot certificates on your Windows devices before they expire in June of 2026. If you've already bookmarked Secure Boot play...
Heather_Poulsen
Updated Jan 15, 2026
HeyHey16K
Jan 16, 2026, Iron Contributor
Hey guys 👋,
In the last Secure Boot AMA (https://techcommunity.microsoft.com/event/windowsevents/ama-secure-boot/4472784) someone asked about the UEFICA2025Status Reg Key showing an unexpected status of "NotStarted". You responded to say you would investigate and advise what to do in this situation. We have this in our environment. When will we be told what to do please?
ChromeShavings
Jan 19, 2026, Occasional Reader
From my understanding, the AvailableUpdates (0x5944) reg key needs to be applied and then a manual fire-off of the scheduled task needs to happen afterward. Once I did this, in this order, the status of UEFICA2023Status went from “NotStarted” to “InProgress”. It took me about 2-3 reboots for changes to take effect.
Questions I hope to have answered are below:
- Are all 3 certificates (2 DB and 1 KEK) required to rotate in? How many certificates do we need to check for to meet compliance? Some are checking for just one, some are checking for 3… which is it?
- If one certificate is missing in either the DB or KEK databases, is a firmware upgrade of the BIOS required?
- According to the documentation, there is an option for “Controlled Feature Rollout” using Microsoft Update Managed certificates (MicrosoftManagedUpdateOptIn). Not too concerned about the level of telemetry that is pulled; however, just curious if this is something that customers can turn on to quickly retrieve these certs. Or if it’s necessary for future cert rotations.
- And! What happens if a computer doesn’t have Secure Boot enabled? Or if Secure Boot is enabled, what happens to that device if not compliant by June of 2026?
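A read-only audit script for the items ChromeShavings walks through (the Servicing registry values, the "2 DB and 1 KEK" certificates, and the servicing scheduled task), added here as an example and not taken from this thread or from Microsoft. The Servicing key path and the scheduled task name are assumptions based on the Secure Boot servicing documentation, not values stated in the thread; run it from an elevated PowerShell session.

```powershell
# Added example (not from the thread or from Microsoft): read-only audit of one device's
# position in the Secure Boot 2023 CA rollout. Nothing here writes to the registry or UEFI.
# ASSUMED, not stated in the thread: the Servicing key path and the scheduled task name.
$servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$taskPath     = '\Microsoft\Windows\PI\'
$taskName     = 'Secure-Boot-Update'

# The "2 DB and 1 KEK" 2023 certificates the thread asks about, matched by subject CN.
$expectedCerts = @{
    db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
    kek = @('Microsoft Corporation KEK 2K CA 2023')
}

function Get-SecureBootRolloutState {
    $state = [ordered]@{}

    # 1. Is Secure Boot on at all? Confirm-SecureBootUEFI throws on legacy-BIOS machines.
    try   { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $state.SecureBootEnabled = $false }

    # 2. Servicing values: AvailableUpdates (0x5944 in the thread) plus status and error fields.
    $reg = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
    $state.AvailableUpdates = if ($null -ne $reg.AvailableUpdates) { '0x{0:X4}' -f $reg.AvailableUpdates } else { 'not set' }
    $state.UEFICA2023Status = if ($reg.UEFICA2023Status) { $reg.UEFICA2023Status } else { 'not set' }
    $state.UEFICA2023Error  = if ($null -ne $reg.UEFICA2023Error) { $reg.UEFICA2023Error } else { 'not set' }

    # 3. Which 2023 certificates are actually present in DB and KEK? The DER subject names
    #    are plain ASCII, so a substring match on the decoded variable bytes is sufficient.
    $missing = @()
    foreach ($var in $expectedCerts.Keys) {
        try   { $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes) }
        catch { $text = '' }   # variable unreadable (no UEFI, or Secure Boot unsupported)
        foreach ($cn in $expectedCerts[$var]) {
            $present = $text.Contains($cn)
            $state["$($var.ToUpper()): $cn"] = $present
            if (-not $present) { $missing += "$($var.ToUpper()): $cn" }
        }
    }
    $state.MissingCerts = if ($missing) { $missing -join '; ' } else { 'none' }

    # 4. Has the servicing task run, and with what result (0x0 = success)?
    $info = Get-ScheduledTaskInfo -TaskPath $taskPath -TaskName $taskName -ErrorAction SilentlyContinue
    $state.TaskLastRun    = if ($info) { $info.LastRunTime } else { 'task not found' }
    $state.TaskLastResult = if ($info) { '0x{0:X}' -f $info.LastTaskResult } else { 'n/a' }

    [pscustomobject]$state
}

Get-SecureBootRolloutState | Format-List
```

A device reporting UEFICA2023Status of "NotStarted" together with MissingCerts other than "none" is the situation HeyHey16K describes; comparing the output before and after the reboots ChromeShavings mentions shows whether the rollout is actually progressing.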