Hello, I would like to get some clarity on the following questions.
- Is there a prerequisite of updating the system to the latest BIOS / UEFI version from the vendor before updating the certificates?
- Is there a list of High Confidence devices that Microsoft is able to provide?
- Outside of Intune deployment, which method does Microsoft suggest using as the most reliable way to update the certificates?
- The most recent one via WinCS (Option 3), or Option 2 via registry keys?
- In the troubleshooting section Microsoft recommends you have the BitLocker recovery key available.
- Does updating the certificates via any of the suggested methods require suspending BitLocker for them to apply, and how do we monitor this via telemetry, events, etc.?
- If Secure Boot is not on and we let the certificate expire and we enable Secure Boot at a later date, what is the impact?
mihi, Feb 04, 2026, Copper Contributor
Q1: In the common case (no firmware bugs) it does not matter whether the firmware update is installed before or after updating the certificates. The firmware update will provide new certificates in case the UEFI variables are reset, and the certificate update will provide new certificates for the currently running system. If there is a firmware bug that lets the certificate update run into an error, obviously you need to install the firmware updates.
Q5: You will have to update the certificates at a later date, either from the system or via securebootrecovery.efi, or the system will stop booting in case it gets a newer bootloader signed with the new certificates. As UEFI generally cannot securely validate timestamps, the update will either (most likely) just work or will require switching the system time back before applying securebootrecovery.efi and fixing the system time again afterwards. So, as a worst case, a few more manual steps are required.
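The thread asks how to monitor whether the certificate update has applied and what the BitLocker exposure is, and the reply notes that a system with Secure Boot off still needs the update later. The PowerShell below is an added, read-only status check written for this page; it is not code from the thread, from Microsoft, or from any of the options the question names. It assumes that the 2023 certificate subjects all contain the substring "CA 2023" (and the 2011 generation "CA 2011"), and that the `UEFICA2023Status` value under the `SecureBoot\Servicing` registry key is the rollout-progress marker described in Microsoft's servicing guidance; confirm both against current Microsoft documentation. The `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`, `Get-BitLockerVolume` and `Get-WinEvent` cmdlets are standard Windows cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread or from Microsoft): report the Secure Boot certificate
# state, BitLocker exposure and recent servicing events. It only reads state; it does not
# apply the certificate update or change BitLocker.

function Get-SecureBootCertState {
    $state = [ordered]@{}

    # Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "not enabled".
    try   { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) }
    catch { $state.SecureBootEnabled = $false; $state.Note = 'UEFI Secure Boot not supported or not available' }

    if ($state.SecureBootEnabled) {
        # db and KEK are raw EFI_SIGNATURE_LIST blobs; an ASCII substring search for the
        # certificate subject is enough to tell the 2011 and 2023 generations apart
        # (assumption: every 2023 subject contains "CA 2023", every 2011 subject "CA 2011").
        foreach ($var in 'db', 'KEK') {
            $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
            $state["${var}Has2023CA"] = [bool]($text -match 'CA 2023')
            $state["${var}Has2011CA"] = [bool]($text -match 'CA 2011')
        }
    }

    # Rollout progress marker (assumption: value name per Microsoft's servicing guidance).
    $svc = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $state.UEFICA2023Status = if ($svc -and $svc.PSObject.Properties['UEFICA2023Status']) { $svc.UEFICA2023Status } else { 'unknown' }

    return [pscustomobject]$state
}

function Get-BitLockerExposure {
    # Changing db/KEK changes the PCR 7 measurement; a TPM protector bound to PCR 7 can
    # therefore prompt for recovery after the update, which is why the troubleshooting
    # guidance says to have the recovery key at hand. This reports, it does not suspend.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) { return [pscustomobject]@{ Drive = $env:SystemDrive; BitLocker = 'not available' } }
    [pscustomobject]@{
        Drive            = $vol.MountPoint
        ProtectionStatus = [string]$vol.ProtectionStatus   # On = active; Off = suspended or not encrypted
        VolumeStatus     = [string]$vol.VolumeStatus
        TpmProtector     = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -like 'Tpm*' })
        RecoveryPassword = [bool]($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
}

function Get-SecureBootServicingEvents {
    param([int]$Max = 10)
    # Secure Boot servicing messages are logged to the System log by the TPM-WMI provider;
    # reviewing the latest ones is the lightweight way to watch the rollout on a single host.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

# Usage: run in an elevated PowerShell session on the device being checked.
Get-SecureBootCertState       | Format-List
Get-BitLockerExposure         | Format-List
Get-SecureBootServicingEvents | Format-Table -AutoSize -Wrap
```

Read the output together: `dbHas2023CA` and `KEKHas2023CA` true with `UEFICA2023Status` of `Updated` means the device has the new certificates; `SecureBootEnabled` false with no 2023 entries is the Q5 case, where the update still has to be applied before (or when) Secure Boot is switched on. A `TpmProtector` of true with `ProtectionStatus` of `On` is the configuration in which a recovery prompt after the update is possible, so that is the device class for which the recovery key should be confirmed as escrowed before rollout.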