Event details
We started a while before the playbook came out – using previous instructions on how to update the db and verify the 2023 certificate in the EFI file.
Only recently noticed that this does not update KEK automatically.
Could we, in confidence, target our confirmed db\efi file updated devices with the script to update the AvailableUpdates key and the Scheduled Task to complete the update?
On the handful of devices I tried this on, the UEFICA2023Status value changed to Updated after a few moments.
We are not able to enable the share diagnostic data with Microsoft settings to allow MicrosoftUpdateManagedOptin, so we’ll be managing this ourselves.
If you used older AvailableUpdate flags, it may not have included KEK updates, yes.
I would just re-run with the current flags to get the KEK updated as well, as well as any other things not updated yet. The system will automatically skip flags that have already been applied, and they will get set back to zero (except the 0x4000 flag), so that you will end up with 0x4000 or 0x0 at the end.
Or set it to 0x4004 to only update the KEK, if you prefer going that route.
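As an added example, not a script posted in this thread and not Microsoft's own playbook script: a PowerShell routine that reads the current AvailableUpdates value, decides whether servicing work is still pending using the 0x4000 retained bit the reply describes, optionally sets the 0x4004 KEK-only value, starts the servicing scheduled task and polls UEFICA2023Status for the Updated state the first post mentions. The registry paths (`HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot` and its `Servicing` subkey) and the task path `\Microsoft\Windows\PI\Secure-Boot-Update` are assumptions taken from Microsoft's Secure Boot servicing guidance and are not stated on this page; confirm them against the current playbook before targeting devices with it.

```powershell
# Added example for this thread; not from the original posts or the Microsoft playbook.
# ASSUMED locations (from Microsoft's Secure Boot servicing guidance; verify before use):
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = "$SecureBootKey\Servicing"
$TaskPath      = '\Microsoft\Windows\PI\'
$TaskName      = 'Secure-Boot-Update'

# Values taken from the reply above.
$RetainedFlag = 0x4000   # the one bit the servicing task never clears
$KekOnlyValue = 0x4004   # "update the KEK only"

function Get-SecureBootServicingState {
    # Returns the raw AvailableUpdates value, whether any non-retained bits are
    # still set (i.e. work the task has not yet applied), and the 2023 CA status.
    $avail  = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
    $status = (Get-ItemProperty -Path $ServicingKey  -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
    [pscustomobject]@{
        AvailableUpdates = if ($null -eq $avail) { $null } else { '0x{0:X4}' -f $avail }
        PendingWork      = ($null -ne $avail) -and (($avail -band (-bnot $RetainedFlag)) -ne 0)
        UEFICA2023Status = $status
    }
}

function Invoke-SecureBootKekUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$TimeoutSeconds = 120   # "a few moments" per the first post; adjust to fleet reality
    )

    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this device; servicing does not apply.'
    }

    $before = Get-SecureBootServicingState
    Write-Verbose "Before: AvailableUpdates=$($before.AvailableUpdates) Status=$($before.UEFICA2023Status)"

    if ($before.UEFICA2023Status -eq 'Updated' -and -not $before.PendingWork) {
        Write-Verbose 'Already reports Updated with no pending bits; nothing to do.'
        return $before
    }

    # Request the KEK-only path (0x4004). Bits already applied are skipped by the task
    # and cleared afterwards, so the value should settle to 0x4000 once it finishes.
    if ($PSCmdlet.ShouldProcess($SecureBootKey, "Set AvailableUpdates to 0x{0:X4}" -f $KekOnlyValue)) {
        Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value $KekOnlyValue -Type DWord
        Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
    }

    # Poll until the status flips to Updated and no non-retained bits remain.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $now = Get-SecureBootServicingState
    } while (((Get-Date) -lt $deadline) -and ($now.PendingWork -or $now.UEFICA2023Status -ne 'Updated'))

    if ($now.PendingWork) {
        Write-Warning "Timed out with AvailableUpdates=$($now.AvailableUpdates); the task may still be running or the firmware may have rejected the update. Check the Secure Boot servicing event log before retrying."
    }
    return $now
}

# Usage (run elevated):
#   Invoke-SecureBootKekUpdate -WhatIf            # show what would change
#   Invoke-SecureBootKekUpdate -Verbose           # apply and wait
```

Because the reply says the task zeroes every bit it applies except 0x4000, a device that has finished shows `AvailableUpdates` as 0x4000 (or 0x0 if the retained bit was never set) with `PendingWork` false; anything else after the timeout is the signal to look at the device's event log rather than re-running blindly.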