If we don't get all the devices up-to-date before June, will it be possible to get them up-to-date later, or will they be stuck on old Boot Certs.

I respect that you are picking and choosing which questions to answer, but before you shut down, could you answer some of the vSphere-related questions? Inquiring minds want to know :-)

On the hyperv question, both the host and the guests were updated with the march CU's, so it resolved the errors with it being read only, but I did not expect it to reboot the computer 4 times in 30 minutes to get the job done, other client testing only one or two reboots were needed, and it was not happening automatically ever 3 or 4 minutes in a row on the device. Also still not seeing an answer for the Capable = 2 versus capable = 0 even though they show updated status otherwise.

Been very disappointed by the new Secure Boot reports in Intune. Months late to the party, and you cannot filter or search on the "Certificate Status" field. And many devices show as 'unknown'. 

Can you please clarify what does 'Not applicable' means for the certificate status in the Intune report - Reports>Windows quality updates>Reports>Secure Boot Status>Certificate status and if any action is needed for these?

Using PowerShell, this is how we're detecting if the devices have updated their Secure Boot certificates. Is this valid code? Is there better code we should be using?

# Detect if 2023 KEK certificate is installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'

# Detect if 2023 DB (Windows) certificate is installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

# Detect if 2023 DB (Third Party) certificates are installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Option ROM UEFI CA 2023'

# Detect if boot files are signed by 2023 certificate

$efiPartition = Get-Partition | Where-Object {$_.GptType -eq "{C12A7328-F81F-11D2-BA4B-00A0C93EC93B}"}

Add-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath "S:"

$efiBootmgfw = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

$efiBootmgfw.Import("S:\EFI\Microsoft\Boot\bootmgfw.efi", $null, 'DefaultKeySet')

($efiBootmgfw | ? {$_.Subject -eq 'CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US'}) -ne $null

Remove-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath "S:"

If my device doesn't have UEFICA2023 cert and can no longer PXE, what would be the process to update that machine if the device is not bootable.

What impact will the TLS lifetime decreasing to 47 days have on these secure boot certificates?  Will these certificates eventually need to be replaced every 47 days?
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

Currently there's only a GPO (ADMX) to do the update of the certificates. Are you also working on a GPO (ADMX) for the "revocation" (dbx) of the 2011 certificates?

We are having some issues getting the new certs installed on our VM guests. Our ESXI is patched to newest level but our hosts are showing the following error: 

The Secure Boot update failed to update KEK 2023 with error Invalid access to memory location