Can you please clarify what does 'Not applicable' means for the certificate status in the Intune report - Reports>Windows quality updates>Reports>Secure Boot Status>Certificate status and if any action is needed for these?

Using PowerShell, this is how we're detecting if the devices have updated their Secure Boot certificates. Is this valid code? Is there better code we should be using?

# Detect if 2023 KEK certificate is installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'

# Detect if 2023 DB (Windows) certificate is installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

# Detect if 2023 DB (Third Party) certificates are installed

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft UEFI CA 2023'

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Microsoft Option ROM UEFI CA 2023'

# Detect if boot files are signed by 2023 certificate

$efiPartition = Get-Partition | Where-Object {$_.GptType -eq "{C12A7328-F81F-11D2-BA4B-00A0C93EC93B}"}

Add-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath "S:"

$efiBootmgfw = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

$efiBootmgfw.Import("S:\EFI\Microsoft\Boot\bootmgfw.efi", $null, 'DefaultKeySet')

($efiBootmgfw | ? {$_.Subject -eq 'CN=Windows UEFI CA 2023, O=Microsoft Corporation, C=US'}) -ne $null

Remove-PartitionAccessPath -DiskNumber $efiPartition.DiskNumber -PartitionNumber $efiPartition.PartitionNumber -AccessPath "S:"

If my device doesn't have UEFICA2023 cert and can no longer PXE, what would be the process to update that machine if the device is not bootable.

What impact will the TLS lifetime decreasing to 47 days have on these secure boot certificates?  Will these certificates eventually need to be replaced every 47 days?
https://www.digicert.com/blog/tls-certificate-lifetimes-will-officially-reduce-to-47-days

Currently there's only a GPO (ADMX) to do the update of the certificates. Are you also working on a GPO (ADMX) for the "revocation" (dbx) of the 2011 certificates?

We are having some issues getting the new certs installed on our VM guests. Our ESXI is patched to newest level but our hosts are showing the following error: 

The Secure Boot update failed to update KEK 2023 with error Invalid access to memory location

I update the servers to the point where I see the following Reg entries..

• Both Active and Default DBs show both 2023 and 2011.
• AvailableUpdates show 0x00004000
• WindowsUEFICA2023Capable registry key was set to 2
• UEFICA2023Status registry key shows “Updated”
• For Server OS I see the following:
• Server 2019/2022 I see Event ID 1808 in system log
• Server 2025 I see event 1799 in system log

Both events say that the UEFI CA 2023 was installed successfully….so does that mean the system is up to date?  

However, if we run the command below, I get the return code “00” …is that a problem???

• $pk = Get-SecureBootUEFI -Name PK
• $bytes = $pk.Bytes
• $cert = $bytes[44..($bytes.Length-1)]
• [IO.File]::WriteAllBytes("PK.der", $cert)
• certutil -dump PK.der

Follow up on earlier SCCM boot.wim questions:

Can we continue using the boot.wim with 2011 cert past June 2026?

Will that work successfully with devices that only have 2011 cert?

Will devices that have 2023 cert already require a boot.wim that has 2023 cert once June 2026 has passed?

(We have thousands of devices in storage, and need to know sooner, rather than later, if they need to get updated pre-June 2026)

I manually updated the registry on a device, set it to 22852, and forced the Scheduled Task to start, waited 30 seconds and forced a reboot, and the server (server 2019 VM in hyperv with the latest march patches) and it restarted several more times on its own before it settled down and showed updated. Not sure if several reboots are going to be required every time, of if me forcing things my running the scheduled task had this effect.

Oke so we’re pretty much trying to get it in control. So I am wondering the PK (platform key) isn’t present in our hypervisor version at this moment. What does this mean for the whole chain?

cause we have a well guided plan aligned with Microsoft their approval. But after running the workflow 0x5944 , en you go to 0x4100 and after a while you get the 0x4000. This means the flow is done. After this you have the remaining 0x280 (revocation of PCA2011 , and applying SVN). After this you are done. 

reading the march update there is this line: 

KB5079473

Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.

could you tell us more about this? - my guess is that you need telmetry on to have this nice feature/support?