Event details
Hi Guys. After watching this very informative video, I'm still left with a single question.
Assume a customer decides to apply Intune policy to "push" new certs via CFR, and some devices do not have a hardware BIOS that is updated. Will the deployment just fail silently, or can it cause any issues on those devices?
- mihi, Mar 26, 2026, Brass Contributor
If the device does not use Secure Boot, the deployment will do nothing.
If the device has Secure Boot, it has some kind of firmware where environment variables are stored (or else Windows could not boot as it could not store the location of Windows Boot Manager) - an attempt is made to update those variables with the latest certs.
This update can fail (both on hardware and virtual machines) due to implementation bugs in the firmware, causing a freeze or, in the unlikely worst case, a system that won't boot automatically again. That is the whole reason why Microsoft is adding so many switches and does not just apply the update everywhere. But this is unrelated to whether the firmware is "a hardware BIOS" or "not a hardware BIOS", whatever that might refer to (e.g. a firmware that is not called BIOS but UEFI++, or a firmware that does not have a built-in setup menu, or the virtual firmware of a virtual machine).
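
A pre-rollout check for the cases described in the reply above, as an added example that is not part of the thread or Microsoft's tooling: it reports whether a device uses Secure Boot at all and whether its `db` variable already contains the new certificate. The function name `Get-SecureBootRolloutState`, the default certificate name `Windows UEFI CA 2023`, and the wording of the `Expectation` values are assumptions made for the example.

```powershell
# Added example: classify one device before a Secure Boot certificate rollout.
# Run in an elevated PowerShell session on the device itself.
function Get-SecureBootRolloutState {
    param(
        # Assumption: subject text of the new certificate to look for in db.
        [string]$CertName = 'Windows UEFI CA 2023'
    )

    $state = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $false
        DbHasNewCert      = $null
        Expectation       = ''
    }

    try {
        # Returns $true/$false on UEFI firmware; throws on legacy BIOS boot
        # or when the session is not elevated.
        $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop)
    }
    catch [System.PlatformNotSupportedException] {
        $state.Expectation = 'No UEFI variables: Secure Boot not in use, rollout does nothing'
        return [pscustomobject]$state
    }
    catch [System.UnauthorizedAccessException] {
        $state.Expectation = 'Unknown: rerun elevated'
        return [pscustomobject]$state
    }

    if (-not $state.SecureBootEnabled) {
        $state.Expectation = 'Secure Boot off: rollout does nothing'
        return [pscustomobject]$state
    }

    # db is a binary signature list; certificate subjects appear in it as
    # readable text, so a substring search is sufficient for an inventory check.
    $db   = Get-SecureBootUEFI -Name db -ErrorAction Stop
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    $state.DbHasNewCert = $text -match [regex]::Escape($CertName)

    $state.Expectation = if ($state.DbHasNewCert) {
        'New certificate already present in db'
    } else {
        'Firmware variable write will be attempted: pilot this model first'
    }
    [pscustomobject]$state
}

Get-SecureBootRolloutState
```

Collecting this output per hardware model before assignment shows which devices fall into the "does nothing" case and which will have their firmware variables written, so the latter can be piloted in small groups.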