Event details
I am about to enable the Secure Boot policy via Intune - specifically "Enable Secureboot Certificate Updates = Enabled". I am 99% sure this will not have an adverse effect on devices with BIOS not ready or where certificate import fails. I'd like to confirm that is still the case.
- HeyHey16K, Feb 20, 2026, Steel Contributor
We're still getting error code of doom (65000) on every device for these policy settings, but I heard a rumour this will be fixed for everyone by the end of Feb 🤞
- Jason_Sandys, Feb 19, 2026, Microsoft
Hi Dan Alvarado, great question. First please make sure that you have reviewed and are familiar with our guidance including Secure Boot Certificate updates: Guidance for IT professionals and organizations - Microsoft Support.
Next, there is some small amount of risk with this so we strongly encourage that orgs do not enable this across the board without proper testing and validation in their environment first. This testing and validation should follow your standard practices, similar to rolling out any update including Windows Updates (in rings/waves). You should also take into account different device types in your environment as there is a dependency on the firmware properly accepting the certificate update that may necessitate updating the firmware on specific device models first. For information on firmware compatibility, please check with your OEMs as they are the keeper and controller of this info.

Bottom line is that we strongly recommend a slow, controlled roll out just in case you are impacted or encounter something unique.
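For the per-model testing described above, it helps to have a local check that shows whether a given device has actually taken the 2023 CAs into its KEK and db while still holding the 2011 ones. The following is an added example, not code from the thread or from Microsoft: it uses the built-in SecureBoot cmdlets (Confirm-SecureBootUEFI, Get-SecureBootUEFI) and searches the raw signature-list bytes for the CA subject names Microsoft publishes. The registry value names under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing (UEFICA2023Status, UEFICA2023Error) are taken from Microsoft's published guidance and are an assumption to confirm against the KB linked in the post for your build. It must run elevated on a UEFI device.

```powershell
# Added example (not from the thread or from Microsoft): report, on one device,
# whether the 2023 Secure Boot CAs are present alongside the 2011 ones.
# Assumes: Windows 10/11 on UEFI, run as Administrator.

function Test-UefiVarContains {
    param([string]$Name, [string]$Subject)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes. DER-encoded
    # subject names are ASCII, so a plain substring search is enough to spot a CA.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    return $text.Contains($Subject)
}

function Get-SecureBootCaStatus {
    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $null
        Kek2011           = $null
        Kek2023           = $null
        Db_WinPCA2011     = $null
        Db_WinUefiCa2023  = $null
        Db_MsUefiCa2011   = $null
        Db_MsUefiCa2023   = $null
        ServicingStatus   = $null   # UEFICA2023Status (assumed name, per MS guidance)
        ServicingError    = $null   # UEFICA2023Error  (assumed name, per MS guidance)
    }

    try { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $result.SecureBootEnabled = $false }   # legacy BIOS or Secure Boot unsupported

    if ($result.SecureBootEnabled) {
        # Subject names of the 2011 and 2023 Microsoft Secure Boot CAs.
        $result.Kek2011          = Test-UefiVarContains -Name KEK -Subject 'Microsoft Corporation KEK CA 2011'
        $result.Kek2023          = Test-UefiVarContains -Name KEK -Subject 'Microsoft Corporation KEK 2K CA 2023'
        $result.Db_WinPCA2011    = Test-UefiVarContains -Name db  -Subject 'Microsoft Windows Production PCA 2011'
        $result.Db_WinUefiCa2023 = Test-UefiVarContains -Name db  -Subject 'Windows UEFI CA 2023'
        $result.Db_MsUefiCa2011  = Test-UefiVarContains -Name db  -Subject 'Microsoft Corporation UEFI CA 2011'
        $result.Db_MsUefiCa2023  = Test-UefiVarContains -Name db  -Subject 'Microsoft UEFI CA 2023'
    }

    # Status the servicing task writes once the policy trigger has been picked up.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        $result.ServicingStatus = $props.UEFICA2023Status
        $result.ServicingError  = $props.UEFICA2023Error
    }

    return [pscustomobject]$result
}

$status = Get-SecureBootCaStatus
$status | Format-List

# Treat a device as "done" only when both generations are present: the 2011 CAs
# have to stay because boot-critical components are still signed under them.
if ($status.SecureBootEnabled -and $status.Kek2023 -and $status.Db_WinUefiCa2023 -and
    $status.Kek2011 -and $status.Db_WinPCA2011) {
    Write-Host "2023 CAs present alongside 2011 CAs - update applied on this device."
}
elseif ($status.SecureBootEnabled) {
    Write-Host "2023 CAs not (fully) present; firmware may need an OEM update or the servicing task has not run yet."
}
else {
    Write-Host "Secure Boot is off or unsupported; the certificate update does not apply here."
}
```

Run it on one device of each model in the first ring before and after the policy lands, and keep the output next to the OEM firmware version, since a device that stays at "not present" after the task has run is the firmware-compatibility case the guidance warns about rather than a policy problem.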
- nlmitchell, Feb 19, 2026, Iron Contributor
We're about to do the same, Dan Alvarado, but have gone with all three options in the Intune policy.
I have read somewhere that MS have no plans to remove the 2011 certificates, so I guess if the 2023 certs fail then the device would just revert back to using the 2011 ones. Would be good to get MS clarification here though
- Jason_Sandys, Feb 19, 2026, Microsoft
Hi nlmitchell, correct that we will not remove the old certs as doing so would break the boot process since all boot critical components are still signed using these old certs.
As noted, we strongly recommend a slow, ring/wave based, controlled rollout based on your org's standard update rollout and device type distribution.
- nlmitchell, Feb 19, 2026, Iron Contributor
Agreed, a controlled approach seems sensible for this one, Jason_Sandys.
We have done initial testing across several model types. Next is ICT (dogfooding, I think you guys call it), then a couple more 'Test Rings' totalling approx. 400 devices. If all goes well there, which we will monitor in the Secure Boot Report that's available in Intune, then it's the rest of our estate, approx. 5,500 devices.
Note, we are part of the 'Autopatch update readiness private preview' and have seen the Secure Boot 'v2' report that's coming soon in Intune and it contains a lot more detail and looks very good. I will likely wait for this report to become available before deploying the policy to our wider estate.