Event details
I am about to enable the Secure Boot policy via Intune, specifically "Enable Secureboot Certificate Updates = Enabled". I am 99% sure this will not have an adverse effect on devices where the BIOS is not ready or where the certificate import fails. I'd like to confirm that is still the case.
We're about to do the same, Dan Alvarado, but have gone with all three options in the Intune policy.
I have read somewhere that MS have no plans to remove the 2011 certificates, so I guess if the 2023 certs fail then the device would just revert back to using the 2011 ones. Would be good to get MS clarification here though.
- Jason_Sandys, Feb 19, 2026, Microsoft
Hi nlmitchell. Correct, we will not remove the old certs, as doing so would break the boot process since all boot-critical components are still signed using these old certs.
As noted, we strongly recommend a slow, ring/wave-based, controlled rollout based on your org's standard update rollout and device type distribution.
- nlmitchell, Feb 19, 2026, Iron Contributor
Agreed, a controlled approach seems sensible for this one, Jason_Sandys.
We have done initial testing across several model types. Next is ICT (dogfooding, I think you guys call it), then a couple more 'Test Rings' totalling approx. 400 devices. If all goes well there, which we will monitor in the Secure Boot Report that's available in Intune, then it's the rest of our estate, approx. 5,500 devices.
Note, we are part of the 'Autopatch update readiness private preview' and have seen the Secure Boot 'v2' report that's coming soon in Intune and it contains a lot more detail and looks very good. I will likely wait for this report to become available before deploying the policy to our wider estate.
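A per-device check that fits the ring-based rollout discussed above, added here as an example and not code from the thread or from Microsoft: it reads the firmware Secure Boot databases and reports whether the 2011 CA is still enrolled (the fallback Jason_Sandys describes) and whether the 2023 KEK and DB certificates have landed, so a pilot ring can be confirmed before the policy goes wider. The certificate subject strings are the public names of the Microsoft CAs; the `SecureBoot\Servicing` registry value name is an assumption taken from memory of Microsoft's servicing documentation and should be verified against current docs. Run elevated on Windows.

```powershell
# Added example, not from the thread. Reports Secure Boot CA state on the local device.
# Assumption: the 'UEFICA2023Status' value under SecureBoot\Servicing is as documented by
# Microsoft; treat it as optional and verify the name before relying on it.
function Get-SecureBootCertState {
    [CmdletBinding()]
    param()

    $result = [ordered]@{
        ComputerName   = $env:COMPUTERNAME
        SecureBootOn   = $null
        Db2011PCA      = $false   # Microsoft Windows Production PCA 2011 still present (fallback path)
        Db2023UefiCA   = $false   # Windows UEFI CA 2023 enrolled in DB
        Kek2023        = $false   # Microsoft Corporation KEK 2K CA 2023 enrolled in KEK
        ServicingState = $null    # OS-side updater status, if the registry value exists
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS or when the firmware exposes no Secure Boot variables.
    try   { $result.SecureBootOn = Confirm-SecureBootUEFI }
    catch { $result.SecureBootOn = $false; return [pscustomobject]$result }

    # DB and KEK are EFI_SIGNATURE_LISTs holding DER certificates; the subject CN is stored as
    # ASCII inside the DER, so a substring match on the raw bytes is enough to see which CAs are enrolled.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result.Db2011PCA    = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.Db2023UefiCA = $db  -match 'Windows UEFI CA 2023'
    $result.Kek2023      = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # Servicing status written by the in-OS certificate updater (assumed value name, see lead-in).
    $svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $result.ServicingState = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).UEFICA2023Status

    [pscustomobject]$result
}

Get-SecureBootCertState | Format-List
```

A device where the update has not been attempted or where the firmware rejected the KEK/DB write shows `Db2011PCA = True` and `Db2023UefiCA = False`; because the 2011 CA is not removed it keeps booting on the old chain, which is the behaviour the Microsoft reply above describes. Running this as an Intune detection script across a pilot ring gives a quick cross-check against the Secure Boot report before the policy is pushed to the wider estate.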