Event details
Hi,
As per article https://support.microsoft.com/en-gb/topic/how-to-manage-the-windows-boot-manager-revocations-for-secure-boot-changes-associated-with-cve-2023-24932-41a975df-beb2-40c1-99a3-b3ff139f832d, Step 4 'Apply the SVN update to the firmware' of the Mitigation Deployment Guidelines refers to enabling a self-revocation feature, which is straightforward.
However, there is no additional information on how to query whether the feature has been successfully applied! Even the support article https://support.microsoft.com/en-gb/topic/secure-boot-db-and-dbx-variable-update-events-37e47cf8-608b-4a87-8175-bdead630eb69 does not list the relevant event log entry, which by the way is 'ProviderName: Microsoft-Windows-TPM-WMI Event ID: 1042'. The Event ID will indicate that the command was successful, which is great, but I am hoping to be able to query this directly on the UEFI DB if possible.
The reason:
- I am deploying this to a Tenancy via Intune 'Detection and Remediation' script pair and will need to be able to query, in the Detect script, devices that have the SVN enabled after a device OS reset!
(an OS reset after applying the referred secure boot changes, in the above articles, clears the event log and any query targeting an event ID is irrelevant)
For example:
- I can query (PS command below) the PCA 2011 certificate revocation directly on the UEFI dbx (very helpful for a device after OS reset as the event log is cleared):
  [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Microsoft Windows Production PCA 2011'
At this time I have not been able to find a similar solution to query whether the SVN feature is ENABLED or still needs to be enabled.
Any assistance will be appreciated.
Thank you
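An added example, not the thread's own script: a detection script in the shape the post describes, checking the PCA 2011 revocation by walking the dbx EFI_SIGNATURE_LIST structures and inspecting the X.509 entries instead of regex-matching ASCII inside raw DER bytes. It covers only the dbx check, since the thread confirms no SVN check exists yet; the function names and the exit-code convention (0 = revocation present) are assumptions.

```powershell
# Added example, not the thread's own script: detect the PCA 2011 dbx revocation
# by parsing dbx as EFI_SIGNATURE_LIST structures and inspecting X.509 entries.
# Assumed Intune detection convention: exit 0 = revocation present, exit 1 = not.

$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiSignatureEntries {
    param([byte[]]$Bytes)
    $offset = 0
    # EFI_SIGNATURE_LIST: SignatureType GUID(16) | ListSize(4) | HeaderSize(4) | SigSize(4)
    while ($offset + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16 -or $offset + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while ($pos + $sigSize -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID(16) | SignatureData(SigSize - 16)
            [pscustomobject]@{
                Type = $type
                Data = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
            }
            $pos += $sigSize
        }
        $offset = $end
    }
}

function Test-Pca2011Revoked {
    $dbx = (Get-SecureBootUEFI -Name dbx).Bytes
    foreach ($entry in (Get-EfiSignatureEntries -Bytes $dbx)) {
        if ($entry.Type -ne $EfiCertX509Guid) { continue }   # skip SHA-256 hash entries
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($entry.Data)
        if ($cert.Subject -like '*Microsoft Windows Production PCA 2011*') { return $true }
    }
    return $false
}

try {
    if (Test-Pca2011Revoked) { Write-Output 'PCA 2011 is present in dbx'; exit 0 }
    Write-Output 'PCA 2011 not found in dbx'; exit 1
} catch {
    # Legacy BIOS, Secure Boot off, not elevated, or unexpected dbx layout: report non-compliant
    Write-Output "dbx check failed: $($_.Exception.Message)"; exit 1
}
```

Run elevated on a UEFI system; the script treats any failure to read or parse dbx as non-compliant so the remediation step gets a chance to run.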
Per Enterprise Deployment Guidance for CVE-2023-24932 - Microsoft Support, "Mitigation 4: A method to confirm that the SVN setting has been applied does not yet exist. This section will be updated when a solution is available." So unfortunately, there aren't any validation steps yet - but stay tuned as the team works this through and gets validation steps documented.
- todor-pln, Feb 20, 2025, Copper Contributor
EricMoe, the Deployment Guidance link you provided is definitely different from KB5025885! With fewer reboot requirements, to say the least...
I guess it's back to the drawing board for me ... our current deployment script is based around KB5025885 and counts, as recommended, two reboots per step! This new KB article should speed up the deployment cycle...
- EricMoe, Feb 20, 2025, Microsoft
Glad to hear the new guidance is going to help. It was published just a week ago, so it's hot off the presses!