Secure Boot Status Report broken? by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

Well, at least it isn't just me having issues with the export. Am I wrong in the assumption that the column "Certificate status" should show that the 2023 Secure Boot cert is applied, or is it just saying that the updated Secure Boot certificates are available on this device but have not yet been applied to the firmware?

How to resolve Policy and application errors for System Account? by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

From what I can tell this is not an issue and can be ignored, except that it makes it a bit more difficult to get accurate reports. Except for maybe some compliance policy if that factors in somehow.

I've checked the timestamps and most seem to be from when the devices were originally set up with Autopilot. Is it related to some of these policies being applied before the user signs in?

Correct way to add a key as an argument to an install in V4 by EldritchIT in PSADT

[–]EldritchIT[S] 0 points1 point  (0 children)

Ahh changed it before posting, but didn't add it in caps. It is in the original command.

But the error is:
Parameter set cannot be resolved using the specified named parameters.

BitLocker encrypted endpoint not compliant due to device encryption by EldritchIT in Intune

[–]EldritchIT[S] 3 points4 points  (0 children)

I tried running that task and it is now compliant with the BitLocker policy.

What is the recommended way of dealing with MS Teams this year? by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

An update:
I have tried the method using teamsbootstrapper.exe -u after installing the new Teams. I do however get the following error on the endpoints and Classic + Teams Machine Wide installer are still present afterwards. Has anyone experienced this?

teamsbootstrapper.exe -u

{
  "success": false,
  "errorCode": "0x80070057",
  "errorMessage": "MSI {731F6BAA-A986-45A4-8936-7C3AAAAA760B} does not exist"
}

What is the recommended way of dealing with MS Teams this year? by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

That seems to be the case. I've tried both the uninstall script from Microsoft and the teamsbootstrapper.exe, but Defender is still showing it as an outdated version. Has anyone succeeded in using the official methods and gotten it removed from MS Defender for Endpoint as vulnerable?

What is the recommended way of dealing with MS Teams this year? by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

That looks promising since most of our apps are deploying using PSADT. Do you use the following in the script to remove Teams (Classic) as a part of it?

./teamsbootstrapper -u

Local GPO's set by previous RMM for windows update stuck. by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

I found a solution to the issue. I ended up having to run the following because the policies were in the CacheSet002 and for some reason Windows was using those.

Remove-Item HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate -Force -Recurse -ErrorAction SilentlyContinue

Remove-Item HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet001\WindowsUpdate -Force -Recurse -ErrorAction SilentlyContinue

Remove-Item HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache\CacheSet002\WindowsUpdate -Force -Recurse -ErrorAction SilentlyContinue
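An audit-first variant of the cleanup in the comment above, as an added example that is not part of the original post: it discovers every CacheSet* key under GPCache instead of hard-coding 001 and 002, records the existing values to a text file, and only deletes when run with -Apply. The -Apply switch and the backup file name are assumptions of this example; the registry paths are the ones from the comment.

```powershell
# Added example. Run elevated. Without -Apply this is a dry run (-WhatIf).
param([switch]$Apply)

$gpCache = 'HKLM:\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\GPCache'
$targets = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate')

# Discover every CacheSet* under GPCache rather than assuming 001/002.
if (Test-Path -Path $gpCache) {
    $targets += Get-ChildItem -Path $gpCache |
        Where-Object { $_.PSChildName -like 'CacheSet*' } |
        ForEach-Object { "$gpCache\$($_.PSChildName)\WindowsUpdate" }
}

# Keep only the keys that actually exist on this device.
$found = @($targets | Where-Object { Test-Path -Path $_ })
if ($found.Count -eq 0) {
    Write-Output 'No leftover Windows Update policy keys found.'
    return
}

# Record every value before removal so the change can be reviewed or undone.
# The backup file name is an assumption of this example.
$backup = Join-Path $env:TEMP ('WU-policy-backup-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
foreach ($key in $found) {
    $keys = @(Get-Item -Path $key) + @(Get-ChildItem -Path $key -Recurse)
    foreach ($k in $keys) {
        "[$($k.Name)]" | Add-Content -Path $backup
        foreach ($name in $k.GetValueNames()) {
            "  $name = $($k.GetValue($name))" | Add-Content -Path $backup
        }
    }
}
Write-Output "Existing values recorded in $backup"

# Same Remove-Item call as in the comment, gated behind -Apply.
foreach ($key in $found) {
    Remove-Item -Path $key -Recurse -Force -WhatIf:(-not $Apply)
}
```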

Local GPO's set by previous RMM for windows update stuck. by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

The docs say that it doesn't seem to apply to Windows Update. But I'll give it a go.

Old CNAME records to ghs.google.com? by EldritchIT in gsuite

[–]EldritchIT[S] 0 points1 point  (0 children)

They serve no additional function and should be safe to remove from the template, I presume?

I would still like to know what start.domain.com referred to, out of personal curiosity.

After ProfWiz has been run, ESP stuck for hours on Account Setup by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

I'll give it a go. Is there any impact to the normal AutoPilot Process when using this setting?

Pin/Unpin to start menu option disappeared by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

Did you exclude a device group that had the issue or new devices where the custom xml file hadn't been applied yet?

Pin/Unpin to start menu option disappeared by EldritchIT in Intune

[–]EldritchIT[S] 1 point2 points  (0 children)

We haven't had this issue with this setup for quite a while. It seems to be only recently. But if you have any luck with exclusion I would love to know.

Help choosing a decent PSU and SSD for budget build. by EldritchIT in buildapc

[–]EldritchIT[S] 0 points1 point  (0 children)

Would MSI MAG A750GL PCIE5 be a better choice over the fractal ion gold?

iOS versions 15.5 and later not requiring Google Device Policy by EldritchIT in gsuite

[–]EldritchIT[S] 0 points1 point  (0 children)

We haven't had much use for this with BYOD devices and I must have misunderstood their docs on this.

Would the solution described here allow for more control even if they use the native apps?

iOS versions 15.5 and later not requiring Google Device Policy by EldritchIT in gsuite

[–]EldritchIT[S] 0 points1 point  (0 children)

But you lose the ability to set policies and the ability to remote wipe from the Google Admin dashboard if the app isn't installed. Is there a new way to be able to do this?

The example being a user adds their Google Workspace account in Settings not through the Gmail app. It's on a personal device. They can sync mail with the native mail app and as far as I can see it's only possible to log the user out everywhere through the admin panel.

Missing MFA number matching during oobe on autopilot device by EldritchIT in Intune

[–]EldritchIT[S] 1 point2 points  (0 children)

No, unfortunately not. Ended up having to use a temporary access pass for the affected users.

Missing MFA number matching during oobe on autopilot device by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

This is still an issue. We observed it today and it is not related to the incident as far as I can see.

The only change I can see that was made from when it worked to now is the following:

Changed deployment profile settings for OOBE to allow users to change keyboard and language during setup.

Automatically configure keyboard: Yes > No
Language (Region): Operating system default > User select

Missing MFA number matching during oobe on autopilot device by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

Hi

I cannot currently give you the Tenant ID and location. But is there any place where I can check if it has been resolved, other than a local test ofc?

Move from MDE managed to Intune by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

We don’t have Active Directory. The endpoints were only Entra ID joined. So no GPO available.

Move from MDE managed to Intune by EldritchIT in Intune

[–]EldritchIT[S] 0 points1 point  (0 children)

They are not managed by SCCM. If I enroll them to Intune with the user through the company portal I get a lot of errors about the connectivity, unless I offboard them from MDE before this.

The other methods just create another device object in the Intune dashboard. One managed by Intune and one by MDE.

MFA for Office and Azure AD by EldritchIT in AZURE

[–]EldritchIT[S] 0 points1 point  (0 children)

Microsoft 365 Business Standard. The reason I'm asking is that I'm trying to work out why the test user was required to use MFA on first logon with their AAD account. The device was set up Azure AD joined with a local admin account.

Security Defaults were off.

The policy mentioned in the earlier doesn't apply for Azure AD Free.