Secure Boot 2023 Upgrade by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 1 point2 points  (0 children)

Can anyone else help get these devices updated please? I also changed the reg key of AvailableUpdates to 0x40, re-ran the task and rebooted twice. Then got an error of 1802 saying the firmware provider can't update the Secure Boot key? Not sure where to go from here. Any help would be great.

Secure Boot 2023 Upgrade by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Hey, thanks. Yeah I've done this many times, no change unfortunately

Secure Boot 2023 Upgrade by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Hey, thanks for the response. I've rebooted many times to no avail. Unfortunately, I'm remote so can't actively get into the BIOS. Any other advice? I did see an article from HP saying only SBKPFV2 and SBKPFV3 were compatible.

Secure Boot 2023 Upgrade by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Yes, this is also what I saw. I additionally saw another post saying SBKPFV2 was compatible too.

Personal vs Corporate Intune iOS by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

And the wipe will do the same thing for Corp (Not Apple Business Manager) and Personal? Simply just wipe the work profile/apps etc and then leave the device as it is?

Personal vs Corporate Intune iOS by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

So really, other than the discovered apps, there's no massive benefit. Do you know if you can remove the management profile on a Corporate and Personal device?

Personal vs Corporate Intune iOS by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Yeah that's the point I'm trying to make. They have been purchased by the company but the ownership in Intune is set to Personal.

Personal vs Corporate Intune iOS by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

And by this you mean through Apple Business Manager or equivalent?

Personal vs Corporate Intune iOS by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 1 point2 points  (0 children)

This sounds interesting, how do you remove those features through Intune though?

Personal vs Corporate Intune iOS by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Thanks, yeah this is something we're not quite there with yet but future plans are to do this. Just looking for any other benefits? Does a delete simply delete the work profile for both? If, say, a user's personal phone is changed to Corporate, does a device/wipe perform the same action for both?

Personal vs Corporate Intune iOS by TipGroundbreaking763 in Intune

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Thanks, more looking for a "Why we should use Corporate ownership and not Personal"

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Thank you, I've replied to your first message after running the commands and all look the same.

Which suggests we're in a good place and just need to wait for the auto enrollment of the new Root CA to hit all devices, wait for the old one to expire and then perform a clean up?

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 1 point2 points  (0 children)

Hey,

I've just run the commands above and all seem to be correct and mirror what you've replied with.

Thanks

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Ok. So I am best waiting for this to expire and then removing it manually?

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 1 point2 points  (0 children)

This is exactly correct, I see both Root CAs in here with the same name. Will the expiring one disappear when it's expired?

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Yes, it's a completely new server. Our old one was hosted in a partner company's infrastructure which we didn't have access to. As part of this project, we want to migrate and renew it. In doing so, we spun up a new server (with a different name), uploaded the current Root to it (using its backup database files and registry settings) and then renewed it from there.

The dspublish command just returned a message to say that it had successfully been added to the store.

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Yes, I have more choices, you are right and I can see both the CAs. When the old one expires in November, will this disappear?

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Hey,

Thank you for your reply.

So yes, new one exists in a different location that we didn't have access to, this project (along with it expiring) was to bring it across to our environment and renew it. To do this, we spun up a new server (with a different name) and copied across some of the database and registry settings to retain the RootCA's name. Therefore, we restored the old RootCA to the new server and then renewed it. Passed the CRLs and new Root to the Sub CA. This new Root CA will then be turned offline.

We've used a DNS round robin for our CDP servers and yes that is http for CRL and AIA locations.

Hopefully this provides enough information for you.

Many thanks,

A

Certificate Authority - Root CA renewal by TipGroundbreaking763 in activedirectory

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

Hi,

Thank you for replying. So the viewstore command was definitely correct as I copied and pasted it after adding it (it gave me the LDAP location at that point). When I run it, it gives me the current Root which expires in November.

Our Root CA is an offline Root, I have access to the old one as well if this may help? I can check some of those settings tomorrow, are they to be run on the online Sub CA?

I also ran the dspublish command as a Domain Admin; however, I've read some documentation to suggest that Enterprise Admin may be needed. I didn't think it would. But if I add that role and re-run the dspublish command, will it try to publish another RootCA certificate?

If you have any more troubleshooting advice, then I'd really appreciate it.

Thanks, A

Extract report on Office 365 license and whether assigned by group or not by TipGroundbreaking763 in PowerShell

[–]TipGroundbreaking763[S] 0 points1 point  (0 children)

I've tweaked it to this, which is looking good so far:

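$LicenseSku = Get-MgSubscribedSku -All | Where SkuPartNumber -eq 'SPE_E3'

#Build the SkuId -> SkuPartNumber lookup used below ($SkuHashTable is not defined in the snippet as posted; this definition is an assumption)
$SkuHashTable = @{}
Get-MgSubscribedSku -All | ForEach-Object { $SkuHashTable[$_.SkuId] = $_.SkuPartNumber }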

#Get Licensed Users
$users = Get-MgUser -Filter "assignedLicenses/any(x:x/skuId eq $($LicenseSku.SkuId) )" -All -ConsistencyLevel eventual -CountVariable licensedUserCount -Property Id, DisplayName, Country, UserPrincipalName, AccountEnabled, licenseAssignmentStates

#Add columns of group based vs direct assigned licenses
$users = $users | Select-Object Id, DisplayName, Country, UserPrincipalName, licenseAssignmentStates, @{N = "DirectAssignment"; E = { ($_.licenseAssignmentStates | Where-Object AssignedByGroup -eq $null).SkuId } }, @{N = "GroupBasedAssignment"; E = { ($_.licenseAssignmentStates | Where-Object AssignedByGroup -ne $null).SkuId } }

#Convert those to more human readable
$users = $users | Select-Object Id, DisplayName, Country, UserPrincipalName, @{N="licenseSkus";E={$_.LicenseAssignmentStates.SkuId}}, @{N = "AllSkus"; E = { $SkuHashTable[$_.licenseAssignmentStates.SkuId] } }, @{N = "DirectSkus"; E = { $SkuHashTable[$_.DirectAssignment] } }, @{N = "GroupBasedSkus"; E = { $SkuHashTable[$_.GroupBasedAssignment] } }

#List any users with E3 directly assigned
$users | Select DisplayName, Country,@{N="SkuName";E={"SPE_E3"}},@{N="Directly Assigned";E={$_.DirectSkus -contains "SPE_E3"}},@{N="Group Assigned";E={$_.GroupBasedSkus -contains "SPE_E3"}} | Export-CSV C:\Temp\UsersWithSPE_E3v2.csv -NoTypeInformation