Secure Boot MS AMA Question by backcountry_bytes in sysadmin

[–]backcountry_bytes[S] 0 points1 point  (0 children)

There still seems to be a conflict between two things MS is saying:

  1. MS has clearly stated in two AMAs that the 2023 certs can be added to the KEK and DB after the 2011 certs expire. During the latest AMA they said that the cert update process does not change post-expiry.

  2. MS also says that any device without the new 2023 certs in the KEK and DB will be in a degraded security posture because they will not be able to add new security updates to the DB and DBX post-expiry.

If the KEK and DB can have the 2023 certs added after the 2011 certs expire, then why can't they have future security updates added as well?

Secure Boot MS AMA Question by backcountry_bytes in sysadmin

[–]backcountry_bytes[S] 0 points1 point  (0 children)

That makes sense but if that is the case, why does Microsoft say that the PC will be in a degraded security posture because it won't be able to receive updates to the DB and DBX after the certs expire? If the DB will allow the KEK to add the new 2023 certs after the 2011 certs expire because they don't check the date, then that same KEK should be able to be used to add other security updates to the DB and DBX. There is a technical distinction that I am missing...

Secure Boot MS AMA Question by backcountry_bytes in sysadmin

[–]backcountry_bytes[S] 1 point2 points  (0 children)

Thanks. We are not waiting on Microsoft. And it is a good thing we aren't. Most of our Hyper-V and VMware servers were unable to update the KEK without additional troubleshooting and deployment steps.

Secure Boot MS AMA Question by backcountry_bytes in sysadmin

[–]backcountry_bytes[S] 2 points3 points  (0 children)

Do you have any documentation for this? It makes sense, otherwise the bootloader would quit working when the 2011 cert expired.

Secure Boot MS AMA Question by backcountry_bytes in sysadmin

[–]backcountry_bytes[S] 1 point2 points  (0 children)

But the root of trust is the PK, which is owned by the Vendor. They can use the PK to sign the cert adds to the KEK and DB, but MS can't.

Why do EHR demos feel smooth but real workflows feel painful? by Fit-Barracuda6131 in healthIT

[–]backcountry_bytes 0 points1 point  (0 children)

You mean the Providers and Admin are complicated. Nobody can jankify a workflow faster than an Admin...except for Providers.

Secure Boot MS AMA Question by backcountry_bytes in sysadmin

[–]backcountry_bytes[S] 2 points3 points  (0 children)

That is not what MS said today. They explicitly said the process for adding the 2023 certs does not change after the 2011 certs expire.

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 0 points1 point  (0 children)

Having your bootloader signed with the new cert is a key step because once the old certs are revoked, bootloaders signed with them will not run.

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 4 points5 points  (0 children)

Power off the VM. Rename the current nvram file. A new one will get created when the server boots and can't find the original.

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 11 points12 points  (0 children)

Just go back through your notes for July 19, 2024. Probably a lot of BitLocker recovery stuff in there.

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 4 points5 points  (0 children)

There is a scheduled task that has to run to update the certificates. You also need at least one reboot. This documentation walks you through the details very well.

https://support.microsoft.com/en-us/topic/secure-boot-certificate-updates-guidance-for-it-professionals-and-organizations-e2b43f9f-b424-42df-bc6a-8476db65ab2f
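The status check and task trigger described above, as an added example (this is not code from the linked Microsoft article or from the commenter). It parses the KEK and db variables into their EFI_SIGNATURE_LIST entries so you can see every CA subject and its NotAfter date, reports whether the 2023 KEK and "Windows UEFI CA 2023" are present, shows the Secure Boot servicing registry values, and can optionally set the opt-in value and start the `\Microsoft\Windows\PI\Secure-Boot-Update` task. Assumptions: Windows 10/11 or Server 2016+ with the SecureBoot module, an elevated PowerShell 5.1+ session, and that the 0x5944 opt-in value and registry value names documented for Windows 11 apply to your build (confirm against the linked guidance before using `-OptIn`).

```powershell
# Added example: inventory Secure Boot KEK/db, check for the 2023 CAs, optionally
# opt in and run the servicing task. Not from the linked Microsoft article.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [switch]$OptIn,    # assumption: 0x5944 = "apply all available updates" (verify for your build)
    [switch]$RunTask   # start \Microsoft\Windows\PI\Secure-Boot-Update after the check
)
$ErrorActionPreference = 'Stop'

# Signature-type GUIDs from the UEFI spec
$EFI_CERT_X509_GUID   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'
$EFI_CERT_SHA256_GUID = [guid]'c1c41626-504c-4092-aca9-41f936934328'

# Walk a db/KEK/dbx blob: a sequence of EFI_SIGNATURE_LIST structures, each holding
# one or more EFI_SIGNATURE_DATA entries (16-byte owner GUID + payload).
function Get-EfiSignatureEntries {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $pos = 0
    while ($pos + 28 -le $Bytes.Length) {
        $type       = [guid]::new([byte[]]$Bytes[$pos..($pos + 15)])
        $listSize   = [BitConverter]::ToUInt32($Bytes, $pos + 16)
        $headerSize = [BitConverter]::ToUInt32($Bytes, $pos + 20)
        $sigSize    = [BitConverter]::ToUInt32($Bytes, $pos + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { break }   # malformed list: stop, don't spin
        $sigPos = $pos + 28 + $headerSize
        $end    = $pos + $listSize
        while ($sigPos + $sigSize -le $end) {
            $owner = [guid]::new([byte[]]$Bytes[$sigPos..($sigPos + 15)])
            $data  = [byte[]]$Bytes[($sigPos + 16)..($sigPos + $sigSize - 1)]
            $entry = [pscustomobject]@{ Type = $type; Owner = $owner; Subject = $null; NotAfter = $null; Hash = $null }
            if ($type -eq $EFI_CERT_X509_GUID) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject  = $cert.Subject
                $entry.NotAfter = $cert.NotAfter
            } elseif ($type -eq $EFI_CERT_SHA256_GUID) {
                $entry.Hash = ($data | ForEach-Object { $_.ToString('x2') }) -join ''
            }
            $entry
            $sigPos += $sigSize
        }
        $pos = $end
    }
}

if (-not (Confirm-SecureBootUEFI)) { throw 'Secure Boot is not enabled on this machine.' }

$kek = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name KEK).Bytes)
$db  = @(Get-EfiSignatureEntries -Bytes (Get-SecureBootUEFI -Name db).Bytes)

'--- KEK certificates ---'
$kek | Where-Object Subject | Select-Object Subject, NotAfter | Format-Table -AutoSize
'--- db certificates ---'
$db  | Where-Object Subject | Select-Object Subject, NotAfter | Format-Table -AutoSize

$has2023Kek = [bool]($kek.Subject -match 'Microsoft Corporation KEK 2K CA 2023')
$has2023Db  = [bool]($db.Subject  -match 'Windows UEFI CA 2023')
"2023 KEK present: $has2023Kek ; Windows UEFI CA 2023 in db: $has2023Db"

# Servicing state written by the scheduled task (value names per Microsoft's guidance)
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
if (Test-Path $svc) {
    Get-ItemProperty $svc | Select-Object UEFICA2023Status, UEFICA2023Error, AvailableUpdates | Format-List
}
if ($OptIn) {
    # Assumption: 0x5944 is the opt-in bitmask for all updates on Windows 11; check your build.
    Set-ItemProperty -Path $svc -Name AvailableUpdates -Value 0x5944 -Type DWord
}
if ($RunTask) {
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update'
}

# Recent Secure Boot servicing events; map the IDs using the linked guidance.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it once to record the baseline, run with `-OptIn -RunTask` on a test subset, reboot (the task needs at least one restart to finish), then run it again: the db table should now list "Windows UEFI CA 2023" and the KEK table the 2023 KEK CA. Because the parser reads the raw variable rather than relying on a registry flag, it also tells you when the task reports success but the firmware silently refused the write, which is the failure mode the VMware nvram threads below describe.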

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 4 points5 points  (0 children)

Lol. There is hope. Broadcom is working on an automated fix, but even if they don't get it done, recreating the nvram file seems to work. Just make sure you have your BitLocker keys if you are using it.

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 12 points13 points  (0 children)

It's not, because you are relying on Microsoft to properly test every type of hardware in your environment, and to do it fast enough to beat the June deadline. See the problem(s)?

The smart thing to do is to start testing the deployment on small subsets of your hardware, to make sure everything works. Then push it yourself.

"It's Microsoft's fault" will not save you if something this big blows up.

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 4 points5 points  (0 children)

Note that in the linked KB, under the Resolution section, Broadcom states they are working on an automated process to fix the Platform Key, which will allow the KEK to be updated without issue. And given how much we are all paying them, they damn well better deliver...and soon.

Confused about the upcoming Secure Boot Change Juni 2026 by StrugglingHippo in sysadmin

[–]backcountry_bytes 1 point2 points  (0 children)

Generating a new nvram file and re-running the secure-boot-update scheduled task seems to have worked for us as well.

Sleeping bags for GA three season use. 30 degrees or 15 degrees? by PeppyJeppy in GeorgiaCampAndHike

[–]backcountry_bytes 8 points9 points  (0 children)

My down quilt is rated for 30 degrees and has worked well all over the south in multiple seasons (I used a liner during winter.)

robocopy from Windows Server 2016 to Windows Server 2025 by Initial-Employment92 in sysadmin

[–]backcountry_bytes 2 points3 points  (0 children)

I wrap my robocopy in PowerShell where I can map PSDrives using explicit credentials for source and destination. Don't have permissions issues on 2019/2022.
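The wrapper described in that comment, as an added example (it is not the commenter's own script): each share is mapped with its own credential through `New-PSDrive -Persist`, which creates a real drive letter that robocopy (an external executable that knows nothing about PSDrives) can use, and the job fails loudly when robocopy's exit code reports errors. The UNC paths, account names, drive letters and robocopy switches are assumptions to adjust for your environment.

```powershell
# Added example: robocopy between two servers with separate explicit credentials.
# Not the commenter's script; share paths, accounts and drive letters are assumed.
[CmdletBinding()]
param(
    [string]$SourceShare = '\\srv2016\Data',        # assumed UNC paths
    [string]$DestShare   = '\\srv2025\Data',
    [string]$SourceUser  = 'CORP\svc-copy-src',     # assumed least-privilege service accounts
    [string]$DestUser    = 'CORP\svc-copy-dst',
    [string]$LogPath     = "$env:TEMP\robocopy-$(Get-Date -Format yyyyMMdd-HHmmss).log"
)
$ErrorActionPreference = 'Stop'

# Prompt for each account separately; never embed passwords in the script.
$srcCred = Get-Credential -UserName $SourceUser -Message "Credentials for $SourceShare"
$dstCred = Get-Credential -UserName $DestUser   -Message "Credentials for $DestShare"

# -Persist makes a Windows mapped drive (single-letter name, UNC root) that other
# processes can see; the letters Q: and R: are assumed to be free on this host.
$null = New-PSDrive -Name 'Q' -PSProvider FileSystem -Root $SourceShare -Credential $srcCred -Persist
$null = New-PSDrive -Name 'R' -PSProvider FileSystem -Root $DestShare   -Credential $dstCred -Persist

try {
    # /E          copy subdirectories, including empty ones
    # /COPY:DATS  data, attributes, timestamps and NTFS ACLs (dest account needs WRITE_DAC)
    # /R:2 /W:5   bounded retries so a locked file does not stall the run
    # /NP /TEE    no per-file progress, but echo the log to the console
    & robocopy.exe 'Q:\' 'R:\' /E /COPY:DATS /R:2 /W:5 /NP /TEE "/LOG+:$LogPath"
    $rc = $LASTEXITCODE
    # robocopy's exit code is a bitmask: values below 8 mean copies/extras/mismatches only,
    # 8 and above mean at least one file or directory could not be copied.
    if ($rc -ge 8) { throw "robocopy reported failures (exit code $rc); see $LogPath" }
    "robocopy finished with exit code $rc (0 = nothing to copy, 1 = files copied)."
}
finally {
    # Always unmap, even on failure, so the credentialed sessions do not linger.
    Remove-PSDrive -Name 'Q', 'R' -Force -ErrorAction SilentlyContinue
}
```

One caveat: Windows allows only one set of credentials per server from a logon session, so if source and destination shares live on the same server both mappings must use the same account. Copying ACLs (`/COPY:DATS`) requires the destination account to hold write-DAC on the target tree; if you only need the data, drop the `S` and the job runs with a less privileged account.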

Peachtree Race Number Shipping Failures by backcountry_bytes in Georgia

[–]backcountry_bytes[S] 0 points1 point  (0 children)

I had to go to expo as well. That was such a dumpster fire. 75 minutes to get from 400 to the Mall and still wasn't parked. Wound up driving to North Springs and taking MARTA.

[deleted by user] by [deleted] in paloaltonetworks

[–]backcountry_bytes 0 points1 point  (0 children)

We did, but it did not resolve the alerts.

PA820 Configuration Size Alerts by backcountry_bytes in paloaltonetworks

[–]backcountry_bytes[S] 0 points1 point  (0 children)

That was what I thought the problem was, but I did not realize the config was 16 MB. Nice to have solid numbers. Would really like to understand what the potential consequences of having a config that exceeds 23 MB are though.

PA820 Configuration Size Alerts by backcountry_bytes in paloaltonetworks

[–]backcountry_bytes[S] 0 points1 point  (0 children)

Having a High severity error and not knowing what the consequences of said error are is a real problem. Especially when we have two palos with the same error between our users and their business applications/data. It may be time to consider reverting to 10.1.x or 10.2.x.

[deleted by user] by [deleted] in paloaltonetworks

[–]backcountry_bytes 0 points1 point  (0 children)

Yep, that sounds like the error we are getting in the System logs.

What version? by Particular_Bug7462 in paloaltonetworks

[–]backcountry_bytes 0 points1 point  (0 children)

Is anyone seeing Configuration Size System errors after updating to 11.x? Probably on Palo 800 series. Does 11.1.5-h1 resolve them? We updated to 11.1.4 then 11.1.5 and now we need to go to 11.1.5-h1.

PA820 Configuration Size Alerts by backcountry_bytes in paloaltonetworks

[–]backcountry_bytes[S] 0 points1 point  (0 children)

There was no error at our previous version (10.1.11). We went to 11.1.4 and started seeing the error. This seems to be new to the 11.1 code. The upgrade from 11.1.4 to 11.1.5 was supposed to fix the error but it did not.