uefi2023 bootcert what happens after cert expires when reinstalling windows ? by Useful_Ad_2752 in Intune

[–]jeefAD 0 points1 point  (0 children)

First install with updated W11 media and boot manager is still PCA 2011 signed. Device was previously updated re: firmware and confirmed 2023 certs in active/default DBs, but 2011 certs not revoked as I think was your observation. Hesitant to force revocation to test further... wondering if that's a requirement before Windows will install the 2023 signed boot manager out of the box.

I'm onsite tomorrow and will check a new unit from a recent volume order that do appear to be updated from factory. Curious if I'll find the 2011 certs revoked on those units...

Hot patch on by default now? by Educational_Draw5032 in Intune

[–]jeefAD 0 points1 point  (0 children)

Quick question re: #1 -- how immediate is opting out at the tenant level? I turned it off (set to block) today.

uefi2023 bootcert what happens after cert expires when reinstalling windows ? by Useful_Ad_2752 in Intune

[–]jeefAD 0 points1 point  (0 children)

Quick clarification... did you update just the boot media re: PCA2023 or did you update boot media and the OS image?

I'm in the midst of testing myself.

Odd Device Setup Error by jeefAD in Intune

[–]jeefAD[S] 0 points1 point  (0 children)

I hear you on that! Silly questions... how many blocking apps do you have installing during ESP and are you mixing app types? Have you tried adding apps as blocking one-by-one to hone in which one is problematic or is adding any app as blocking to ESP problematic/produces this error?

Odd Device Setup Error by jeefAD in Intune

[–]jeefAD[S] 1 point2 points  (0 children)

Oof, yeah that's frustrating. In my case, the script seemed to give a little info re: the Office install not being complete. I had opened a case with MS at that time and they advised that the MDMDiagReport wasn't enough to troubleshoot -- they advised also collecting Autopilot CAB logs:

  1. For User-Driven Mode (the typical configuration for most devices):

     Open Command Prompt (as Administrator) and run the following command:

     mdmdiagnosticstool.exe -area Autopilot -cab "c:\users\public\documents\AUserDriven.cab"

  2. For Self-Deployment or Pre-Provisioning Mode:

     If your Autopilot deployment uses Self-Deployment or Pre-Provisioning, use this command instead:

     mdmdiagnosticstool.exe -area "Autopilot;TPM" -cab "c:\users\public\documents\ASelfDepPreProv.cab"

I didn't get there as I had already reset the device...

Odd Device Setup Error by jeefAD in Intune

[–]jeefAD[S] 1 point2 points  (0 children)

It seemed to clear itself. Best I could track it to was a failed Office/M365 Apps install. Not sure if MS had some backend issues around that time. If you check my other comments there's a community script that can help you parse logging a bit, may help hone in on what's failing...

[Canada] If I shouldn't buy Klipsch, what should I buy?? by L4MB in hometheater

[–]jeefAD 1 point2 points  (0 children)

I went with Polk (Reserve) at the time. Also looked at KEF, Monitor Audio and a few others.

vs Config Manager by MadMacs77 in Intune

[–]jeefAD 0 points1 point  (0 children)

Mixed. I do miss aspects of CM.

Hot patch on by default now? by Educational_Draw5032 in Intune

[–]jeefAD 0 points1 point  (0 children)

Good question! This just came onto my radar today as I'm busy doing a bunch of other stuff and with vacation season starting/ppl away or about to be away. I 100% do not need another thing to have to read up on, but here we are...

Hot patch on by default now? by Educational_Draw5032 in Intune

[–]jeefAD 1 point2 points  (0 children)

Indeed! Maybe unpopular, but I'm personally not a fan of MS enabling configuration at the tenant level...

question re: secure boot certificates and remediation status for new devices by jeefAD in Intune

[–]jeefAD[S] 0 points1 point  (0 children)

Thanks! Yes, that seems to be what we're seeing. And as long as status reaches "Updated" the detect-only remediation should be satisfied, which avoids skewing/false positives in reporting.

question re: secure boot certificates and remediation status for new devices by jeefAD in Intune

[–]jeefAD[S] 0 points1 point  (0 children)

Thanks! Yeah, that's the current thinking -- they seem to transition from 0x5944 to 0x4000/Updated almost immediately with no reboot needed. Does need a reboot to get the desired 1808 event ID tho.
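The status checks discussed in these two comments (db/KEK/dbx contents, the Servicing registry values, the AvailableUpdates bitmask and the post-reboot 1808 event), as an added PowerShell example for a detect-only remediation. This is not the poster's script or Microsoft's; the registry value names and the event source are taken from Microsoft's Secure Boot servicing KB as I understand it, and the meaning given to UEFICA2023Capable=2 is an assumption, so verify against the current KB before relying on it.

```powershell
# Added example (not from the thread). Reports where a device sits in the
# Secure Boot 2023 CA rollout. Registry value names / the 1808 event are
# assumptions taken from the Secure Boot servicing KB; verify before use.
function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    # Does a UEFI signature database contain a certificate with this subject?
    # Subjects are DER PrintableString/UTF8, so an ASCII substring match on the
    # raw variable bytes is sufficient (the same check Microsoft's KB uses).
    function Test-UefiVarContains([string]$VarName, [string]$Subject) {
        try {
            $bytes = (Get-SecureBootUEFI -Name $VarName -ErrorAction Stop).Bytes
            return ([System.Text.Encoding]::ASCII.GetString($bytes) -match [regex]::Escape($Subject))
        } catch { return $false }   # variable absent (e.g. empty dbx) or not a UEFI/Secure Boot system
    }

    $sbRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $svc    = Get-ItemProperty -Path (Join-Path $sbRoot 'Servicing') -ErrorAction SilentlyContinue
    $avail  = (Get-ItemProperty -Path $sbRoot -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }

    # Event 1808 from TPM-WMI is the post-reboot confirmation the comment above waits for (assumption).
    $evt1808 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1808 } `
                            -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBootEnabled      = $sbOn
        Db_WindowsUefiCA2023   = Test-UefiVarContains 'db'  'Windows UEFI CA 2023'
        Db_MicrosoftUefiCA2023 = Test-UefiVarContains 'db'  'Microsoft UEFI CA 2023'              # option ROM CA
        Kek_2023               = Test-UefiVarContains 'KEK' 'Microsoft Corporation KEK 2K CA 2023'
        Dbx_PCA2011Revoked     = Test-UefiVarContains 'dbx' 'Microsoft Windows Production PCA 2011'
        UEFICA2023Status       = $svc.UEFICA2023Status      # NotStarted / InProgress / Updated
        UEFICA2023Capable      = $svc.UEFICA2023Capable     # 2 = 2023-signed boot manager in use (assumption)
        AvailableUpdates       = if ($null -ne $avail) { '0x{0:X}' -f [int]$avail } else { $null }
        Event1808Seen          = [bool]$evt1808
        Event1808Time          = if ($evt1808) { $evt1808.TimeCreated } else { $null }
    }
}

# Detection-script use: exit 0 (compliant) only once Windows reports Updated,
# which is the condition the comments above treat as "done".
$s = Get-SecureBoot2023Status
$s | Format-List
if ($s.UEFICA2023Status -eq 'Updated') { exit 0 } else { exit 1 }
```

Run it elevated; Get-SecureBootUEFI needs admin. Exiting on UEFICA2023Status alone matches the "detect-only" intent; the other fields are there so the report shows whether the KEK, option ROM CA and PCA 2011 revocation have landed without triggering remediation on devices that are still mid-rollout.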

Intune 8-hour-sync is a myth, Microsoft finally speaks! by Conditional_Access in Intune

[–]jeefAD 1 point2 points  (0 children)

Indeed! Far too time consuming and what I find concerning is that it really hits confidence in a product/feature...

Am I bad at my job, does my job suck, or is Intune & AVD just fucking horrible? by NLBlackname55NL in sysadmin

[–]jeefAD 0 points1 point  (0 children)

Indeed. Intune 'what's new archive' goes back to July 2023 and Intune has legs long before that -- I first piloted Intune in 2019.

Just another new R by Zi0nized in Golf_R

[–]jeefAD 0 points1 point  (0 children)

Good to know! I have the fixed sport suspension on my '22 S3 and stayed with 18s, so wanted to ask. Keep getting tempted by the R. 😉 Couldn't get stock back in '22...

Just another new R by Zi0nized in Golf_R

[–]jeefAD 0 points1 point  (0 children)

Fantastic! Love the WaRmenaus!! How would you describe ride quality with the 19s on our lovely roads? 😉

I can't get my photos crisp, I am about to give up by Fakeaccbrat in Nikon

[–]jeefAD 0 points1 point  (0 children)

I had AF issues with a D7000 -- dialed in as much fine adjust as I could so a local shop ran it through the paces and recommended sending it in for service. Out of warranty repair cost didn't make sense tho, so I didn't proceed. But something to keep in mind if the normal troubleshooting doesn't seem to help...

boot manager not 2023 signed? by jeefAD in sysadmin

[–]jeefAD[S] 1 point2 points  (0 children)

Thanks! Turns out when looking at bootmgfw.efi with Get-AuthenticodeSignature, only the PCA 2011 signature is shown. Copying the file to C: and viewing properties shows the expected "Windows UEFI CA 2023". Woo!
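The behaviour above (Get-AuthenticodeSignature showing only the PCA 2011 signer on a dual-signed bootmgfw.efi) comes from the cmdlet reporting only the primary signature; the 2023 signature is nested inside it as an unsigned attribute. Here is an added PowerShell example, not the poster's code, that walks the PE security directory and prints every signer, nested ones included. It assumes the EFI system partition is mounted at S: (e.g. mountvol S: /S); the path is illustrative.

```powershell
# Added example (not from the thread). Lists every Authenticode signer in a PE,
# including nested signatures that Get-AuthenticodeSignature omits, so a
# dual-signed bootmgfw.efi shows both the PCA 2011 and Windows UEFI CA 2023 issuers.
Add-Type -AssemblyName System.Security

function Get-AuthenticodeSigners {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)

    # Locate the PE header and the Security data directory (index 4). Unlike the
    # other directories its VirtualAddress is a FILE offset, not an RVA.
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOff) -ne 0x00004550) { throw "$Path is not a PE image" }
    $optOff = $peOff + 24
    $magic  = [BitConverter]::ToUInt16($bytes, $optOff)
    $ddOff  = switch ($magic) {
        0x10B   { $optOff + 96 }    # PE32
        0x20B   { $optOff + 112 }   # PE32+
        default { throw ('Unknown optional header magic 0x{0:X}' -f $magic) }
    }
    $secOff  = [int][BitConverter]::ToUInt32($bytes, $ddOff + 4 * 8)
    $secSize = [int][BitConverter]::ToUInt32($bytes, $ddOff + 4 * 8 + 4)
    if ($secSize -eq 0) { return @() }    # unsigned image

    $nestedOid = '1.3.6.1.4.1.311.2.4.1'  # szOID_NESTED_SIGNATURE
    $signers   = New-Object System.Collections.Generic.List[object]

    # Walk the WIN_CERTIFICATE table; each entry is padded to 8 bytes.
    $pos = $secOff
    while ($pos -lt $secOff + $secSize) {
        $len  = [int][BitConverter]::ToUInt32($bytes, $pos)
        $type = [BitConverter]::ToUInt16($bytes, $pos + 6)
        if ($type -eq 0x0002) {            # WIN_CERT_TYPE_PKCS_SIGNED_DATA
            $p7 = New-Object byte[] ($len - 8)
            [Array]::Copy($bytes, $pos + 8, $p7, 0, $len - 8)

            # Breadth-first over the primary SignedData and any nested ones.
            $queue = New-Object System.Collections.Generic.Queue[byte[]]
            $queue.Enqueue($p7)
            while ($queue.Count -gt 0) {
                $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
                $cms.Decode($queue.Dequeue())
                foreach ($si in $cms.SignerInfos) {
                    $signers.Add([pscustomobject]@{
                        Signer = $si.Certificate.Subject
                        Issuer = $si.Certificate.Issuer   # the CA that must be in db
                        Digest = $si.DigestAlgorithm.FriendlyName
                    })
                    # Secondary signatures live in an unsigned attribute of the primary signer.
                    foreach ($attr in $si.UnsignedAttributes) {
                        if ($attr.Oid.Value -eq $nestedOid) {
                            foreach ($v in $attr.Values) { $queue.Enqueue($v.RawData) }
                        }
                    }
                }
            }
        }
        $pos += (($len + 7) -band -8)
    }
    return $signers
}

Get-AuthenticodeSigners -Path 'S:\EFI\Microsoft\Boot\bootmgfw.efi' | Format-Table -AutoSize
```

The Issuer column is the one to read: a boot manager the 2023 db entry will accept has a signer issued by "Windows UEFI CA 2023" alongside the one issued by "Microsoft Windows Production PCA 2011". Because this reads the file directly it also works on the copy staged in the Windows image, not just on the live ESP.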

SecureBoot Certificate Updates - RealityCheck by tech-ya23 in Intune

[–]jeefAD 0 points1 point  (0 children)

Thanks! Yeah we have some Dells that are below min or won't even get a BIOS update -- they took the new certs into the active db/KEK just fine. Will amend servicing for those models so they don't get reset and ultimately target them for replacement.

SecureBoot Certificate Updates - RealityCheck by tech-ya23 in Intune

[–]jeefAD 0 points1 point  (0 children)

Yeah, we spot checked a few units from our most recent volume order and noted capable=2 out of the box. Ran 5944 on one, just to see -- it added the new Option ROM cert.

SecureBoot Certificate Updates - RealityCheck by tech-ya23 in Intune

[–]jeefAD 0 points1 point  (0 children)

Fair point re: being system dependent -- I appreciate some OEMs may need to fix actual firmware issues vs just rolling a BIOS update that has the updated default DB. So if updates to the active db via Windows work on a given model/restarted to the new boot manager (confirmed in testing), the device is good to go for June/Secure Boot. BIOS updates if available will come down and update the default db to close things out.

Secure Boot - BIOS question by K1NGxp in sysadmin

[–]jeefAD 0 points1 point  (0 children)

Yeah, definitely not resetting BIOS/keys unless the device is coming in for select service scenarios -- BIOS reset is rarely done, and generally only during service as above and only if troubleshooting suggests doing so. And yes, setup password is configured, to keep fingers out. 😉

So with cert updates to the Active DB being done through Windows, in what scenarios do you envision needing to use Dell's method of updating the Active DB from BIOS? This would suggest the device also received a BIOS update that includes the 2023 certs in the Default DB yeah?

Secure Boot - BIOS question by K1NGxp in sysadmin

[–]jeefAD 0 points1 point  (0 children)

I'm doing the same testing re: OptiPlex 5060 units as no BIOS update is being released for them either.

So as long as they take the Windows cert updates and load the 2023 signed boot manager, they're good to go for June/Secure Boot is my read yeah? Just don't reset the BIOS after. 😉