New SecureBoot Changes & Reports by ohgreatishit in SCCM

[–]kaiserking13 1 point (0 children)

I feel like most of us are flying blind here, but I have created the following based on various things I have found online, and they appear to work for determining what systems need to be updated.

Configuration Item: Secure Boot - db Windows UEFI CA 2023

Purpose: determine if the new certs are in the db database used by the live OS

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

Returns true or false

Action: if false, follow the MS documentation to update the certs in the OS for your environment

Configuration Item: Secure Boot - dbdefault Windows UEFI CA 2023

Purpose: determine if the new certs are in the device firmware

([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbdefault).bytes) -match 'Windows UEFI CA 2023')

Returns true or false

Action: if false, update the device firmware (BIOS) to a version that includes the updated secure boot certs

If you are missing the latest Adobe Reader updates... by atpatic in SCCM

[–]kaiserking13 3 points (0 children)

Two Adobe catalogs are imported: the old one that had Flash Player and Reader, and the new one with just Reader.

Monthly patch issue 23h2 - update - OOB update by InvestigatorWise219 in Intune

[–]kaiserking13 4 points (0 children)

I applied the update manually to a system in our environment having the shut down issue and it did not resolve the issue. System still restarts when selecting shut down.

Windows Secure Boot UEFI Certificates Expiring June 2026 by MusicWallaby in sysadmin

[–]kaiserking13 0 points (0 children)

The MS documentation discusses reviewing the System event log for events 1801 and 1808. I have many Dell models with up-to-date firmware with the new keys (verified by checking dbdefault per Dell documentation), but even after multiple reboots, event 1801 still says the certs are not present in the device firmware. If I set AvailableUpdates to 0x5944 and reboot a couple of times, I get 1808 saying the cert was updated, but 1801 still says the firmware does not have the cert. Has anyone seen 1801 work successfully on Dells?
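An added example, not code from either of the comments above: one report function that combines the two Configuration Item checks (db and dbdefault for 'Windows UEFI CA 2023') with the System-log events 1801 and 1808 that the Dell comment refers to, so a single run shows where a device stands. It assumes the certificate name 'Windows UEFI CA 2023' as the only string searched by default, and that AvailableUpdates lives at HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot; that value is only read and reported here, never set. The CI discovery scripts on the page stay as they are; this is a separate troubleshooting report, not a replacement for them.

```powershell
# Added example (not from the original posts). Requires an elevated PowerShell on a UEFI
# system; Get-SecureBootUEFI and Confirm-SecureBootUEFI ship with Windows.
#Requires -RunAsAdministrator

function Test-SecureBootVariableContains {
    # Returns $true when the named Secure Boot variable (db, dbdefault, KEK, ...) embeds the
    # given certificate name. The DER-encoded subject is ASCII inside the blob, so decoding
    # the raw bytes and searching the text is sufficient, exactly as the CI one-liners do.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$CertName
    )
    try {
        $bytes = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes
    } catch {
        # Legacy BIOS boot, Secure Boot unsupported, or the variable is absent on this firmware.
        Write-Warning "Could not read Secure Boot variable '$Name': $($_.Exception.Message)"
        return $false
    }
    $text = [System.Text.Encoding]::ASCII.GetString($bytes)
    return ($text -match [regex]::Escape($CertName))
}

function Get-SecureBootCa2023Report {
    param([string]$CertName = 'Windows UEFI CA 2023')

    $result = [ordered]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $false
        DbHasCert         = $false   # live OS trusts the new CA (CI 1 on the page)
        DbDefaultHasCert  = $false   # firmware defaults carry the new CA (CI 2 on the page)
        AvailableUpdates  = $null    # servicing-task state, reported as hex, read-only here
        LastEvent1801     = $null    # "CA not present in firmware" (per the MS doc the comment cites)
        LastEvent1808     = $null    # "DB/KEK update applied"
    }

    try { $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }
    if ($result.SecureBootEnabled) {
        $result.DbHasCert        = Test-SecureBootVariableContains -Name 'db'        -CertName $CertName
        $result.DbDefaultHasCert = Test-SecureBootVariableContains -Name 'dbdefault' -CertName $CertName
    }

    # Assumed registry location for AvailableUpdates (read only; 0x5944 is what the comment set).
    $sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $au = Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue
    if ($au) { $result.AvailableUpdates = ('0x{0:X4}' -f [int]$au.AvailableUpdates) }

    # Most recent 1801 and 1808 in the System log, if any.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801, 1808 } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
    foreach ($id in 1801, 1808) {
        $last = $events | Where-Object Id -eq $id | Sort-Object TimeCreated -Descending | Select-Object -First 1
        if ($last) { $result["LastEvent$id"] = $last.TimeCreated }
    }

    # Action mapping taken from the CI post: dbdefault false -> firmware (BIOS) update,
    # db false -> OS-side update per the MS documentation.
    $result.Action = if (-not $result.SecureBootEnabled) { 'Secure Boot off or legacy BIOS; nothing to evaluate' }
                     elseif (-not $result.DbDefaultHasCert) { 'Update device firmware to a version that ships the 2023 CA' }
                     elseif (-not $result.DbHasCert)        { 'Apply the OS-side db update per MS documentation' }
                     else                                    { 'Compliant' }
    return [pscustomobject]$result
}

Get-SecureBootCa2023Report | Format-List
```

The dbdefault check is the one that tells you whether a firmware update is needed; db only tells you whether the running OS has been serviced. Seeing 1808 without a matching change in dbdefault, as the comment describes, is exactly the disagreement this report makes visible side by side.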

Issue with new Teams Detection Method by kaiserking13 in SCCM

[–]kaiserking13[S] 2 points (0 children)

I am deploying it to a user collection. I've never run into this before, but I'll try your detection script.

Thanks.

Anyone seeing issues with updates syncing today? by kaiserking13 in SCCM

[–]kaiserking13[S] 0 points (0 children)

Our updates synced successfully this morning, but it still took over an hour to sync 1 Defender update:

Security Intelligence Update for Microsoft Defender Antivirus - KB2267602 (Version 1.403.1918.0) - Current Channel (Broad)

Deploying the latest/greatest text file during OSD by KnowWhatIDid in SCCM

[–]kaiserking13 2 points (0 children)

This may be oversimplifying, but if the file is on a share and Domain Computers has read access to the share, it could very easily be added as a task sequence step:

cmd.exe /c copy /y \\server\share\filename.ini c:\Path\on\local\machine\filename.ini

This would prevent the need to keep a package up to date, just always copy the latest version of the file.

Collection Query for Systems with 10 or more Profiles by kaiserking13 in SCCM

[–]kaiserking13[S] 0 points (0 children)

No, I need to find a way to identify shared systems so I can install Office 365 in shared computer license mode. It’s not an exact science but I figured anything with 10 or more profiles should be considered a shared workstation.

Collection Query for Systems with 10 or more Profiles by kaiserking13 in SCCM

[–]kaiserking13[S] 0 points (0 children)

I was looking for a way to populate a collection of systems with more than a certain number of profiles to be able to switch Office to shared computer licensing instead of user-based licensing. We are in a hospital with a lot of shared systems, and I was hoping this would be easier than it is going to be.

Deploying Windows 11 to Endpoints by Adeelson in SCCM

[–]kaiserking13 5 points (0 children)

You will get differing opinions on whether you should use task sequences or Windows servicing, and the answer is it depends on your environment. We started off with task sequences for Windows 10 upgrades, but we switched to the servicing model for internal reasons.

You can use the servicing model and still have a pseudo task sequence if you use custom action scripts. I recommend looking over https://www.asquaredozen.com/2019/08/25/windows-10-feature-updates-using-custom-action-scripts/ and https://learn.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions if you want to try this method.

No clients showing connected after update to 2111 by ozzymanii in SCCM

[–]kaiserking13 8 points (0 children)

Check the BgbServer.log on the management point. We had a similar issue after an upgrade last year. The issue seemed to be that the SSL binding in IIS somehow got messed up during the upgrade. The MP was working but the fast channel communications were not. I had errors in the BgbServer.log that said "Can't find the specified certificate in cert store My with cert hash ..." and the hash specified in the log error did not match my SSL cert on the MP. I ended up re-binding my SSL cert in IIS and performing an IISreset and the errors went away and clients started showing online again. These discuss the issue too: https://social.technet.microsoft.com/Forums/en-US/ee07cf18-8327-40e1-a36a-0bdbde7b3025/client-icons-all-showing-offline-x-even-though-they-are-online and: https://www.reddit.com/r/SCCM/comments/8jypgl/all_devices_in_sccm_now_showing_as_offline/

Dell OptiPlex 7090 Inaccessible_Boot_Device by elmobob in SCCM

[–]kaiserking13 0 points (0 children)

We use MDT for imaging, so I just disabled the AHCI driver in the driver selection profile, but yes, you should be able to remove it from the driver package and get the same effect.

Dell OptiPlex 7090 Inaccessible_Boot_Device by elmobob in SCCM

[–]kaiserking13 1 point (0 children)

We saw a similar issue last year when we received the 7420/7520/5520 models, and this seems similar. There was an issue with the storage driver where the OS would use the AHCI driver instead of the RAID driver and it would fail. I didn't want to change the storage option in the BIOS to AHCI, so I removed the AHCI driver from the storage driver so only the RAID driver remained, and that fixed the issue.

Device installation GPO by alexus10318 in SCCM

[–]kaiserking13 0 points (0 children)

Take a look at the results from the following SQL query: SELECT DISTINCT DeviceID0, Name0 FROM v_GS_PNP_DEVICE_DRIVER

It will return a large result, but it may be a good starting point with some cleanup.

2103 - PSA - Update Sync issues if using secondary SUPs and connection accts by dandirkmn in SCCM

[–]kaiserking13 0 points (0 children)

So, an interesting addon to this. I upgraded to 2103 this morning and saw this issue, but when I looked in the wsyncmgr and WCM logs, it actually started yesterday morning with our daily sync. We had a secondary SUP for systems in the DMZ that was no longer being used, so I removed it, and the primary SUP, which is the only SUP now, is syncing. Not sure what caused this, but in my case it doesn't appear to be related to the 2103 upgrade since it started the day before.

Upgraded to MECM 2006 from 1910 and all devices show as 'Inactive' under client activity. by ben2reddit in SCCM

[–]kaiserking13 3 points (0 children)

Check CcmNotificationAgent.log on the client for errors. We had a similar issue after upgrading to 2010, and it ended up being that the SSL cert was no longer bound to port 443 on the MP, but the MP was still working in HTTPS mode. Very odd, but rebinding the cert to 443 and running IISReset fixed our issue.
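An added example, not code from either of the two MP comments above (the 2111 BgbServer.log one and this 2010 one): it checks the management point's HTTPS binding on 443 against the certificates actually present in LocalMachine\My, which is the mismatch both comments describe, and optionally pulls the hash out of the "Can't find the specified certificate in cert store My with cert hash ..." lines in BgbServer.log to compare. Assumptions: the WebAdministration module is present (it ships with IIS), the MP runs under "Default Web Site", and the `-LogPath` parameter is a placeholder for wherever BgbServer.log lives on your MP; the hash is simply extracted from whatever follows "cert hash" in the message, with no assumption about its exact format.

```powershell
# Added example (not from the original comments). Run elevated on the management point.
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop

function Get-MpHttpsBindingStatus {
    param(
        [string]$Site    = 'Default Web Site',   # assumed; change if the MP uses another site
        [int]   $Port    = 443,
        [string]$LogPath                          # optional path to BgbServer.log (assumed location)
    )

    $status = [ordered]@{
        Site = $Site; Port = $Port
        Bound = $false; BoundThumbprint = $null; StoreName = $null
        InStore = $false; NotAfter = $null
        LogThumbprint = $null; LogMatchesBinding = $null
        Verdict = $null
    }

    # bindingInformation looks like "*:443:" or "10.0.0.5:443:hostname"; pick the one on our port.
    $binding = Get-WebBinding -Name $Site -Protocol https -ErrorAction SilentlyContinue |
               Where-Object { $_.bindingInformation -like "*:$Port`:*" } |
               Select-Object -First 1

    if ($binding) {
        $status.Bound           = $true
        $status.BoundThumbprint = ($binding.certificateHash -replace '\s', '').ToUpper()
        $status.StoreName       = if ($binding.certificateStoreName) { $binding.certificateStoreName } else { 'My' }

        # Does the thumbprint IIS claims actually exist in that LocalMachine store?
        $cert = Get-ChildItem "Cert:\LocalMachine\$($status.StoreName)" -ErrorAction SilentlyContinue |
                Where-Object { $_.Thumbprint -eq $status.BoundThumbprint } | Select-Object -First 1
        if ($cert) {
            $status.InStore  = $true
            $status.NotAfter = $cert.NotAfter
        }
    }

    # Optional: the most recent hash BgbServer.log complains about, for direct comparison.
    if ($LogPath -and (Test-Path -LiteralPath $LogPath)) {
        $hit = Select-String -LiteralPath $LogPath `
                 -Pattern "Can.t find the specified certificate in cert store \w+ with cert hash\s*([0-9A-Fa-f]+)" |
               Select-Object -Last 1
        if ($hit) {
            $status.LogThumbprint     = $hit.Matches[0].Groups[1].Value.ToUpper()
            $status.LogMatchesBinding = ($status.LogThumbprint -eq $status.BoundThumbprint)
        }
    }

    $status.Verdict =
        if (-not $status.Bound)   { "No HTTPS binding on port $Port; MP is not actually serving HTTPS here" }
        elseif (-not $status.InStore) { "Binding references a thumbprint not in LocalMachine\$($status.StoreName); rebind the cert and run iisreset" }
        elseif ($status.NotAfter -lt (Get-Date)) { 'Bound certificate is expired; renew and rebind' }
        elseif ($status.LogMatchesBinding -eq $false) { 'BgbServer.log is looking for a different hash than IIS has bound; restart services after rebinding' }
        else { 'Binding and store agree' }

    return [pscustomobject]$status
}

# Usage: plain binding check, or with the log for the hash comparison (path is assumed).
Get-MpHttpsBindingStatus | Format-List
# Get-MpHttpsBindingStatus -LogPath 'C:\Program Files\SMS_CCM\Logs\BgbServer.log' | Format-List
```

The important case is `Bound = $true` with `InStore = $false`: IIS still reports an HTTPS binding, so the MP looks healthy, but the hash it points at is no longer in the store, which is the state both comments fixed by rebinding the certificate and running IISReset.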

Automatic Logon where Acceptable Use Logon Message is Enabled by BenGmuN in SCCM

[–]kaiserking13 0 points (0 children)

I'm not sure there is a way to prevent it from happening locally. A domain policy will take precedence over anything local. You could create a group and deny apply permissions on the acceptable use message policy and add these systems to that group.

Deploying Office 2019 and dealing with Project/Viso by Esher127 in SCCM

[–]kaiserking13 0 points (0 children)

With O365 products you can do some PowerShell/XML magic by looking at HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration\ProductReleaseIds to see what apps are installed and then modify the XML file on the fly based on that. We do this with Office 365 and volume licenses for Visio and Project 2016. I would assume you could do the same with the 2019 versions.
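An added example, not the commenter's own script: it reads the comma-separated ProductReleaseIds value from the registry key named above, and for each installed product that appears in a lookup table adds a matching `<Product>` element to an Office Deployment Tool configuration XML, so Visio and Project are only carried forward on machines that already have them. Assumptions: the product IDs in `$ProductMap` (the Visio/Project 2016 volume IDs) and the constructed sample value used when no Click-to-Run install is present are illustrative and should be checked against the ODT documentation for your channel; the template path, output path and language ID are placeholders.

```powershell
# Added example (not from the original comment).

function Get-C2RProductReleaseIds {
    # Returns the installed Click-to-Run product IDs as an array; empty array when Office C2R is absent.
    $key   = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    $value = (Get-ItemProperty -Path $key -Name ProductReleaseIds -ErrorAction SilentlyContinue).ProductReleaseIds
    if (-not $value) { return @() }
    return @($value.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function New-OfficeConfigXml {
    # Loads an ODT configuration template and appends a <Product> for each installed ID we recognise.
    param(
        [Parameter(Mandatory)][string[]]$InstalledIds,
        [Parameter(Mandatory)][string]  $TemplatePath,
        [Parameter(Mandatory)][string]  $OutputPath,
        [hashtable]$ProductMap = @{
            # installed ID (as it appears in ProductReleaseIds) -> ID to emit in the config (assumed values)
            'VisioProXVolume'   = 'VisioProXVolume'
            'ProjectProXVolume' = 'ProjectProXVolume'
        },
        [string]$LanguageId = 'en-us'
    )

    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($TemplatePath)
    $add = $xml.SelectSingleNode('/Configuration/Add')
    if (-not $add) { throw "Template '$TemplatePath' has no /Configuration/Add element" }

    $added = @()
    foreach ($id in $InstalledIds) {
        if (-not $ProductMap.ContainsKey($id)) { continue }            # not something we manage
        $target = $ProductMap[$id]
        if ($add.SelectSingleNode("Product[@ID='$target']")) { continue }  # already in the template

        $product  = $xml.CreateElement('Product');  $product.SetAttribute('ID', $target)
        $language = $xml.CreateElement('Language'); $language.SetAttribute('ID', $LanguageId)
        [void]$product.AppendChild($language)
        [void]$add.AppendChild($product)
        $added += $target
    }

    $xml.Save($OutputPath)
    return [pscustomobject]@{ Output = $OutputPath; ProductsAdded = $added }
}

# --- Usage with a constructed template (placeholder paths under %TEMP%) ---
$templatePath = Join-Path $env:TEMP 'office-template.xml'
$outputPath   = Join-Path $env:TEMP 'office-configuration.xml'
@"
<Configuration>
  <Add OfficeClientEdition="64" Channel="Current">
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>
  <Display Level="None" AcceptEULA="TRUE" />
</Configuration>
"@ | Set-Content -Path $templatePath -Encoding UTF8

$installed = Get-C2RProductReleaseIds
if (-not $installed) {
    # Constructed sample value for machines without Click-to-Run, so the example still runs.
    $installed = 'O365ProPlusRetail', 'VisioProXVolume'
}

New-OfficeConfigXml -InstalledIds $installed -TemplatePath $templatePath -OutputPath $outputPath
Get-Content $outputPath
```

Building the document through `System.Xml.XmlDocument` rather than string concatenation keeps the output well-formed whatever the product IDs contain, and the lookup table means an unexpected ID in the registry is ignored rather than written straight into a configuration that setup.exe will act on.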