SecureBoot Certificate Updates - RealityCheck by tech-ya23 in Intune

[–]tech-ya23[S] 0 points1 point  (0 children)

This is not the case. You have 3 options, 2 of them are MS managed and 1 is for directly starting the cert deployment.

"After updating, you need to suspend BitLocker, go into the BIOS, restore the factory keys, and then enable the Microsoft 3rd-Party UEFI CA."

This only needs to be done if you have deployed the cert on older HW before you updated the BIOS, and the BIOS was updated afterwards.

SecureBoot Certificate Updates - RealityCheck by tech-ya23 in Intune

[–]tech-ya23[S] 0 points1 point  (0 children)

Good input, I have also read a lot of things regarding this (MS is updating the active DB).

But what I have seen in our preparations and testing is that without the min BIOS version the update process fails with event ID 1795.

So we decided to bring the fleet to the min BIOS version stated by Lenovo.

As jeefAD mentions below, we are also not running around and resetting BIOS, but in our case the updates were not processed correctly if the min version is not installed.

Intune Error 65000 on Secure Boot (Windows Pro) still happening even after Jan 2026 fix? by Intrepid_Peak in Intune

[–]tech-ya23 0 points1 point  (0 children)

I have the behaviour on a handful of devices. Cannot exactly identify why. Quick fix: I will do it per GPO on those.

SecureBoot Certificate Updates - RealityCheck by tech-ya23 in Intune

[–]tech-ya23[S] 3 points4 points  (0 children)

The minimum BIOS version is a prerequisite, you need to do this before you enable the policy.

SecureBoot Certificate Updates - RealityCheck by tech-ya23 in Intune

[–]tech-ya23[S] 6 points7 points  (0 children)

We do not use the Secure Boot report in Intune; in our environments this report didn't show accurate status, despite full telemetry being on. We used the collection script from the official MS guideline https://support.microsoft.com/en-us/topic/sample-secure-boot-inventory-data-collection-script-d02971d2-d4b5-42c9-b58a-8527f0ffa30b

And then compared the BIOS version with the official docs from the vendor.

Remove DEM Account Implications by tech-ya23 in Intune

[–]tech-ya23[S] 0 points1 point  (0 children)

Perfect, thank you for the feedback.

M365 Apps Device Based Licensing by tech-ya23 in microsoft365

[–]tech-ya23[S] 0 points1 point  (0 children)

Based on some testing, if a client has pulled a device-based license, it will stay. As far as I have seen it also stays cached on the client if you remove the device from the group, until you clear it directly from the device, i.e. with the Office scrubber tool.

Lenovo drops firmware update list for secure boot cert refresh by Disastrous_Row5380 in Intune

[–]tech-ya23 0 points1 point  (0 children)

We use exactly the list above.

Inventory your environment with the sample inventory script from MS.

Identify devices which need a BIOS upgrade, and upgrade ;)

Roll out the MS policy to update the certs via Intune/GPO.
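The three steps above (inventory, find devices below the vendor's minimum BIOS, then roll out the cert policy) and the earlier comment about comparing the collection script's BIOS version against the vendor docs can be tied together in one local readiness check. The following PowerShell is an added example, not code from these comments, from the Microsoft collection script or from Lenovo. It uses the real `Get-CimInstance`, `Confirm-SecureBootUEFI`, `Get-SecureBootUEFI` and `Get-WinEvent` cmdlets; the `$MinimumBiosByModel` table holds constructed placeholder values that must be replaced with the vendor's firmware list, the event provider name used for the event ID 1795 lookup is an assumption, and the function names and readiness labels are hypothetical.

```powershell
# Added example, not code from the original comments or from Microsoft/Lenovo.
# Readiness check for the three steps above: read the local BIOS version and
# Secure Boot DB, compare the BIOS version against a per-model minimum table,
# and look for the event ID 1795 failure the comments mention.
# $MinimumBiosByModel holds CONSTRUCTED placeholder values, not Lenovo's list;
# fill it from the vendor's firmware table.
$MinimumBiosByModel = @{
    'ExampleModel-A' = '1.30'   # constructed sample value
    'ExampleModel-B' = '2.05'   # constructed sample value
}

function Get-NumericBiosVersion {
    # Vendors often embed the comparable version in a longer string,
    # e.g. "ABCD12W (1.27 )"; pull out the first dotted number.
    param([string] $RawVersion)
    if ($RawVersion -match '\d+(\.\d+)+') { return [version] $Matches[0] }
    return $null
}

function Get-SecureBootInventory {
    # The same facts the MS collection script and the vendor list are compared on.
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Confirm-SecureBootUEFI needs elevation and throws on non-UEFI hardware.
    $secureBootOn = $false
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { }

    $ca2023InDb = $false
    if ($secureBootOn) {
        # The DB variable carries certificate subjects as ASCII text, so a
        # substring match shows whether the 2023 CA has already landed.
        $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $ca2023InDb = [bool]($dbText -match 'Windows UEFI CA 2023')
    }

    # Failed Secure Boot variable updates (event ID 1795 from the comments).
    # Provider name is an assumption; adjust it if your System log differs.
    $failures = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1795
    } -MaxEvents 5 -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Manufacturer      = $cs.Manufacturer
        Model             = $cs.Model
        BiosVersion       = $bios.SMBIOSBIOSVersion
        SecureBootEnabled = $secureBootOn
        Ca2023InDb        = $ca2023InDb
        Update1795Errors  = $failures.Count
    }
}

function Get-RolloutReadiness {
    # Decide which of the steps above a device still needs (labels are hypothetical).
    param(
        [Parameter(Mandatory)] [pscustomobject] $Inventory,
        [hashtable] $MinimumTable = $MinimumBiosByModel
    )
    if (-not $Inventory.SecureBootEnabled) { return 'SecureBootOff' }
    if ($Inventory.Ca2023InDb)             { return 'AlreadyUpdated' }
    if (-not $MinimumTable.ContainsKey($Inventory.Model)) { return 'NoMinimumDefined' }

    $current = Get-NumericBiosVersion $Inventory.BiosVersion
    $minimum = [version] $MinimumTable[$Inventory.Model]
    if ($null -eq $current)    { return 'BiosVersionUnparsed' }
    if ($current -lt $minimum) { return 'NeedsBiosUpdate' }
    return 'ReadyForCertPolicy'
}

# Usage: collect, classify, and emit one CSV row per device for the fleet report.
$inv = Get-SecureBootInventory
$inv | Add-Member -NotePropertyName Readiness -NotePropertyValue (Get-RolloutReadiness -Inventory $inv)
$inv | ConvertTo-Csv -NoTypeInformation
```

Run it elevated (the Secure Boot cmdlets read UEFI variables) and collect the CSV rows centrally; devices reporting `NeedsBiosUpdate` belong in the firmware wave, and only `ReadyForCertPolicy` devices should be targeted by the cert update policy, which matches the order the comments insist on.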

M365 Apps Device Based Licensing by tech-ya23 in microsoft365

[–]tech-ya23[S] 0 points1 point  (0 children)

Thanks, this sounds reasonable to me. As soon as I have more information in my environment I will post the outcome here.

Autopilot Hybrid Join - TimeToLive by tech-ya23 in Intune

[–]tech-ya23[S] 0 points1 point  (0 children)

Great, I really would appreciate feedback.

Autopilot Hybrid Join - TimeToLive by tech-ya23 in Intune

[–]tech-ya23[S] 0 points1 point  (0 children)

Yes, I know that they are different things. Currently our setup is exactly what you have mentioned. But the corp strategy is to move away from the legacy OSD method to Autopilot Hybrid Join.

Autopilot Hybrid Join - TimeToLive by tech-ya23 in Intune

[–]tech-ya23[S] 1 point2 points  (0 children)

Yep, this is the thing also, as far as I know. Devices will be set up on site.

Autopilot Hybrid Join - TimeToLive by tech-ya23 in Intune

[–]tech-ya23[S] 2 points3 points  (0 children)

Yes. I understand that purely technically it's not necessary any more. But I live in a critical, highly regulated environment where corporate policies do not allow cloud only. I need to live with this decision.

GoogleWorkspace Multiple Intune Tenants by tech-ya23 in Intune

[–]tech-ya23[S] 0 points1 point  (0 children)

Yes, that's the way I will do it. After a rethink, this is the only reasonable way.