Secure Boot - BIOS question
Posted by K1NGxp@reddit | sysadmin | 6 comments
Hello all,
I have a question about the device's firmware when it comes to updating the Secure Boot certificates, specifically the difference between Active Secure Boot and Default. I understand that Microsoft is handling the update of the Active Secure Boot certs through their updates, but when a device shows as up to date (either in the Intune report or through SCCM compliance with the UEFICA2023Status registry value), does that mean it's fully updated (Active AND Default) or is MS just reporting on the Active side?
EidorianSeeker@reddit
Dell explicitly states they are going to provide the updates for the default database and will include it as a note on the driver page.
https://www.dell.com/support/kbdoc/en-us/000347876/microsoft-2011-secure-boot-certificate-expiration
Microsoft considers non-domain computers as "managed by Microsoft."
https://support.microsoft.com/en-us/topic/frequently-asked-questions-about-the-secure-boot-update-process-b34bf675-b03a-4d34-b689-98ec117c7818
Microsoft is only doing the attestation on the software side and then enforcement at boot.
jeefAD@reddit
I'm doing the same testing re: OptiPlex 5060 units as no BIOS update is being released for them either.
So as long as they take the Windows cert updates and load the 2023 signed boot manager, they're good to go for June/Secure Boot is my read yeah? Just don't reset the BIOS after. 😉
EidorianSeeker@reddit
Just don't reset Secure Boot or reset the keys. You'll get a secure boot signature warning. This happens even on systems with the UEFI CA 2023 dbdefaults in firmware after Windows is enforcing the new active certs. I tested this on an OptiPlex 7490.
https://www.dell.com/support/kbdoc/en-us/000368610/how-to-update-secure-boot-active-database-from-bios
So it comes down to your BIOS password keeping curious or malicious eyes out of clearing out the active keys being used in the Secure Boot process.
jeefAD@reddit
Yeah, definitely not resetting BIOS/keys unless the device is coming in for select service scenarios -- BIOS reset is rarely done, and generally only during service as above and only if troubleshooting suggests doing so. And yes, setup password is configured, to keep fingers out. 😉
So with cert updates to the Active DB being done through Windows, in what scenarios do you envision needing to use Dell's method of updating the Active DB from BIOS? This would suggest the device also received a BIOS update that includes the 2023 certs in the Default DB yeah?
jamesaepp@reddit
HTH: https://youtu.be/EscGJTKHPdw?t=942
Gakamor@reddit
I would assume that Microsoft is only reporting on the active database since Windows cannot update the default databases. Updating the default database is typically done with a BIOS/firmware update.
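The OP's question (is a device reporting "up to date" also updated in the Default database?) and Gakamor's point that Windows only reports on the Active database can both be checked locally. The following is an added example, not code from the thread or from Microsoft or Dell: it reads the Active (db) and Default (dbDefault) signature databases through the SecureBoot module, looks for the 2011 and 2023 Microsoft CAs in each, and then reads the UEFICA2023Status value that the Intune/SCCM compliance checks are based on. Assumptions: `Get-SecureBootUEFI` accepts the `dbDefault` variable name on this firmware (not every platform exposes the *Default variables), and the registry path below is the one I understand Microsoft's Secure Boot servicing documentation to use for UEFICA2023Status (the thread names only the value, not the path). Run it elevated.

```powershell
# Added example (not from the thread): compare the Active (db) and Default (dbDefault)
# Secure Boot signature databases for the Microsoft CAs, then read Windows' own
# servicing status value. Requires the SecureBoot module and an elevated session.
#Requires -RunAsAdministrator

function Test-CertInSecureBootDb {
    param(
        [Parameter(Mandatory)][string]$VariableName,   # 'db' (Active) or 'dbDefault' (Default)
        [Parameter(Mandatory)][string]$Pattern         # CA subject text, e.g. 'Windows UEFI CA 2023'
    )
    try {
        # Assumption: the firmware exposes this variable; 'dbDefault' is not guaranteed everywhere.
        $var = Get-SecureBootUEFI -Name $VariableName -ErrorAction Stop
    } catch {
        return [pscustomobject]@{
            Variable = $VariableName; Pattern = $Pattern; Present = $null
            Error    = $_.Exception.Message
        }
    }
    # Certificate subjects are stored as plain ASCII inside the DER blobs in the
    # EFI_SIGNATURE_LIST, so a string match over the raw bytes is enough to tell
    # whether a given CA is listed.
    $text = [System.Text.Encoding]::ASCII.GetString($var.bytes)
    [pscustomobject]@{
        Variable = $VariableName; Pattern = $Pattern
        Present  = ($text -match [regex]::Escape($Pattern)); Error = $null
    }
}

$cas = 'Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023'
$results = foreach ($dbName in 'db', 'dbDefault') {
    foreach ($ca in $cas) { Test-CertInSecureBootDb -VariableName $dbName -Pattern $ca }
}
$results | Format-Table -AutoSize

# Windows' servicing status, which is what the Intune report / SCCM compliance item reads.
# Assumption: this is the registry location Microsoft's servicing guidance uses for the value.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$status = (Get-ItemProperty -Path $svcKey -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status
if ($null -eq $status) { $status = '<value not present>' }
"UEFICA2023Status: $status"

# Interpretation: '2023 CA present in db but absent from dbDefault' is exactly the state
# EidorianSeeker describes, where a BIOS 'reset Secure Boot / restore keys' would drop the
# 2023 CA from the Active database and the 2023-signed boot manager would then fail to verify.
```

Reading the table together with the status value answers the OP's question for one machine: a device can legitimately show `UEFICA2023Status = Updated` while `dbDefault` still lists only the 2011 CA, because the servicing status describes what Windows wrote into the Active database, not what the OEM shipped in the firmware defaults. Pairing this with a BIOS setup password (as jeefAD does) is what keeps the Active database from being reset back to those defaults.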