FYI: Enabling Windows Hotpatch while Update Secure Boot Certs Might Not Be a Great Combination
Posted by bdam55@reddit | sysadmin | View on Reddit | 9 comments
Last month, the Intune product team globally modified everyone's tenant to enable Hotpatch by default. Arguably the 'right' thing to do as it will get devices secure faster.
However, the updates to the Secure Boot certificate whitelist are delivered in the monthly CUs. Since that whitelist is not considered 'security' they are only delivered via the quarterly Hotpatch baseline update.
Further, although it doesn't eliminate reboots (ex. .NET updates) it does generally reduce them. Hotpatch requires an indeterminate number of reboots after Windows Update applies the cert. Average seems to be two, but sometimes more.
If you are currently scrambling to get across the finish line, and based on my conversations that's pretty much everyone, this might not be the greatest time to have Hotpatch enabled. That is to say, at a time when you need monthly LCUs and a bunch reboots you might not want to move to a quarterly reboot less model.
itskdog@reddit
Switching everyone to Hotpatch by default should have waited until after the summer.
xfilesvault@reddit
Probably too many important security updates to patch vulnerabilities found by AI, all coming out soon.
itskdog@reddit
Interesting idea. In that case, why not move it out of Autopatch and make it the default?
Tbf, being restartless, they could even keep monthly reboots but release the security fix as soon as it's ready.
SolidKnight@reddit
Or just let you apply CUs monthly anyway. I don't care how many times a random laptop needs to restart. Eliminating a single monthly CU restart is hardly a productivity boon.
itskdog@reddit
It's not about productivity, or reducing reboots. BIOS updates and .NET updates may still require a reboot. This is about getting the security flaw patched quicker.
bdam55@reddit (OP)
So yea, the timing is absolutely unfortunate and even the product team admitted that when I brought this to them. But the reality is that all the machinations to make it happen were locked into place months ago. It wasn't a train anyone at MS was willing to step in front of.
Took a while to get actual confirmation that Hotpatch would have negative delaying effects on Secure Boot but now that I'm confident ... trying to get the word out.
I present twice in the last two weeks to user groups on this topic and both times no one had actually finished rolling out the new Secure Boot certs. Most were just starting to start; some didn't even realize that Servers were in scope. It's about to get messy.
bjc1960@reddit
We are still trying to get some April systems updated. I had Claude create a detect/remediate to force the May MSU down to some devices. It is working. I notice however the KB for the full patch is not the same has the hotfix one.
HumbleSpend8716@reddit
sigh
bdam55@reddit (OP)
Right: the Hotpatch stream of patches are _not_ the same as the non-Hotpatch LCUs, hence the different KBs and even different OS build numbers.
The monthly (non-HP) LCUs include quality and security updates whereas the monthly HP updates only include security stuff. Hotpatch devices get the quality updates in the quarterly baseline, most recently April I believe.
As this applies to Secure Boot, the whitelist info is not considered security and thus comes in the baseline.