Just found out about the bios cert expiry. God damn.

[-]

Int-Merc805@reddit

If you are using something like PDQ Deploy and Inventory (not sponsored) you can run a quick powershell scanner to check. We found a couple that were in legacy bios, about 10% that had not gotten the firmware update, and the rest of the fleet was fine.

Took me one work week to fix them all. Had to force a reboot on the lagging ones, no intervention needed otherwise.

I really feel for folks that have non-standard devices out there though. Mine are all basically the same. OCD FTW. I have heard some nightmares from other admins about dealing with lesser manufactuers issues. Dell command is one and done across the fleet.

[-]

afcujstrick@reddit

Tell us more about the powershell scanner please?

[-]

Int-Merc805@reddit

You can set up a powershell scanner that runs on heartbeat. It pulls the status of the uefi (up to date, out of date, and disabled). Then I made three dynamic inventories so I could target each. Disabled went to help desk to be physically remediated. Out of date got pushed the dell command bios update, and up to date got a crisp high five.

I’ll find the article I followed and link it. I use power shell scanners for all sorts of terrific logic!

[-]

The_Lez@reddit

The what? Fuck me am I out of the loop again?

[-]

techb00mer@reddit

It’s fair to be out of the loop. If you’re not a big MS shop or heavily into MDM there is a good chance you would never know.

I had absolutely no idea about the 980 Pro bug (https://www.tomshardware.com/news/samsung-980-pro-ssd-failures-firmware-update) which I was told everyone knew about. I found out when it was too late, and had confused looks when I took it up with my vendor like “how did you not know?”

[-]

Formal-Knowledge-250@reddit

Damn. Haven't heard of this before, too. My private device will be effected but I'm not in the country until July.

[-]

DJKaotica@reddit

I found out when an open source app started failing and I went looking for help and they were like ... that's a Windows Exception bubbling up through the app when it goes to try to read the file.

Luckily I didn't have too much damage at that point and was able to update the firmware and carry on but...yeah. I too was one of the "did not know about the 980 Pro bug" people.

[-]

freekers@reddit

Totally random, but I'm hearing about this 980 Pro bug as well for the first time. Thnx

[-]

Standard-Potential-6@reddit

Wait till you hear about the SK hynix bugs too

[-]

freekers@reddit

Dang, I also have one of those... Tell me lol

[-]

Standard-Potential-6@reddit

Write performance tanks, stops using pSLC, unless you reset/wipe the drive. Affects a few models.

https://forum.level1techs.com/t/all-sk-hynix-p41-ssds-suffer-from-write-performance-loss/225118

[-]

freekers@reddit

Thank you kind internet stranger :)

[-]

The_Lez@reddit

Nope. Just hearing about this too.

Thank you

[-]

SchlafSchafXY@reddit

First time I heard about this as well, but checks out: https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e

[-]

StatementOwn4896@reddit

Wait haven’t the new carts been out since 2023?

[-]

IDontKnowBetter@reddit

Yes but only in the last \~6 months have vendors and MS been swapping them out. Super frustrating

[-]

DevelopersOfBallmer@reddit

Not sure about others but Dell has been including them in all machines built mid 2024 onwards.

[-]

RiceeeChrispies@reddit

If you’re using Intune, it’s easy enough to resolve with the ‘Secure Boot’ policies. There is even a secure boot report under the quality updates autopatch section.

Things will still work if you miss the deadline, but obviously not great.

[-]

TheDroolingFool@reddit

I don’t disagree this has been a big help for us but be careful it’s not a magic bullet - we have a number of devices left over we need to take care of manually due to firmware updates being on hold or paused.

[-]

Gullible-Surround486@reddit

yep, the stragglers are always the pain. one paused firmware push and it turns into manual hell.

[-]

RiceeeChrispies@reddit

I’ve done a few tenants. I was surprised how well it worked for those running older firmware (2yr+) which don’t get updates anymore.

Agree though, trust but verify.

[-]

ryryrpm@reddit

We did it and had a bunch of machines reboot into bitlocker

[-]

TechAdminDude@reddit

Yeah we had ALOT of our machines also require the bitlocker key after update.

[-]

cluberti@reddit

For people doing this in the future, usually bitlocker recovery after this is because the device is using legacy PCR banks (0,2,4,11) rather than the "modern" PCR bank scheme (7,11). I like to grab some data about Bitlocker on a machine before making any changes, and I wrote a script a long time ago to grab some things.

Clear-Host

    # Get $Volume key protectors
    $KeyProtectors = Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectors
    ForEach ($ProtectorID in $KeyProtectors.VolumeKeyProtectorID)
    {
        # Get all key protectors for $BitlockerVolume
        $ProtectorItem = Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectorType -Arguments @{ VolumeKeyProtectorID = $ProtectorID }
        # Find bound TPM PCRs
        If ($ProtectorItem.KeyProtectorType -eq 1)
        {
            $PlatformValidationProfile = Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectorPlatformValidationProfile -Arguments @{ VolumeKeyProtectorID = $ProtectorID }
            $PlatformValidationProfile = $PlatformValidationProfile.PlatformValidationProfile
        }
        # Find 48-character Bitlocker numeric recovery key
        If ($ProtectorItem.KeyProtectorType -eq 3)
        {
            $NumericalPassword = Invoke-CimMethod -InputObject $Volume -MethodName GetKeyProtectorNumericalPassword -Arguments @{ VolumeKeyProtectorID = $ProtectorID }
        }
    }

    Write-Host "Bound TPM PCRs:       " -NoNewLine
    Write-Host "$($PlatformValidationProfile)" -ForegroundColor Cyan

If Bitlocker is bound to PCRs 7 and 11, it shouldn't cause a recovery if the root cert is changed, although I have seen some OEM machines that do still cause this - I don't know why that is, as it's not supposed to trigger, but the event log (Applications and Services Logs > Microsoft > Windows > BitLocker-API > Management) on a Windows 10 or 11 machine will tell you what PCR values mismatched after you have hit and gotten through recovery on the next boot, so there's always that to investigate. PCR7 is the Secure Boot measurement, so if a device isn't using PCR's 7 and 11 (11 is the Bitlocker measurement), and instead 0,2,4,11, a change of the security chain is going to trigger PCR0, or 2, or 4 and cause it to mismatch on that boot until recovery is passed.

Just my 2 cents from having to know how this works in the past.

[-]

tgulli@reddit

same, along with another issue, very model specific though as that was one area of like 100 or so devices out of 30000

[-]

RiceeeChrispies@reddit

Not had that happen yet, maybe I'm just lucky!

[-]

nope586@reddit

Yup, we've been rolling out firmware updates for weeks now to get non-compliant systems able to get the new cert.

[-]

Izual_Rebirth@reddit (OP)

Ok great. Not idea but something we need to get on ASAP.

[-]

BlackV@reddit

Do you though? Do you?

[-]

inaddrarpa@reddit

No, you should get on it ASAP, even if it doesn’t break anything.

[-]

RiceeeChrispies@reddit

that is pretty much exactly what they said

[-]

josephcoco@reddit

What group policy can be used to help with this? Is there a guide for this?

[-]

TheGeneral9Jay@reddit

Absolutely to this! I was so concerned it was going to be a huge deal then say how easy it was to spin up the configuration profile in intune. Also noticed that some devices seemed to fix themselves, as the report started shrinking without endpoints being added to config profile

[-]

BlackV@reddit

See this post

https://www.reddit.com/r/sysadmin/s/RyesmOHtKD

[-]

wrootlt@reddit

It is not like your computers/servers will stop booting. Will not be able to patch boot components, which is bad, but apparently not so bad for anyone in my company to care although i have brought it up a few times.

[-]

marklein@reddit

Make it sound bad then. "Servers will suddenly stop booting at an unexpected and unknown time" which is neither lying nor hyperbole. It's just that the time in question is probably 2+ years from now, but don't tell them that.

[-]

jgross-nj2nc@reddit

The main issue for now will be that the boot manager cannot receive updates. It should not cause an issue with the machines booting. Like anything else different cases may lead to issues, so getting this done before is obviously the best way to go.

What happens if my device doesn’t get the new Secure Boot certificates before the old ones expire?

After the Secure Boot certificates expire, devices that haven’t received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities.

Over time, this limits the device’s protection against emerging threats and may affect scenarios that rely on Secure Boot trust, such as BitLocker hardening or third-party bootloaders. Most Windows devices will receive the updated certificates automatically, and many OEMs have provided firmware updates when needed. Keeping your device current with these updates helps ensures it can continue receiving the full set of security protections that Secure Boot is designed to provide.

And yes the documentation is a little rough to get through.

[-]

tastyratz@reddit

It sounds critical like everything is going to die but in the end everything is going to boot just fine afterwards out of secure boot and Microsoft themselves only gave it a Medium CVE! That last part I was surprised to see.

[-]

xSchizogenie@reddit

It won’t be stressful. Your windows won’t stop working. It’s just not safe by default anymore.

[-]

throwaway0000012132@reddit

This is an issue for security reasons and for insurance as well, not to mention its also an issue for booting new ISOs that only have the new certs.

[-]

tastyratz@reddit

It's a medium CVE, not a high, is insurance even worried?

[-]

mjfutures@reddit

No they are not. Some insurance are opposite they try to tell clients they don’t need all the security they have. Crazy …. I see companies getting hacked weekly, not my clients.

[-]

throwaway0000012132@reddit

It's not a major risk, but the risk is there.

Over the deadline, newer security patches from Microsoft may not be signed with the old certs, meaning no more patches.

Newer firmware updates for UEFI may enforce the validation of secure boot security chain, that it will fail because of the expired patches.

In reality, nobody knows exactly the actual risk because it depends on the vendor of the hardware and the OS as well, we just know there is a risk (albeit it could be minimal or worse case scenario, it could break stuff).

Anyways, better to patch those devices before the due date.

[-]

xSchizogenie@reddit

True points but none of them is a technical thing. There are company’s out there that still run windows 10. they will have bigger struggle.

[-]

throwaway0000012132@reddit

Well, it's a technical issue once you can't boot newer ISOs, if they are burned with only newer certs.

And you are right, it's not a major security risk, but it really depends on the company: security risks and lack of compliance are a big no no for some companies that deal with classified information

And unfortunately there are companies that are still running Windows Server 2003... It is what it is.

[-]

jamesaepp@reddit

not safe by default anymore

Not as safe. Secure boot still functions. Can't get new bootloaders until the new certs are in place. Nothing else changes.

[-]

Mayorbbee@reddit

Anyone got an idea of where to start for airgapped network? Heavy vmware

[-]

throwaway0000012132@reddit

vSphere 7? No current automatic solution for that, only manual. For newest versions there is a Broadcom solution.

[-]

Mayorbbee@reddit

We’re on 8 thankfully

[-]

ImNotABotScoutsHonor@reddit

https://github.com/haz-ard-9/Windows-vSphere-VMs-Bulk-Secure-Boot-2023-Certificate-Remediation

[-]

ngjrjeff@reddit

Where have you been?😂

[-]

Izual_Rebirth@reddit (OP)

Call it a case of being over worked and not having enough time to breathe most days.

[-]

chicaneuk@reddit

It annoys me how many people don't seem to understand how insanely understaffed some IT departments are these days. The amount of technology has gone through the roof and the people have been reduced. I get your pain man.

[-]

Izual_Rebirth@reddit (OP)

I was recently described as "he's our Microsoft Expert" in front of a customer and then the CEO went on to list Intune, SQL Server, ADDS, Azure, M365, Purview and a few others off the bat!

I'm thinking "bitch in a bigger company you'd have at least one person responsible for each of those!"

[-]

eater_of_spaetzle@reddit

That's why they pay you the big bucks!

[-]

Izual_Rebirth@reddit (OP)

To be fair I don't actually get paid that badly. I do sometimes think maybe money isn't everything especially with a kid on the way 😞

[-]

jacobcz@reddit

It definitely isn't. I was lucky to spend the first years of my kids growing up in a company with a very friendly work-life balance environment (Central Europe, so not that uncommon here). Sounds like a cliche, but they're only little once, and time really does flies fast. Slow down and enjoy the time with them, if your situation allows it.

[-]

fmdeveloper25@reddit

That is especially true once you start a family!

[-]

eater_of_spaetzle@reddit

Checking this subreddit is a life saver. Helps me catch things that would be easy to miss otherwise.

[-]

Creative-Type9411@reddit

people forget how much of a struggle it is to actually get out into the real world when you're overworked

gif

[-]

shootingdolphins@reddit

I get it.

[-]

shootingdolphins@reddit

Been providing clients with SecureBootCert powershell results checking for the CA2023 cert as well as monitoring the reg keys related to the update status for their RMM tools. Showing them capable/return codes and helping do firmware updates since December 2024 and even felt like that was “where have you been?”

[-]

CrispyTheGoat@reddit

Current certs expire in June and October. The one in June is 24th.

Get an inventory of device models, secure boot states. Use the Intune Secure Boot report is you use it.

Then use that inventory for a smallish test group of all models and then ramp up.

[-]

W-hole_Line@reddit

Yeaaaaah is anyone else alone doing this? Im alone responsible for all end user devices and ot devices. Intune sccm..etc..etc

I knew about this but just remembered last week... Too busy with tons thing and being alone in this section of IT...

Systemdudes also have tutorial on secure boot cert via intune

[-]

Makanly@reddit

Luckily for you it's like 5 minutes in Intune and move along.

[-]

EpicSimon@reddit

We pushed this out via Intune configuration profile to our clients. You can also track progress in Intune (clients only) and since a few weeks also in M365 Defender (clients and servers).

A few days ago I also noticed that MS seems to have started pushing out the certificate update via Windows Update. On a handful of clients I saw them install a "Update for allowed signature database (DB) for secure boot".

On servers we've pushed out the AvailableUpdates registry key. Physical servers worked fine except for two that wont allow installing the new KEK certificate. Will have to live with secure boot disabled on those. VMs were some more work for us on Vmware. Im not sure if its still neccessary currently but we had to manually upgrade the VM compatibility version to the latest one on all affected VMs (which for us is version 21 on ESXI 8) and then remove the ".nvram" file in each VMs' dir on the datastore so that they regenerate the EFI keys on the next boot.

[-]

kukelkan@reddit

I told my boss in January.. we didn't have time to touch this. We still don't..

[-]

Darkchamber292@reddit

It's a Config profile now in Intune. Just turn it on and point to your devices.

[-]

Specialist_Guard_330@reddit

What is the profile?? Plz help!!!

[-]

bfodder@reddit

I don't mean to be rude but have you even just googled "2023 secure boot certificate intune"??

[-]

kona420@reddit

I did and ended back up at this thread. Just kidding but the Microsoft article is some pretty thick reading if you aren't a firmware nerd.

[-]

roboticfoxdeer@reddit

You say that like Google works anymore. Also like Google doesn't send you to reddit 70% of the time

[-]

Specialist_Guard_330@reddit

No I was too lazy which is why I’m asking here🤣

[-]

dedXlights@reddit

Video about it https://youtu.be/MhsoAGyG2D8?si=lPDPT-zBGgVW7Cg5

[-]

kukelkan@reddit

If only I had intune... We also don't have active directory. Yay

[-]

DevelopersOfBallmer@reddit

If you are not managed at all, then it will do the updates for you, assuming auto updates are on.

[-]

Darkchamber292@reddit

Do you have an RMM tool?

[-]

kukelkan@reddit

We are working on deploying JumpCloud. But we need to format most of the pcs at the company, some are moving to Ubuntu (from windows home) And some are on win pro but have a very shitty image on them well before my time. So no we don't have an RMM in place on all pcs.

[-]

Darkchamber292@reddit

Good luck to ya. If you don't even have a way to put a script or fix to all devices at once through an RMM tool or something that's the first thing I'd fix first

[-]

kukelkan@reddit

Yup, working on it. I'm rebuilding the whole network for the company... While doing helpdesk tier 1 stuff

[-]

UninvestedCuriosity@reddit

Two feet and a heartbeat infra lol.

[-]

brispower@reddit

i had a boss like this, emphasis on had

[-]

Murhawk013@reddit

Same. There’s not time till after the disaster lol

[-]

brispower@reddit

He'd leave everything to the last minute, it shit me to tears. the worst part is when you bring something to him that you can get out ahead of easily (such as this bios stuff) and he'd just wait and wait for no good reason, then at the last minute (or after) decide that was the time to go into drama mode, you know when everyone can be "too busy" for anything because a now critical thing needed to be done

[-]

berryer@reddit

That's because that makes it easier to bully free overtime out of his minions

[-]

network_dude@reddit

I have a saying - "If it were not for the last minute, nothing would ever get done."

[-]

pdp10@reddit

decide that was the time to go into drama mode

It seems like many people are instinctively performative when it comes to "showing activity". They do this on purpose, albeit possibly not consciously.

[-]

3percentinvisible@reddit

Bollocks. That sounds like me.

Jim?

[-]

themightydraught@reddit

Funny how there's no time to do things until it gets to the emergency stage.

[-]

bfodder@reddit

We resolved it on about 6000 machines with about 30 minutes of work.

[-]

kukelkan@reddit

How? We have a lot of pcs with very old bioses.

[-]

bfodder@reddit

Dell Command Update is set to update drivers and firmware. The rest is just enabling a couple of policies to set and then the machines just do it themselves.

[-]

kukelkan@reddit

Ohh I see. Before I came on board everything was random. Laptops/AIO/desktops nothing constant.

So ya fuck me.

[-]

DevelopersOfBallmer@reddit

We are the same with a mix, that's not an issue. It sounds more like it's the wild west there and updating consistency is not a thing. If the bios is up to date, it's easy resolution. If it's not, I would ask why and start pushing that? Most vendors push bios updates in Windows updates or their own software like Dell Command.

15 years ago, yeah I get not doing auto bios updates, but today, that's crazy talk.

[-]

kukelkan@reddit

Yes stuff is very outdated.

There is no domain..

Company servers are on the same Lan as other departments... (Working on that) At least we have crowd strike.

[-]

Cusack67@reddit

June 24th! I'm in charge of 1700 workstations and dealing with Dell bios update process is just insanely difficult. For some models they have updated the bios 3 times in the last 2 months. We started deploying manual updates for VIP stations, just to found out yesterday that we'll need to do another round with newer bios version. Also there are other certificates to be updated from Windows (Win UEFI CA, MS UEFI CA and another one for other hardware (network)), the OS should handle this automatically but NO that would be too easy. I have one laptop model that would update the MS CA only after another bios release this week. Other laptops are getting direct live BIOS update even though we disabled this option in Dell Command Update.
Finally there is one model that we have to manually switch setting in the bios to activate the MS CA (Dell Command Configure is giving us error for this part).
Dell is really dropping the ball on this!!
I'll have a daily report that will run on workstation to give us the CA enrollment status after the bios update.
I forecast this SecureBoot will impact greatly many cie in coming months!

[-]

bfodder@reddit

and dealing with Dell bios update process is just insanely difficult

It's so early though. Are you not using Dell Command Update? Or even just letting them come through Windows Update?

[-]

Cusack67@reddit

Having many PCs in several factories around the world, we need to have a reliable way of pushing updates at specific time to prevent production stopping. We have 50 diff Dell models. We know and use DCU. For our needs we’ll deploy the bios exe instead so we can better track the deployment.

[-]

bfodder@reddit

It can all be scheduled in DCU. You can even use the cli to kick off the scan, download, and installation yourself at your desired time.

[-]

RiceeeChrispies@reddit

It’s shite if you have a BIOS password, doubly so if you use the recommended LAPS (per-device) BIOS password approach from Dell.

You can do Windows Update to solve the problem through capsule updates, if it actually works.

I couldn’t for the life of me get driver update rings working reliably on Intune.

[-]

RiceeeChrispies@reddit

Whilst you should be updating BIOS firmware anyway to address CVEs, the delivery of the Microsoft certificate updates via Intune device configuration policies (using the Windows Update mechanism) should be enough to meet the deadline whilst you sort the firmware upgrades.

[-]

sardonic_balls@reddit

Many shops unfortunately are not able to use Intune.

[-]

RiceeeChrispies@reddit

You can do it through Group Policy as well, it's just a config.

https://support.microsoft.com/en-gb/topic/group-policy-objects-gpo-method-of-secure-boot-for-windows-devices-with-it-managed-updates-65f716aa-2109-4c78-8b1f-036198dd5ce7

[-]

tastyratz@reddit

I'm not sure how many devices are getting covered successfully by the May cumulative, but, Microsoft DOES have a line in there for this as well:

https://support.microsoft.com/en-us/topic/may-12-2026-kb5087545-os-build-20348-5139-6aed2a73-37f9-468c-8bdc-4bae674797cf

How many people are having luck with the rollup?

[-]

_stuxnet@reddit

There's not just one cert expiring but two. One in June, the other in October.

[-]

throwaway0000012132@reddit

It's actually 3 in total lol

2 in 26 June and the third in October.

[-]

DenverITGuy@reddit

The Secure Boot Playbook by Microsoft is probably the best resource to get started. It's detailed and has a lot of information about errors, gotchas, event viewer etc.. You will need to reference your device vendor to see how they're supporting certain models on their end.

[-]

tehreal@reddit

Can Crowdstrike tell me what computers need to be touched?

[-]

eater_of_spaetzle@reddit

You can download scripts to check for you, or create/vibe-code them yourself in minutes.

[-]

tehreal@reddit

I'm a vibe code the shit out of this

[-]

Linkage006@reddit

We use Absolute to track, GPO to enforce. I live in a Legacy world because IT isn't that important to spend $$ on. They'll just spend it on Cybersecurity grads, paying them 200K a year to send us Nessus logs to fix stuff.

[-]

EduRJBR@reddit

I thought it won't affect operating systems of the latest versions and that can (and are) updated regularly, although I don't know if even 2025 servers might require some extra fuckery depending of what and where they are running.

Am I wrong? If the workstations only have with Windows 11 with automatic updates: do I need to worry, do I need to do something?

[-]

aprimeproblem@reddit

Servers are equally affected

[-]

skidleydee@reddit

Don't forget all the other requirements if your going to have secure boot on a VMware vm.

[-]

RiceeeChrispies@reddit

an automated fix is coming soon™ (day before expiry probably)

[-]

skidleydee@reddit

Only for 9

[-]

jamesaepp@reddit

That's incorrect.

https://knowledge.broadcom.com/external/article/423893/secure-boot-certificate-expirations-and.html

Starting from a planned 8.0 U3 patch release, the Windows OEM Devices PK certificate will be automatically initialized in the PK for newly created VMs (HW Version >= 14)

VMware is delivering a comprehensive solution to add the Windows OEM Devices PK certificate into the vUEFI if it is detected as missing from VMs running on ESX 8.x and 9.x hosts (starting from planned future patches). While this solution utilizes automated delivery mechanisms to minimize overhead, it will still require customer actions. (Note: This KB will be updated once the patches are available.)

(FYI /u/RiceeeChrispies)

[-]

RiceeeChrispies@reddit

Awesome! Hopefully soon, thanks for the info.

[-]

chicaneuk@reddit

No 8 is still supported and will be getting the automated fix too. I read it's coming for 9.0/9.1 and 8.0.3.

[-]

RiceeeChrispies@reddit

Really? That's shite, 8 is still under support - typical Broadcom moment.

[-]

skidleydee@reddit

I could be wrong but that's what my boss was told when he spoke to our rep.

[-]

twatcrusher9000@reddit

Thanks for the heads up, had no idea, here's the intune instructions:

https://support.microsoft.com/en-us/topic/microsoft-intune-method-of-secure-boot-for-windows-devices-with-it-managed-updates-1c4cf9a3-8983-40c8-924f-44d9c959889d

[-]

Wolfram_And_Hart@reddit

Is this the 1801 error?

[-]

neresni-K@reddit

Please post in r/shittysyadmin. /s

[-]

jfoust2@reddit

It wouldn't be r/sysadmin without gatekeeping.

[-]

InvoluntaryNarwhal@reddit

I don't know about you, but I know everything about system administration and I dropped fully formed into my role knowing everything about it.

...

Yeah. The gatekeeping can be a bit much. Stack Overflow refugees have to land somewhere, I guess.

[-]

pompousrompus@reddit

I’ll have you know I was a Spiceworks community mod before I was usurped of my signature by an actual mod

[-]

Hemsby1975@reddit

We have self driving cars, everyone has a mobile phone and AI is a thing also. Just keeping you in the loop 🤣😂