I'm finishing the UEFI Certificate update - sharing my experience
Posted by PrettyFlyForITguy@reddit | sysadmin | View on Reddit | 22 comments
So I am currently just wrapping up the UEFI certificate rollout, and it did not go smoothly. Even after having updated countless BIOSes over the last few months, the update rolled itself out on only about 70% of machines. The rest needed manual intervention.
- Some needed May BIOS updates
- Some needed me to manually initiate the trigger (shown below)
- I needed to disable BitLocker manually
- It often took multiple tries.
- I still have machines that say the update is in progress (updating the key in the BIOS), but also that it successfully booted from the new certificate. Not sure what is going on here.
- Hyper-V VMs always needed manual deployment. If on the latest configuration, they updated smoothly.
I started the manual process by first running the following code, and rebooting twice:
Suspend-BitLocker -MountPoint "C:" -RebootCount 2
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name AvailableUpdates -Value 0x5944
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Most of the time this did not complete properly and I had to do it again, but it seems I didn't need to restart the task.
Suspend-BitLocker -MountPoint "C:" -RebootCount 2
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot" -Name AvailableUpdates -Value 0x5944
Sometimes it took several tries of this, with nothing changed, to actually take effect.
With the help of AI, I created a script to check:
$ErrorActionPreference = "Stop"
$sbPath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
$servicePath = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing"
Write-Output "SECURE BOOT CERTIFICATE CHECK"
try {
    $sbEnabled = Confirm-SecureBootUEFI
    if ($sbEnabled -eq $false) {
        Write-Output "Result: [ERROR] Secure Boot is Disabled on this endpoint."
        exit 2
    }
    Write-Output "[INFO] Secure Boot is currently ENABLED."
} catch {
    Write-Output "Result: [ERROR] System does not support UEFI or Secure Boot is entirely unconfigured."
    exit 3
}
if (Test-Path $servicePath) {
    $statusValue = (Get-ItemProperty -Path $servicePath -Name "UEFICA2023Status" -ErrorAction SilentlyContinue).UEFICA2023Status
    $capableValue = (Get-ItemProperty -Path $servicePath -Name "WindowsUEFICA2023Capable" -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
    $errorValue = (Get-ItemProperty -Path $servicePath -Name "UEFICA2023Error" -ErrorAction SilentlyContinue).UEFICA2023Error
    Write-Output "[INFO] UEFICA2023Status: $statusValue"
    Write-Output "[INFO] WindowsUEFICA2023Capable: $capableValue"
    if ($errorValue) {
        Write-Output "[WARNING] Secure Boot Update Error Detected: $errorValue"
    }
    if ($statusValue -eq "Updated") {
        Write-Output "Result: COMPLIANT (The Windows UEFI CA 2023 Certificate is successfully applied.)"
        exit 0
    } elseif ($statusValue -eq "PackageInstalled") {
        Write-Output "Result: [ERROR] Stage 1 Complete. Endpoint requires a reboot cycle to write to UEFI NVRAM."
        exit 5
    } else {
        Write-Output "Result: [ERROR] The 2023 Certificate has not been deployed to this machine."
        exit 4
    }
} else {
    # Check if the baseline Microsoft update staging key is configured
    $availableUpdates = (Get-ItemProperty -Path $sbPath -Name "AvailableUpdates" -ErrorAction SilentlyContinue).AvailableUpdates
    Write-Output "[INFO] AvailableUpdates Mask: $availableUpdates"
    Write-Output "Result: [ERROR] Secure Boot Servicing paths do not exist. KB fixes or update flags are missing."
    exit 9
}
I still have a few machines that are not taking it (probably missing BIOS updates), but 99% of the ones I've manually tried have worked this way.
I would just plan on a lot of reboots. If it fails, trying again will likely succeed.
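As an added example (not the OP's script and not a Microsoft tool), here is a PowerShell version of the same manual procedure that returns the servicing state as an object, so a fleet-wide run over Invoke-Command can be sorted by stage instead of parsing Write-Output text, and that only suspends BitLocker when the OS volume is actually protected. The registry paths, the 0x5944 value, the Servicing value names and the scheduled task path are taken from the post above; the function names, the stage labels and the task polling are my own assumptions.

```powershell
# Added example, not the original poster's code. Function names are hypothetical.
# Registry paths, the AvailableUpdates value 0x5944, the Servicing value names and the
# scheduled task path come from the post; stage labels and polling are assumptions.
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = "$SecureBootKey\Servicing"
$TaskPath      = '\Microsoft\Windows\PI\'
$TaskName      = 'Secure-Boot-Update'

function Get-SecureBootCertState {
    # One object per machine: collect with Invoke-Command and group by Stage.
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $null }   # $null = no UEFI support
    $svc  = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
    $mask = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    $stage = if ($null -eq $secureBoot)                              { 'NoUEFI' }
             elseif (-not $secureBoot)                               { 'SecureBootOff' }
             elseif ($null -eq $svc)                                 { 'NotStaged' }
             elseif ($svc.UEFICA2023Status -eq 'Updated')            { 'Updated' }
             elseif ($svc.UEFICA2023Status -eq 'PackageInstalled')   { 'NeedsReboot' }
             else                                                    { 'InProgress' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBoot       = $secureBoot
        Status           = $svc.UEFICA2023Status
        Capable          = $svc.WindowsUEFICA2023Capable
        Error            = $svc.UEFICA2023Error
        AvailableUpdates = if ($null -ne $mask) { '0x{0:X}' -f $mask } else { $null }
        Stage            = $stage
    }
}

function Invoke-SecureBootCertUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$MountPoint  = 'C:',
        [int]   $RebootCount = 2,      # the post found two reboots are normally needed
        [int]   $WaitSeconds = 120
    )
    $state = Get-SecureBootCertState
    if ($state.Stage -in 'Updated', 'NoUEFI', 'SecureBootOff') {
        Write-Verbose "Nothing to do: stage is $($state.Stage)"
        return $state
    }

    # Suspend BitLocker only if the OS volume is protected. The reboot counter
    # re-arms it automatically, so a recovery prompt after the firmware change
    # cannot strand a machine that nobody is sitting in front of.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On' -and
        $PSCmdlet.ShouldProcess($MountPoint, "Suspend BitLocker for $RebootCount reboots")) {
        Suspend-BitLocker -MountPoint $MountPoint -RebootCount $RebootCount | Out-Null
    }

    if ($PSCmdlet.ShouldProcess($SecureBootKey, 'Set AvailableUpdates = 0x5944')) {
        Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value 0x5944 -Type DWord
    }

    if ($PSCmdlet.ShouldProcess("$TaskPath$TaskName", 'Start scheduled task')) {
        Start-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
        # Wait for the task to leave the Running state, then surface its result
        # code so a failed run is visible instead of silently needing another try.
        $deadline = (Get-Date).AddSeconds($WaitSeconds)
        do {
            Start-Sleep -Seconds 5
            $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName
        } while ($task.State -eq 'Running' -and (Get-Date) -lt $deadline)
        $info = $task | Get-ScheduledTaskInfo
        Write-Verbose ('Task state {0}, last result 0x{1:X}, last run {2}' -f
            $task.State, $info.LastTaskResult, $info.LastRunTime)
    }
    return Get-SecureBootCertState
}

# Usage (elevated): dry run first, then apply and reboot.
#   Invoke-SecureBootCertUpdate -WhatIf
#   Invoke-SecureBootCertUpdate -Verbose; Restart-Computer
```

Because the remediation function re-reads the state before doing anything, it is safe to run repeatedly as a scheduled remediation: machines already at Stage Updated are left alone, and the returned object after each reboot tells you whether a given box moved from NeedsReboot to Updated or is still stuck with a value in Error.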
Rockz1152@reddit
Just finished our rollout with Group Policy, though I never had to disable BitLocker on any systems.
Computer Configuration > Admin Templates > Windows Components > Secure Boot
Most systems updated within two reboots after receiving this policy. Deployed to a test ring with all hardware configurations. Had some endpoints not upgrade after a few weeks. Somehow SecureBoot was disabled on them despite clean Win11 installs.
Tracked which systems had updated certs available in firmware with these:
Tracked this registry key for successful boot manager updates:
Get-ItemPropertyValue -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" -Name "UEFICA2023Status"
Hope this helps anyone else
QuietThunder2014@reddit
I’ve downloaded the latest GP update and still this path isn't showing for me for some reason.
Also did you target only the devices that needed the update or just blanket roll this out wide for all devices?
I’ve run a report and about 80% of my devices are up to date but I’m worried about the ones saying in progress.
PrettyFlyForITguy@reddit (OP)
I disabled BitLocker because I wasn't on site. If it triggered a recovery screen, there is no way I would've been able to handle it.
randomman87@reddit
First up I collected all the models in my environment and then checked the vendors (HP & MS) websites for the minimum BIOS version for the UEFI CA 2023 support. Models without were reported to procurement for replacement. Models on too old a version were updated with bimonthly driver/BIOS patching. Those that didn't take were reported to help desk for manual updating.
In my testing I was just able to set the AvailableUpdates and in a month I was up to date. I didn't monitor it but I tried it again on another test device and same thing, it worked. Tried to scale up with pilot and maybe 1/3 updated. Apparently it wants 2 reboots in most cases. Set up a package to set the key, start the scheduled task, confirm sched task success, suspend BitLocker for 1 reboot, add sched task for 2nd reboot. Deployment settings handle prompting user for 1st reboot. Just went to pilot group and 95% success.
floatingby493@reddit
That’s crazy, we got lucky and didn’t really have any issues besides a small number of machines prompting for BitLocker. Most of our fleet of 650ish devices have been updated without having to do anything besides pushing out the device config in Intune.
tarvijron@reddit
What loser downvoted this.
Darkhexical@reddit
The ones who don't like ai
PrettyFlyForITguy@reddit (OP)
I was just being honest and not taking full credit for something I didn't entirely write myself... It was just quicker than writing it myself. I actually have a computer science degree and have written full applications, but if I can turn 20 minutes into 6 seconds of work I'm going to do that.
Darkhexical@reddit
I don't have anything against it personally. But there are many people that have turned AI into their crutch and stop doing work themselves.
TheG0AT0fAllTime@reddit
Yeah. As much as I hate AI on principle, it's here to stay and what you describe there is only going to get worse
tarvijron@reddit
I hate shitty admins on their own merits and I hate shitty refusing-to-admit-it's-AI hack jobs trying to get $100 for a reimagined piece of 1990s freeware, but I just don't get the hatred for Normal Admin Does Normal And Annoying Job with Modern Tool.
ThatsNASt@reddit
Odd. I just push a check script and then the registry edit to force them. Out of about 100 machines only one had issues. I never disabled BitLocker at all and had no calls about BitLocker prompts.
BigBangFlash@reddit
On my side I never had to disable BitLocker either, but the registry edits and the configuration profiles didn't really work, maybe on like 20% of the devices? We have mainly Lenovos.
What ended up working was the utility and then waiting a few days for the users to reboot a few times.
with the detection
PrettyFlyForITguy@reddit (OP)
The disabling of BitLocker was in case it triggered the recovery screen... I am not on site, so it was a precaution.
PrettyFlyForITguy@reddit (OP)
Honestly, I was a little surprised at how many machines had issues. I'm not sure if it was a Dell thing, or a Microsoft thing, or maybe a security setting (we have all those virtualization-based security settings on, some of which enforce UEFI protections).
ThatsNASt@reddit
All of mine were Dell machines as well and none had enterprise licensing so no credential guard or vbs.
CharacterLimitHasBee@reddit
Yeah, same. Just pushed the GPO and the magic happened.
HankMardukasNY@reddit
Been using these detection/remediation scripts along with the three recommended settings in a config profile. The scripts give you a lot of information on what’s going on or what the hold up is
https://blog.mindcore.dk/2026/04/secure-boot-certificate-update-intune/
PrettyFlyForITguy@reddit (OP)
That would've been useful, I wish I had seen this earlier... might have saved me from brute forcing it onto all of those machines.
F1Phreek@reddit
How many machines are you updating? How many models are in your fleet? We have one laptop model and one desktop model. I haven't seen update issues yet.
PrettyFlyForITguy@reddit (OP)
Not all that many. Under a couple hundred desktops... but they are various models of Dells. The laptops, managed separately, all seem fine and needed zero intervention.
Alert_Post@reddit
Funnily enough, I just woke up to this, that's crazy. I have an Acer Nitro ANV15-51. I didn't know about the Secure Boot certificates expiring until today. This is another hassle that I'll have to go through, seeing that Acer is not the best when it comes to updates in my opinion.