I've heard that Secure Boot certificates in the firmware of many computers are expiring this June. These certificates were originally issued back in 2011 and it looks like they're all expiring at the same time, kind of reminiscent of the Y2K situation. Windows Update takes care of home computers by updating the certificates, but for computers in domains or managed through services like SCCM or Intune, the updates seem to be more complicated. We've got hundreds of thousands of devices from Dell and Lenovo, and while they've updated their firmware to include the new certificates, it feels like a nightmare when it comes to testing each model released over the last five years. I've heard that if the certificates aren't updated, the computers will simply fail to boot. This situation doesn't even consider devices from other manufacturers, which might not support remote installation at all. I'm curious if anyone has a plan in place or any useful tips for this issue. I worry that many small businesses might be caught off guard and have no idea this is on the horizon.
5 Answers
I can't believe a sysadmin with 100,000 endpoints is asking this out in the open. Maybe you should have someone competent look into it internally?
Right? Not everyone has the time to research everything; sometimes you just need a second opinion.
Dell and Lenovo devices will get updates through Windows Update as long as they’re connected. You could speed things up by deploying registry settings to help Microsoft gather metrics, but I doubt they will mess up the updates for such popular brands.
Just a heads up, what if someone's BIOS wipes after getting patched? They'll end up not being able to boot. Organizations must ensure that their BIOS has the necessary keys. I've seen issues with newer Dell Pro models not having the keys even after the latest BIOS updates.
Yeah, that's a real concern. Especially since it's been a while and you'd think it would be covered by now.
You can script the certificate check and push silent BIOS updates through Intune. Just tag any devices that need replacement before June to avoid surprises. No one wants a situation where their machines don’t boot up!
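Here is what the "script the certificate check" part of that answer can look like, as an added example and not code from anyone in this thread. It is a detection script of the kind used in an Intune remediation or SCCM compliance item; it assumes a UEFI Windows device with the built-in SecureBoot PowerShell module, run elevated, and relies on the subject names of Microsoft's 2011 and 2023 CAs being present as ASCII inside the KEK and db variables.

```powershell
# Added example (not from the thread): report whether this device's Secure Boot
# variables already carry the 2023 Microsoft CAs. Exit code 1 = tag the device
# for a firmware update or replacement before the 2011 certificates expire.
# Assumes Windows with the built-in SecureBoot module, run as administrator.

$ErrorActionPreference = 'Stop'

function Get-UefiVarText {
    param([string]$Name)
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes; the X.509
    # subject names inside them are ASCII, so a string search is enough to
    # tell which CAs are enrolled without fully parsing the variable.
    $bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    return [System.Text.Encoding]::ASCII.GetString($bytes)
}

try {
    $enabled = Confirm-SecureBootUEFI
} catch {
    # Legacy BIOS or a platform without Secure Boot support: nothing to update
    # here, but still worth flagging so the device is not forgotten.
    Write-Output 'SecureBoot=Unsupported'
    exit 1
}

$kek = Get-UefiVarText -Name KEK
$db  = Get-UefiVarText -Name db

$result = [ordered]@{
    SecureBootEnabled = $enabled
    Kek2011 = $kek -match 'Microsoft Corporation KEK CA 2011'
    Kek2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    Db2011  = $db  -match 'Microsoft Windows Production PCA 2011'
    Db2023  = $db  -match 'Windows UEFI CA 2023'
}

# One line of output so the management tool can collect it per model.
$model   = (Get-CimInstance Win32_ComputerSystem).Model
$summary = ($result.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ';'
Write-Output "Model=$model;$summary"

# Treat the device as ready only when both the new KEK and the new db CA are present.
if ($result.Kek2023 -and $result.Db2023) { exit 0 } else { exit 1 }
```

Running it as a detection script across the fleet gives a per-model list of which devices still lack the 2023 certificates, which is the list to test firmware updates against first.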
If you’re not using Intune or SCCM, Windows Update probably won’t push the new secure boot certificates for domain-joined machines. That could be a huge oversight for many setups if they aren’t aware.

Relax, everyone has questions sometimes. It’s better to ask than to assume!