How Can I Generate a Secure Boot Certificate Report for My Devices?

Asked By TechieTurtle123 On

Hey everyone! I'm on a tight schedule for the Secure Boot certificate rotation, specifically the Windows UEFI CA 2023. I need to generate a reliable report to check which of my ~10,000 machines still have the old certificate and will be impacted by the upcoming DBX revocations.

I prefer to avoid using Intune Compliance policies since about 50% of our machines are already marked as "Non-compliant" due to various issues like TPM glitches and old BitLocker grace periods. This makes it hard to get a clear report.

Here are my main questions:

1. Has anyone successfully utilized Proactive Remediations for this without causing a "Non-compliant" status?
2. Is there a simple way to extract this data into Log Analytics or Azure Monitor?
3. Does anyone have a solid script that tells apart "Secure Boot Disabled" and "Secure Boot Enabled but with Old Cert"?

Any tips on managing this at scale, especially across both Dell and Lenovo hardware, would be super helpful! Thanks!

4 Answers

Answered By ProactivePrince On

Proactive remediations and compliance are separate, so you shouldn't worry about compliance status affecting your remediations.

Answered By ScriptMaster45 On

If you have Intune and can use remediations, set up a detection script that checks for the certificate’s existence in the UEFI. Use "exit 1" if it's not there and "exit 0" if it is. Here's a simple example:

```powershell
# Detection script: read the active Secure Boot signature database (db) and
# look for the new CA's subject name. Requires an elevated session on a UEFI
# platform; Get-SecureBootUEFI throws on legacy BIOS machines.
$dbBytes = (Get-SecureBootUEFI -Name db).Bytes
$match = [System.Text.Encoding]::ASCII.GetString($dbBytes) -match 'Windows UEFI CA 2023'
if ($match) {
    Write-Output 'Compliant: Windows UEFI CA 2023 found.'
    exit 0
} else {
    Write-Output 'Non-Compliant: Windows UEFI CA 2023 not found.'
    exit 1
}
```
This should help manage compliance more effectively without triggering a noisy non-compliant status.

HelpfulHoward -

This is a great approach! Using scripts like this could really help streamline compliance reporting.

Answered By DellFanatic99 On

If your machines are mainly Dell, pulling the BIOS version should be straightforward. Newer Dell BIOS updates handle the Secure Boot certificate automatically. I assume it’s similar for Lenovo as well.

OldSchoolTech -

True, but don’t forget that the BIOS updates only modify the default database. You may need to do a factory reset and secure boot reset to transition them to the active database.
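As an added example (not code from ScriptMaster45's answer or from any of the posters here), the script below extends the db-string-match approach to cover the third question in the original post and OldSchoolTech's remark about default versus active databases: it tells apart a legacy-BIOS machine, Secure Boot switched off, Secure Boot on with only the old CA, and the case where a BIOS update has staged the 2023 CA in dbDefault without it being in the active db. It assumes an elevated session with the built-in SecureBoot module, that the firmware exposes dbDefault through Get-SecureBootUEFI (not every firmware does, so that read is wrapped in try/catch), and the subject strings 'Microsoft Windows Production PCA 2011' (the CA being replaced) and 'Windows UEFI CA 2023'. The function name Get-SecureBootCaState and the status labels are my own.

```powershell
# Added example: classify a device's Secure Boot CA state for a detection script.
# Subject strings assumed from Microsoft's naming of the old and new Windows CAs.
$OldCa = 'Microsoft Windows Production PCA 2011'
$NewCa = 'Windows UEFI CA 2023'

function Get-SecureBootCaState {
    # Returns one object describing the active db and dbDefault on this device.
    $result = [ordered]@{
        SecureBootEnabled = $null
        ActiveDbHasOldCa  = $false
        ActiveDbHasNewCa  = $false
        DefaultDbHasNewCa = $false
        Status            = 'Unknown'
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported platforms and
    # returns $false when UEFI is present but Secure Boot is switched off.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.Status = 'SecureBootNotSupported'
        return [pscustomobject]$result
    }

    if (-not $result.SecureBootEnabled) {
        $result.Status = 'SecureBootDisabled'
        return [pscustomobject]$result
    }

    # db holds DER-encoded certificates; subject names are plain ASCII inside the
    # DER, so a string match on the decoded bytes is enough to spot each CA.
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.ActiveDbHasOldCa = $db -match [regex]::Escape($OldCa)
    $result.ActiveDbHasNewCa = $db -match [regex]::Escape($NewCa)

    # dbDefault is what the firmware loads on a "reset to factory keys"; a BIOS
    # update may have placed the 2023 CA there without touching the active db.
    # Assumption: the firmware exposes dbDefault via Get-SecureBootUEFI.
    try {
        $dbDefault = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbDefault).Bytes)
        $result.DefaultDbHasNewCa = $dbDefault -match [regex]::Escape($NewCa)
    } catch {
        # Firmware does not expose dbDefault; leave DefaultDbHasNewCa as $false.
    }

    if ($result.ActiveDbHasNewCa) {
        $result.Status = 'Updated'
    } elseif ($result.DefaultDbHasNewCa) {
        $result.Status = 'NewCaInDefaultDbOnly'
    } else {
        $result.Status = 'OldCaOnly'
    }
    return [pscustomobject]$result
}

$state = Get-SecureBootCaState

# Single line per device so the remediation output column can be filtered later.
Write-Output ('{0}|SecureBoot={1}|OldCa={2}|NewCa={3}|DefaultNewCa={4}' -f
    $state.Status, $state.SecureBootEnabled, $state.ActiveDbHasOldCa,
    $state.ActiveDbHasNewCa, $state.DefaultDbHasNewCa)

# Only a device with the 2023 CA in the active db passes; every other state
# (disabled, unsupported, old CA only, staged in dbDefault only) needs attention.
if ($state.Status -eq 'Updated') { exit 0 } else { exit 1 }
```

Because the status string is written to output rather than only encoded in the exit code, a remediation report can separate "Secure Boot disabled" from "enabled but old cert" and from "staged in dbDefault, needs a key reset" without touching compliance policies, which is the distinction the original question asks for.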

Answered By ITGuyChris On

Trevor Jones has an informative blog post about checking for updated Secure Boot certificates. You might find it helpful: [link to blog].
Also, a colleague of mine stored that data in WMI with ConfigMgr. It’s something included in Intune licenses, so definitely worth looking into! Given your 10,000 machines, if you're still on ConfigMgr, let me know—we might be able to clean things up together or even blog about it.

TechieTurtle123 -

Thanks! I'll check out Trevor's blog and might reach out for more tips. Appreciate the information!
