Hey everyone, I need some guidance on whether I'm correctly implementing the Secure Boot changes in my environment. I've set up some Group Policies as follows: I've enabled diagnostic data sharing to send required data, and I've also enabled certificate deployment through a Controlled Feature Rollout. It's been several reboots since I made these changes, and when I ran the Microsoft remediation script, I got a report that shows Secure Boot enabled, but the confidence level is 'Under Observation - More Data Needed.' I noticed there's an event log error (Event ID 1801) indicating that updated Secure Boot certificates are available but haven't been applied yet. I'm unsure if I should be receiving automatic updates through Windows Update for Business or if I need to approve them in Intune. Any advice would be greatly appreciated!
4 Answers
It sounds like you're on the right track, but the 'Under Observation' status suggests that there may still be unresolved issues with your Secure Boot setup. The fact that you're getting Event ID 1801 means you'll need to ensure that the updated certificates are applied to the firmware properly. Sometimes, multiple reboots are necessary, but also check that nothing in your BIOS settings is preventing the updates from taking effect. I had to reboot about four times before everything settled down on my devices, so hang in there!
Just a heads up, if your GPOs are configured correctly and you're still seeing issues, it's possible that updates through Windows Update for Business might require manual approval in Intune, especially if your devices are in a managed environment. You should have a procedure set up for that as part of your update management plan.
If you’re trying to run this update on many devices at once, consider running a batch process to reset the Secure Boot keys for all of them in BIOS rather than doing it one by one. But definitely keep in mind the BitLocker key situation! It’s a real hassle if you get locked out!
When I encountered a similar situation, manual intervention was necessary. I had to check the firmware version and make sure it was fully compatible with the latest Secure Boot standards. I would suggest reviewing the documentation provided by Microsoft and ensuring that nothing is being blocked by your Group Policies. If it still shows 'NotStarted,' it might be worth resetting the factory Secure Boot keys in the BIOS, but do make sure to note your BitLocker key first to avoid any recovery issues!
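As an added, read-only check that is not from any of the posters above: the script below gathers on one device the three things this thread keeps coming back to (whether Secure Boot is on, whether the certificate servicing status is still 'NotStarted', and whether Event ID 1801 is still being logged) and confirms an escrowed BitLocker recovery password exists before anyone touches the firmware keys. It assumes that Event 1801 is written to the System log by the Microsoft-Windows-TPM-WMI provider and that the status value is `UEFICA2023Status` under `HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing`; both names are my recollection of Microsoft's servicing documentation, so verify them against the current docs for your build.

```powershell
# Added example, not code from the thread. Run from an elevated PowerShell prompt.
# Assumptions (verify against current Microsoft docs): Event 1801 comes from the
# Microsoft-Windows-TPM-WMI provider in the System log, and the servicing status
# is the UEFICA2023Status value under the SecureBoot\Servicing registry key.

function Get-SecureBootServicingReport {
    $report = [ordered]@{}

    # 1. Is Secure Boot actually enabled? Throws on legacy-BIOS systems, so catch it.
    try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
    catch { $report.SecureBootEnabled = "Unavailable: $($_.Exception.Message)" }

    # 2. Servicing status the remediation script reports (e.g. NotStarted / InProgress / Updated).
    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'   # assumed path
    $report.UEFICA2023Status = (Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue).UEFICA2023Status

    # 3. Most recent Event ID 1801 entries: "updated certificates available but not yet applied".
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1801 }
    $report.Recent1801Events = Get-WinEvent -FilterHashtable $filter -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } }

    # 4. BitLocker: changing Secure Boot keys changes the PCR 7 measurement the TPM
    #    protector is sealed to, so confirm a recovery password protector exists first.
    $report.BitLocker = Get-BitLockerVolume -MountPoint $env:SystemDrive | ForEach-Object {
        [pscustomobject]@{
            Volume             = $_.MountPoint
            ProtectionStatus   = $_.ProtectionStatus
            RecoveryProtectors = @($_.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword').Count
        }
    }

    [pscustomobject]$report
}

Get-SecureBootServicingReport | Format-List
```

If `RecoveryProtectors` is 0, add and escrow a recovery password (for example with `Add-BitLockerKeyProtector -RecoveryPasswordProtector` followed by `BackupToAAD-BitLockerKeyProtector`) before resetting any firmware keys.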