I'm currently in the process of updating devices with a new boot certificate but facing some challenges. We're still using SCCM, so I can't revoke the old PCA2011 certificate, yet I also need to boot from the old boot media (PXE boot). I have been following Anthony Fontanez's scripts with Intune to tackle this, which seem to work—I've received event IDs 1036 and 1799 indicating the boot manager is signed. However, I noticed that the KEK certificate and UEFI ROM certificate haven't been updated on my devices. I'm also encountering event ID 1801 that won't go away despite multiple runs of the scripts.
To address this, I've been experimenting with the available update flag 0x5944. Setting this flag and rebooting resolved the missing KEK and ROM certificate updates, as I now see event ID 1808 for success. But, it seems that setting the 5944 flag also revokes the old PCA2011 certificate. Now, I can't boot from the old boot media due to a secure boot issue.
My main question is whether getting event IDs 1036 and 1799 is sufficient for compliance after June or if there are additional steps I need to take? Also, I'm unsure how to get the bootloader signed with the new certificates without having them installed. Any guidance would be appreciated!
2 Answers
I thought that setting the 0x5944 flag and then running the scheduled task would still allow old certificates to be retained for PXE use. That way, you could update the certs but not completely lose access to the old system. But based on your experience, it seems like it’s not holding up for your testing devices. Maybe there’s a specific step that’s being overlooked or executed incorrectly? It sounds like a bit of fine-tuning might be needed.
You're caught in a tricky situation here. The 0x5944 flag updates the KEK and ROM certificates but also revokes the PCA2011, which you still need for PXE booting. If you set 0x5944 across the board, it might worsen your situation since you need to maintain the legacy boot until SCCM is fully retired.
The event IDs 1036 and 1799 indicate the boot manager was signed, but it doesn't guarantee compliance with June's requirements. You need to ensure that the KEK and ROM certificates are updated without disrupting legacy boot. A phased rollout might be the best approach—update the certs on devices that don't rely on old PXE boot, then tackle the SCCM devices once you have a proper boot image ready.
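Added example (not code from the question or either answer): a PowerShell audit that reads the state the thread is reasoning about, so a device can be checked before and after the flag is set rather than inferred from event IDs alone. It parses the KEK, db and dbx UEFI variables (EFI_SIGNATURE_LIST format) into X.509 subjects, reads the `AvailableUpdates` registry value, and lists the TPM-WMI events named in the thread. Assumptions: an elevated session on Windows 10/11 with the built-in SecureBoot module, the value name `AvailableUpdates` under `HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot`, the event provider name `Microsoft-Windows-TPM-WMI`, and the certificate subject names Microsoft publishes for the 2011 and 2023 CAs; verify all of these against your own firmware and documentation.

```powershell
# Added audit script; not from the thread. Run elevated.

function Get-EfiSignatureCerts {
    # Walk an EFI_SIGNATURE_LIST chain and return every X.509 certificate in it.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $x509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        $type   = [Guid]::new([byte[]]$Bytes[$offset..($offset + 15)])
        $listSz = [BitConverter]::ToUInt32($Bytes, $offset + 16)   # SignatureListSize
        $hdrSz  = [BitConverter]::ToUInt32($Bytes, $offset + 20)   # SignatureHeaderSize
        $sigSz  = [BitConverter]::ToUInt32($Bytes, $offset + 24)   # SignatureSize
        if ($listSz -lt 28) { break }                                # malformed list: stop, do not spin
        if ($type -eq $x509Guid -and $sigSz -gt 16) {
            $pos = $offset + 28 + $hdrSz
            while ($pos + $sigSz -le $offset + $listSz) {
                # Each signature entry = 16-byte SignatureOwner GUID + DER certificate
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSz - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSz
            }
        }
        $offset += $listSz
    }
}

function Get-SecureBootCertReport {
    # Subject CNs assumed from Microsoft's published CA names (verify on your hardware).
    $kek2023 = 'Microsoft Corporation KEK 2K CA 2023'
    $pca2011 = 'Microsoft Windows Production PCA 2011'
    $winCa2023 = 'Windows UEFI CA 2023'
    $rom2023 = 'Microsoft Option ROM UEFI CA 2023'

    $vars = @{}
    foreach ($v in 'KEK', 'db', 'dbx') {
        $bytes = (Get-SecureBootUEFI -Name $v).Bytes
        $vars[$v] = @(Get-EfiSignatureCerts -Bytes $bytes | ForEach-Object { $_.Subject })
    }
    $has = { param($var, $cn) @($vars[$var] | Where-Object { $_ -like "*CN=$cn*" }).Count -gt 0 }

    $au = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot' -ErrorAction SilentlyContinue).AvailableUpdates
    [pscustomobject]@{
        AvailableUpdates    = if ($null -ne $au) { '0x{0:X}' -f [int]$au } else { '(not set)' }
        KEK_2023_present    = & $has 'KEK' $kek2023     # the KEK update the question found missing
        DB_WindowsCA2023    = & $has 'db'  $winCa2023   # CA the new boot manager is signed with
        DB_OptionROM2023    = & $has 'db'  $rom2023     # the "UEFI ROM certificate" from the question
        DB_PCA2011_present  = & $has 'db'  $pca2011     # still needed to trust old PXE media
        DBX_revokes_PCA2011 = & $has 'dbx' $pca2011     # true => 2011-signed media is refused at boot
    }
}

function Get-SecureBootUpdateEvents {
    # Event IDs from the thread: 1036/1799 (boot manager), 1801 (persisting), 1808 (KEK/DB success)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; Id = 1036, 1799, 1801, 1808 } -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}

Get-SecureBootCertReport | Format-List
Get-SecureBootUpdateEvents | Format-Table -AutoSize
```

Run it once on a device that still PXE-boots fine and once on a device where the flag has been applied, and diff the two reports: the `DBX_revokes_PCA2011` field is the direct test for the "can't boot from old media" symptom in the question, while `KEK_2023_present` and `DB_OptionROM2023` show whether the 1808 success event actually corresponds to the variables being written on that firmware.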