Hi everyone! I'm trying to update Secure Boot certificates through the Group Policy method known as "Certificate Deployment via Controlled Feature Rollout." I've seen some devices get updated in about 10 days, while others have been stuck on "Under Observation" for over 30 days. Has anyone else had a similar experience?
I'm curious if anyone knows what might be causing this delay. From what I've gathered, it seems like the devices could be waiting for a certain kind of update, maybe a cumulative one, to finish updating the certificates. I've also disabled driver updates due to issues with graphics card updates on one of our models. I did update the firmware across the board before applying the policy—could the certificate update only happen during the next firmware update? Any insights would be greatly appreciated!
2 Answers
We've noticed that some devices, especially older ones like Lenovo desktops, can be pretty picky about the payload from Windows. We had to go into the BIOS and manually activate the new certificate by resetting the secure boot keys. A good rule of thumb is that if the device is over a year old, it should ideally have a firmware version published within the last 5-6 months that includes the new certificate.
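Before deciding whether a device that is still "Under Observation" needs the manual BIOS step described above, it helps to check what the firmware actually holds. The following PowerShell check is an added example, not code from this thread; it assumes an elevated session on the UEFI device, uses the standard `SecureBoot` module cmdlets, and takes the 2023 CA subject names and the `SecureBoot\Servicing` registry value names from Microsoft's published certificate-update guidance (treat the registry value names as an assumption and confirm them against current documentation for your build).

```powershell
# Added example (not from the original thread). Requires an elevated PowerShell
# session on the UEFI device being checked. Certificate subject strings and the
# Servicing registry value names follow Microsoft's Secure Boot certificate-update
# guidance; the registry value names are an assumption to confirm for your build.
#Requires -RunAsAdministrator

function Test-SecureBootCertificateUpdate {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning "Secure Boot is not enabled; the certificate update cannot apply."
        return
    }

    # Decode the db and KEK variables as ASCII. X.509 subject names are ASCII, so a
    # plain substring match is enough to tell whether the 2023 CAs are present.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result = [ordered]@{
        'db: Windows UEFI CA 2023'                  = $db  -match 'Windows UEFI CA 2023'
        'db: Microsoft UEFI CA 2023'                = $db  -match 'Microsoft UEFI CA 2023'
        'db: Microsoft Option ROM UEFI CA 2023'     = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        'KEK: Microsoft Corporation KEK 2K CA 2023' = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # Windows keeps its own view of the rollout under the Servicing key
    # (value names assumed from Microsoft's guidance; missing values show as empty).
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
    $result['Servicing: UEFICA2023Status'] = $servicing.UEFICA2023Status
    $result['Servicing: AvailableUpdates'] = $servicing.AvailableUpdates

    [pscustomobject]$result
}

Test-SecureBootCertificateUpdate | Format-List
```

A device whose db already lists the 2023 CAs has received and applied the payload regardless of what the rollout dashboard shows; one that still reports them missing after a current firmware update is the case where the manual key reset in the BIOS comes into play.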
We just let Windows Update handle it all, and we didn't run into any issues on our end. Everything went smoothly!
What do you mean by 'handle it all'? Did you do anything specific?

Oh, I totally forgot to mention: some models might still need that firmware update too!