I've been trying to figure out the correct process for enabling the Microsoft managed Secure Boot Certificate Update toggle in Intune, especially for devices that haven't been updated to the latest BIOS version yet. From what I understand, older BIOS versions don't include the necessary certificates, which is why I'm waiting to update all endpoints. My main question is, if I turn on the Secure Boot toggle now, what happens to devices that are still on the old BIOS? Will they just throw an error (EVID 1801), or is it better to wait until all updates are complete? I've also read that doing the updates out of order could risk replacing new certificates with the old ones, which confuses me. Any advice?
5 Answers
I wouldn't recommend flipping that switch globally just yet. Devices not on the latest BIOS won’t apply the update properly, leading to errors like event 1801. It might create a messy situation later on, so it’s wise to prioritize updating the BIOS fleet first, then enable the toggle progressively. Keep an eye on everything before rolling out fully!
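A per-device readiness check that goes with the "keep an eye on everything" advice above, added here as an example and not posted by anyone in this thread. It reports the BIOS version, whether Secure Boot is on, whether the Secure Boot db already contains a certificate whose subject includes "Windows UEFI CA 2023", and whether Event ID 1801 has been logged recently. Assumptions (not stated on this page): Event ID 1801 is raised by the Microsoft-Windows-TPM-WMI provider in the System log, and the servicing state is exposed under HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing as a UEFICA2023Status value; adjust those two if your environment differs. Run it elevated on an endpoint, or wrap it in an Intune remediation/detection script, before you flip the toggle for that device.

```powershell
# Added example, not from the thread. Inventory one endpoint's Secure Boot
# certificate-update readiness so the BIOS fleet can be staged before enabling
# the Intune toggle.
#
# Assumptions (labelled, not verified against this page):
#   - the 2023 CA shows up in the Secure Boot db with the subject string
#     "Windows UEFI CA 2023" (ASCII inside the DER blob, so a text search works)
#   - Event ID 1801 is logged by provider Microsoft-Windows-TPM-WMI in System
#   - servicing state lives under the ...\SecureBoot\Servicing registry key
#Requires -RunAsAdministrator
#Requires -Modules SecureBoot

function Get-SecureBootCertReadiness {
    [CmdletBinding()]
    param(
        [int]$EventLookbackDays = 30
    )

    $bios = Get-CimInstance -ClassName Win32_BIOS

    # Confirm-SecureBootUEFI throws on legacy-BIOS / non-UEFI machines.
    $secureBootOn = $false
    try { $secureBootOn = [bool](Confirm-SecureBootUEFI) } catch { $secureBootOn = $false }

    # Look for the 2023 CA in the allowed-signatures database (db).
    $has2023CA = $false
    if ($secureBootOn) {
        try {
            $dbBytes   = (Get-SecureBootUEFI -Name db).Bytes
            $dbText    = [System.Text.Encoding]::ASCII.GetString($dbBytes)
            $has2023CA = $dbText -match 'Windows UEFI CA 2023'
        } catch { $has2023CA = $false }
    }

    # Most recent Event ID 1801 (assumed provider: Microsoft-Windows-TPM-WMI).
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = 1801
        StartTime    = (Get-Date).AddDays(-$EventLookbackDays)
    }
    $evt1801 = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
               Sort-Object TimeCreated -Descending | Select-Object -First 1

    # Assumed servicing state key; absent on builds that have not started the update.
    $servicing = Get-ItemProperty `
        -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
        -ErrorAction SilentlyContinue

    $recommendation =
        if (-not $secureBootOn) { 'Secure Boot is off or unavailable: enable it in firmware first' }
        elseif ($has2023CA)     { '2023 CA present in db: safe to include in the toggle rollout' }
        elseif ($evt1801)       { 'Event 1801 seen: firmware not ready, update BIOS before enabling' }
        else                    { '2023 CA not in db, no 1801 yet: verify BIOS version before enabling' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        BiosVersion      = $bios.SMBIOSBIOSVersion
        BiosDate         = $bios.ReleaseDate
        SecureBootOn     = $secureBootOn
        Has2023CAInDb    = $has2023CA
        Last1801         = if ($evt1801) { $evt1801.TimeCreated } else { $null }
        UEFICA2023Status = $servicing.UEFICA2023Status   # $null if key/value absent
        Recommendation   = $recommendation
    }
}

# Usage: print the report for this machine, or export it for an Intune/CM report.
Get-SecureBootCertReadiness | Format-List
```

Grouping the fleet by `Recommendation` (for example with `Group-Object` over the collected objects) gives you the three buckets the thread is talking about: devices already carrying the 2023 CA, devices that have logged 1801 and need a BIOS update, and devices that have not attempted the update yet. Only the first bucket is a candidate for enabling the toggle without generating noise.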
It's usually safe to enable the toggle, but devices without the required BIOS will log an EVID 1801 error without causing any major issues. However, to be on the safer side, it’s better to complete all the BIOS updates first to avoid any potential complications or inconsistent states across your devices.
Thanks for clarifying! I'm leaning toward waiting until everyone is updated to prevent any edge cases.
You're good to enable the toggle; devices without the required BIOS will log Event ID 1801, but nothing will break. Just make sure you complete the BIOS updates before the deadline to avoid any future enrollment issues.
Exactly what we're planning to do!
Nothing will break, but it's important to follow the order: update BIOS first, enable Secure Boot, then update the certificates. Doing it in the wrong order can complicate the process.
Got it! I was tempted to push updates for eligible devices now, but I see the value in waiting.
I can confirm that we had no issues with our approach. We updated the BIOS first, then enabled Secure Boot, and everything went smoothly.

We’re going to wait until all updates are done. There aren't many left now, so I think we can manage it!