Hey everyone! I'm currently looking into the UEFI Secure Boot certificate situation for my organization since a lot of our devices still seem to have outdated certificates. With the expiration deadline approaching in June 2026, it's quite pressing. I found that many devices need their BIOS updated for the workaround to function properly, which complicates matters. We don't have System Center Configuration Manager (SCCM), but we do use Windows Server Update Services (WSUS). In a pilot group, I successfully deployed BIOS updates using an Intune app and a remediation script that checks for outdated BIOS versions, which worked for 150 devices with no issues so far. While it's true that WSUS can deploy drivers, I've heard it's not the best for BIOS updates, and I'm hesitant to add such significant updates to WSUS. Manual updates won't work for our scale, as we need a solution for over 10,000 devices. It's crucial we address this before any BitLocker issues arise. Since budget is a concern, I'm wondering if anyone has tackled this challenge without SCCM? How would you manage it? Thanks for any help!
1 Answer
You might want to update your Active Directory Administrative Template (ADMX) files; there’s a new WSUS policy that allows selecting different update sources. This way, you can get cumulative updates from your WSUS server while pulling BIOS updates directly from Microsoft. I've had luck with HP and Dell devices this way. If you have an MDM solution, you could package BIOS updates into that. Dell devices can be managed through Dell Command Update, which can also be scripted and set up via Group Policy for driver and BIOS updates.

I’ll check into that configuration! However, I think our policy may require using WSUS exclusively, which could be preventing those updates from coming through. We don’t have many Dell devices left; most of our fleet is HP and Lenovo. Management isn’t keen on using HP's tools for Intune driver updates since they’re considered too pricey.
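The question mentions a remediation script that detects outdated BIOS versions before the BIOS update app is targeted. The following is an added example of such an Intune detection script (not code from anyone in this thread); the model names and minimum versions in the table are constructed placeholders, and the vendor BIOS string formats it parses are the usual HP and Lenovo shapes, which you should verify against your own fleet.

```powershell
# Added example: Intune remediation DETECTION script. Exit 1 = BIOS below the per-model
# minimum (remediate / target the BIOS update app), exit 0 = compliant or no baseline.
# Model keys and minimum versions below are constructed sample values, not real baselines.
$MinimumBios = @{
    'HP EliteBook 840 G8' = '01.14.00'   # constructed sample; HP Model string starts with this
    'HP ProBook 450 G9'   = '01.09.00'   # constructed sample
    '20Y0'                = '1.45'       # constructed sample; Lenovo exposes the machine type as Model
}

function Get-BiosVersionTokens {
    # Vendor strings differ: HP "U70 Ver. 01.12.00", Lenovo "N3AET80W (1.45 )".
    # Take the last dotted numeric group and return its parts as integers.
    param([string]$Raw)
    $m = [regex]::Matches($Raw, '\d+(\.\d+)+') | Select-Object -Last 1
    if (-not $m) { return $null }
    return ($m.Value -split '\.' | ForEach-Object { [int]$_ })
}

function Compare-BiosVersion {
    # Returns -1 / 0 / 1 like CompareTo, or $null when either side cannot be parsed.
    param([string]$Current, [string]$Minimum)
    $a = Get-BiosVersionTokens $Current
    $b = Get-BiosVersionTokens $Minimum
    if (-not $a -or -not $b) { return $null }
    $len = [Math]::Max($a.Count, $b.Count)
    for ($i = 0; $i -lt $len; $i++) {
        $x = if ($i -lt $a.Count) { $a[$i] } else { 0 }   # pad shorter version with zeros
        $y = if ($i -lt $b.Count) { $b[$i] } else { 0 }
        if ($x -ne $y) { return [Math]::Sign($x - $y) }
    }
    return 0
}

$bios  = Get-CimInstance Win32_BIOS
$model = (Get-CimInstance Win32_ComputerSystem).Model.Trim()
$key   = $MinimumBios.Keys | Where-Object { $model -like "$_*" } | Select-Object -First 1
if (-not $key) { Write-Output "No baseline for model '$model'"; exit 0 }   # unknown model: report, review manually

$cmp = Compare-BiosVersion -Current $bios.SMBIOSBIOSVersion -Minimum $MinimumBios[$key]
$sb  = try { Confirm-SecureBootUEFI } catch { 'unknown' }   # needs SYSTEM/admin, which remediations have
Write-Output "Model=$model BIOS=$($bios.SMBIOSBIOSVersion) Min=$($MinimumBios[$key]) SecureBoot=$sb"

if ($null -eq $cmp) { Write-Output 'Could not parse BIOS version'; exit 1 }  # flag parser gaps as non-compliant
if ($cmp -lt 0)     { exit 1 }   # BIOS older than minimum
exit 0
```

Pair it with a remediation script that launches the vendor BIOS updater, and use the Write-Output line as the pre-remediation detection output so the fleet's BIOS and Secure Boot state can be reviewed in the Intune report.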