Understanding Secure Boot Changes Coming in June 2026

Asked By TechWhiz42 On

Hey folks! I'm working on Secure Boot changes coming up in June 2026 and could use some clarity. We use co-management with SCCM and Intune, distributing Windows updates through WUfB while managing device configurations via SCCM. I recently activated the new Group Policy Object (GPO) for Secure Boot following Microsoft's guidance. Now, I'm puzzled about the two options described: 'Certificate Deployment via Controlled Feature Rollout' and 'Enable Secure Boot Certificate Deployment.' It seems both initiate the rollout of new certificates, but what's the difference? Which option is best for our setup? Thanks for any insights!

3 Answers

Answered By SysAdminGuru88 On

Here's the scoop:

- **Enable Secure Boot Certificate Deployment** gives you control. Flip the switch, and you're responsible for the rollout. It's more hands-on but lets you test things your way.
- **Certificate Deployment via Controlled Feature Rollout** means Microsoft takes the reins. They roll it out based on their diagnostics, so it should be less chaotic since they’ve tested it on various setups.

If you want more control, go for the first option. If you prefer a managed approach, the second is likely the way to go.

Answered By InTheLoop101 On

Regarding your VM setup, it sounds like you've already done some key updates: new hardware version, new .nvram file, and you've confirmed that the KEK and certificates are updated via PowerShell. You should be good to go.

Just keep an eye on updates from Broadcom—they’re working on a better process to manage these updates without issues.

Answered By VMWareNinja99 On

Just a heads up, if you're running VMware, you’ve got some extra steps. Their Secure Boot setup can block OS updates, so be ready to manually update each VM. Check out Broadcom's guidance to make sure you're covered.

A lot of people are struggling with this, so you're not alone!

ConcernedTechie1 -

Honestly, I can't believe how complicated this is. There has to be a simpler solution out there.

TechWhiz42 -

I get what you're saying! It's frustrating—I'm just trying to make sure everything's ready for these changes.
