Microsoft Secure Boot certificates expire in June 2026 – a Secure Boot playbook

If you wish to proactively update your Secure Boot certificates, this playbook outlines the initial steps you can take and tools you can use. At a minimum, we encourage you to monitor the progress of your device fleet from the start.

Step 1: Inventory and prepare your environment
Step 2: Monitor and check your devices for Secure Boot status
Step 3: Apply OEM firmware updates before Microsoft updates
Step 4: Plan and pilot Secure Boot certificate deployments
    Option 1 (recommended): Deploy certificates using Microsoft Intune
    Option 2: Deploy certificates with registry keys
    Option 3: Deploy certificates via WinCS
    Option 4: Deploy certificates using Group Policy
Step 5: Troubleshoot and remediate common issues

It shouldn’t look like that …

PS C:\Users\josef> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).bytes) -match 'Windows UEFI CA 2023'
False
PS C:\Users\josef> [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI kek).bytes) -match 'Microsoft Corporation KEK 2K CA 2023'
False
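
The two checks above can be extended to show which certificates a device actually holds and when they expire. The following is an added example, not part of the original post or of Microsoft's playbook: it walks the EFI_SIGNATURE_LIST entries in db and KEK instead of string-matching the raw bytes. The function name Get-SecureBootCertificate is hypothetical, and the script assumes an elevated PowerShell session on a UEFI system.

```powershell
# Added example: enumerate the X.509 certificates stored in a Secure Boot variable.
# Get-SecureBootCertificate is a hypothetical helper name, not a built-in cmdlet.
function Get-SecureBootCertificate {
    param([Parameter(Mandatory)][ValidateSet('db', 'KEK')][string]$Name)

    $x509Type = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
    try   { [byte[]]$b = (Get-SecureBootUEFI -Name $Name -ErrorAction Stop).Bytes }
    catch { Write-Warning "Cannot read '$Name': $($_.Exception.Message)"; return }

    $offset = 0
    while ($offset + 28 -le $b.Length) {
        # EFI_SIGNATURE_LIST header: type GUID (16 bytes), then list size,
        # header size and signature size (4 bytes each, little-endian).
        $type     = [Guid]::new([byte[]]$b[$offset..($offset + 15)])
        $listSize = [BitConverter]::ToInt32($b, $offset + 16)
        $hdrSize  = [BitConverter]::ToInt32($b, $offset + 20)
        $sigSize  = [BitConverter]::ToInt32($b, $offset + 24)
        # Stop on a malformed list instead of reading past the buffer.
        if ($listSize -lt 28 -or $hdrSize -lt 0 -or $sigSize -le 16 -or
            $offset + $listSize -gt $b.Length) { break }

        if ($type -eq $x509Type) {
            $end = $offset + $listSize
            for ($p = $offset + 28 + $hdrSize; $p + $sigSize -le $end; $p += $sigSize) {
                # EFI_SIGNATURE_DATA: owner GUID (16 bytes) followed by the DER certificate.
                $der  = [byte[]]$b[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{ Variable = $Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
            }
        }
        $offset += $listSize
    }
}

# Certificate names taken from the two commands shown in the post.
$expected = [ordered]@{ db = 'Windows UEFI CA 2023'; KEK = 'Microsoft Corporation KEK 2K CA 2023' }
foreach ($name in $expected.Keys) {
    $certs = @(Get-SecureBootCertificate -Name $name)
    [pscustomobject]@{
        Variable = $name
        Expected = $expected[$name]
        Present  = [bool]($certs | Where-Object { $_.Subject -like "*$($expected[$name])*" })
        Subjects = ($certs | ForEach-Object { '{0} (expires {1:yyyy-MM-dd})' -f $_.Subject, $_.NotAfter }) -join '; '
    }
}
```

A device that still needs the update reports Present as False for one or both variables, matching the output shown above.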
