UEFI Secure Boot CA 2023
How frequently do you observe this topic on LinkedIn or X? Perhaps your organization is discussing it. Upon logging into Intune, you will notice this banner at the top of your Intune dashboard.
Microsoft announced this issue back in 2025, but surprisingly, it didn’t get much attention until recently. While Microsoft shared some details about the registry keys involved, clear step-by-step instructions for fixing the problem are quite hard to find.
Last week, I was working on this issue on my own tenant and for one of my customers, and I decided to share this information so that you can address it earlier and avoid waiting until the last minute.
What is Secure Boot:-
Secure Boot, a UEFI security feature, ensures only trusted software runs during boot by verifying digital signatures against trusted certificates stored in firmware. UEFI Secure Boot standardizes how platform firmware manages certificates, authenticates firmware, and interfaces with the OS.
For example, imagine an attacker trying to infect a computer with a boot kit, a type of malware designed to load before the operating system starts. The attacker modifies the boot loader with malicious code, but if Secure Boot is enabled, the firmware checks the digital signature of the boot loader against its list of trusted certificates. Since the infected boot loader has an invalid or unknown signature, the firmware blocks it from running. This prevents the boot kit from loading and helps protect the system from unauthorized software.
For more details on UEFI and Secure Boot, please see Secure boot.
How can we identify if our device has CA 2011 or 2023 Secure Boot?
Basically, you can run the command below:
([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -like "*UEFI CA 2023*")
Note that -like needs the surrounding * wildcards; without them the comparison is against the entire db contents and always returns ‘False’.
If it returns ‘True’, your device is in good shape. Keep in mind, though, that most devices now will return ‘False’. The only exceptions will be the newest release devices coming out at the end of 2025 and into 2026.
‘True’ indicates that the device is functioning properly and will receive the update from Microsoft during the monthly update.
‘False’ indicates the device requires action to receive the update from Microsoft.
Since most of the devices return ‘False’, you cannot practically run the command on each device individually. Instead, deploy this check through your management system to determine whether each device returns ‘True’ or ‘False’. If you are using Configuration Manager, I recommend creating a Configuration Item / Configuration Baseline (CI/CB) and two collections, one for compliant devices and one for non-compliant devices, and deploying the fix only to the non-compliant collection.
Because most companies use co-management or Intune for their devices, I will discuss the Intune solution in this blog post. Here are also some tips if you are using GPO to fix this issue.
To confirm that Secure Boot is enabled, go to Settings > Privacy & Security > Windows Security > Device Security. Under Device security, the Secure boot section should indicate that Secure Boot is on.
Or run this command:
Confirm-SecureBootUEFI
If it returns ‘True’, Secure Boot is enabled.
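As an added example (not code from the original post, from Microsoft, or from any script the post references), here is one way to turn the two checks above into a detection script for an Intune remediation or a Configuration Manager configuration item. It assumes Windows 10/11 with PowerShell 5.1 or later, that the script runs elevated in the 64-bit host (Get-SecureBootUEFI needs both), and that the registry paths are the SecureBoot and SecureBoot\Servicing keys named later in the post; the exit-code convention (0 compliant, 1 non-compliant) is the one Intune remediations use.

```powershell
# Added example, not from the original post or from Microsoft.
# Detection script: reports whether the device already trusts the 2023 Secure Boot CA.
# Exit 0 = compliant, exit 1 = non-compliant (Intune remediation convention).

$result = [ordered]@{
    ComputerName      = $env:COMPUTERNAME
    SecureBootEnabled = $false
    CA2023InDb        = $false
    AvailableUpdates  = $null
    UEFICA2023Status  = $null
}

try {
    # Confirm-SecureBootUEFI throws on legacy BIOS / CSM machines, so wrap it.
    $result.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
} catch {
    $result.SecureBootEnabled = $false
}

if ($result.SecureBootEnabled) {
    # The db variable holds the allowed signing certificates as raw bytes; the
    # 2023 CA certificates embed "UEFI CA 2023" in their subject names, so a
    # wildcard substring match on the ASCII-decoded bytes is enough here.
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).Bytes)
    $result.CA2023InDb = $dbText -like '*UEFI CA 2023*'
}

# Registry values named in the post (read-only in a detection script).
$sbKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$result.AvailableUpdates = (Get-ItemProperty -Path $sbKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates
$result.UEFICA2023Status = (Get-ItemProperty -Path "$sbKey\Servicing" -Name UEFICA2023Status -ErrorAction SilentlyContinue).UEFICA2023Status

# Intune records stdout as the pre-remediation detection output, so emit one
# compact JSON line that can later be reviewed or aggregated per device.
$result | ConvertTo-Json -Compress | Write-Output

if ($result.SecureBootEnabled -and $result.CA2023InDb) { exit 0 } else { exit 1 }
```

A device with Secure Boot off is reported as non-compliant on purpose: the certificate servicing cannot update the firmware variables on such a machine, so it needs attention before any remediation can succeed.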
SCCM/GPO
If you check the registry on a non-compliant device, you will find this key:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
Value Name: AvailableUpdates
Value data: 0
and this one:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing
Value Name: UEFICA2023Status
Value data: NotStarted
According to Microsoft, if you change the AvailableUpdates value data from 0 to 0x5944 and refresh, you will see the value named ‘UEFICA2023Status’ change from ‘NotStarted’ to ‘In progress’. After 12 hours, or after one or two restarts, it changes to ‘Updated’, and the ‘WindowsUEFICA2023Capable’ value becomes ‘2’.
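As an added example that is not part of the original post or of Microsoft's scripts, the remediation below applies the registry change just described from a script (for instance as the remediation half of an Intune remediation, or as a Configuration Manager CI remediation). It sets AvailableUpdates to 0x5944 (22852 in decimal) only on devices where Secure Boot is on and UEFICA2023Status is not already ‘Updated’, then reports the resulting status. The scheduled task name it tries to start is an assumption, not something the post states; check it with Get-ScheduledTask before relying on it. Run it elevated in 64-bit PowerShell.

```powershell
# Added example, not from the original post or from Microsoft.
# Applies the AvailableUpdates = 0x5944 change described in the post and reports
# the resulting servicing status. Run elevated, in 64-bit PowerShell.

$sbKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$servicingKey = "$sbKey\Servicing"
$targetValue  = 0x5944   # trigger value from the post; 22852 in decimal

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null instead of throwing when the key or value is absent.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. The servicing can only write the firmware variables on a UEFI system with
#    Secure Boot on, so report and stop otherwise.
try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Output 'Secure Boot is off; enable it in firmware first.'
        exit 1
    }
} catch {
    Write-Output "Not a UEFI Secure Boot system: $($_.Exception.Message)"
    exit 1
}

# 2. Already done? Then leave the device alone.
$status = Get-RegValue $servicingKey 'UEFICA2023Status'
if ($status -eq 'Updated') {
    Write-Output 'UEFICA2023Status is already Updated; nothing to do.'
    exit 0
}

# 3. Set the trigger value as a DWORD. Set-ItemProperty creates it if missing.
$current = Get-RegValue $sbKey 'AvailableUpdates'
if ($current -ne $targetValue) {
    Set-ItemProperty -Path $sbKey -Name 'AvailableUpdates' -Value $targetValue -Type DWord
    Write-Output ('AvailableUpdates changed from {0} to 0x{1:X}' -f $current, $targetValue)
} else {
    Write-Output 'AvailableUpdates is already 0x5944; waiting for servicing.'
}

# 4. Optional nudge. The post says the status moves on its own within about
#    12 hours or after a restart or two. The task path and name below are an
#    assumption (hypothetical); if the task is absent, this step is skipped.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
if ($task) { Start-ScheduledTask -InputObject $task }

# 5. Report the state Intune will show as the post-remediation output.
$after = Get-RegValue $servicingKey 'UEFICA2023Status'
$afterText = if ($after) { $after } else { 'not present' }
Write-Output ('UEFICA2023Status now: {0}' -f $afterText)
exit 0
```

Pairing this with a detection script that re-reads UEFICA2023Status gives you the ‘NotStarted’ / ‘In progress’ / ‘Updated’ progression per device in the remediation report, without touching devices that are already updated.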
If you are using GPO, go to this path: Computer Configuration -> Administrative Templates -> Windows Components -> Secure Boot. All 3 GPOs are disabled by default.
1. Enable Secure Boot Certificate Deployment: When enabled, Windows will automatically begin the certificate deployment process on devices where this policy has been applied.
Select Enabled.
2. Automatic Certificate Deployment via Updates: This policy controls whether Secure Boot certificate updates are applied automatically through Windows monthly security and non-security updates. Devices that Microsoft has validated as capable of processing Secure Boot variable updates will receive these updates as part of cumulative servicing and apply them automatically.
Select Disabled so the device receives certificate updates automatically during servicing; this sets the HighConfidenceOptOut value to 0. If you select Enabled, the updates are blocked and HighConfidenceOptOut is set to 1.
3. Certificate Deployment via Controlled Feature Rollout: For enterprises that want assistance in deploying the new Secure Boot certificates to their devices, this setting can be enabled.
Select Enabled.
Note: The device must be sending the required diagnostic data to Microsoft to use this feature.
To monitor your devices, you can run Microsoft's Detect-SecureBootCertUpdateStatus.ps1 script to collect device status data, writing the output to a folder on the device:
.\Detect-SecureBootCertUpdateStatus.ps1 -OutputPath "C:\Temp\SecureBootTest"
Your JSON file will contain a lot of information about the device's Secure Boot state.
Now, let's use the Aggregate script from Microsoft to help us build the HTML report:
.\Aggregate-SecureBootData.ps1 -InputPath "C:\Temp\SecureBoot\" -OutputPath "C:\Temp\SecureBootReports"
Note: ‘SecureBootReports’ will be created by the Aggregate script and will contain some CSV files and HTML files.
Then run this command to generate the Microsoft Dashboard
Intune
In Intune, I found it much easier to fix the registry key and value and move the device(s) from ‘NotStarted’ to ‘Updated’.
1. I used the same Microsoft detection script mentioned above to find out how many devices have a certificate issue. I added the detection script and left the remediation script empty.
Run script using the logged-on credentials: No
Enforce script signature check: No
Run script in 64-bit PowerShell: Yes
For testing, I set the script to run every 3 hours to get faster results.
First, I had one VM without issues, which means the registry key value is ‘Updated’, and the one device above, named ‘Dell’, has an issue.
Now let’s configure a policy to fix this issue.
This step is optional; if you do not want to do it, you can skip to the next point.
Before I started with the policy, I wanted to test with Dell devices, so I created a filter based on the model (in my case, Dell Latitude).
Go to Devices > Manage devices > Configuration.
Select the platform Windows 10 and later.
Give it a name. In the configuration settings, search for Secure Boot, and you will see 3 options just like the GPO above; select them all.
Settings:- from the Microsoft documentation
1. Configure High Confidence Opt Out: Disabled
Value name = ConfigureHighConfidenceOptOut, Value data = 0
Disabled: devices that have validated their update results will automatically get certificate updates as part of the monthly updates.
2. Configure Microsoft Update Managed Opt In: Enabled
Value name = MicrosoftUpdateManagedOptin, Value data = 1
This policy grants permission to opt in to CFR servicing (Microsoft managed).
3. Enable Secureboot Certificate Updates: Enabled
Value name = AvailableUpdatePolicy, Value data = 22852
This policy supports smooth updates to the Secure Boot certificates. When set to Enabled, it installs the latest Secure Boot certificates and the 2023-signed boot manager on all devices where this policy is in effect, ensuring everything stays secure and up to date.
If you used a filter as I did in the previous step, in Assignment select the filter you want to apply to your test devices. In my case, I used Latitude-Dell.
I gave the policy a little time to sync. I had one device before, and when I checked the Secure Boot report, the Dell device's cert status was up to date.
The part below is an extra for monitoring, using the nice Microsoft dashboard. You can also stick with the Intune report; it's great and easy. I just want to provide multiple options.
From the Intune detection script, if you check Device Status, Pre-remediation detection output, and click on Review, you will get the full JSON file.
You can download them all; make sure to save each JSON file with the format Hostname_Latest.json.
Then run the aggregate script above with this command line
.\Aggregate-SecureBootData.ps1 -InputPath "C:\Temp\SecureBoot\" -OutputPath "C:\Temp\SecureBootReports"
And then this command line to generate the dashboard
It is very important to start enabling Secure Boot if the report returns Off, as for the 4 devices above.
In this report, you can focus on 4 parts:
1. Updated device, no action needed.
3. Not updated, you need to take action on those devices. This will be the majority of the devices.
4. Update Pending, waiting for policy or report.
Finally, the only thing I haven't found is an explanation of how to decrypt the BucketID, since you will have a group of devices sharing the same BucketID, which indicates the same problem. So, if you fix one, you can fix them all.
Thanks for reading this long post. I hope it helps you and your organization.
