Secure Boot

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
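The one-liner above ASCII-decodes the whole db blob and regex-matches it, which works but cannot tell a real certificate entry from a stray byte sequence and says nothing about expiry or which database holds what. The following is an added example (not code from the thread or from the RemediationScripts repository): it walks the EFI_SIGNATURE_LIST structures of a Secure Boot variable as laid out in the UEFI specification, decodes each X.509 entry, and reports whether the 2023 CAs are present in db and KEK. The function names are ours; only "Windows UEFI CA 2023" is taken from the thread, the other CN strings are assumed to be Microsoft's published 2023 CA names. Run it in an elevated session on a UEFI system (Get-SecureBootUEFI fails on legacy BIOS).

```powershell
# Added example: parse Secure Boot signature databases instead of regex-matching them.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'  # EFI_CERT_X509_GUID (UEFI spec)

function Get-SecureBootSignature {
    param([ValidateSet('PK', 'KEK', 'db', 'dbx')][string]$Name = 'db')
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST: SignatureType GUID (16), SignatureListSize (UINT32),
        # SignatureHeaderSize (UINT32), SignatureSize (UINT32), optional header, then entries.
        $sigType    = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [int][BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or $sigSize -le 16) { throw "Malformed EFI_SIGNATURE_LIST at offset $offset" }
        $listEnd   = $offset + $listSize
        $sigOffset = $offset + 28 + $headerSize
        while ($sigOffset + $sigSize -le $listEnd) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16) followed by SignatureData.
            $owner = [guid]::new([byte[]]$bytes[$sigOffset..($sigOffset + 15)])
            $data  = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $sigSize - 1)]
            if ($sigType -eq $EfiCertX509Guid) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                [pscustomobject]@{
                    Database = $Name; Type = 'X509'; Subject = $cert.Subject
                    NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint; Owner = $owner
                }
            } else {
                # Non-certificate entries (e.g. SHA-256 hashes in dbx) are reported by size only.
                [pscustomobject]@{
                    Database = $Name; Type = "$($data.Length)-byte entry"; Subject = $null
                    NotAfter = $null; Thumbprint = $null; Owner = $owner
                }
            }
            $sigOffset += $sigSize
        }
        $offset = $listEnd
    }
}

function Test-SecureBoot2023Ca {
    # Only 'Windows UEFI CA 2023' appears in the thread; the other names are assumed
    # to be Microsoft's published 2023 CA subjects and can be trimmed to taste.
    $expected = @{
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023', 'Microsoft Option ROM UEFI CA 2023')
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
    }
    foreach ($dbName in $expected.Keys) {
        $subjects = @(Get-SecureBootSignature -Name $dbName | Where-Object Type -eq 'X509' | ForEach-Object Subject)
        foreach ($cn in $expected[$dbName]) {
            [pscustomobject]@{
                Database    = $dbName
                Certificate = $cn
                Present     = [bool]($subjects | Where-Object { $_ -match [regex]::Escape("CN=$cn") })
            }
        }
    }
}

Test-SecureBoot2023Ca | Format-Table -AutoSize
```

`Get-SecureBootSignature -Name db | Format-Table Subject, NotAfter` lists every signing CA the firmware currently trusts together with its expiry, which is the quickest way to see on one device whether the 2011 CAs are still present alongside the 2023 ones. Parsing dbx works the same way but is slow with the per-entry array slicing, since revocation lists carry thousands of hash entries.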

I found that in the BIOS of those laptops under "Security\Secure Boot" the "Platform Mode" was "Setup Mode" and the "Secure Boot Mode" was "Custom Mode". After I hit "Restore Factory Keys" it changed to "User Mode" (for Platform Mode) and "Standard Mode" (for Secure Boot Mode). Then the Secure Boot Certificates 2026 updated without any problems.

<#
.SYNOPSIS
    PowerShell script to detect the status of the UEFI 2023 CA certificate update process for SecureBoot on Windows devices and output the status for reporting in Microsoft Endpoint Manager/Intune Proactive Remediations.
.DESCRIPTION
    This PowerShell script is deployed as a detection script using Remediations in Microsoft Endpoint Manager/Intune.
.LINK
    https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#bkmk_how_keys_work_together
    https://docs.microsoft.com/en-us/mem/analytics/proactive-remediations
.NOTES
    Version:        1.2
    Creation Date:  2026-01-28
    Last Updated:   2026-02-10
    Author:         Harris Bowman
    Repository:     https://github.com/harris-bowman/RemediationScripts
    Requires Local Admin Privileges: Yes
#>

$path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$log = ""

# Read the Servicing key without throwing if it does not exist yet; the Test-Path check below reports that case.
$keyItem = Get-Item -Path $Path -ErrorAction SilentlyContinue
$UEFICA2023StatusVal = if ($keyItem) { $keyItem.GetValue('UEFICA2023Status', $null) } else { $null }
$UEFICA2023ErrorVal  = if ($keyItem) { $keyItem.GetValue('UEFICA2023Error', $null) } else { $null }

$value = Get-ItemPropertyValue -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\' -Name 'AvailableUpdates' -ErrorAction SilentlyContinue
if ($null -eq $value) {
    $log += "AvailableUpdates is not set. "
} else {
    $AUKeyHex = ('0x{0:X}' -f $value)
    $log += "AvailableUpdates=$AUKeyHex. "
}

if (!(Test-Path $Path)) {
    Write-Host "SecureBoot Servicing registry not present."
    exit 1
} elseif ($null -eq $UEFICA2023StatusVal) {
    Write-Host "UEFICA2023Status key not present. "
    exit 1
} else {
    
    if ((Get-ItemProperty -Path $path -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status -eq "NotStarted") {
        $log += "The update has not yet run. "
    } elseif ((Get-ItemProperty -Path $path -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status -eq "InProgress") {
        $log += "The update is actively in progress. "
    } elseif (((Get-ItemProperty -Path $path -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status -eq "Updated") -and (([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'))) {
        $log += "The update has completed successfully! "
        Write-Host $log
        exit 0
    }

    if ($null -eq $UEFICA2023ErrorVal) {
        $log += "UEFICA2023Error value not present. "
        Write-Host $log
        exit 1
    } elseif ((Get-ItemProperty -Path $path -Name 'UEFICA2023Error' -ErrorAction SilentlyContinue).UEFICA2023Error -ne 0) {
        $errCode = (Get-ItemProperty -Path $path -Name 'UEFICA2023Error' -ErrorAction SilentlyContinue).UEFICA2023Error
        $valHex = ('0x{0:X}' -f $errCode)
        $errCodeEvent = (Get-ItemProperty -Path $path -Name 'UEFICA2023ErrorEvent' -ErrorAction SilentlyContinue).UEFICA2023ErrorEvent
        $valHexEvent = ('0x{0:X}' -f $errCodeEvent)
        $log += "Error: $errCode (Hex: $valHex.) - ErrorEvent: $errCodeEvent (Hex: $valHexEvent.) "
        Write-Host $log
        exit 1
    } else {
        # Status is present and no error was recorded, but the update is not confirmed
        # (not yet run, in progress, or "Updated" without the 2023 CA actually in db).
        $log += "UEFICA2023Status=$UEFICA2023StatusVal; 2023 CA update not confirmed. "
        Write-Host $log
        exit 1
    }

}

<#
.SYNOPSIS
    PowerShell script to apply the settings and trigger the UEFI 2023 CA certificate update process for SecureBoot on Windows devices.
.DESCRIPTION
    This PowerShell script is deployed as a remediation script using Remediations in Microsoft Endpoint Manager/Intune. It will set the following, and Exit 0 if all are completed successfully:
    - The SecureBoot registry path is created if it doesn't exist.
    - The HighConfidenceOptOut value is set to 0
    - The MicrosoftUpdateManagedOptIn value is set to 1.
    - The AvailableUpdates value:
        -If it doesn't exist, set to 0x5944.
        -If it exists and is set to 0, set to 0x5944.
        -If it exists and is set to 0x400, the update is stuck at the boot manager stage without
         the CA 2023 cert having been written to the DB first. Reset to 0x5944 to restart the
         full sequence.
        -If it exists and is not set to 0 or 0x400, leave it alone as this suggests the update
         is already in progress or has completed, and we don't want to interfere with that.

    The Detection script to pair with this is: https://github.com/harris-bowman/RemediationScripts/blob/main/Detect_SecureBootRegKeys.ps1
.LINK
    https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#bkmk_how_keys_work_together
    https://docs.microsoft.com/en-us/mem/analytics/proactive-remediations
.NOTES
    Version:        1.4
    Creation Date:  2026-01-28
    Last Updated:   2026-05-08
    Author:         Harris Bowman (modified by PA)
    Repository:     https://github.com/harris-bowman/RemediationScripts
    Requires Local Admin Privileges: Yes

    Changelog:
        1.4 - Added handling for AvailableUpdates = 0x400 (stuck at boot manager stage).
              Devices in this state have skipped the cert-into-DB step and will loop on
              Event ID 1796 (0x800700c1) indefinitely. Reset to 0x5944 to restart the
              full cert + boot manager sequence.
#>

$Path  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\'
$log = ""
$value = $null

#Safeguard if certificates are already installed:
if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status -eq "Updated" -and (([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'))) {
    Write-Host "SecureBoot updates already installed successfully. No remediation needed."
    exit 0
}

#Check the registry key SecureBoot exists.
if (!(Test-Path $Path)) {
    New-Item -Path $Path -Force
    $log += "SecureBoot registry path created. "
}
$keyItem = Get-Item -Path $Path

$value = $keyItem.GetValue('HighConfidenceOptOut', $null)
if ($null -eq $value) {
    #If HighConfidenceOptOut doesn't exist, create it and set to 0.
    New-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -PropertyType DWord -Value 0 -Force
} elseif ($value -ne 0) {
    #If HighConfidenceOptOut exists but is not set to 0, set it to 0.
    Set-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -Value 0 -Force
    $log += "Configured HighConfidenceOptOut to 0. "
}   

$value = $keyItem.GetValue('MicrosoftUpdateManagedOptIn', $null)
if ($null -eq $value) {
    #If MicrosoftUpdateManagedOptIn doesn't exist, create it and set to 1.
    New-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -PropertyType DWord -Value 1 -Force
} elseif ($value -ne 1) {
    #If MicrosoftUpdateManagedOptIn exists but is not set to 1, set it to 1.
    Set-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -Value 1 -Force
    $log += "Configured MicrosoftUpdateManagedOptIn to 1. "
}   

$val = $keyItem.GetValue('AvailableUpdates', $null)
if ($null -eq $val) {
    #If AvailableUpdates doesn't exist, create it and set to 0x5944.
    New-ItemProperty -Path $Path -Name 'AvailableUpdates' -PropertyType DWord -Value 0x5944 -Force
    $log += "Configured AvailableUpdates to 0x5944 (key didn't exist.). "
    #Start the Scheduled Task to kick off the update process.
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" -ErrorAction SilentlyContinue
    $log += "Attempted to start Scheduled Task. "
} elseif (0 -eq $val) {
    #If AvailableUpdates exists but is set to 0, set it to 0x5944.
    Set-ItemProperty -Path $Path -Name 'AvailableUpdates' -Value 0x5944 -Force
    $log += "Configured AvailableUpdates to 0x5944 (was 0). "
    #Start the Scheduled Task to kick off the update process.
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" -ErrorAction SilentlyContinue
    $log += "Attempted to start Scheduled Task. "
} elseif (0x400 -eq $val) {
    #If AvailableUpdates is 0x400, the device is stuck at the boot manager update stage without
    #the Windows UEFI CA 2023 cert having been written to the Secure Boot DB first.
    #This causes a recurring Event ID 1796 (0x800700c1) on every boot.
    #Reset to 0x5944 to restart the full cert + boot manager sequence from the beginning.
    Set-ItemProperty -Path $Path -Name 'AvailableUpdates' -Value 0x5944 -Force
    $log += "Configured AvailableUpdates to 0x5944 (was stuck at 0x400 - boot manager stage without cert). "
    #Start the Scheduled Task to kick off the update process.
    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update" -ErrorAction SilentlyContinue
    $log += "Attempted to start Scheduled Task. "
} else {
    #If AvailableUpdates exists and is not 0 or 0x400, leave it alone as this suggests
    #the update is already in progress or has completed, and we don't want to interfere with that.
    $valHex = ('0x{0:X}' -f $val)
    $log += "AvailableUpdates present but set to $valHex, Leaving alone. "
}

$log = "SecureBoot registry keys configured successfully: " + $log
Write-Host $log
exit 0

<#
.SYNOPSIS
    PowerShell script to detect the settings needed to trigger the UEFI 2023 CA certificate update process for SecureBoot on Windows devices.
.DESCRIPTION
    This PowerShell script is deployed as a detection script using Remediations in Microsoft Endpoint Manager/Intune. It will Exit 1 (Remediation Needed) if any of the following are true:
    - The SecureBoot registry path doesn't exist.
    - The HighConfidenceOptOut value is not set to 0.
    - The MicrosoftUpdateManagedOptIn value is not set to 1.
    - The AvailableUpdates value doesn't exist, is set to 0, or is set to 0x400 (stuck at
      boot manager stage without the CA 2023 cert having been written to the DB first).

    The Remediation script to pair with this is: https://github.com/harris-bowman/RemediationScripts/blob/main/Remediate_SecureBootRegKeys.ps1
.LINK
    https://support.microsoft.com/en-us/topic/registry-key-updates-for-secure-boot-windows-devices-with-it-managed-updates-a7be69c9-4634-42e1-9ca1-df06f43f360d#bkmk_how_keys_work_together
    https://docs.microsoft.com/en-us/mem/analytics/proactive-remediations
.NOTES
    Version:        1.3
    Creation Date:  2026-01-28
    Last Updated:   2026-05-08
    Author:         Harris Bowman (modified by PA)
    Repository:     https://github.com/harris-bowman/RemediationScripts
    Requires Local Admin Privileges: Yes

    Changelog:
        1.3 - Added detection for AvailableUpdates = 0x400 (stuck at boot manager stage).
              Devices in this state loop on Event ID 1796 (0x800700c1) indefinitely and
              require remediation to reset to 0x5944.
#>

$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\'
$log = ""
$fail = $false

#Safeguard if certificates are already installed.
if ((Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue).UEFICA2023Status -eq "Updated" -and (([System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'))) {
    Write-Host "SecureBoot updates already installed successfully. No remediation needed."
    exit 0
}

#Check the registry key SecureBoot exists.
if (!(Test-Path $Path)) {
    $log += "SecureBoot registry path not found. "
    $fail = $true
}

#Check if HighConfidenceOptOut is not set to 0.
if ((Get-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -ErrorAction SilentlyContinue).HighConfidenceOptOut -ne 0) {
    $log += "HighConfidenceOptOut is not set to 0. "
    $fail = $true
}

#Check if MicrosoftUpdateManagedOptIn is not set to 1.
if ((Get-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn -ne 1) {
    $log += "MicrosoftUpdateManagedOptIn is not set to 1. "
    $fail = $true
}

#Check if AvailableUpdates doesn't exist, is set to 0, or is stuck at 0x400.
$value = Get-ItemPropertyValue -Path $Path -Name 'AvailableUpdates' -ErrorAction SilentlyContinue
if ($null -eq $value) {
    $log += "AvailableUpdates is not set. "
    $fail = $true
} elseif ($value -eq 0) {
    $log += "AvailableUpdates is set to 0. "
    $fail = $true
} elseif ($value -eq 0x400) {
    $log += "AvailableUpdates is stuck at 0x400 (boot manager stage without cert in DB). "
    $fail = $true
}

#If any of the above checks have set $fail to true: Remediation is needed, we Write-Host $log to send the report back to Intune Remediations and Exit 1.
#If not, we Write-Host the current key values to send the report back to Intune Remediations and Exit 0.
if ($fail) {
    $log = "Remediation Needed: " + $log
    Write-Host $log
    exit 1
} else {
    $hkOO = (Get-ItemProperty -Path $Path -Name 'HighConfidenceOptOut' -ErrorAction SilentlyContinue).HighConfidenceOptOut
    $mkMUI = (Get-ItemProperty -Path $Path -Name 'MicrosoftUpdateManagedOptIn' -ErrorAction SilentlyContinue).MicrosoftUpdateManagedOptIn
    $auKey = (Get-ItemProperty -Path $Path -Name 'AvailableUpdates' -ErrorAction SilentlyContinue).AvailableUpdates
    $auKeyvalHex = ('0x{0:X}' -f $auKey)
    Write-Host "All SecureBoot registry keys are correctly configured: HighConfidenceOptOut: $hkOO MicrosoftUpdateManagedOptIn: $mkMUI AvailableUpdates: $auKeyvalHex"
    exit 0
}
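The detection and remediation scripts above treat AvailableUpdates = 0x400 as "stuck at the boot manager stage" and tie that state to a recurring Event ID 1796 (0x800700c1). The following is an added example (not code from the thread or the repository) that reports the registry values, the recent Event 1796 history and the state of the Secure-Boot-Update scheduled task in one object, so that a device looping in that state can be spotted from inventory rather than from a single registry read. Assumptions: the function name is ours; events are filtered by ID 1796 only, because the thread gives the event ID and error code but not the provider name; $LoopThreshold is an arbitrary reporting cut-off. Run elevated.

```powershell
# Added example: correlate AvailableUpdates/UEFICA2023Status with Event ID 1796 and the PI task.
function Get-SecureBootUpdateLoopStatus {
    param([int]$Days = 7, [int]$LoopThreshold = 3)
    $sbPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $servPath = "$sbPath\Servicing"
    $since    = (Get-Date).AddDays(-$Days)

    $au     = Get-ItemPropertyValue -Path $sbPath   -Name 'AvailableUpdates' -ErrorAction SilentlyContinue
    $status = Get-ItemPropertyValue -Path $servPath -Name 'UEFICA2023Status' -ErrorAction SilentlyContinue
    $err    = Get-ItemPropertyValue -Path $servPath -Name 'UEFICA2023Error'  -ErrorAction SilentlyContinue

    # Get-WinEvent reports "No events were found" as an error rather than an empty result; treat it as zero.
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1796; StartTime = $since } -ErrorAction SilentlyContinue)
    # Distinct calendar days on which 1796 fired approximates "fires on every boot" without parsing boot markers.
    $daysWithEvent = @($events | ForEach-Object { $_.TimeCreated.Date } | Sort-Object -Unique).Count

    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\PI\' -TaskName 'Secure-Boot-Update' -ErrorAction SilentlyContinue
    $info = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    $assessment = if ($null -eq $au) {
        'AvailableUpdates not set; update never requested.'
    } elseif ($au -eq 0x400 -and $daysWithEvent -ge $LoopThreshold) {
        "Looping at boot manager stage: AvailableUpdates=0x400 with Event 1796 on $daysWithEvent day(s); remediation resets it to 0x5944."
    } elseif ($au -eq 0x400) {
        'AvailableUpdates=0x400; watch for recurring Event 1796.'
    } elseif ($status -eq 'Updated') {
        'UEFICA2023Status reports Updated.'
    } else {
        'Update pending or in progress.'
    }

    [pscustomobject]@{
        AvailableUpdates  = if ($null -ne $au)  { '0x{0:X}' -f $au }  else { $null }
        UEFICA2023Status  = $status
        UEFICA2023Error   = if ($null -ne $err) { '0x{0:X}' -f $err } else { $null }
        Event1796Count    = $events.Count
        DaysWithEvent1796 = $daysWithEvent
        TaskState         = if ($task) { $task.State } else { 'not found' }
        TaskLastRunTime   = if ($info) { $info.LastRunTime } else { $null }
        TaskLastResult    = if ($info) { '0x{0:X}' -f $info.LastTaskResult } else { $null }
        Assessment        = $assessment
    }
}

Get-SecureBootUpdateLoopStatus | Format-List
```

Used as a detection script, the Assessment string is what you would Write-Host back to Intune; the remaining fields are what you would want in the output column when a device sits in the 0x400 state for more than a few days, since TaskLastResult and TaskLastRunTime show whether the Secure-Boot-Update task is even being triggered before the registry value is reset.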

The long term fix seems to be disabling this cert:

[Image attached to the comment; not reproduced here.]

Secure Boot Certificate Update – Making It Happen with Intune Remediations – Mindcore Techblog
