I am struggling to update our fleet of Dell devices to the 2023 UEFI Secure Boot Certificates on Windows 11.
Dell has included these certificates in their latest BIOS updates, but when I update a device to the latest BIOS and run the following PowerShell command, I unfortunately get "False":
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
All our laptops have BitLocker active, and I suspect this might be the root cause—that BitLocker is preventing the certificates from being updated in the NVRAM.
As a test, I disabled BitLocker on one device and ran the following:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
After doing this, the PowerShell command returned "True."
Is there anyone else experiencing this with Dell devices who has found a solution to update these certificates without needing to disable BitLocker on every machine?
Additionally, is it possible to deploy a Windows update via SCCM that handles this certificate update automatically?
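
A structured version of the check used in the post, as an added example that is not part of the original post: it walks the EFI_SIGNATURE_LIST layout of the db variable (as defined in the UEFI specification) and lists each X.509 certificate instead of string-matching the raw bytes. The function name Get-SignatureListCertificate is hypothetical, and the script assumes an elevated PowerShell session on a UEFI system.

```powershell
# Added example (hypothetical helper name); run elevated on a UEFI system.
# EFI_SIGNATURE_LIST: SignatureType GUID (16 bytes), then SignatureListSize,
# SignatureHeaderSize, SignatureSize (UInt32, little-endian), optional header,
# then entries of SignatureSize bytes each: 16-byte owner GUID + data.
$EfiCertX509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SignatureListCertificate {
    param([Parameter(Mandatory)][byte[]]$Bytes)

    $offset = 0
    while ($offset + 28 -le $Bytes.Length) {
        [byte[]]$typeBytes = $Bytes[$offset..($offset + 15)]
        $type       = [guid]::new($typeBytes)
        $listSize   = [int][BitConverter]::ToUInt32($Bytes, $offset + 16)
        $headerSize = [int][BitConverter]::ToUInt32($Bytes, $offset + 20)
        $sigSize    = [int][BitConverter]::ToUInt32($Bytes, $offset + 24)

        # Stop on a malformed list instead of reading past the buffer.
        if ($listSize -lt 28 -or $sigSize -le 16 -or
            $offset + $listSize -gt $Bytes.Length) { break }

        if ($type -eq $EfiCertX509Guid) {
            $entry = $offset + 28 + $headerSize
            $end   = $offset + $listSize
            while ($entry + $sigSize -le $end) {
                # Skip the 16-byte owner GUID; the rest is the DER certificate.
                [byte[]]$der = $Bytes[($entry + 16)..($entry + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
                $entry += $sigSize
            }
        }
        $offset += $listSize
    }
}

$db    = Get-SecureBootUEFI -Name db
$certs = @(Get-SignatureListCertificate -Bytes $db.Bytes)
$certs | Format-Table -AutoSize
# Boolean result comparable to the one-line check in the post.
[bool]($certs | Where-Object Subject -match 'Windows UEFI CA 2023')
```

Non-X.509 signature lists (for example hash entries) are skipped, so the output only reflects certificates enrolled in db.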