Forums on Intune, SCCM, and Windows 11

SOLVED Secure Boot Certificates for SCCM

Harshit Pandey

Secure Boot certificates, specifically the Microsoft 2011 CA, expire in June 2026, requiring an update to 2023 certificates to maintain security. SCCM (ConfigMgr) can be used to deploy this update by pushing firmware updates and managing certificate deployment via PowerShell scripts or software updates to avoid device boot failures. Does anyone know how to do this?
 
The Microsoft Secure Boot 2011 CA certificate expires in June 2026, and every organization using SCCM needs to ensure devices receive the 2023 Secure Boot certificates to avoid boot failures.

Most devices receive the new certificates automatically through: Windows Update and OEM firmware/BIOS updates.

Starting with Configuration Manager 2509, Microsoft added a checkbox that updates the bootloader files on PXE‑enabled DPs. This ensures your OSD environment continues to boot securely with the 2023 certificates. If you’re on an older version, you may need to:
  • Rebuild boot images
  • Redistribute them
  • Update PXE DP bootloaders manually
 
FYI only, I have created a method to inventory certs with CM via HW inv. (with dashboards). If I make it public via Recast's website, would that be of interest to you? Just curious, and no promises.
 
Actually, it seems that Microsoft Configuration Manager may support that setting for PXE, but for a customer of ours and in my lab, it seems that no matter what you do, the bootable media from MCM 2509 with the latest ADK and hotfixes applied, the new CA 2023 setting enabled on the boot image, the DPs updated, and the media recreated still has the 2011 certs on the boot media.iso:
PS C:\WINDOWS\system32> $sig = Get-AuthenticodeSignature `
>> "C:\Mount\Windows\Boot\EFI\bootmgfw.efi"
>>
>> $sig.SignerCertificate.Subject
>> $sig.SignerCertificate.Issuer
CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
PS C:\WINDOWS\system32>
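
The single-file check in the post above can be extended to every boot manager under a mounted boot image or mounted media, so 2011-signed and 2023-signed copies are listed side by side. This is an added example, not code from the thread or from Microsoft; the function name and the C:\Mount root are assumptions, and the issuer string "Windows UEFI CA 2023" is the name of the replacement CA, which the thread itself does not show.

```powershell
# Added example (not from the thread): classify EFI boot managers by signing CA.
# Assumption: $Root is a mounted boot image (e.g. C:\Mount) or the drive
# letter of mounted boot media.
function Get-BootFileSigningCa {
    param(
        [Parameter(Mandatory)]
        [string]$Root
    )

    Get-ChildItem -Path $Root -Recurse -File -Filter '*.efi' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(bootmg|bootx64)' } |
        ForEach-Object {
            $file = $_                       # keep a stable reference to the file
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $cert = $sig.SignerCertificate

            # Unsigned files have no signer certificate at all.
            $issuer   = ''
            $notAfter = $null
            if ($cert) {
                $issuer   = $cert.Issuer
                $notAfter = $cert.NotAfter
            }

            # Map the issuer to the CA generation discussed in the thread.
            $ca = 'Other/unsigned'
            if ($issuer -match 'Windows UEFI CA 2023') {
                $ca = '2023'
            } elseif ($issuer -match 'Microsoft Windows Production PCA 2011') {
                $ca = '2011'
            }

            [pscustomobject]@{
                File      = $file.FullName
                SigningCa = $ca
                Status    = $sig.Status
                NotAfter  = $notAfter
                Issuer    = $issuer
            }
        }
}

$results = @(Get-BootFileSigningCa -Root 'C:\Mount')
$results | Sort-Object SigningCa, File | Format-Table -AutoSize -Wrap

# Flag anything that is not chained to the 2023 CA.
$old = @($results | Where-Object { $_.SigningCa -ne '2023' })
if ($old.Count -gt 0) {
    Write-Warning "$($old.Count) boot file(s) are not signed under the 2023 CA."
}
```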
 
