Secure Boot certificates are expiring pt. 3

🔒 Secure Bits 💡

Updating Secure Boot certificates on Windows Server continues (pt. 3)

The last puzzle in this series is monitoring. Because, as you can see, this process is not trivial or straightforward. Some devices will go through smoothly, others will hit different errors depending on firmware / platform / history, and that is the worst case.

That's why monitoring is crucial: you need a central view of where each device is in the process.

⸻

🧭 Monitoring approaches (pick what fits your environment):

🔹 manual checks

🔹 PowerShell checks

🔹 startup script that uploads status to a file share

🔹 scheduled tasks / inventory tooling

🔹 …

In my demo I used two approaches: a PowerShell status collector from my friend André Estêvão (thanks!), which is the first example, and Microsoft's sample script that writes results to a file share + GPO, which is the second example. Your "best" option depends on how you manage servers and how you want to store/report results.

⸻

✅ What to track:

1️⃣ Event Log (System)

1808 → success / device is updated (certs applied to firmware)

1801 → not applied to firmware (still not updated / blocked)

1795 → firmware handoff error (platform/firmware problem)

There are more events, but in my tests these three were the ones I ran into most often.

2️⃣ Registry keys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot

🔹 AvailableUpdates

0x0 → nothing being performed

0x5944 → deploy all needed certs + boot manager update (full rollout trigger)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

🔹 UEFICA2023Status

NotStarted → update hasn't run

InProgress → update running / mid-flight

Updated → update completed

🔹 UEFICA2023Error → error code (if any)

🔹 UEFICA2023ErrorEvent → event ID tied to the error
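To show how the two sources above (the System event IDs and the SecureBoot / Servicing registry values) can be combined into one status line per server, here is an added PowerShell collector. It is an example written for this post, not André's collector and not Microsoft's sample script. The $ReportShare path, the CSV layout, the Verdict roll-up and the Microsoft-Windows-TPM-WMI provider filter are this example's own assumptions; the event IDs, registry paths and value names are the ones listed above.

```powershell
# Added example: collect Secure Boot certificate-update status from the registry
# and the System event log and optionally append it to a CSV on a file share.
# Not the post author's or Microsoft's script. $ReportShare and the provider
# name are assumptions; confirm the provider on one of your own hosts.
param(
    # Hypothetical central share; leave empty to print the status object only.
    [string]$ReportShare = '',
    # Assumed provider for events 1808/1801/1795 (verify: Get-WinEvent -LogName System
    # -MaxEvents 500 | Where-Object Id -in 1808,1801,1795 | Select-Object ProviderName).
    [string]$ProviderName = 'Microsoft-Windows-TPM-WMI'
)

$sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$svcKey = Join-Path $sbKey 'Servicing'

# Read one registry value; $null when the key or value is absent (a server that
# never received the servicing update has no UEFICA2023* values at all).
function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# Event IDs from the post mapped to a short meaning.
$eventMeaning = @{
    1808 = 'Success: certificates applied to firmware'
    1801 = 'Not applied to firmware (not updated / blocked)'
    1795 = 'Firmware handoff error (platform/firmware problem)'
}

# Newest relevant event decides; earlier ones (e.g. 1801 before 1808) are history.
$events = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = $ProviderName; Id = @($eventMeaning.Keys)
    } -MaxEvents 50 -ErrorAction SilentlyContinue | Sort-Object TimeCreated -Descending)
$latest = $events | Select-Object -First 1

# Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI hosts, so catch it.
$secureBootOn = $null
try { $secureBootOn = Confirm-SecureBootUEFI } catch { }

$availableUpdates = Get-RegValue $sbKey 'AvailableUpdates'
$ca2023Status     = Get-RegValue $svcKey 'UEFICA2023Status'
$ca2023Error      = Get-RegValue $svcKey 'UEFICA2023Error'
$ca2023ErrorEvent = Get-RegValue $svcKey 'UEFICA2023ErrorEvent'

# Roll-up for dashboards. Order matters: a completed update outranks an older
# error; an error outranks in-progress; "Unknown" is the "nothing initiated,
# nothing done" case the post describes on Azure VMs.
function Get-Verdict {
    if ($ca2023Status -eq 'Updated' -or ($latest -and $latest.Id -eq 1808)) { return 'Updated' }
    if ($ca2023Error -or $ca2023ErrorEvent -or ($latest -and $latest.Id -eq 1795)) { return 'Error' }
    if ($ca2023Status -eq 'InProgress' -or ($latest -and $latest.Id -eq 1801)) { return 'InProgress' }
    if ($ca2023Status -eq 'NotStarted' -or $availableUpdates -eq 0) { return 'NotStarted' }
    return 'Unknown'
}

$status = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    CollectedAt          = (Get-Date).ToString('s')
    SecureBootEnabled    = $secureBootOn
    AvailableUpdates     = if ($null -ne $availableUpdates) { '0x{0:X}' -f $availableUpdates } else { $null }
    UEFICA2023Status     = $ca2023Status
    UEFICA2023Error      = $ca2023Error
    UEFICA2023ErrorEvent = $ca2023ErrorEvent
    LastEventId          = if ($latest) { $latest.Id } else { $null }
    LastEventTime        = if ($latest) { $latest.TimeCreated.ToString('s') } else { $null }
    LastEventMeaning     = if ($latest) { $eventMeaning[[int]$latest.Id] } else { 'No 1808/1801/1795 event found' }
    Verdict              = Get-Verdict
}

if ($ReportShare) {
    # One file per host keeps concurrent startup scripts from clobbering each other;
    # aggregate centrally with: Get-ChildItem $ReportShare -Filter *.csv | Import-Csv
    $status | Export-Csv -Path (Join-Path $ReportShare "$($env:COMPUTERNAME).csv") -NoTypeInformation -Force
} else {
    $status | Format-List
}
$status
```

Run it ad hoc on one server to see the object, or deploy it as a GPO startup script with -ReportShare pointing at a share where the computer accounts have write access; a single Import-Csv over the share then gives the central view the post asks for. Anything that lands in Verdict = Unknown is exactly the case worth investigating by hand, because it means neither the registry nor the event log has said anything yet.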

⸻

Ironically, I fought the most with monitoring on Azure VMs in my demo: I couldn't get reliable signals that matched what the documentation suggests. Nothing initiated, nothing done, and the MS script didn't help me explain why. If anyone has cracked that in a clean way, I'd love to compare notes.

These are the most important places to look for signals/status.

⸻

📌 What's next

Next week I'm going to merge all three parts into a single field notes document you can follow end-to-end.

But one more time: these posts are not official guides, just field notes from admins who had to go through it in real environments, so you can be better prepared.