New Microsoft procedure for Secure Boot Certificate Updates

🔒 Secure Bits 💡

๐—ก๐—ฒ๐˜„ ๐— ๐—ถ๐—ฐ๐—ฟ๐—ผ๐˜€๐—ผ๐—ณ๐˜ ๐—ฝ๐—ฟ๐—ผ๐—ฐ๐—ฒ๐—ฑ๐˜‚๐—ฟ๐—ฒ ๐—ณ๐—ผ๐—ฟ ๐—ฆ๐—ฒ๐—ฐ๐˜‚๐—ฟ๐—ฒ ๐—•๐—ผ๐—ผ๐˜ ๐—–๐—ฒ๐—ฟ๐˜๐—ถ๐—ณ๐—ถ๐—ฐ๐—ฎ๐˜๐—ฒ ๐—จ๐—ฝ๐—ฑ๐—ฎ๐˜๐—ฒ๐˜€

I tested the new Microsoft procedure I shared last time (link in comments).

I’ll be honest — I was a bit overwhelmed at first. There are multiple scripts, and I ran into a few “paper cuts”, so it’s still not as straightforward as the article makes it look.

This post covers Phase 1: Detection & Status Monitoring (enterprise level) — which, for many orgs, is already the most useful part: enable the process with GPO + get recurring monitoring you can trust.

⸻

✅ Phase 1 — what Microsoft is trying to achieve

Central monitoring of where your servers/clients are in the Secure Boot cert update process.

1️⃣ Create the collection share + permissions

Run Microsoft’s script that creates the file share and sets ACLs.

2️⃣ Prepare the scripts folder

At minimum you’ll work with:

• Deploy-GPO-SecureBootCollection.ps1

• Detect-SecureBootCertUpdateStatus.ps1

3️⃣ Run Deploy-GPO-SecureBootCollection.ps1

I noticed mismatches in names/paths between the article and the scripts. For example, in the top part of the article the share path is referenced as SecureBootLogs, but the script creates SecureBootData.

👉 My recommendation: follow the bottom part of the article — it looked the most consistent/precise during my testing.

After running the script, youโ€™ll be guided through prompts and it will create a new GPO called: SecureBoot-EventCollection

At first glance, it may look empty in GPMC — it’s not. This is what happens when settings are injected into the GPO via PowerShell.

To verify / “make it visible”:

Computer Configuration → Preferences → Control Panel Settings → Scheduled Tasks → SecureBoot-EventCollection

Open the task, click OK, refresh the policy view — and you should see the settings appear.

(The script says “Complete the scheduled task configuration in GPMC (see instructions above)” — but there are no such instructions.)

4๏ธโƒฃ ๐—ง๐—ฒ๐˜€๐˜ ๐—ผ๐—ป ๐—ฎ ๐—ณ๐—ฒ๐˜„ ๐—บ๐—ฎ๐—ฐ๐—ต๐—ถ๐—ป๐—ฒ๐˜€

Run gpupdate /force on a few servers/clients and run the scheduled task manually. You should see a new task: SecureBoot-EventCollection

If it runs correctly, you’ll start seeing JSON files created on the file share.

5️⃣ Aggregate the results

Now test:

• Aggregate-SecureBootCertStatus.ps1

You’ll likely need to:

• adjust paths

• modify the Start-Process part (it didn’t work for me as-is)

After that, you should get the report.
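A post-deployment check for steps 4 and 5, added here as an example (it is not one of Microsoft's scripts and not part of the original post). It assumes the task name from step 3, a share path of \\fileserver\SecureBootData (use SecureBootLogs if that is what your run created), that the collected JSON file names contain the computer name, and that the Servicing registry values are the ones Microsoft documents for the 2023 CA rollout; run it elevated on one of the test machines.

```powershell
<#
  Added example, not Microsoft's code. Checks the GPO-created task, local Secure Boot
  state, and that this host's JSON reached the share; the fleet view uses file
  metadata only, so it does not depend on the JSON schema.
  Assumptions: share path, file-name convention and Servicing value names (adjust).
#>
param(
    [string]$TaskName    = 'SecureBoot-EventCollection',
    [string]$SharePath   = '\\fileserver\SecureBootData',   # assumed path
    [int]   $MaxAgeHours = 24
)
$result = [ordered]@{}

# 1. GPO-deployed task present, and its last run result (0x00000000 = success)
$task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
$result.TaskPresent = [bool]$task
if ($task) {
    $info = $task | Get-ScheduledTaskInfo
    $result.TaskLastRun    = $info.LastRunTime
    $result.TaskLastResult = '0x{0:X8}' -f $info.LastTaskResult
}

# 2. Local Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS firmware
try   { $result.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $result.SecureBootEnabled = "n/a ($($_.Exception.Message))" }
# Servicing key/value names assumed from Microsoft's 2023 CA guidance; verify against the current KB
$svc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -ErrorAction SilentlyContinue
$result.UEFICA2023Status = if ($svc) { $svc.UEFICA2023Status } else { 'not present' }

# 3. This host's JSON on the share (assumes the computer name is in the file name) and its freshness
$cutoff = (Get-Date).AddHours(-$MaxAgeHours)
$mine = Get-ChildItem -Path $SharePath -Filter "*$env:COMPUTERNAME*.json" -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
$result.ShareFileFound = [bool]$mine
$result.ShareFileFresh = [bool]($mine -and $mine.LastWriteTime -gt $cutoff)

# 4. Fleet view from file metadata: how many JSON files exist and how many are stale
$all = @(Get-ChildItem -Path $SharePath -Filter '*.json' -ErrorAction SilentlyContinue)
$result.JsonFiles  = $all.Count
$result.StaleFiles = @($all | Where-Object { $_.LastWriteTime -lt $cutoff }).Count

[pscustomobject]$result | Format-List
```

A TaskLastResult other than 0x00000000, or ShareFileFound true but ShareFileFresh false, is the quickest sign that the task is deployed but not actually writing, before you touch the aggregation script.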

⸻

I’ll also cover Phase 2 — I already tested it, but I hit an error and I’m contacting Microsoft. Some of the script/path mismatches may be fixed by the time you read this (I’m communicating this in real time).

Links to the official procedure + my field notes are in the comments.

#SecureBoot #SecureBits #HorizonSecured