What is currently relevance 7 for fixlet ID 502588501 does not include Windows 11 25H2. Is this by design or an oversight? Also relevancies 1-6 are just copies of the same 2 relevancies.
((name of it = "Win2012" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string is "6.2" AND NOT ia64 of it) of operating system OR ((name of it = "Win8" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string is "6.2") AND NOT x64 of it AND NOT ia64 of it) of operating system OR (name of it = "Win8" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string is "6.2" AND x64 of it AND NOT ia64 of it) of operating system OR ((((name of it = "Win8" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string is "6.3" AND (not exists value "CurrentMajorVersionNumber" of it OR value "CurrentMajorVersionNumber" of it as integer < 10) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) OR name of it = "Win8.1") AND service pack major version of it = 0) AND NOT x64 of it AND NOT ia64 of it) of operating system OR ((((name of it = "Win8" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string is "6.3" AND (not exists value "CurrentMajorVersionNumber" of it OR value "CurrentMajorVersionNumber" of it as integer < 10) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) OR name of it = "Win8.1") AND service pack major version of it = 0) AND x64 of it AND NOT ia64 of it) of operating system OR ((name of it = "Win2012" AND value "CurrentVersion" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry as string is "6.3") OR name of it = "Win2012R2" AND NOT ia64 of it) of operating system OR (it starts with "Win" AND it does not start with "Win20") of name of operating system AND (exists value "CurrentMajorVersionNumber" of it AND value "CurrentMajorVersionNumber" of it as integer = 10) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry AND (NOT x64 of it AND NOT ia64 of it) of operating system OR (it starts with "Win" AND it does not start with "Win20") of name of operating system AND (exists value "CurrentMajorVersionNumber" of it AND value "CurrentMajorVersionNumber" of it as integer = 10) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry AND ( x64 of it AND NOT ia64 of it) of operating system OR (name of it = "Win2016" OR name of it starts with "Win20" AND (exists value "CurrentMajorVersionNumber" of it AND value "CurrentMajorVersionNumber" of it as integer = 10) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) of operating system OR ((exists value "ReleaseID" of it AND exists value "ReleaseID" whose (it as integer = 1809) of it) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry AND (name of it = "Win2016" OR name of it starts with "Win20" AND (exists value "CurrentMajorVersionNumber" of it AND value "CurrentMajorVersionNumber" of it as integer = 10) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry)) of operating system OR (((it starts with "Win" AND it does not start with "Win20") of name of operating system AND exists value "CurrentBuild" whose (it >= "22000") of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" of native registry) and (exists keys whose ( (value "DisplayVersion" of it = "21H2" OR value "DisplayVersion" of it = "22H2") AND (value "CurrentBuild" of it = "22000" OR value "CurrentBuild" of it = "22621")) of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT" of native registry)))
I have several endpoints on 25H2 and the probe fixlet for Secure Boot DBX is returning these results for the output which I believe indicates it is applicable.
if (exists files "CVE-2023-24932-Probe.json" of storage folder of client) then (not conjunction of ((it as boolean) of values of keys of jsons of files "CVE-2023-24932-Probe.json" of storage folder of client)) else (true)
Thanks, that helps a lot. I don't have the ability to test it myself but I've reported it internally to our patch team to determine what's needed in this case.
Could that be a false negative creating a false positive? If that fixlet ran as the ActionScript variant (Action2), as the update has not been applied, quite possibly due to it not being applicable to a newer build in Win11, it would not find any indicators of the update being applied in the event logs, so it would return a false result.
Some relevance examples from my insider build of 25H2
Q: operating system
A: Win11 10.0.26220.7271 (25H2)
T: 1411.612 ms
I: singular operating system
Q: "Event_1036: " & (exists records whose (time generated of it > ("Tue, 09 Jul 2024 00:00:00 +0000" as time) AND source of it as lowercase = "microsoft-windows-tpm-wmi" AND event id of it = 1036 AND description of it as lowercase is "secure boot db update applied successfully") of system event logs) as string as lowercase & ","
A: Event_1036: false,
T: 1411.468 ms
I: singular string
If this is referring to the same thing as this document Act now: Secure Boot certificates expire in June 2026 - Windows IT Pro Blog it seems like it affects practically everything except Copilot+PCs released in 2025. I have recently been tracking this down as well and my approach was a little different because we have a hybrid environment where Intune and BigFix are in play. Microsoft updates the UEFI 2023 certificates automatically if a few registry configurations are set.
Telemetry data has to be enabled.
waithidden cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 1 /f
Registry key for Available updates to be set to 0x5944 (All updates: PK/KEK/DB + BootMgr)
Registry key for MicrosoftUpdateManagedOptIn
//Opt-in to Microsoft-managed rollout (if needed for controlled feature)
waithidden cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" /v MicrosoftUpdateManagedOptIn /t REG_DWORD /d 1 /f
After these keys are updated then the UEFI Certificate is renewed. There is a registry key for UEFICA2023Status that will update that you should monitor.
if (exists value "UEFICA2023Status" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" of native registry) then ((value "UEFICA2023Status" of it as string) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" of native registry) else "Key Missing"
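As an added example (not code from the thread or from BigFix), here is a PowerShell check that gathers in one place the indicators the post above monitors: the telemetry and opt-in registry values, the Secure Boot servicing status value, and the TPM-WMI event 1036 that the earlier relevance queries. It assumes the value names `AllowTelemetry`, `AvailableUpdates`, `MicrosoftUpdateManagedOptIn` and `UEFICA2023Status` as used in the thread and in Microsoft's guidance for this update; the 0x5944 comparison and the July 2024 event cutoff are taken from the posts above.

```powershell
# Added example: report the Secure Boot certificate-servicing state of this endpoint.
# Value names are assumed from the thread / Microsoft guidance; run as Administrator.
$sbKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$svcKey = "$sbKey\Servicing"
$dcKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection'
$ntKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Read a single registry value, returning a marker string when the key or value is absent
# (mirrors the "Key Missing" fallback in the relevance above).
function Get-RegValueOrDefault {
    param([string]$Path, [string]$Name, $Default = 'Key Missing')
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $Default
    }
}

$report = [ordered]@{
    DisplayVersion              = Get-RegValueOrDefault $ntKey  'DisplayVersion'
    CurrentBuild                = Get-RegValueOrDefault $ntKey  'CurrentBuild'
    AllowTelemetry              = Get-RegValueOrDefault $dcKey  'AllowTelemetry'
    AvailableUpdates            = Get-RegValueOrDefault $sbKey  'AvailableUpdates'
    MicrosoftUpdateManagedOptIn = Get-RegValueOrDefault $sbKey  'MicrosoftUpdateManagedOptIn'
    UEFICA2023Status            = Get-RegValueOrDefault $svcKey 'UEFICA2023Status'
}

# Show AvailableUpdates in hex so the 0x5944 (PK/KEK/DB + BootMgr) setting is recognisable,
# and flag whether it matches the value the post recommends.
if ($report.AvailableUpdates -is [int]) {
    $report.AvailableUpdatesIs0x5944 = ($report.AvailableUpdates -eq 0x5944)
    $report.AvailableUpdates = '0x{0:X4}' -f $report.AvailableUpdates
} else {
    $report.AvailableUpdatesIs0x5944 = $false
}

# Same check as the "Event_1036" relevance: TPM-WMI event 1036 reporting a successful
# Secure Boot DB update, generated after 9 July 2024. Get-WinEvent raises a non-terminating
# error when nothing matches, which SilentlyContinue suppresses.
$dbEvents = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-TPM-WMI'
    Id           = 1036
    StartTime    = [datetime]'2024-07-09T00:00:00Z'
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Secure Boot DB update applied successfully' }
$report.Event_1036 = [bool]$dbEvents

[pscustomobject]$report | Format-List
```

Run it on a 25H2 endpoint alongside the BigFix relevance and compare: if `Event_1036` is false while `UEFICA2023Status` shows the update has been serviced, the event-log-based probe is the part reporting a false result rather than the registry-based one.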
@skyler I'm actively researching this item with our Microsoft counterparts. For example, if you review the following advisory: Security Update Guide - Microsoft Security Response Center, you'll see that Microsoft made a change to it on Feb 11, 2025 (see revision 5.0) to also include Win2025 and Win11 24H2. We're seeking Microsoft's assistance to see if they are going to also include Win11 25H2 in CVE-2023-24932. More details to follow. -Gus