Windows Secure boot updates?

Will HCL be updating or creating new fixlets and workflows based on MS recently released and rolled out new regkeys for tracking and potentially updating SecureBoot Certs and Boot loaders?

The past workflow of running the same task multiple times is a bit awkward at best.

@mesee2 yes, we are actively putting together content to address the Windows Secure Boot certificate expiration and CA updates. We are finalizing this content and making it ready for customer use. The content will be based on the Microsoft documented instructions at “Registry key updates for Secure Boot: Windows devices with IT-managed updates”. We’ll provide additional details once this content is published. Thanks, Gus.

5 Likes

I can share what I've already created for our environment if anyone is interested in the interim. I am still working on testing everything so test within your test environment before implementing.

Analysis for reporting -

UEFICA2023Status

if (exists value "UEFICA2023Status" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" of native registry) then ((value "UEFICA2023Status" of it as string) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" of native registry) else "Key Missing"

WindowsUEFICA2023Capable

if (exists value "WindowsUEFICA2023Capable" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" of native registry) then ((value "WindowsUEFICA2023Capable" of it as string) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing" of native registry) else "Key Missing"

Secure Boot AvailableUpdates Flag status

if (exists value "AvailableUpdates" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" of native registry) then (if (value "AvailableUpdates" of it as integer as hexadecimal = "5944") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" of native registry then "UpdateAllCerts" else if (value "AvailableUpdates" of it as integer as hexadecimal = "4100") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" of native registry then "UpdatesApplied-PendingRestart" else if (value "AvailableUpdates" of it as integer as hexadecimal = "4000") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" of native registry then "UpdateAppliedSuccessfully" else "Disabled") else "Key Missing"

Secure Boot MicrosoftUpdateManagedOptIn Flag status

if (exists value "MicrosoftUpdateManagedOptIn" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" of native registry) then (if (value "MicrosoftUpdateManagedOptIn" of it as integer = 1) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" of native registry then "Enabled" else "Disabled") else "Key Missing"

Actionscript - Note: We also use Intune policies that set Telemetry, so I have a check to verify that the system doesn't already have a telemetry policy from Intune before setting it in the System GPO policy registry key.

//Set Diagnostic Data to Required (if not already; path for Win10/11) - unchanged, as it's regset 
if {not(exists value "value" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\System\AllowTelemetry" of native registry and ((value "value" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\System\AllowTelemetry" of native registry) as integer = 1))} 
waithidden cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection" /v AllowTelemetry /t REG_DWORD /d 1 /f 
endif 

//Trigger full certificate deployment: Add/Update AvailableUpdates to 0x5944 (all updates: PK/KEK/DB + BootMgr) 
waithidden cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" /v AvailableUpdates /t REG_DWORD /d 0x5944 /f 

//Opt-in to Microsoft-managed rollout (if needed for controlled feature) 
waithidden cmd.exe /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot" /v MicrosoftUpdateManagedOptIn /t REG_DWORD /d 1 /f
3 Likes
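As a read-only counterpart to the relevance and actionscript above (an added example of mine, not content from the thread or from HCL): a PowerShell function that reads the same four values from the same registry paths and decodes AvailableUpdates with the three states the posted analysis uses; any other value is reported in hex rather than labelled Disabled, so unexpected states show up in inventory.

```powershell
# Added example (not from the thread): read-only inventory of the Secure Boot
# servicing registry values discussed above. Same paths and same three
# AvailableUpdates states as the posted relevance; nothing is written.
function Get-SecureBootServicingState {
    $sb  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $svc = Join-Path $sb 'Servicing'

    # Returns the named value, or $null when the key or the value is absent.
    function Read-RegValue([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return $null }
        return $item.$Name
    }

    $available = Read-RegValue $sb 'AvailableUpdates'
    if ($null -eq $available) {
        $availableState = 'Key Missing'
    } else {
        # Labels match the posted analysis; anything else is shown as-is in hex.
        $availableState = switch ($available) {
            0x5944  { 'UpdateAllCerts' }
            0x4100  { 'UpdatesApplied-PendingRestart' }
            0x4000  { 'UpdateAppliedSuccessfully' }
            default { 'Other (0x{0:X})' -f $available }
        }
    }

    $optIn = Read-RegValue $sb 'MicrosoftUpdateManagedOptIn'
    $optInState = if ($null -eq $optIn) { 'Key Missing' }
                  elseif ($optIn -eq 1) { 'Enabled' }
                  else                  { 'Disabled' }

    # Servicing values are reported verbatim; see the Microsoft article the
    # thread links to for the meaning of each value.
    $status  = Read-RegValue $svc 'UEFICA2023Status'
    $capable = Read-RegValue $svc 'WindowsUEFICA2023Capable'

    [pscustomobject]@{
        ComputerName                = $env:COMPUTERNAME
        UEFICA2023Status            = if ($null -eq $status)  { 'Key Missing' } else { "$status" }
        WindowsUEFICA2023Capable    = if ($null -eq $capable) { 'Key Missing' } else { "$capable" }
        AvailableUpdatesRaw         = if ($null -eq $available) { $null } else { '0x{0:X}' -f $available }
        AvailableUpdatesState       = $availableState
        MicrosoftUpdateManagedOptIn = $optInState
    }
}

Get-SecureBootServicingState | Format-List
```

The object can be piped to Export-Csv to collect results from many machines before deciding which ones are ready for the 2023 certificate rollout.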

I put in a ticket with support about two months ago asking if they would be supplying content. I am very happy to announce that they did a fantastic job on creating this content. Through the ticket they provided us a beta version of the content.

I asked when it would be released to all customers but they did not have a firm date. The last request I had was to add a legend to the values in the analysis. The beta content did not have a legend. So I am hoping once they vet the content, they will add the legend before release.

Example as to why we would like a legend. If you follow the link to the article, you can see that 'Windows UEFI CA 2023 Capable' can have three different values. It would be much better to explain that in the description...

2 Likes

Curious if you have Telemetry enabled, and if this process requires the systems to send diagnostic info to MS directly or not.

I have several systems which have no connectivity to MS or the internet directly.

1 Like

That's great, thanks for sharing. I think the majority of people have to get started on this ASAP so I hope they release it very soon.

1 Like

Is this available in Beta on Bigfix.me or anywhere else? Really interested in this as the PowerShell solutions are a nightmare to implement for 550+ machines.

Not that I am aware of. It was content they sent to me as part of my ticket. The analysis was the critical piece I was looking for.

I will email them and ask when they think it will be released to customers.

1 Like

Was this not already included in BigFix Action 5025885 Manage of the Windows Boot Manager revocations for Secure Boot changes associated with (CVE-2023-24932) - KB5025885?

The content I mentioned above is used to identify systems that are not capable of supporting the 2023 certificate. Once the appropriate updates to support the certificate are made, there is a fixlet to set the registry keys to allow the update to the 2023 certificate.

Did they share an ETA for this content? I’m very interested.

I will update this post as soon as I hear back about the content.

I heard back from HCL this morning.

Right now the plan is for this to be released in February. The exact date is still to be determined. I will keep you posted.

1 Like