Full Transcript
https://www.youtube.com/watch?v=lcrRANfSAZg
[00:21] Hi everyone. Hello from Redmond.
[00:24] Welcome to our latest AMA on secure boot.
[00:27] I'm Ardan White.
[00:27] And I'm going to let my friends introduce themselves.
[00:36] Kevin, hi.
[00:38] It's good to be back here.
[00:38] I'm Kevin Sullivan from our Windows ecosystem and commercial engagement team.
[00:41] My team works with our OEM partners around the world, who have been working hard to prepare for the Secure Boot updates.
[00:50] I'm Scott Shell.
[00:53] I am an architect in our enterprise and security team, and we run a lot of the security technologies in Windows. It's great to be back.
[01:02] Hey everybody, Jason Sandys.
[01:04] I am a PM architect on the Intune product team.
[01:07] So yeah, working with these guys, trying to make sure that everyone has the manageability across this whole stack.
[01:12] So also happy to be back and answer any questions.
[01:16] Okay. So the first question: if an OEM firmware update successfully updates DBDefault without issue, can that outcome be used as an indicator that the platform falls into a high-confidence category for subsequently applying the Microsoft OS-initiated Secure Boot updates to DB via AvailableUpdates 5944?
[01:44] I think the answer is no to that. I mean, we haven't seen problems, or very few problems, with firmware. But the DB defaults are updated through a firmware update, through actually applying a capsule update for the firmware, and that's different than the firmware actually being able to apply directly to the active variables. It's highly likely that it'll still work, but one doesn't imply the other one.
[02:22] Yeah, I completely agree with what you're saying, Ardan.
[02:27] It's not the same technology by any stretch, but the fact that the OEM is doing work specifically around this issue on that model makes it very highly likely that they've tested that scenario.
[02:41] So I think I would treat that as a very good sign.
[02:47] Remember, you can post your questions at aka.ms/AMASecureBoot.
[02:55] Yeah, I was going to call out too, maybe you want to talk about DBDefault here a little bit for folks who aren't familiar, and active, because you mentioned those two things, and just make sure that everyone knows what those two things are and why they're significant.
[03:09] So there's two sets of variables. The default variables, and that's what the manufacturer sets as the starting point for what's known as the active variables. The active variables are the ones that are used on each boot cycle.
[03:28] So if you reset Secure Boot, the DB defaults, or the defaults, DBDefault, all those default values are put into the active variables, and that's your starting point. And then from that point on, generally, Windows will, for example, update the active variables.
[03:48] >> I want to add a little bit of color there. What Ardan's describing is how it's described in the UEFI spec, which is awesome. In this space, a lot of OEMs build things in fairly custom ways and do things that are fairly different.
[04:05] The Surface devices actually will reapply the profile settings when you change profiles. And so it's not always obvious when your device is picking things up from defaults. Sometimes there is a very explicit call-out in the menu that says "reset to default Secure Boot keys" or something like that. But sometimes the things that you do in the UI menu may reset you to those default keys in ways you didn't quite understand. So make sure to check with your OEM documentation. Make sure you understand what you're getting into.
[04:44] Right. Okay. So next question. Do I need to update all our firmware before we move forward? Start on this one.
[04:55] Okay. It's a question we get quite a bit, and worth bringing some more clarity to. And so the simple answer is no. It is not a strict requirement that you get a firmware update in order to get the updated certificates through Windows. That said, we certainly recommend it as a best practice, and it gets you a couple things. One, just bringing you up to date with all the fixes that your OEM has put in those firmware updates. It also in many cases will bring the new certificates into the defaults, as we just described, but that's not strictly required for Windows to be able to service the new certificates.
[05:31] There are also some cases where, in the early days of this rollout, we with our partners observed some compatibility issues, and so we have put essentially a hold on delivering those updates until a firmware update is available for that device. Again, that's a specific class of devices. And in nearly all cases, the devices that do need a firmware update to proceed are documented, either by Microsoft or by the OEM, on our primary Secure Boot page, aka.ms/SecureBoot.
[06:07] Great. Anything to add to that one?
[06:12] No, I think you covered it real well, Kevin. Thanks.
[06:16] Okay. So, why have a lot of devices that are under observation been updated by Microsoft? We haven't set the registry or set any policies to do the updates. Is it that you're trying on some of those devices because you're still not fully confident to set them in high confidence? Should we expect them to be handled by Microsoft before June?
[06:45] So, yeah, all the data that we're getting, including when Microsoft updates the devices, is what drives that confidence data. So yes, you'll see devices that have already been updated but are still under observation. So we're taking it very cautiously and slowly to ensure that the devices are able to update, and that the data indicates that that's true.
[07:26] So I want to add one thing to that. So, yes, we are trying to get as many of those devices as we can get updated safely by June. So we've definitely got our eyes on the ball for that date. But I don't know that we can expect 100%. As Ardan said, we're following the data. We're making sure we're doing what we think is safe.
[07:59] And just to be really clear, this is a point that we were discussing a little bit in the pregame. One of the things I think it's important for people to understand, now that we've got the June expiry date coming up, is letting people understand exactly what expires in June and what happens next.
[08:19] So the first key to expire is the KEK, which is the key that authorizes updates to DB and DBX. So what that means is, as soon as the KEK expires, your device will no longer be able to take new updates to DBX. If there's an existing update to DBX that you don't have, that we published months ago, that one will still install just fine. But new DBX updates that we ship later than that, I believe the first one will probably be July if we have any, will not be able to be installed on your machine.
[09:08] Which means the vulnerability that puts you up for is, if there's a vulnerable boot application, we can't revoke that vulnerable boot application on your machine. So an attacker who has some hold on your machine already and is trying to install a bootkit or some persistence technology will still potentially be able to do that on your machine, because we can't apply the revocation for that. It doesn't affect our ability to deliver new boot managers to you yet. That doesn't happen till October. So, like we said, there are multiple stages.
[09:57] Another important thing: I wanted to go back one to the question Kevin was answering before about updating all of our firmware. I reread the question after we moved on to the next question, and I was reacting to the word "all". I think an important thing to understand is whether you have the firmware updated is not a blocking issue. You're not vulnerable to a new security bug because the firmware isn't updated. Not applying the updates to active means you are missing security updates.
[10:40] So my personal guidance would be think very carefully about installing the certificate updates even if you don't have all the firmware. Get the updates installed. That is a more important, a higher thing to worry about than the firmware. Firmware is a good belt and suspenders kind of thing that you should absolutely do. But if you can't do the firmware, maybe because it doesn't exist or the OEM hasn't gotten there yet, you're still better off having the certificate updates in place.
[11:12] >> Yeah. And to add a little bit to what Scott said, the certificate updates that we've put out are signed with the key exchange key, the existing KEK. So even when that certificate expires, all the certificate updates will still apply. So if you have a machine that comes back late, in July or whatever, those certificate updates will still apply, even though the certificate has expired. Or if you have a laptop that's been sitting in a drawer for six months, those will still apply.
[11:50] It's an important point because a lot of people understand PKI from other contexts, and the way PKI is used in code signing and Secure Boot specifically is a little bit different, in that the certificate expiration doesn't mean the signature is invalid. As long as the signature was signed during the validity period of the certificate, the device will trust that signature forever. So we can continue to sign things until the expiry date of the cert. Your machine, whenever it wakes up, will continue to trust those signatures forever.
[12:28] Okay. So we've noticed that a small number of machines, approximately 25 out of 900, are waiting on Windows updates to finalize the Secure Boot activation sequence so the certs are marked as active. It's apparent these computers, whilst updated on the latest cumulative update, do not have the file System32\wincsflags.exe, which is apparently used to aid with communicating back to Microsoft. Can wincsflags.exe become available as its own update or a specific standalone application, so this can be installed as well when needed?
[13:16] I think there's some confusion in this question, or at least from my perspective. WinCS, I believe that's one of the deployment methods for deploying Secure Boot. And it should be in the cumulative updates, the latest cumulative updates. So I don't know why it wouldn't be there. I don't know if anybody else knows about wincsflags.exe.
[13:49] >> I am not familiar with that one. No.
[13:52] >> So as I understand it, WinCS is a new technology that is used for security updates, mainly ones that are not enabled by default. And so it's a mechanism to allow you to manage, on devices where we can't turn on a security update because it could cause problems in your environment. And so this is a feature that the Secure Boot updates are using along with that. So I would expect that it's there, number one, and it's not the only mechanism for deploying. So it should be fine.
[14:37] Yeah.
[14:41] Thank you everyone at Microsoft. It has been announced that the certificates will expire in June 2026, but it is written in the docs that the PC can still be started. Please tell me the reason why I can start up even though the certificate has expired.
[15:01] Awesome question. I was just talking about this a couple minutes ago. So the reason, even after the certificate expires in June, your PC can still start up is because the place the signature gets checked is not looking at the wall clock time. It's not looking at the current date to determine whether the signature is valid. When it's trying to determine whether the signature is valid, it looks at the time the file was signed and it compares that with the validity period of the certificate.
[15:38] Part of the reason for this, just going back historically, is the boot-up environment of your computer generally didn't have a good date. For those of you who are old like me, you probably remember when you booted up an old computer, the very first thing it would do when it came on is it would prompt you to enter the date and time. And the reason is because the computer doesn't inherently know what time it is. So the way the boot-up sequence was built purposely avoided any reference to "what time is it" or "what date is it now". So the reason your PC can still start is the piece of code that's looking at whether that is a valid signature has no idea what today's date is. So your PC will continue to trust that certificate and that signature indefinitely.
[16:35] Hey Scott, I was going to ask you to expand a little bit on the DBX that you talked about before.
[16:40] Sure.
[16:42] So, very similar to the concept you just talked about, where we can't necessarily trust the time because there's no source, there's no way to get a certificate revocation list at that point as well, and that's where DBX comes in. Can you expand on that a little bit?
[16:53] Yeah, absolutely. So in a normal PKI system, PKI stands for public key infrastructure. It's the system of trusting a hierarchy of certificates, and it's used in TLS, which establishes secure communications, and in encrypted email and code signing. And in most applications of PKI, at the time of validation, when you're doing the validation, it cares about whether those things are still valid. But in code signing, specifically in Secure Boot, it only cares about when the signature was made.
[17:42] And the other thing that Jason was just alluding to is, in normal PKI, there's a thing called the certificate revocation list, a CRL. And frequently, in most PKI systems, the validator, the person who's validating the certificate chain, will try to go online, download the latest certificate revocation list, and say, "Okay, is this certificate still good?" Obviously during the boot-up environment, your computer doesn't have access to your Wi-Fi or any encryption information necessary to log you onto a network. So it doesn't have any ability to go download that certificate revocation list. So instead we have an offline revocation list called DBX, which is a database that's stored locally in UEFI that knows what certificates are invalid. And we use that in place of the certificate revocation list to mark things that have previously been signed, or old certificates, as invalid.
[18:38] Thanks for the question, Jason. That was great.
[18:43] >> Well, so that's a good segue into this next question about revocation. I saw a statement that a new notice will be given six months before the PC will no longer be able to start. Is my understanding correct? When will the enforcement phase begin?
[19:03] So what this is really asking about is one of the certificates, the 2011 certificates, that we want to revoke or untrust because, just for security reasons, we want to prevent any old boot managers that were signed by that certificate from being usable. And so the way that will work is, when all the certificates are deployed and the updated boot managers are available, then we will add the 2011 certificate to the DBX. That's the premise.
[19:50] And we have not announced when we're going to do that, because there's a lot of things that come before that: getting all these certificates deployed to the whole world, ensuring that the boot manager is signed by the new certificates, all the media in the world is updated, and then untrusting that 2011 certificate. And so we've put that off because there's just a lot that comes before that. Enterprises can do that when they're ready. So they don't have to wait for us. And what we've said publicly is that we'll give at least six months' notice before we do that.
[20:32] Now, the question actually talks about not being able to boot. If there's a request to put that 2011 certificate into the DBX, Windows checks to make sure that the boot manager on the system is signed by the new certificate before it does that. So it won't put you in an unbootable state. So if you try to do that, it'll just defer that operation of untrusting that certificate until the boot manager on the system has been updated.
[21:15] >> Go ahead, Kevin.
[21:15] You make a great point about the announcement, and when we are ready to make that plan, we will of course communicate that broadly. But there are certainly things that especially enterprise customers can start to do today to plan and prepare, especially around bootable media in their environment. And there's guidance that we've had out, I think, for the better part of two years now on how to do that inventory, how to find those bootable media servers that may need to be updated, and get those moved to the new boot manager. So that's something I'd certainly recommend checking out sooner than later. You don't need to wait for an official announcement from Microsoft on that. That information is available and something you can start to work towards.
[22:01] >> Yeah, my comment was going to be a little bit similar there, Kevin, with all the other boot media, and Ardan, you mentioned this a few times when you were talking. It was one of the discussions we had on the last AMA, I think we dove into it a lot. It's not just the systems that you have in an enterprise. If you're using Configuration Manager still and you're doing operating system deployment, you've probably got lots of USB sticks out there with boot media on them. There's other recovery tools that have boot media. There's different ways of putting WinPE out there. So those things all need to be updated as well, because they won't work. And you know that awesome thing that Ardan described, where we prevent you from shooting yourself in the foot? That's clearly not going to happen with boot media, because your system has no clue what boot media is out there. So
[22:42] >> That's right.
[22:43] >> Yeah. So one other thing I wanted to add to that question, which I think is an important little bit of context: like Kevin said, or I think Ardan said, the reason we need to revoke that old certificate is because there are vulnerabilities that have been signed with that certificate. There are old vulnerable boot managers that have been signed, and technically your PC is not protected against all of the vulnerabilities until we get to the point of revoking that certificate. So it is really important, from a security perspective and protecting your machine from some kinds of boot malware, that we are able to do that.
[23:36] Sometimes there is press that Microsoft is doing things for reasons that are not above board. And I just want to be really clear that there's a really good reason we're doing that. We're working on that certificate revocation to protect you, to protect your PC from malware, from bootkits, from some of the very difficult to detect pieces of malware.
[24:00] >> And Scott, you said in there that we signed the vulnerabilities. I know that's not exactly what you meant. We signed old things that were good at the time, that vulnerabilities were then discovered in. Correct. And that's where the trick is. So both those things, I know that's not what you meant, but I want to make sure.
[24:19] >> No, it's a wonderful clarification. Thank you. Yes. For those of us who work in software, all software has bugs. All software has vulnerabilities. Perfect systems don't exist. And the game we play, the work we do, is making sure that we keep things as up to date as we can, and we fix everything that we know about that's bad in any of the software we've shipped. So thank you for the clarification, Jason. I love that.
[24:54] It may be worth expanding that many of the devices we see today, new in market as well as those that we're bringing this update to, are effectively what we call this hybrid mode, meaning they trust both the old 2011 certificates as well as the new 2023 certificates. However, we're starting to see more devices that ship with only the 2023 certificates, as a recommendation that we've had out there. And also there are tools and guidance available to customers who do want to remove trust from the 2011 certificate. So there's a lot of options out there, depending on the security profile and what you want to accomplish in your environment.
[25:36] >> Okay. So, I've updated administrative templates, and we are unable to find the Secure Boot settings in Group Policy. Computer Configuration, Administrative Templates, Windows Components, Secure Boot doesn't appear. Could you explain why?
[26:00] Yeah, without digging into it, my guess there is how you updated the templates and where you updated the templates. It's been a while since I've done Active Directory administration, but you have to put the template in a special place on the domain controller for them to actually show up. Don't remember what that's called. Or a special location on your local PC for them to actually show up in the GP editor. You can find more information about that in the docs. I totally don't remember the full details there. That would be my speculation on why you're not seeing it in GP editor: you just haven't put the template in the right place.
[26:38] the right place. >> It's either that or perhaps uh there.
[26:42] >> It's either that or perhaps uh there. So, it last I knew it was the latest
[26:45] So, it last I knew it was the latest update of the group policy download. So,
[26:48] update of the group policy download. So, so you have to make sure that you get
[26:50] so you have to make sure that you get the latest one. Uh, it sounds like you
[26:53] the latest one. Uh, it sounds like you probably uh did that, but just uh double
[26:56] probably uh did that, but just uh double check that.
[26:57] check that. >> Yeah. My only other comment, and this is
[27:00] >> Yeah. My only other comment, and this is more of a follow on, slightly tangential
[27:02] more of a follow on, slightly tangential comment, is you really should be moving
[27:04] comment, is you really should be moving to Intune, and then in in tune, these
[27:05] to Intune, and then in in tune, these settings are straight up there in the
[27:07] settings are straight up there in the settings catalog. Um, I know that
[27:10] settings catalog. Um, I know that everyone can't get there overnight, but
[27:11] everyone can't get there overnight, but that's I mean, things are just there.
[27:13] that's I mean, things are just there. You're not going to have to worry about
[27:14] You're not going to have to worry about the ADMX templates and things like that
[27:16] the ADMX templates and things like that once you get to Intune.
[27:19] once you get to Intune. >> Okay. Um, can you comment on reboot
[27:22] >> Okay. Um, can you comment on reboot requirements? I've seen devices reach
[27:25] requirements? I've seen devices reach UFI 2023 status equals updated which is
[27:29] UFI 2023 status equals updated which is identified in KB
[27:32] identified in KB 5068202
[27:35] 5068202 as the authoritative authoritative
[27:37] as the authoritative authoritative deployment status indicator. Devices
[27:40] deployment status indicator. Devices seem to be need a second reboot to
[27:42] seem to be need a second reboot to actually be booting from the updated
[27:45] actually be booting from the updated 2023 signed boot manager. So, is the
[27:48] 2023 signed boot manager. So, is the second reboot a hard requirement or is
[27:51] second reboot a hard requirement or is achieving updated status truly
[27:54] achieving updated status truly sufficient?
[27:56] sufficient? Um,
[27:58] Um, I so so my experience that I've seen is
[28:01] I so so my experience that I've seen is that the certificates will update
[28:03] that the certificates will update without even needing a reboot. Um uh in
[28:07] without even needing a reboot. Um uh in most cases usually where the reboot is
[28:10] most cases usually where the reboot is needed is um that uh when it gets to the
[28:15] needed is um that uh when it gets to the boot manager update uh and then then
[28:17] boot manager update uh and then then it'll stop and ask for a reboot there.
[28:20] it'll stop and ask for a reboot there. Uh I don't know that there's any reason
[28:23] Uh I don't know that there's any reason why a second reboot is needed. Uh
[28:26] why a second reboot is needed. Uh >> well the second before the second reboot
[28:30] >> well the second before the second reboot the
[28:32] the it depends on how you're looking. So if
[28:35] it depends on how you're looking. So if you're looking at say a um attestation
[28:39] you're looking at say a um attestation report um for something like conditional
[28:42] report um for something like conditional access um the attestation that appears
[28:47] access um the attestation that appears in the TCG log that says what you booted
[28:50] in the TCG log that says what you booted through and what shows up in PCR7
[28:54] through and what shows up in PCR7 um won't be updated until after that
[28:57] um won't be updated until after that reboot after the new uh boot manager is
[29:00] reboot after the new uh boot manager is deployed. So it depends on exactly what
[29:04] deployed. So it depends on exactly what you're looking for. The boot manager can
[29:06] you're looking for. The boot manager can be deployed so that it's sitting on disk
[29:09] be deployed so that it's sitting on disk in the EFI partition, but the state of
[29:12] in the EFI partition, but the state of your system didn't boot through that
[29:15] your system didn't boot through that boot manager on this boot cycle, which
[29:17] boot manager on this boot cycle, which means the TCG log and the other boot
[29:19] means the TCG log and the other boot artifacts won't show that you are
[29:22] artifacts won't show that you are currently booted through that boot
[29:24] currently booted through that boot manager. So I think it depends exactly
[29:26] manager. So I think it depends exactly what you're looking at. And I also think
[29:28] what you're looking at. And I also think some of the events in the event log that
[29:32] some of the events in the event log that we uh measure the state. I'm not sure
[29:35] we uh measure the state. I'm not sure Ardin, do you remember? I thought there
[29:37] Ardin, do you remember? I thought there was one of them that only comes out on
[29:38] was one of them that only comes out on boot.
[29:40] boot. >> Uh the the 1801 and 1808 events come out
[29:44] >> Uh the the 1801 and 1808 events come out primarily I think uh I think it's five
[29:46] primarily I think uh I think it's five minutes after boot time. Yeah,
[29:48] minutes after boot time. Yeah, >> that was the the the other thing I was
[29:50] >> that was the the the other thing I was going to add to that is um you know
[29:53] going to add to that is um you know there there is some timing uh involved
[29:57] there there is some timing uh involved in that in the sense that that the this
[30:01] in that in the sense that that the this the task doesn't run right away when you
[30:04] the task doesn't run right away when you when you boot uh it runs you know five
[30:07] when you boot uh it runs you know five minutes after I think and then every 12
[30:09] minutes after I think and then every 12 minutes or 12 hours after that
[30:11] minutes or 12 hours after that >> 12 hours yeah
[30:11] >> 12 hours yeah >> so so there could be some timing issues
[30:13] >> so so there could be some timing issues in there but I think you know I'll stick
[30:16] in there but I think you know I'll stick with I don't know why you would need a
[30:18] with I don't know why you would need a second reboot. Um
[30:21] second reboot. Um um yeah.
[30:26] Um so for environments where secure boot
[30:29] Um so for environments where secure boot is currently disabled like VMs, can we
[30:32] is currently disabled like VMs, can we safely prepare the new secure boot trust
[30:35] safely prepare the new secure boot trust chain in advance without enabling secure
[30:38] chain in advance without enabling secure boot immediately? We would appreciate
[30:40] boot immediately? We would appreciate guidance specifically for Azure IAS
[30:45] guidance specifically for Azure IAS uh server workloads and enterprise Linux
[30:49] uh server workloads and enterprise Linux Windows server environments.
[30:53] Okay, tricky question. So if secure boot
[30:57] Okay, tricky question. So if secure boot is disabled and then you say like VMs.
[31:00] is disabled and then you say like VMs. So that gets us into some tricky uh
[31:03] So that gets us into some tricky uh situation
[31:05] situation uh in HyperV. So in Azure or in HyperV
[31:10] uh in HyperV. So in Azure or in HyperV environments, there are two different
[31:12] environments, there are two different kinds of VMs. Um in a HyperV environment
[31:16] kinds of VMs. Um in a HyperV environment on Windows Server, there's Gen 1 VMs and
[31:18] on Windows Server, there's Gen 1 VMs and Gen 2 VMs. Um many of the old VMs you'll
[31:23] Gen 2 VMs. Um many of the old VMs you'll have will be Gen One VMs, which don't
[31:25] have will be Gen One VMs, which don't support secure boot at all. So when we
[31:28] support secure boot at all. So when we look at it from inside the operating
[31:30] look at it from inside the operating system, we'll see secure boot capable
[31:32] system, we'll see secure boot capable false that the device isn't even capable
[31:35] false that the device isn't even capable of secure boot. So those aren't secure
[31:37] of secure boot. So those aren't secure boot disabled. Those are secure boot
[31:39] boot disabled. Those are secure boot incapable. Then there is gen two VMs um
[31:44] incapable. Then there is gen two VMs um which in a hyperv environment are gen
[31:46] which in a hyperv environment are gen two VMs. They are capable of secure
[31:49] two VMs. They are capable of secure boot. They boot through a UV environment
[31:51] boot. They boot through a UV environment um but can either be enabled or
[31:53] um but can either be enabled or disabled. In Azure there are um the
[31:58] disabled. In Azure there are um the standard VMs and then there are trusted
[32:02] standard VMs and then there are trusted launch VMs and the uh TVMs do support
[32:08] launch VMs and the uh TVMs do support secure boot. Um but the standard Azure
[32:11] secure boot. Um but the standard Azure VMs uh don't support secure boot. So
[32:14] VMs uh don't support secure boot. So it's going to depend a lot on exactly
[32:17] it's going to depend a lot on exactly what kind of an environment you're in
[32:20] what kind of an environment you're in and what it supports. Um
[32:24] and what it supports. Um whether you can deploy the trust chain
[32:27] whether you can deploy the trust chain in advance is a tricky question. Um we
[32:32] in advance is a tricky question. Um we generally don't do that. Um because
[32:37] generally don't do that. Um because the support isn't consistent across the
[32:40] the support isn't consistent across the board. Um,
[32:43] board. Um, in the UI spec, it is absolutely
[32:46] in the UI spec, it is absolutely possible if the device is in what's
[32:47] possible if the device is in what's called setup mode for you to deployer
[32:50] called setup mode for you to deployer deploy certificates into the UI
[32:53] deploy certificates into the UI variables. And there's a little bit of
[32:57] variables. And there's a little bit of ambiguity in this back here and OEMs
[32:59] ambiguity in this back here and OEMs have implemented this differently. So,
[33:00] have implemented this differently. So, it really depends on the EFI
[33:02] it really depends on the EFI implementation. Um, as soon as you set
[33:06] implementation. Um, as soon as you set the PK variable, secure boot becomes
[33:09] the PK variable, secure boot becomes enabled. So there are three variables in
[33:12] enabled. So there are three variables in the trust chain. PK at the top, KEK in
[33:14] the trust chain. PK at the top, KEK in the middle, the key exchange key, and
[33:16] the middle, the key exchange key, and then DB at the bottom. Um
[33:20] then DB at the bottom. Um the way it's recommended to set the keys
[33:22] the way it's recommended to set the keys is in reverse order. So when secure boot
[33:25] is in reverse order. So when secure boot is in setup mode, you set DB first, then
[33:29] is in setup mode, you set DB first, then kek, and at that point, you're still in
[33:31] kek, and at that point, you're still in setup mode and you've got some keys
[33:33] setup mode and you've got some keys deployed. But then as soon as you deploy
[33:36] deployed. But then as soon as you deploy PK secure boot is supposed to come on it
[33:40] PK secure boot is supposed to come on it varies across hardware and UI
[33:43] varies across hardware and UI implementations how that works on some
[33:45] implementations how that works on some UI implementations and according to my
[33:49] UI implementations and according to my interpretation of the spec secure boot
[33:51] interpretation of the spec secure boot is supposed to come on immediately. So
[33:53] is supposed to come on immediately. So you're supposed to have be uh secure
[33:56] you're supposed to have be uh secure boot enabled immediately although you
[33:58] boot enabled immediately although you haven't rebooted yet so that doesn't
[34:00] haven't rebooted yet so that doesn't really mean much until you hit the next
[34:02] really mean much until you hit the next boot sequence. Um, some uh UI
[34:06] boot sequence. Um, some uh UI implementations will not do the
[34:09] implementations will not do the enablement until the next boot cycle
[34:11] enablement until the next boot cycle happens. Some UI implementations require
[34:13] happens. Some UI implementations require you to go into the boot menu um and
[34:17] you to go into the boot menu um and enable secure boot separately. Um, and
[34:22] enable secure boot separately. Um, and some UI implementations have
[34:25] some UI implementations have interesting modes where you can say
[34:27] interesting modes where you can say secure boot is disabled but we're not in
[34:31] secure boot is disabled but we're not in setup mode. So some of the keys are set.
[34:33] setup mode. So some of the keys are set. So you can't necessarily set up the the
[34:36] So you can't necessarily set up the the keys in the trust chain. Um if you can
[34:40] keys in the trust chain. Um if you can if the UI is enabling you to that is
[34:43] if the UI is enabling you to that is totally fine and safe to do until you
[34:46] totally fine and safe to do until you enable secure boot those keys that are
[34:48] enable secure boot those keys that are are pre-provisioned should do nothing.
[34:51] are pre-provisioned should do nothing. But the general advice I would give is
[34:54] But the general advice I would give is whatever deployment you're trying to do
[34:57] whatever deployment you're trying to do test it first. So if you're in a VM
[35:00] test it first. So if you're in a VM environment, spin up a test VM that
[35:02] environment, spin up a test VM that mirrors the configuration you want to
[35:05] mirrors the configuration you want to test on, test it there. Make sure you
[35:07] test on, test it there. Make sure you understand the behavior and you see how
[35:09] understand the behavior and you see how it's working. Um, if you have servers,
[35:13] it's working. Um, if you have servers, ideally you have some test servers or
[35:16] ideally you have some test servers or some other equivalent hardware that you
[35:18] some other equivalent hardware that you can test on first. Um, and you know,
[35:22] can test on first. Um, and you know, testing before you roll into production
[35:23] testing before you roll into production is always a great idea. So that would be
[35:27] is always a great idea. So that would be the topline advice. Please test before
[35:29] the topline advice. Please test before you deploy.
[35:30] you deploy. >> I think there's a a few more nuances in
[35:33] >> I think there's a a few more nuances in this question too in the sense that it
[35:37] this question too in the sense that it it might make sense u if they're trying
[35:40] it might make sense u if they're trying to enable secure boot on their
[35:42] to enable secure boot on their infrastructure that the uh it might be
[35:46] infrastructure that the uh it might be the easiest way to spin up new VMs. new
[35:49] the easiest way to spin up new VMs. new VMs for most uh virtual environments I
[35:54] VMs for most uh virtual environments I think should have the certificates by
[35:55] think should have the certificates by now. Uh I know HyperV and Azure does and
[35:59] now. Uh I know HyperV and Azure does and I believe most of the other ones do. I
[36:02] I believe most of the other ones do. I I'm not entirely sure but u but so
[36:06] I'm not entirely sure but u but so starting up new VMs and uh shifting
[36:09] starting up new VMs and uh shifting pieces of the infrastructure over to
[36:10] pieces of the infrastructure over to those new VMs might be the easiest way
[36:12] those new VMs might be the easiest way to do that. Um and then I think there
[36:16] to do that. Um and then I think there was the last piece of this that um is
[36:19] was the last piece of this that um is the Linux Windows server environments.
[36:23] the Linux Windows server environments. So I think that opens up that that Linux
[36:26] So I think that opens up that that Linux actually has a a piece of this as well
[36:31] actually has a a piece of this as well in the sense that uh they are uh also
[36:35] in the sense that uh they are uh also responsible for updating uh secure boot
[36:37] responsible for updating uh secure boot in their environment. I think um maybe
[36:40] in their environment. I think um maybe Scott knows better than I do, but
[36:42] Scott knows better than I do, but >> yeah, I was going to say on a uh pure
[36:45] >> yeah, I was going to say on a uh pure Linux server where there is no Windows
[36:48] Linux server where there is no Windows um we can't update the certificates.
[36:50] um we can't update the certificates. When Windows doesn't run there, there's
[36:53] When Windows doesn't run there, there's nothing we can do. So, you need to work
[36:56] nothing we can do. So, you need to work with your DRO um vendor to make sure you
[37:00] with your DRO um vendor to make sure you understand the the instructions for
[37:02] understand the the instructions for updating the secure boot settings on
[37:04] updating the secure boot settings on your Linux environments. Um, I know all
[37:07] your Linux environments. Um, I know all of the distros are aware of this and are
[37:09] of the distros are aware of this and are working on it. Um, uh, I'm I'm not up to
[37:13] working on it. Um, uh, I'm I'm not up to date on the full status for every
[37:14] date on the full status for every distro. Um, so check the documentation
[37:18] distro. Um, so check the documentation for your Linux distribution and make
[37:19] for your Linux distribution and make sure you understand how that certificate
[37:22] sure you understand how that certificate update is supposed to happen on those
[37:23] update is supposed to happen on those machines. But like Ardan said, spinning
[37:25] machines. But like Ardan said, spinning up new VMs is a great idea if you can.
[37:28] up new VMs is a great idea if you can. um because not only will you get the
[37:30] um because not only will you get the newer configuration for secure boot,
[37:32] newer configuration for secure boot, there are a lot of other things that you
[37:34] there are a lot of other things that you get newer configuration
[37:36] get newer configuration uh when you spin up new VM. So that'll
[37:38] uh when you spin up new VM. So that'll be a good idea.
[37:40] be a good idea. >> One one quick question for you Ardan and
[37:42] >> One one quick question for you Ardan and and Scott really on this that there's no
[37:44] and Scott really on this that there's no Microsoft process to pre-stage this with
[37:47] Microsoft process to pre-stage this with secure boot disabled. Correct. Right. So
[37:50] secure boot disabled. Correct. Right. So if you have secure boot disabled on a
[37:51] if you have secure boot disabled on a system, there's no automatic process,
[37:54] system, there's no automatic process, let me throw that word in there, that
[37:55] let me throw that word in there, that will update those systems. you have to
[37:57] will update those systems. you have to go off and manually do some things.
[38:00] go off and manually do some things. >> Yeah.
[38:01] >> Yeah. >> If secure boot is disabled. Yeah.
[38:03] >> If secure boot is disabled. Yeah. >> Yeah. In general, I mean, uh, you would
[38:05] >> Yeah. In general, I mean, uh, you would need to enable secure boot first and
[38:07] need to enable secure boot first and then then Windows would update the
[38:10] then then Windows would update the certificates at that point.
[38:11] certificates at that point. >> Well, there's a trick there. Um, if
[38:14] >> Well, there's a trick there. Um, if secure boot is disabled, we update boot
[38:16] secure boot is disabled, we update boot manager to the 2023 signed boot manager.
[38:20] manager to the 2023 signed boot manager. So
[38:21] So um because we want you to be on the
[38:23] um because we want you to be on the latest uh boot manager and that's the
[38:26] latest uh boot manager and that's the 2023 signed boot manager. Um if you go
[38:30] 2023 signed boot manager. Um if you go if you're if you have secure boot
[38:33] if you're if you have secure boot certificates provisioned that are not
[38:36] certificates provisioned that are not trusting the the 2011 that are not
[38:40] trusting the the 2011 that are not trusting the 2023 CA and you enable
[38:43] trusting the 2023 CA and you enable secure boot um it won't boot off that
[38:47] secure boot um it won't boot off that 2023 signed boot manager. you have to do
[38:50] 2023 signed boot manager. you have to do the update of the certificates to trust
[38:53] the update of the certificates to trust that. Which means if you've had a
[38:56] that. Which means if you've had a firmware update that's updated, the
[38:58] firmware update that's updated, the defaults, um, resetting to defaults will
[39:01] defaults, um, resetting to defaults will fix that. Um, if you haven't, there is
[39:05] fix that. Um, if you haven't, there is an EFI application we have that will
[39:08] an EFI application we have that will just do the certificate updates. Um,
[39:12] just do the certificate updates. Um, Ardan, do you know where that's linked,
[39:13] Ardan, do you know where that's linked, the download for that? It's it's in the
[39:17] the download for that? It's it's in the uh I think it's in the troubleshooting
[39:19] uh I think it's in the troubleshooting guide. Uh and it's and it comes it's
[39:22] guide. Uh and it's and it comes it's been on disk. So it came with the the
[39:24] been on disk. So it came with the the updates um since last year, more than a
[39:28] updates um since last year, more than a year ago, I think. But I believe it's in
[39:30] year ago, I think. But I believe it's in the troubleshooting guide. Um and I'm
[39:33] the troubleshooting guide. Um and I'm going to give a reminder uh to look at
[39:36] going to give a reminder uh to look at akamsget
[39:38] akamsget secure boot to get more details. There's
[39:41] secure boot to get more details. There's a lot of good documentation up there.
[39:44] a lot of good documentation up there. >> Yeah. And um that EFI application will
[39:50] >> Yeah. And um that EFI application will update the secure boot certificates. Um
[39:53] update the secure boot certificates. Um and it's signed with the 2011 CA. So
[39:57] and it's signed with the 2011 CA. So it'll boot even if your certificates
[39:59] it'll boot even if your certificates aren't updated and it will update you to
[40:01] aren't updated and it will update you to the 2023 CA so that you can continue to
[40:04] the 2023 CA so that you can continue to boot.
[40:05] boot. >> Yeah. Uh to be clarify that a little
[40:07] >> Yeah. Uh to be clarify that a little bit, it up it applies only one of the
[40:10] bit, it up it applies only one of the certificates. it it applies the one you
[40:12] certificates. it it applies the one you need for the boot manager.
[40:15] need for the boot manager. >> Right.
[40:16] >> Right. >> Um Okay.
[40:18] >> Um Okay. So, next question. Is there a specific
[40:21] So, next question. Is there a specific day in June when certificates start
[40:23] day in June when certificates start expiring?
[40:26] expiring? >> Yes, there is. I don't remember it.
[40:30] >> Yes, there is. I don't remember it. >> I think for the KEK it's June 24th.
[40:33] >> I think for the KEK it's June 24th. >> That sounds really
[40:35] >> That sounds really >> There's several certificates, right? I
[40:36] >> There's several certificates, right? I think there's four and we've outlined
[40:38] think there's four and we've outlined them. Three of them expire in June, one
[40:41] them. Three of them expire in June, one in October.
[40:44] in October. >> U two two in June, one in October. Uh
[40:48] >> U two two in June, one in October. Uh and they're and I think you're probably
[40:49] and they're and I think you're probably right on the date that it's near the end
[40:51] right on the date that it's near the end of the month, but I don't remember what
[40:53] of the month, but I don't remember what the dates are. Um how about MacBooks
[40:56] the dates are. Um how about MacBooks running Windows in Boot Camp natively?
[41:00] running Windows in Boot Camp natively? Does this still apply? Uh and what would
[41:03] Does this still apply? Uh and what would be the process? Um so Windows cannot
[41:07] be the process? Um so Windows cannot update uh the secure boot active
[41:11] update uh the secure boot active variables in on a a device running boot
[41:14] variables in on a a device running boot camp. Uh it's uh boot camp just doesn't
[41:18] camp. Uh it's uh boot camp just doesn't allow it. U so uh I think that's a maybe
[41:22] allow it. U so uh I think that's a maybe a question for Apple. I if I remember
[41:25] a question for Apple. I if I remember correctly um that boot camp is for on
[41:27] correctly um that boot camp is for on older Apple devices and then I think
[41:30] older Apple devices and then I think parallels is what's running on the newer
[41:32] parallels is what's running on the newer ones. But um and I believe Parallels,
[41:35] ones. But um and I believe Parallels, the company that manufactured Parallels,
[41:39] the company that manufactured Parallels, is a is doing work to update them.
[41:44] is a is doing work to update them. It'd be best to check with them.
[41:47] It'd be best to check with them. >> I just went to look up the date and
[41:49] >> I just went to look up the date and looking at our support pages, it just
[41:50] looking at our support pages, it just all says the month, June 2026. So, I'm
[41:53] all says the month, June 2026. So, I'm going to try to look it up.
[41:54] going to try to look it up. >> I'll I'll take a note to update the
[41:56] >> I'll I'll take a note to update the dates for that.
[41:57] dates for that. >> That'll be great. Perfect.
[41:59] >> That'll be great. Perfect. >> And a clarification on uh four versus
[42:01] >> And a clarification on uh four versus three certificates. Um correct there are
[42:04] three certificates. Um correct there are three 2011 and in 2023 we replaced them
[42:08] three 2011 and in 2023 we replaced them with four. Um part of the reason there
[42:10] with four. Um part of the reason there and maybe others want to expand on it is
[42:12] and maybe others want to expand on it is that we split the UVCA into a Microsoft
[42:16] that we split the UVCA into a Microsoft UI and a Microsoft option ROM UVCA so
[42:19] UI and a Microsoft option ROM UVCA so that customers can have finer grain
[42:21] that customers can have finer grain control over what they choose to trust
[42:22] control over what they choose to trust on their PCs. So we had three that are
[42:25] on their PCs. So we had three that are expiring. there's four new ones that
[42:27] expiring. there's four new ones that replace it.
[42:30] replace it. >> Yeah, it's I think that's a good point.
[42:33] >> Yeah, it's I think that's a good point. I mean, in the sense that some devices
[42:35] I mean, in the sense that some devices may need the option ROM one for um you
[42:38] may need the option ROM one for um you know, devices that have uh built-in
[42:40] know, devices that have uh built-in firmware,
[42:42] firmware, >> but they don't need the third party uh
[42:46] >> but they don't need the third party uh um signing certificate. and not trusting
[42:49] um signing certificate. and not trusting that just reduces the amount of uh risk
[42:52] that just reduces the amount of uh risk that you uh or attack surface that is
[42:56] that you uh or attack surface that is possible.
[42:59] possible. Uh a comment was made regarding bootable
[43:02] Uh a comment was made regarding bootable media in regards to the secure boot
[43:04] media in regards to the secure boot certificates. We have several USB sticks
[43:07] certificates. We have several USB sticks and pees used to build systems. If the
[43:11] and pees used to build systems. If the certificates are expired in the boot
[43:14] certificates are expired in the boot media PE media, uh will those stop
[43:18] media PE media, uh will those stop working completely in June or only when
[43:21] working completely in June or only when the old certificates are certificates
[43:23] the old certificates are certificates are revoked?
[43:26] are revoked? Uh and it's uh the the answer to that is
[43:29] Uh and it's uh the the answer to that is o only when the PCA 2011 the the one
[43:33] o only when the PCA 2011 the the one that signs the Windows boot manager is
[43:36] that signs the Windows boot manager is revoked is when that media will stop
[43:38] revoked is when that media will stop working. and and so so for a enterprise
[43:43] working. and and so so for a enterprise environment it's getting the
[43:44] environment it's getting the certificates deployed getting the boot
[43:46] certificates deployed getting the boot managers updated on the devices and then
[43:50] managers updated on the devices and then getting all the
[43:52] media or um USB sticks or things like
[43:55] that uh PXE boot getting that updated
[43:59] and then untrusting that 2011
[44:01] certificate is the rough order that you
[44:04] would want to do that in. That's right.
[44:06] Though you may, some customers may start
[44:08] to see devices come into their
[44:10] environment that only have the 2023s.
[44:14] And so that's another one to plan for.
[44:16] >> That's right. Yeah.
[44:19] Okay. Similar question. Um, when should
[44:22] we expect to see the boot manager start
[44:24] using the new certs? Also, when should we
[44:27] see an ISO with this? Should we open
[44:30] up an ISO and manually make a change or
[44:33] wait for Microsoft?
[44:37] Uh, so I think the first question is
[44:39] easy. The the
[44:42] boot manager the in Windows updates for
[44:45] the past year, there's been two versions
[44:48] of the boot manager. One that's signed
[44:50] with the 2011 certificate and one that's
[44:51] signed with the 2023 certificate. So,
[44:54] both of them have been there for for
[44:56] probably at least a year. I can't I'm
[44:58] not sure exactly how long.
[45:01] Um but then then the I guess what we get
[45:05] into is when will we start seeing ISOs
[45:09] with the new boot manager or the the
[45:13] booting from the 2023-signed boot
[45:15] manager. Um and I think that's going to
[45:19] vary on depending on the source. I um
[45:22] for Microsoft we're uh plan in planning
[45:26] stage right now for switching all the
[45:28] media over. The the priority is to get
[45:31] the world switched to the new
[45:33] certificates so that then as we switch
[45:35] the the media over it'll it'll continue
[45:38] to work. Um so I would expect that
[45:41] coming uh later this year. Um
[45:45] and uh and then for other sources I
[45:48] don't think we can really comment on you
[45:50] know that. Um
[45:53] the I guess the last question I'm not
[45:55] sure exactly how to answer. Um is should
[45:59] we open up the ISO manually make changes
[46:01] or wait for Microsoft? Um
[46:05] yeah I'm not sure how to answer that
[46:07] question.
[46:10] I
[46:13] So it depends. So if
[46:17] yeah I I agree with you Ardan in general
[46:22] um I mean making new images is supported
[46:25] you you are able to customize media um
[46:30] for the most part I think if you're
[46:32] getting media from Microsoft there
[46:34] should be updated media um
[46:38] uh but if you're in many cases you'll be
[46:41] getting media from OEMs or from other
[46:43] cases and uh so there are cases for sure
[46:46] where you will need to update the media
[46:49] um and we have instructions for that on
[46:52] uh aka.ms/getsecureboot.
[46:58] >> Okay. Um what should be the overall
[47:01] advice to consider and take action on
[47:04] for clients running BitLocker or
[47:06] similar encryption systems in
[47:08] conjunction with secure boot?
[47:12] Uh I think the the answer there is
[47:16] uh BitLocker uh if everything's working
[47:19] correctly should not be uh an impact.
[47:22] The we've seen in a small number of
[47:25] cases where firmware was doing the wrong
[47:28] thing and causing BitLocker recoveries.
[47:30] Um uh but that's been a very limited
[47:33] cases. Uh we do everything we can to
[47:37] ensure that there are no BitLocker
[47:39] recoveries. Uh it's just we know how
[47:42] impactful that is and it's u and we take
[47:45] that very seriously.
[47:50] >> Yeah. Yeah, I guess going back to one of
[47:51] Scott's previous question or previous uh
[47:53] statements, make sure you're testing so
[47:55] that you can see those kinds of things.
[47:57] And then of course, make sure that your
[48:00] BitLocker keys are properly escrowed
[48:02] somewhere, whatever management tool
[48:04] you're using because you don't want that
[48:06] or to find that out after you've skipped
[48:08] your testing and gone straight to prod,
[48:10] right?
[48:11] >> Yeah.
[48:13] And BitLocker is something that all of
[48:15] our tools and all of our um all of our
[48:19] testing pays very close attention to. Uh
[48:22] BitLocker is very important to us. So
[48:25] um for sure our default tools um do
[48:30] properly reseal uh BitLocker to the new
[48:34] state um so that you can actually take
[48:37] the update with no gap in security
[48:40] coverage. So um that is uh in general
[48:45] how all the updates happen.
[48:49] >> Yeah. Um
[48:52] this one may be for you Jason. Uh is
[48:54] there a report in Intune or Entra that
[48:58] shows the state of devices in the fleet
[49:00] for the updated certs?
[49:03] >> Yeah, good question. So I was actually
[49:05] just going to make sure I looked up the
[49:06] report name. Not that it really has an
[49:08] official name here. We released this
[49:10] two, three months ago. It was something
[49:12] that Autopatch actually did. Uh and so
[49:14] it's actually called the secure boot
[49:16] status report. It's it's surfaced
[49:18] through Intune. It was created by
[49:20] Autopatch. Uh so you can reference that
[49:22] report. Um Ardan, your team also
[49:25] published a way to create a remediation.
[49:28] So it's basically a PowerShell script.
[49:30] Um and that's what remediations use in
[49:32] Intune that will also do this. So kind
[49:35] of a I don't know double check if you
[49:37] will. Uh you can have these two methods
[49:39] of actually doing that. Uh it looks like
[49:41] uh we have an aka.ms at the bottom here.
[49:44] aka.ms/monitor
[49:46] secure boot with Intune. Uh so I don't
[49:49] remember which page that goes to. I'm
[49:50] thinking that goes to the remediations
[49:52] page. Uh where you can actually manually
[49:55] add that PowerShell script as a
[49:56] remediation to do that. Again, the
[49:58] report is built in. You don't need
[50:00] anything else special to do that. None
[50:01] of this is Entra specific though. It is
[50:03] all Intune specific. So kind of going
[50:05] back to the flare in that question
[50:07] there. So
[50:07] >> yeah, and I think you can find some of
[50:09] that also uh when if you go to the aka.ms
[50:14] getsecureboot page near the
[50:17] bottom. Uh I believe there's uh uh one
[50:21] on reports or I can't remember exactly
[50:23] what it is but but um I would use that
[50:26] page and all the supporting pages there
[50:29] as as as resources. Um there's a lot of
[50:33] a lot of good data there
[50:35] >> and and there's no harm in doing both
[50:36] here, right? I mean, we're just checking
[50:38] things. They're just checking the event
[50:39] viewer. They're just checking the
[50:41] registry. They're just checking other
[50:42] signals. Uh so they all should show
[50:45] exactly the same uh every effort. We've
[50:47] I'm I'm sure every we've made every
[50:49] effort to make sure everything looks
[50:50] exactly the same. So,
[50:53] exactly the same. So, >> okay. So for devices currently sitting
[50:56] >> okay. So for devices currently sitting in vendor storage awaiting deployment,
[50:58] in vendor storage awaiting deployment, do we need to update all of them before
[51:01] do we need to update all of them before June? For example, if a device remains
[51:03] June? For example, if a device remains in storage until the end of the year and
[51:06] in storage until the end of the year and is then shipped to a user, would we
[51:08] is then shipped to a user, would we still be able to update the secure boot
[51:11] still be able to update the secure boot certificate by scoping that device into
[51:14] certificate by scoping that device into the remediations or would the
[51:16] the remediations or would the certificates be too far expired at that
[51:18] certificates be too far expired at that point to be remediated remediated in the
[51:24] point to be remediated remediated in the BIOS if the BIOS is up to date?
[51:27] BIOS if the BIOS is up to date? >> Yeah, this is a good one. I I think we
[51:29] >> Yeah, this is a good one. I I think we would say simply there's no deadline on
[51:31] would say simply there's no deadline on your ability to update the device. So
[51:35] your ability to update the device. So whether it's in storage in channel in a
[51:38] whether it's in storage in channel in a lock desk when it comes online it'll
[51:41] lock desk when it comes online it'll need the update but as Scott explained
[51:43] need the update but as Scott explained earlier those updates are signed with
[51:45] earlier those updates are signed with the existing searchs and so u we won't
[51:49] the existing searchs and so u we won't lose the opportunity to update when they
[51:50] lose the opportunity to update when they do come online or get into the end
[51:52] do come online or get into the end customer's hands.
[51:55] customer's hands. Yeah, I think there's a there's an
[51:56] Yeah, I think there's a there's an interesting caveat in here as well or in
[51:57] interesting caveat in here as well or in the question at least they were talking
[51:59] the question at least they were talking about scoping the change. There's really
[52:02] about scoping the change. There's really no way to target this change. It's
[52:03] no way to target this change. It's coming down via Windows update, right?
[52:06] coming down via Windows update, right? You could potentially set one of the
[52:08] You could potentially set one of the settings. There are the three settings.
[52:09] settings. There are the three settings. One of them says don't ever do anything
[52:11] One of them says don't ever do anything on this device. Um, but I don't know why
[52:14] on this device. Um, but I don't know why you would explicitly want to do that.
[52:15] you would explicitly want to do that. So, I guess after the fact you could
[52:17] So, I guess after the fact you could potentially manipulate this, but I would
[52:19] potentially manipulate this, but I would see maybe getting yourself into some
[52:21] see maybe getting yourself into some trouble by doing that, right? I I think
[52:24] trouble by doing that, right? I I think there's another likely two more
[52:26] there's another likely two more likelihoods here. One is that if it's a
[52:28] likelihoods here. One is that if it's a relatively new machine past year and a
[52:30] relatively new machine past year and a half, uh it'll probably already have the
[52:33] half, uh it'll probably already have the certificates, maybe not the updated boot
[52:35] certificates, maybe not the updated boot manager. Uh and as soon as you install,
[52:40] manager. Uh and as soon as you install, let's say it's December or January of
[52:42] let's say it's December or January of next year, you install the cumulative
[52:44] next year, you install the cumulative update, uh it will more more than likely
[52:47] update, uh it will more more than likely be in the high confidence data at that
[52:50] be in the high confidence data at that point. And then the cumulative update
[52:53] point. And then the cumulative update will actually uh apply the certificates
[52:56] will actually uh apply the certificates and apply the boot manager.
[53:00] and apply the boot manager. >> Great point.
[53:01] >> Great point. >> Uh how do we deal with legacy devices
[53:04] >> Uh how do we deal with legacy devices that don't support automatic updates?
[53:10] >> Not sure what automatic updates means in
[53:13] this c in this context. I assume
[53:18] that that's an OEM automatic update. So,
[53:21] Windows update has been supported in
[53:23] Windows as far back as I can remember.
[53:27] Um, so Windows supports automatic
[53:30] updates going way far back. I'm not
[53:33] entirely sure what automatic updates the
[53:36] question is referring to.
[53:39] >> Could be for devices that have Windows
[53:41] support as well.
[53:43] >> I was taking it as maybe a UEFI issue
[53:46] here where it just won't take our update
[53:48] for the certificates.
[53:50] It's got some older weird UEFI firmware
[53:53] that has one of the many caveats or
[53:55] strangenesses that you guys have pointed
[53:56] out and won't take the updates for
[53:58] whatever reason.
[54:00] >> If it's if it's on a a list that we know
[54:04] that device will have problems with the
[54:07] update, um then yes, there's a reason
[54:11] we're we're not recommending that device
[54:13] take the update. Um
[54:15] >> yeah and in that case uh the OEM
[54:18] partners who have been working with us
[54:20] on those specific devices have very
[54:23] exhaustive support pages that will
[54:26] describe the devices that have an update
[54:29] available how to go get it and then for
[54:32] cases where the update may not be
[54:33] available what their recommendation is.
[54:40] >> Okay. Uh, can you explain what not
[54:43] applicable unknown means in the secure
[54:46] boot status report in Intune?
[54:49] >> Yeah, I'll start this one off because
[54:51] I'm not a I mean I don't know every
[54:53] status or every possibility that's out
[54:55] there, but not applicable is typically
[54:57] because secure boot itself is not
[54:58] enabled. We talked a little bit about
[54:59] that before where the automatic updates
[55:01] won't actually apply. Um, the unknown
[55:05] would be that we just haven't heard back
[55:06] from that device. We just don't have any
[55:08] information about what's going on that
[55:10] device. That's typically what unknown
[55:11] means is that device just has not
[55:13] reported back through the Autopatch
[55:15] system through the Autopatch reporting
[55:16] Autopatch reporting mechanism so that
[55:18] we just don't know exactly what's going
[55:20] on with it. Those are the two most
[55:22] common ones. Anything else you guys have
[55:24] seen?
[55:26] >> We certainly see in our data cases where
[55:29] uh a device will just go away. Somebody
[55:32] closed the lid and it's been in a
[55:34] backpack for two weeks because somebody
[55:36] went on vacation. So when you're looking
[55:39] at big data, you obvious you see lots of
[55:41] those kind of things. And if you're
[55:43] looking at an enterprise environment,
[55:44] you may be seeing users who are on
[55:47] vacation or something like that. Um
[55:49] that's certainly a case we've seen. Um
[55:53] >> yeah, that's that's the unknown, right?
[55:54] Where we haven't heard back from the
[55:55] device and people, why haven't I heard
[55:57] back from the device? Well, I don't
[55:59] know. Why didn't that person call you
[56:01] back yesterday? You kind of have to ask
[56:03] that person because you know that person
[56:05] could have won the lottery and doesn't
[56:07] want to talk to you anymore you know
[56:08] something along those lines.
[56:13] Okay. So, uh I think this is our last
[56:15] question. Uh for for Surface devices, we
[56:19] see two options for secure boot. One is
[56:22] Microsoft only and two is Microsoft and
[56:25] third-party CA. Is there any guidance on
[56:28] selecting one or the other to get
[56:30] certificates updated? Uh Scott,
[56:35] >> yeah, so either one. Uh so those two
[56:38] options select different certificates
[56:40] into DB. So Microsoft only selects just
[56:43] the Microsoft uh CA that boots Windows.
[56:47] Microsoft and third-party includes the
[56:50] Microsoft CA plus the UEFI third-party CA
[56:53] that allows Linux and third-party
[56:56] software to boot on that device. In
[56:59] either case, whichever one is selected,
[57:02] Windows will apply the appropriate
[57:04] updates. If you have Microsoft only
[57:07] selected, we will only apply the update
[57:10] to the certificate you have. So we will
[57:12] only apply the new Microsoft uh Windows
[57:16] certificate. If you have Microsoft and
[57:18] third party selected, we will apply the
[57:21] new Windows certificate plus the new
[57:23] third-party certificate. So we will match
[57:25] the configuration you've chosen with the
[57:28] new certificates.
[57:32] Uh, so is there one more piece to that?
[57:35] Is it It almost sounds like they're
[57:37] trying to update the certificates by
[57:39] selecting one of these options.
[57:43] >> So if you if your Surface is up to date
[57:46] and you have the latest UEFI
[57:48] um and the UEFI is still being updated.
[57:52] So, I'm not sure this applies to the
[57:53] very oldest Surface devices, but um if
[57:57] you have the latest UEFI, I believe that
[58:00] changing one of the options and clicking
[58:03] save in UEFI will apply a new template
[58:06] that includes the new certificates. Um,
[58:10] but I'm not 100% sure that that's in all
[58:13] Surface UEFI at this point. Yeah, the
[58:15] Surface team has a detailed site that we
[58:18] link to uh for what's available, the
[58:20] minimum versions that have the new
[58:22] certificates and we can also ask one of
[58:24] our Surface teammates to come into the
[58:26] comments here and try to answer that
[58:27] more directly.
[58:30] >> Okay, I think uh we're all set here. Uh
[58:34] thank you everyone for tuning in and uh
[58:37] joining us uh and all your questions.
[58:40] Uh, one thing we'd love to hear is if
[58:44] you'd like another AMA in early June.
[58:47] Uh, so let us know in the the uh chat
[58:50] session. Uh, and remember to bookmark
[58:54] aka.ms secure boot.
[58:59] Thank you everyone. Thank you everybody.