Prepare for the expiration of the Secure Boot certificates on Windows - using Intune

#Secure #Boot #Windows #Certificates

Introduction

A major attack vector today is malware that loads before the operating system does (a bootkit, or a rootkit that hooks the boot chain), because code that runs that early can hide from and tamper with everything the OS later loads, including your security tooling. Secure Boot, a feature of UEFI, was introduced to counter this: the firmware checks that every component in the boot chain (boot manager, OS loader, option ROMs, third-party drivers) carries a digital signature that chains to a certificate in the firmware's allowed-signature database (db) and is not listed in the forbidden database (dbx), and it refuses to run anything that fails that check.

What's happening

Secure Boot relies on a set of Microsoft certificates that shipped preinstalled in the firmware of "older" devices, which in practice means almost every Windows PC, including many sold in the last 1-2 years. These certificates were issued in 2011 with a 15-year validity, so they start expiring in June 2026. Expiry does not stop an already-installed Windows from booting, but once the old certificates lapse, Microsoft can no longer ship new boot manager builds or dbx (revocation) updates signed under them, so the device stops receiving security fixes for its boot chain until the replacement 2023 certificates are in its firmware.

Microsoft is delivering the replacement (2023) certificates through normal Windows Update, but a few conditions must hold for a device to actually receive them. If you centrally manage devices with Intune, make sure that:

  1. Windows Updates are delivered through a working, centrally managed channel (Windows Update rings or Windows Autopatch), so the monthly cumulative updates that carry the certificate payload reach the devices.
  2. Windows diagnostic data is enabled at least at the Required level, and the outbound diagnostic-data endpoints are not blocked by your company's firewall or proxy. Microsoft uses this telemetry to decide whether a device is ready for the firmware update and to stage the rollout, so a device that reports nothing may simply never be offered it.

If those conditions cannot be met, there are other ways to get the certificates, one of which is a registry value that opts the device into IT-managed Secure Boot certificate updates. You can deploy it with an Intune Remediation, a detection script paired with a remediation script (samples below, provided as is; test and adapt them before use). Devices that rarely update, such as ATMs, kiosks or business-critical servers, need a more careful approach: pilot on a representative unit first, because a failed update of the firmware variables is far harder to recover from remotely than a normal patch.

Remediation Script:

# ==============================
# Intune Remediation Script - SecureBoot Registry Fix
# ==============================
# Defining log path
$LogDir  = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\SecureBoot"
$LogFile = Join-Path $LogDir "SecureBootFix.log"

# Logging Function
function Write-Log {
    param (
        [string]$Message,
        [string]$Level = "INFO"
    )
    try {
        if (-not (Test-Path $LogDir)) {
            New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
        }
        $TimeStamp = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss")
        $Entry = "$TimeStamp [$Level] $Message"
        Add-Content -Path $LogFile -Value $Entry
    } catch {
        # If logging fails, we don't stop script execution
    }
}

# Registry Variables
$RegPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
$KeyName   = "MicrosoftUpdateManagedOptIn"
$KeyValue  = 0x5944

Write-Log "Script started execution"

try {
    # Checking if the key exists
    if (-not (Test-Path -Path $RegPath)) {
        Write-Log "$RegPath doesn't exist. Trying to create..."
        try {
            New-Item -Path $RegPath -Force | Out-Null
            Write-Log "$RegPath created successfully."
        } catch {
            # ${RegPath} is braced: "$RegPath:" would be parsed as a drive-qualified variable and fail
            Write-Log "Error creating the key ${RegPath}: $($_.Exception.Message)" "ERROR"
            exit 1
        }
    } else {
        Write-Log "The key $RegPath exists already."
    }

    # Setting the value
    try {
        Set-ItemProperty -Path $RegPath -Name $KeyName -Value $KeyValue -Type DWord -Force
        Write-Log "Value $KeyName was set to $KeyValue in $RegPath."
    } catch {
        # ${KeyName} is braced for the same reason: a bare "$KeyName:" is a parse error
        Write-Log "Error setting the value ${KeyName}: $($_.Exception.Message)" "ERROR"
        exit 1
    }

} catch {
    Write-Log "Unexpected error in script: $($_.Exception.Message)" "ERROR"
    exit 1
} finally {
    Write-Log "Execution ended."
}

Detection Script:

# ==============================
# Intune Detection Script - SecureBoot Registry Check
# ==============================

# Define log path
$LogDir  = "C:\ProgramData\Microsoft\IntuneManagementExtension\Logs\SecureBoot"
$LogFile = Join-Path $LogDir "SecureBootFix-Detection.log"

# Logging function
function Write-Log {
    param (
        [string]$Message,
        [string]$Level = "INFO"
    )
    try {
        if (-not (Test-Path $LogDir)) {
            New-Item -Path $LogDir -ItemType Directory -Force | Out-Null
        }
        $TimeStamp = (Get-Date).ToString("yyyy-MM-dd HH:mm:ss")
        $Entry = "$TimeStamp [$Level] $Message"
        Add-Content -Path $LogFile -Value $Entry
    } catch {
        # Do not block execution if logging fails
    }
}

# Registry variables
$RegPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot"
$KeyName   = "MicrosoftUpdateManagedOptIn"
$ExpectedValue = 0x5944

Write-Log "Detection script execution started."

try {
    if (-not (Test-Path -Path $RegPath)) {
        Write-Log "Registry key $RegPath does not exist." "WARN"
        exit 1
    }

    $CurrentValue = (Get-ItemProperty -Path $RegPath -Name $KeyName -ErrorAction SilentlyContinue).$KeyName

    if ($null -eq $CurrentValue) {
        Write-Log "Registry value $KeyName not found in $RegPath." "WARN"
        exit 1
    }

    if ($CurrentValue -eq $ExpectedValue) {
        Write-Log "Registry value $KeyName is set correctly to $ExpectedValue." "INFO"
        exit 0
    } else {
        Write-Log "Registry value $KeyName is $CurrentValue, expected $ExpectedValue." "WARN"
        exit 1
    }

} catch {
    Write-Log "Unexpected error: $($_.Exception.Message)" "ERROR"
    exit 1
} finally {
    Write-Log "Detection script execution finished."
}
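Once the opt-in value is deployed and the update and diagnostic-data prerequisites from the list above are in place, it is worth confirming on a sample device that everything is actually there and that the firmware has received the 2023 certificates. The following PowerShell is an added example, not code from the original post or from Microsoft. The registry locations, the opt-in value 0x5944, and the certificate names 'Windows UEFI CA 2023' and 'Microsoft Corporation KEK 2K CA 2023' come from Microsoft's published guidance; the function name, the output fields and the use of S: as a temporary mount point for the EFI system partition are this example's own choices. Run it from an elevated 64-bit PowerShell session; it only reads state, apart from temporarily mounting and unmounting the EFI system partition.

```powershell
# Added example (not from the original post): read-only readiness / verification check
# for the Secure Boot certificate rollout. Assumptions: elevated 64-bit PowerShell on a
# UEFI device; drive letter S: is free to use as a temporary ESP mount point.

function Get-SecureBootCertReadiness {
    [CmdletBinding()]
    param ()

    $result = [ordered]@{
        SecureBootEnabled  = $null
        OptInValuePresent  = $false
        TelemetryPolicy    = 'not set by policy'
        DbHas2023WindowsCA = $false
        KekHas2023CA       = $false
        BootMgrSignerCA    = 'unknown'
    }

    # 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS / unsupported
    #    platforms, in which case none of the firmware checks below apply.
    try {
        $result.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $result.SecureBootEnabled = $false
        return [pscustomobject]$result
    }

    # 2. The IT-managed opt-in value written by the remediation script (0x5944).
    $sb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot' -ErrorAction SilentlyContinue
    if ($null -ne $sb -and $sb.MicrosoftUpdateManagedOptIn -eq 0x5944) {
        $result.OptInValuePresent = $true
    }

    # 3. Diagnostic data level as set by Group Policy / Intune (AllowTelemetry):
    #    0 = Security, 1 = Required (Basic), 2 = Enhanced, 3 = Optional (Full).
    #    0 is below what the rollout needs; no policy means the local setting applies.
    $dc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection' -ErrorAction SilentlyContinue
    if ($null -ne $dc -and $null -ne $dc.AllowTelemetry) {
        $result.TelemetryPolicy = switch ($dc.AllowTelemetry) {
            0       { 'Security (0) - too low for the rollout' }
            1       { 'Required (1)' }
            2       { 'Enhanced (2)' }
            3       { 'Optional (3)' }
            default { "unknown ($($dc.AllowTelemetry))" }
        }
    }

    # 4. Has the firmware already received the 2023 CAs? db and KEK are raw
    #    EFI_SIGNATURE_LIST blobs; the certificate subject names are present as ASCII
    #    inside the DER, so a substring match is a sufficient presence test.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $result.DbHas2023WindowsCA = $db  -match 'Windows UEFI CA 2023'
    $result.KekHas2023CA       = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # 5. Which CA issued the signing certificate of the installed boot manager.
    #    'Microsoft Windows Production PCA 2011' = old chain, 'Windows UEFI CA 2023' = new.
    $espLetter = 'S:'
    $mountedHere = $false
    if (-not (Test-Path $espLetter)) {
        mountvol $espLetter /s | Out-Null      # expose the EFI system partition
        $mountedHere = $true
    }
    $bootmgr = Join-Path $espLetter 'EFI\Microsoft\Boot\bootmgfw.efi'
    if (Test-Path $bootmgr) {
        $sig = Get-AuthenticodeSignature -FilePath $bootmgr
        if ($sig.SignerCertificate) { $result.BootMgrSignerCA = $sig.SignerCertificate.Issuer }
    }
    if ($mountedHere) { mountvol $espLetter /d | Out-Null }   # unmount only if we mounted it

    [pscustomobject]$result
}

Get-SecureBootCertReadiness | Format-List
```

Reading the output: OptInValuePresent true with DbHas2023WindowsCA and KekHas2023CA still false means the device is opted in but the update has not been applied yet, so check the update ring assignment and that diagnostic data is flowing. Both true plus a BootMgrSignerCA containing 'Windows UEFI CA 2023' means the device has moved fully to the new chain. If drive letter S: is already taken on your builds, change $espLetter before running.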

Conclusion

If security matters to you, your team or your organization, take this seriously and make sure your devices receive the updated certificates before the 2011 ones expire. The steps above should get you there; for the full technical detail, consult Microsoft's official articles on the topic (reference1, reference2). As usual, thanks for reading; I hope you found it useful. Become a member if you want to keep up with the latest posts and access premium content.