I took a look at the scripts and the documentation.
I'm no PowerShell expert, but they seem to be designed for domain-joined computers.
No idea why we're seeing these scripts on standalone computers.
Side note:
@garlin, the May updates/patches have not updated Secure Boot on either my SP9 or Dell Inspiron 3910.
Pretty sure it's related to the fact that on those 2 computers telemetry is completely disabled.
Whether you're allowing telemetry has no bearing on Windows automatically pushing the update.
Let's imagine you're MS. You completely understand the update process, and have talked to the vendors. The big unknown is all the weird possible permutations of motherboards and BIOS versions. Maybe if you installed a later BIOS for this PC, it would naturally have the CA 2023 certs. But the older version of the BIOS doesn't support an easy upgrade. Say you know some older PC's have a really crappy BIOS that was commonly licensed to PC makers. Later on, everyone switched to a much better BIOS.
There's no way in a short, compressed schedule to test every combination out there. You could decide YOLO ("You Only Live Once") and just try your luck. Maybe the update will work, other times it will fail. Failure is unlikely to leave you with a broken PC, if you don't switch boot managers or ban PCA 2011 until all the CA 2023 certs are safely installed.
Sounds reasonable. But large companies are famously no fun. Who's going to be the first guinea pig?
Well, if MS captures their data (through Secure Boot task creating noisy TPM-WMI events, and voluntarily sending this data), they can get an idea of how the process worked. But that's only a small fraction of possible PC's out there.
A few large companies will be YOLO'ing as brave pioneers. But if nobody else is helping out, by either delaying updates to the last possible moment or not sharing telemetry, MS is running blind.
They could force the CA 2023 update process on everyone, and risk a sea of angry customers complaining that TPM-WMI event errors are popping up.
Because nobody's co-operating at a grand scale (or is just hesitant), your PC doesn't get the green light to YOLO. This PC might have easily done the upgrade with no problem, or it might end up as supported. You hiding your telemetry data from MS isn't going to move the needle, because they need to collect a lot of data samples before green-lighting your PC model.
Instead it stays at "More Data Needed" forever. Maybe one day you get moved to the "High Confidence" bucket. Or not... The reality is MS has blocked a lot of PC's because they're unsure what will happen.
What would be devious is to randomly pick some "More Data Needed" PC's and secretly run the update, just to collect feedback data. Eventually MS will be forced into this position, but for now they're trying not to annoy the big companies.
I have seen some of the Confidence data as presented inside the CAB files, and what they published on GitHub. The data is hot garbage of badly parsed HW details. And that doesn't include the MS internal secret data: how many PC's out there are classified into which unique BucketID, and how many of those PC's succeeded. MS will never share the secret data used for decision making. So you're patiently waiting as an outsider for the day your PC gets moved to "High Confidence".
Don't believe the stupid E2E hype. Just test a stupid PC, and see if it worked. If you have several of the exact same PC model, then force an update across all of them. Keep going model by model, until you run out of models. Does this sound terrible for an IT admin working at a large company? I hope your manager will give you additional resources.
The real deadline isn't so much the Oct 2026 date. It's the threat that a serious new boot manager bug is found after October, and it must be replaced immediately, and you're not done with the migration process in order to use the fixed boot file to close the security hole. Because if you don't have the CA 2023 certs installed, and CA 2011 locked out, then your PC can be exposed to a very real problem on the magnitude of Black Lotus.
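The "just test a PC and see if it worked" advice above needs a way to read the result off the machine. The following is an added example, not a script from the thread or from Microsoft's CAB/GitHub material: a read-only PowerShell check that reports whether the Windows UEFI CA 2023 certificate is in the Secure Boot db, whether PCA 2011 has been revoked into dbx, and what the servicing task has logged through the TPM-WMI provider the posts mention. It assumes the built-in SecureBoot module (Get-SecureBootUEFI, Confirm-SecureBootUEFI) and an elevated prompt; the `SecureBoot\Servicing` registry key and its `UEFICA2023Status` value are taken from Microsoft's KB5025885 guidance and should be verified against the current KB before relying on them.

```powershell
# Added example: read-only Secure Boot CA 2023 state check for one PC.
# Not code from the thread; requires an elevated PowerShell on a UEFI system.

function Get-SecureBootCA2023State {
    [CmdletBinding()]
    param()

    $state = [ordered]@{
        SecureBootEnabled = $false
        Ca2023InDb        = $false   # "Windows UEFI CA 2023" present in db
        Pca2011InDb       = $false   # "Microsoft Windows Production PCA 2011" still trusted in db
        Pca2011Revoked    = $false   # PCA 2011 present in dbx (locked out)
        ServicingStatus   = $null    # UEFICA2023Status from the Servicing key (assumed name, see lead-in)
    }

    # Confirm-SecureBootUEFI throws on legacy BIOS / unsupported firmware; treat that as "disabled".
    try { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { }

    if ($state.SecureBootEnabled) {
        # db and dbx are binary EFI_SIGNATURE_LISTs. The certificate subject names survive as
        # plain ASCII inside the DER blobs, so a substring match gives a coarse yes/no answer
        # without parsing the structure (the same check Microsoft's KB uses).
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)

        $state.Ca2023InDb     = [bool]($db  -match 'Windows UEFI CA 2023')
        $state.Pca2011InDb    = [bool]($db  -match 'Microsoft Windows Production PCA 2011')
        $state.Pca2011Revoked = [bool]($dbx -match 'Microsoft Windows Production PCA 2011')
    }

    $servicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    if (Test-Path $servicingKey) {
        $props = Get-ItemProperty -Path $servicingKey -ErrorAction SilentlyContinue
        $state.ServicingStatus = $props.UEFICA2023Status
    }

    [pscustomobject]$state
}

function Get-SecureBootServicingEvents {
    # Most recent System-log events from the TPM-WMI provider, which is where the
    # Secure Boot servicing task reports progress and failures.
    param([int]$Newest = 20)

    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI' } `
                 -MaxEvents $Newest -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName,
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Usage:
Get-SecureBootCA2023State | Format-List
Get-SecureBootServicingEvents | Format-Table -AutoSize
```

Reading the output: `Ca2023InDb = True` with `Pca2011Revoked = True` means this PC has finished the migration the posts describe and a CA 2023-signed boot manager can be the only one trusted; `Ca2023InDb = False` means the firmware has not yet received the new certificate, regardless of which confidence bucket Microsoft has the model in. The event list is the local record of what the servicing task actually did, which is the only feedback you get when telemetry is off.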