Add Environment Validator TSG: AzStackHci_Security_SecureBootStatus (Secure Boot 2023 certificate status)#320
Conversation
…Secure Boot 2023 certificate status) Remediation guide for the Security Environment Validator check AzStackHci_Security_SecureBootStatus, which reports each node's 2023 Secure Boot certificate rollout posture (the CVE-2023-24932 mitigation; the 2011 certificates expire in June 2026). The validator is informational and always reports a SUCCESS status, so the guide's detection reads the result Detail (a certificate Installed: False, or a Boot Manager status other than BootManagerUpdatedAndInUse), not the status field, and cross-checks the product cmdlet Test-AzSSecureBootUpdateCompleted. It documents when the check runs (pre-deployment readiness and the pre-update health check), the failure signatures, how to identify affected nodes, the remediation via the Azure Local 2603+ Solution Update orchestration plus OEM BIOS firmware where required, and how to re-validate to passing. It cross-links the canonical Secure Boot update guides for the detailed procedure: - TSG/Security/TSG-Azure-Local-UEFI-2023-Secure-Boot-Update.md - the Manage Secure Boot updates article on Microsoft Learn Adds the TSG markdown and a README index entry.
There was a problem hiding this comment.
Pull request overview
This PR adds a new Environment Validator troubleshooting guide (TSG) for the Security check AzStackHci_Security_SecureBootStatus, which reports each node's 2023 Secure Boot certificate rollout posture (the CVE-2023-24932 / BlackLotus mitigation ahead of the 2011 Secure Boot certificates expiring in June 2026). It fits into the existing TSG/EnvironmentValidator collection of remediation guides and cross-links to the canonical TSG/Security/TSG-Azure-Local-UEFI-2023-Secure-Boot-Update.md. The guide's core message is that this validator is informational (always SUCCESS status), so detection must read the result Detail and cross-check the product cmdlet Test-AzSSecureBootUpdateCompleted.
The content is documentation-only, uses read-only PowerShell (Get-/Test-/Invoke-Command reads, plus the state-neutral Invoke-SolutionUpdatePrecheck -SystemHealth), and is internally consistent with the canonical Secure Boot TSG (registry path/values, verbose components, BIOS cmdlet) and with established repo patterns (Invoke-SolutionUpdatePrecheck/Get-SolutionUpdateEnvironment usage matches Known-Issue-AllResults-...md). The README link matches the new filename, the cross-linked TSG exists, and the external Microsoft Learn link correctly omits a release version.
Changes:
- Adds
Troubleshoot-AzStackHci_Security_SecureBootStatus.md: detection (read Detail not Status), failure signatures, affected-node identification, consequences, remediation via the 2603+ Solution Update / OEM BIOS, and verification. - Registers the new guide in the EnvironmentValidator
README.mdtable of contents.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| TSG/EnvironmentValidator/Troubleshoot-AzStackHci_Security_SecureBootStatus.md | New TSG documenting detection, failure signatures, remediation, and verification for the Secure Boot 2023 certificate status check. |
| TSG/EnvironmentValidator/README.md | Adds a TOC entry linking to the new TSG. |
What
Adds an Environment Validator remediation guide for the Security check
AzStackHci_Security_SecureBootStatus, which reports each node's 2023 Secure Boot certificate rollout posture (the CVE-2023-24932 / BlackLotus mitigation; the 2011 Secure Boot certificates expire in June 2026).The check
It reports whether the Windows Boot Manager is updated to the Windows UEFI CA 2023 signed version and in use, and whether the four 2023 certificates are installed (Windows UEFI CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023 in
db, and Microsoft Corporation KEK 2K CA 2023 inKEK).What the guide covers
Detail(a certificateInstalled: False, or a Boot Manager status other thanBootManagerUpdatedAndInUse) and cross-checks the product cmdletTest-AzSSecureBootUpdateCompleted.Test-AzSSecureBootUpdateCompletedand a re-run of the pre-update health check.Cross-links (background + detailed procedure)
Notes