Skip to content

Add Environment Validator TSG: AzStackHci_Security_SecureBootStatus (Secure Boot 2023 certificate status)#320

Open
1008covingtonlane wants to merge 1 commit into
Azure:mainfrom
1008covingtonlane:tsg-security-secureboot-status
Open

Add Environment Validator TSG: AzStackHci_Security_SecureBootStatus (Secure Boot 2023 certificate status)#320
1008covingtonlane wants to merge 1 commit into
Azure:mainfrom
1008covingtonlane:tsg-security-secureboot-status

Conversation

@1008covingtonlane

Copy link
Copy Markdown
Collaborator

What

Adds an Environment Validator remediation guide for the Security check AzStackHci_Security_SecureBootStatus, which reports each node's 2023 Secure Boot certificate rollout posture (the CVE-2023-24932 / BlackLotus mitigation; the 2011 Secure Boot certificates expire in June 2026).

The check

It reports whether the Windows Boot Manager is updated to the Windows UEFI CA 2023 signed version and in use, and whether the four 2023 certificates are installed (Windows UEFI CA 2023, Microsoft UEFI CA 2023, Microsoft Option ROM UEFI CA 2023 in db, and Microsoft Corporation KEK 2K CA 2023 in KEK).

What the guide covers

  • Read the Detail, not the Status: the validator is informational and always reports a SUCCESS status, so detection reads the result Detail (a certificate Installed: False, or a Boot Manager status other than BootManagerUpdatedAndInUse) and cross-checks the product cmdlet Test-AzSSecureBootUpdateCompleted.
  • When it runs: pre-deployment readiness and the pre-update health check (pre-update prechecks verify the Secure Boot cert state from release 2604+).
  • Failure signatures, how to identify affected nodes, and consequences.
  • Remediation via the supported product path: apply the Azure Local 2603+ Solution Update (built-in orchestration installs the certs node-by-node), plus OEM BIOS firmware where a node is below the OEM minimum. It does not hand-roll registry edits.
  • Re-validate to passing with Test-AzSSecureBootUpdateCompleted and a re-run of the pre-update health check.

Cross-links (background + detailed procedure)

Notes

  • Lint Grade A (H1 = canonical check name, severity, where-it-appears, verify-the-fix, balanced fences); prose follows the no spaced double-hyphen convention.
  • Internally validated: the env-checker detection and the product verify cmdlet were confirmed live and agree on a lab node. The certificate-install remediation is the product-owned Solution Update orchestration (validated by the product team; not reproducible on a nested VM). INTERNAL USE ONLY -- findings must be independently validated before action.

…Secure Boot 2023 certificate status)

Remediation guide for the Security Environment Validator check
AzStackHci_Security_SecureBootStatus, which reports each node's 2023 Secure Boot
certificate rollout posture (the CVE-2023-24932 mitigation; the 2011 certificates
expire in June 2026).

The validator is informational and always reports a SUCCESS status, so the guide's
detection reads the result Detail (a certificate Installed: False, or a Boot Manager
status other than BootManagerUpdatedAndInUse), not the status field, and cross-checks
the product cmdlet Test-AzSSecureBootUpdateCompleted. It documents when the check runs
(pre-deployment readiness and the pre-update health check), the failure signatures,
how to identify affected nodes, the remediation via the Azure Local 2603+ Solution
Update orchestration plus OEM BIOS firmware where required, and how to re-validate to
passing.

It cross-links the canonical Secure Boot update guides for the detailed procedure:
- TSG/Security/TSG-Azure-Local-UEFI-2023-Secure-Boot-Update.md
- the Manage Secure Boot updates article on Microsoft Learn

Adds the TSG markdown and a README index entry.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a new Environment Validator troubleshooting guide (TSG) for the Security check AzStackHci_Security_SecureBootStatus, which reports each node's 2023 Secure Boot certificate rollout posture (the CVE-2023-24932 / BlackLotus mitigation ahead of the 2011 Secure Boot certificates expiring in June 2026). It fits into the existing TSG/EnvironmentValidator collection of remediation guides and cross-links to the canonical TSG/Security/TSG-Azure-Local-UEFI-2023-Secure-Boot-Update.md. The guide's core message is that this validator is informational (always SUCCESS status), so detection must read the result Detail and cross-check the product cmdlet Test-AzSSecureBootUpdateCompleted.

The content is documentation-only, uses read-only PowerShell (Get-/Test-/Invoke-Command reads, plus the state-neutral Invoke-SolutionUpdatePrecheck -SystemHealth), and is internally consistent with the canonical Secure Boot TSG (registry path/values, verbose components, BIOS cmdlet) and with established repo patterns (Invoke-SolutionUpdatePrecheck/Get-SolutionUpdateEnvironment usage matches Known-Issue-AllResults-...md). The README link matches the new filename, the cross-linked TSG exists, and the external Microsoft Learn link correctly omits a release version.

Changes:

  • Adds Troubleshoot-AzStackHci_Security_SecureBootStatus.md: detection (read Detail not Status), failure signatures, affected-node identification, consequences, remediation via the 2603+ Solution Update / OEM BIOS, and verification.
  • Registers the new guide in the EnvironmentValidator README.md table of contents.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
TSG/EnvironmentValidator/Troubleshoot-AzStackHci_Security_SecureBootStatus.md New TSG documenting detection, failure signatures, remediation, and verification for the Secure Boot 2023 certificate status check.
TSG/EnvironmentValidator/README.md Adds a TOC entry linking to the new TSG.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants