Secure Boot Certificate Installation Instructions

Minimum Version

This DEX Pack requires SysTrack version 11.4 or higher.

Notes

• After this DEX Pack is installed, it may take up to 24 hours for data to appear.

• If you update or reinstall this DEX Pack, you must reassign any Views created below to the SF_SecureBootCert Role.

Import Kit

To use this DEX Pack, the corresponding Kit must be imported to SysTrack.

If you have already imported the DEX Pack directly from the Kits page, the Import Kit step is complete. You may move on to the next step.

If you are viewing this DEX Pack in the Customer Gateway, follow these steps to import this DEX Pack Kit:

1. On the DEX Pack page, download the DEX Pack ZIP file.

2. In SysTrack, open Kits.

3. Under Local, click Select Kit File.

4. Select the DEX Pack ZIP File.

Enable Action

1. Verify you have unlocked the tenant next to your username.

2. In Configure, click Collection Extensions on the left.

3. Select Action Governance.

4. Find the SecureBootCert action in the list and check approved and enabled on the far right for all.

5. Click Save Changes at the top right.

SecureBootCert View

The Secure Boot Certificate Dashboard requires you to make a View for the SF_SecureBootCert Role.

1. Go to Configure > Views,

2. Click the padlock in the upper-right to edit.

3. Click the plus to add a new View.

4. Enter the following Settings:

   1. View Name: SecureBootCert

   2. Expires in: Never

   3. Existing Category: Custom

   4. When Expired: Overwrite Data

   5. Do not check when overdue by 1 day(s)

   6. Set the Refresh drop-downs to Daily, Inside 24x7, and Every Day

5. Copy this SQL query, and paste it under SQL Selection > Generic

6. Click Test SQL. A Test Success message should appear. If the test fails, the query may have been copied incorrectly.

7. Click Create View at the top-right.

To assign the new View:

1. Navigate to Configure > Roles.

2. Use the drop-down at the top to select the SF_SecureBootCert Role.

3. Click Views, then check the box next to SecureBootCert.

4. Click Save Changes at the top-right.

SecureBootCert SQL Query

SELECT
    T0.WGUID,
    T0.NextStep AS [NextStep],
    T0.Step1_BitLockerKeysBackedUp AS [Step1_BitLockerKeysBackedUp],
    T0.Step2_SecureBootUpdateTriggered AS [Step2_SecureBootUpdateTriggered],
    T0.Step3_SecureBootTaskRan AS [Step3_SecureBootTaskRan],
    T0.Step4_NewCertsStaged AS [Step4_NewCertsStaged],
    T0.Step5_Reboot1_ToApplyCerts AS [Step5_Reboot1_ToApplyCerts],
    T0.Step6_Reboot2_ToUpdateBootMgr AS [Step6_Reboot2_ToUpdateBootMgr],
    T0.Step7_SecureBootComplete AS [Step7_SecureBootComplete],
    T0.Step1_ViaSysTrack AS [Step1_ViaSysTrack],
    T0.Step2_ViaSysTrack AS [Step2_ViaSysTrack],
    T0.Step3_ViaSysTrack AS [Step3_ViaSysTrack],
    T0.SoonestMsCertExpiryDate AS [SoonestMsCertExpiryDate],
    T1.STRVALUE AS [SoonestMsCertExpiryName],
    T0.SoonestOemCertExpiryDate AS [SoonestOemCertExpiryDate],
    T2.STRVALUE AS [SoonestOemCertExpiryName],
    T3.STRVALUE AS [UpdateError]
FROM DYNI_SecureBootCertCheck AS T0
LEFT JOIN SASTR_DYN T1 ON T1.STRINGID = T0.SoonestMsCertExpiryName
LEFT JOIN SASTR_DYN T2 ON T2.STRINGID = T0.SoonestOemCertExpiryName
LEFT JOIN SASTR_DYN T3 ON T3.STRINGID = T0.UpdateError

SF_SecureBootCert Role

The Secure Boot Certificate DEX Pack requires you to assign the SF_SecureBootCert Role to the relevant Configurations:

1. Navigate to Configure > Configurations.

2. Click the padlock icon in the upper-right to enable editing.

3. Use the drop-down at the top to select a relevant Configuration, or create a new Configuration.

4. Assign the SF_SecureBootCert Role to the Configuration by dragging it from Available Roles to Assigned Roles.

5. Click Save Changes at the top-right.

6. Repeat this process for any other relevant Configurations.