Check PBA Prerequisites - availability of CA-certificate "Microsoft Corporation UEFI CA 2011"
Many new notebook systems of the manufacturers HP and Lenovo are shipped with the CA-certificate
"Microsoft Corporation UEFI CA 2011" disabled in their firmware settings.
The DriveLock-PBA is signed with this CA-certificate. So this CA-certificate needs to be enabled and
available on a system in advance of installing the DriveLock-PBA.
The installation routine of the DriveLock-PBA should verify if this CA-certificate is enabled and available on a system
when attempting to install the PBA, and write a message of level=Error when detecting this CA-certificate is not available
on a system.
With this enhancement the administrator of a DriveLock environment will be able to monitor for that event in the DOC and
will then know the DriveLock-PBA could not be installed on a certain system because that CA-certificate is not available.
Since version 23.1 there is a message with EventID=757 “SecureBoot is enabled but the Microsoft Corporation UEFI CA 2011 certificate is missing.” This function is therefore already implemented. Please configure this event in a policy so that it is sent from clients to the DES.
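The prerequisite check the request describes (Secure Boot on, but the "Microsoft Corporation UEFI CA 2011" certificate absent from the firmware's allowed-signature database) can be reproduced by an administrator before rolling out the PBA. The following PowerShell is an added example and not DriveLock's installer code; it walks the EFI_SIGNATURE_LIST entries of the UEFI `db` variable with the standard Secure Boot cmdlets (`Confirm-SecureBootUEFI`, `Get-SecureBootUEFI`), extracts the X.509 entries and matches on the certificate subject. The function names and the GUID constant for EFI_CERT_X509_GUID are taken from the UEFI specification, not from the page. It must run in an elevated session on a UEFI system.

```powershell
# Added example (not DriveLock code): verify that the UEFI 'db' variable contains the
# "Microsoft Corporation UEFI CA 2011" certificate the DriveLock-PBA is signed with.
# Assumptions: Windows, elevated PowerShell, UEFI firmware with Secure Boot support.

$WantedSubject   = 'Microsoft Corporation UEFI CA 2011'              # from the request
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'      # EFI_CERT_X509_GUID (UEFI spec)

function Get-UefiDbCertificates {
    # Parse every EFI_SIGNATURE_LIST in 'db' and return the X.509 certificates it contains.
    # Layout per list: SignatureType GUID(16) | SignatureListSize(4) | SignatureHeaderSize(4) |
    #                  SignatureSize(4) | SignatureHeader | N x (SignatureOwner GUID(16) + DER cert)
    $bytes  = [byte[]](Get-SecureBootUEFI -Name db).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type          = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize      = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize    = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $signatureSize = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }          # malformed list: stop instead of looping forever
        if ($type -eq $EfiCertX509Guid) {
            $sigOffset = $offset + 28 + $headerSize
            $end       = $offset + $listSize
            while ($sigOffset + $signatureSize -le $end) {
                # skip the 16-byte SignatureOwner GUID; the rest of the entry is the DER certificate
                $der = [byte[]]$bytes[($sigOffset + 16)..($sigOffset + $signatureSize - 1)]
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $sigOffset += $signatureSize
            }
        }
        $offset += $listSize
    }
}

function Test-PbaSigningCaPresent {
    # Returns $true when the prerequisite is met. Mirrors the condition the thread says
    # DriveLock reports as EventID 757 when it is not met.
    try {
        $secureBoot = Confirm-SecureBootUEFI
    } catch {
        Write-Warning "Secure Boot state could not be read (legacy BIOS or unsupported firmware): $_"
        return $false
    }
    if (-not $secureBoot) {
        Write-Warning 'Secure Boot is disabled; the db certificate check does not apply.'
        return $true
    }
    $match = Get-UefiDbCertificates | Where-Object { $_.Subject -like "*CN=$WantedSubject*" }
    if ($match) {
        Write-Output "OK: '$WantedSubject' is present in db (thumbprint $($match[0].Thumbprint))"
        return $true
    }
    Write-Error "SecureBoot is enabled but the $WantedSubject certificate is missing."
    return $false
}

# Usage: exit code 0 when the PBA signing CA is available, 1 otherwise (handy in a deployment pre-check)
if (Test-PbaSigningCaPresent) { exit 0 } else { exit 1 }
```

The subject-name match is deliberate: it does not depend on a hard-coded thumbprint, and it still distinguishes the 2011 UEFI CA from the other Microsoft certificates commonly found in `db`. Firmware that ships the certificate but exposes a toggle for it in the setup menu (the HP and Lenovo case described above) will simply not list it in `db` while the toggle is off, so this check reports the same condition the installer's event 757 does.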
-
Martin Reifenrath commented
For me it seems this functionality is already available since version 23.1.
If configured/enabled in a policy, a client should report a message with EventID=757 "SecureBoot ist aktiviert aber das Microsoft Corporation UEFI CA 2011 Zertifikat fehlt." in this situation.