Kaido Järvemets

Join me docs.kaidojarvemets.com/training/secur…

In case you missed it in the February KB5077241 update, Microsoft quietly added two new PowerShell cmdlets for Secure Boot verification: Get-SecureBootSVN - checks the Secure Version Number of your firmware and bootloader and reports compliance status. This tells you whether your device is protected against boot manager rollback attacks (CVE-2023-24932). Get-SecureBootUEFI -Decoded - finally displays Secure Boot keys and certificates in a human-readable format.

This girl trained her birds to play dead when she goes “phew.” The last one had to make sure it was serious first.

What a great idea!

You can now schedule recurring cloud-based tasks on Claude Code. Set a repo (or repos), a schedule, and a prompt. Claude runs it via cloud infra on your schedule, so you don’t need to keep Claude Code running on your local machine.

“claude, spend 250k. no mistakes”

WatchTower Entra ID Investigator is now available. After months of building, testing, and one case-sensitive UPN that nearly broke us — it's live. WatchTower pulls sign-in data from Microsoft Graph API and organizes it into structured views so security teams can investigate any Entra ID account in minutes instead of hours. What you get: - Dashboard with data quality verification - Device, location, application, and timeline analysis - Session analytics with activity heatmaps - Conditional Access policy evaluation - AI-powered analysis - Full data export for evidence Built for incident responders, security analysts, and compliance teams who are tired of raw sign-in logs. Learn more: docs.kaidojarvemets.com/products/entra… And yes, there's cake.

@angry_tarsier Yes.

@kaidja Preparing for Secure Boot UEFI CA expiration?

This week From the field this week: pushing BIOS updates across the fleet. No major failures or issues so far. Discovered some Dell machines that required a physical screen connected to the workstation for the BIOS update to complete. Took a moment to figure out what was going on, but that is the reality of working across different vendors and models. Two machines shut down after the first reboot and needed a manual power-on. Nothing catastrophic. So far so good and hopefully it continues the same way over the next couple of months.

I'm running a 4-hour Secure Boot Workshop on April 8, 2026. Microsoft's Secure Boot certificates expire in June-October 2026. Every Windows device with Secure Boot enabled needs a BIOS update and certificate deployment before the deadline. I built the assessment and deployment tooling for this. In this workshop, I walk through all of it: - Fleet assessment for SCCM, Intune, and Azure VMs - BIOS version comparison against Dell, HP, and Lenovo minimum requirements - BIOS updates via SCCM packages and Intune driver update policies - Certificate deployment through Intune Settings Catalog, ConfigMgr baselines, and GPO - Live progress tracking with Teams and SharePoint 10 spots. €250 per person. All participants get access to the tools. Workshop details: docs.kaidojarvemets.com/training/secur…

This is the greatest video ever made

Jensen Huang: "If that $500,000 engineer did not consume at least $250,000 worth of tokens, I am going to be deeply alarmed. This is no different than a chip designer who says 'I'm just going to use paper and pencil. I don't think I'm going to need any CAD tools.'"

We just released Claude Code channels, which allows you to control your Claude Code session through select MCPs, starting with Telegram and Discord. Use this to message Claude Code directly from your phone.

@frankv1971 PowerShell?

@kaidja Is there an option to check your servers (physical and virtual) if secure boot has been updated with the new certificate without Intune?

Secure Boot BIOS Assessment v2.2 is out. Two new additions: Intune Fleet Assessment Module - a standalone package for Intune-managed (MDM-only) environments. Queries the Microsoft Graph API for device hardware inventory and runs it through the same BIOS comparison engine and vendor databases. Same report, different data source. Live Ops Tracker for Teams - a step-by-step blueprint for building live operational dashboards directly in Microsoft Teams. Covers SharePoint list creation via Graph API, Azure Automation with managed identity (fully passwordless), webhook processing, scheduled backend jobs, and view formatting. Not limited to Secure Boot. Works for any tracking scenario: Windows 11 migrations, compliance baselines, security incidents, hardware refresh planning. 14 weeks until the June 2026 enforcement deadline. #SecureBoot #Windows #UEFI #BIOS #Intune #SCCM #ConfigMgr #CyberSecurity #ITAdmin #Firmware #MicrosoftTeams #AzureAutomation

4-hour Secure Boot Workshop on April 8. Secure Boot certificates expire June-October 2026. I built the assessment tooling and I'll walk through the full process: fleet assessment (SCCM, Intune, Azure), BIOS updates, and certificate deployment. 10 spots. €250. Tools included. Register here: docs.kaidojarvemets.com/training/secur… #Windows #Azure

the catfu master chose not to argue 🐱

The Global Secure Boot Certificate Committee has officially recognized my contribution to the field and awarded me the Secure Boot Certificate Updater Ninja badge. It is an honor to be seen by the committee. It is an even greater honor to update certificates at this level. I do not do this for fame. I do it for boot integrity. #SecureBoot #Windows #PatchManagement #BadgeUnlocked #NinjaStatus

@PParantainen It is all on my docs.kaidojarvemets.com but for paid members only.

@kaidja Where you can find this?

Secure Boot BIOS Assessment v2 is out. The 2026 Secure Boot certificate deadline is approaching fast. Every physical Windows device needs a BIOS update and certificate deployment before enforcement hits. v2 makes it easier to track where your fleet stands. What's new: - Separate workstation and server assessment pipelines - Vendor databases expanded: Dell 1,272 models, HP 646 models, Lenovo 1,001 models - New CATALOG_ONLY status for models in vendor catalogs without a confirmed Secure Boot minimum version - INVESTIGATE flag for Lenovo machine type mismatches The fleet assessment tells you which devices need BIOS updates. More things on the pipeline. #SecureBoot #Windows #UEFI #BIOS #Intune #SCCM #ConfigMgr #CyberSecurity #ITAdmin #Firmware

Published a new guide on my docs site for paid members.