UPDATE! - Microsoft has added SBAT issues to their "KNOWN" issues list and added a work-around so that the latest KB can be applied without enabling the enforcement of SBAT.
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-23H2#3377msgdesc
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\SBAT /v OptOut /d 1 /t REG_DWORD
“Workaround: If you haven’t finalized the installation of the August 2024 update with a reboot yet, you can use the below opt-out registry key, so your device doesn’t install this update. You will be able to delete the registry key if you want to install future SBAT updates later on. “
Note: OpenText is still working to ensure all of its UEFI Bootloaders are SBAT compatible and are making progress with both FDE and PXE. (Note: Please keep PXE to another thread.)
--
Important: Additional Testing Indicates that Disabling the PBA may not work. It may fail with any ZENworks FDE Encrypted Drive.
It may be necessary to disable "Secure Boot" to prevent the issue.
See - portal.microfocus.com/.../KM000033036
There is a potential conflict with KB5041580(Win10) and KB5041585(Win11) and the ZENworks FDE.
--
With FDE Installed, one may get the following error until "Secure Boot" is disabled.
If this happens disable secure boot.
Note: Before SecureBoot can be re-enabled, the assigned FDE Policy needs to be removed AND the device decrypted. Until both are done, the FDE UEFI bootloader remains in place and the error will remain. If "Encryption Lockdown" was enabled in the policy, then simply removing the FDE Policy or even removing the FDE Agent spoke will not unencrypt the drive remove the ZENworks FDE UEFI Bootloader until the device is explicitly decrypted. More details on this will be forthcoming.
--
If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button
Be sure to "Like" My (and a few others) Cool Solutions below!
https://community.microfocus.com/members/craigdwilson/bookmarks