A Closer Look at the High Confidence Database
Original publish date: March 10, 2026
KB ID: 5084464
Introduction and scope
The High Confidence Database supports how Windows delivers Secure Boot certificate updates by identifying device and firmware configurations that have demonstrated successful update behavior based on observed servicing and reliability signals.
This article explains what the High Confidence Database represents, how confidence is determined, and how the data is published and used by Windows servicing. It is intended for IT professionals, security teams, and support engineers who want to understand how confidence data informs Secure Boot certificate update decisions, including how this data is surfaced through cumulative updates and published for customer visibility.
What the High Confidence Database represents
The High Confidence Database reflects Microsoft’s assessment of which device and firmware configurations are ready to receive Secure Boot certificate updates based on observed servicing and reliability signals.
Given the scale and diversity of hardware and firmware combinations in the Windows ecosystem, the database provides a practical way to evaluate update readiness by grouping devices with similar characteristics and measuring real‑world update outcomes. This confidence data is included in cumulative updates to help Windows deliver Secure Boot certificate updates in a controlled manner that prioritizes successful outcomes.
Limitations and coverage considerations
The High Confidence Database reflects where Microsoft has sufficient observed servicing data to assess Secure Boot certificate update readiness. Most of this data comes from Windows client devices, where servicing signals are broad and consistent. As a result, client platforms are more heavily represented.
Other device types, such as Windows Server and Windows IoT, have lower representation due to differences in deployment patterns, telemetry availability, and update workflows. This does not indicate reduced support for these platforms. It reflects that fewer observed signals are available to inform confidence assessments. Customers deploying Secure Boot certificate updates in these environments should plan deployments with additional focus and validation aligned to their deployment model and operational requirements.
Data structure and classification
The High Confidence Database is organized into device buckets that group devices sharing common hardware, firmware, and platform attributes. This approach allows Windows servicing to evaluate Secure Boot update behavior at a device class level rather than per individual system.
Each bucket is assigned a confidence classification that reflects the current assessment of Secure Boot certificate update readiness. These classifications are surfaced through Windows events, including events 1801, 1802, 1803, and 1808. For more information, see Secure Boot DB and DBX variable update events. The confidence classification is also available through the ConfidenceLevel registry key. See Registry key updates for Secure Boot: Windows devices with IT‑managed updates for details.
Confidence classifications
The High Confidence Database groups devices into confidence classifications that reflect Microsoft’s current assessment of Secure Boot certificate update readiness and are used to guide deployment decisions.
- High Confidence: Devices in this group have demonstrated, through observed data, that they can successfully update firmware using the new Secure Boot certificates.
- Temporarily Paused: Devices in this group are affected by a known issue. To reduce risk, Secure Boot certificate updates are temporarily paused while Microsoft and partners work toward a supported resolution. This may require a firmware update. Look for an 1802 event for more details.
- Not Supported - Known Limitation: Devices in this group do not support the automated Secure Boot certificate update path due to hardware or firmware limitations. No supported automatic resolution is currently available for this configuration.
- Under Observation - More Data Needed: Devices in this group are not currently blocked, but there is not yet enough data to classify them as high confidence. Secure Boot certificate updates may be deferred until sufficient data is available.
- No Data Observed - Action Required: Microsoft has not observed this device in Secure Boot update data. As a result, automatic certificate updates cannot be evaluated for this device, and administrator action is likely required. This classification is not included in the High Confidence Database and is emitted by Windows when the device is not found in the database.
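The following PowerShell script is an added example, not part of this article, that reports how the classification above is surfaced on a local device: it reads the ConfidenceLevel registry value and lists the newest 1801, 1802, 1803 and 1808 events. It assumes the ConfidenceLevel value lives under the Secure Boot servicing key named in the script and that the events are logged to the System log by the Microsoft-Windows-TPM-WMI provider; confirm both against the linked registry-key and events articles.

```powershell
# Added example (not from the KB article): show the Secure Boot confidence
# classification as exposed on this device. Run in an elevated session.
# Assumption: the ConfidenceLevel value is under this servicing key.
$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

$props = Get-ItemProperty -Path $ServicingKey -ErrorAction SilentlyContinue
if ($null -eq $props -or $null -eq $props.ConfidenceLevel) {
    Write-Output 'ConfidenceLevel not present; confidence data may not have been evaluated yet.'
} else {
    Write-Output ("ConfidenceLevel registry value: {0}" -f $props.ConfidenceLevel)
}

# Assumption: events 1801/1802/1803/1808 are written to the System log by the
# Microsoft-Windows-TPM-WMI provider. Only the newest instance of each ID is shown.
$ids = 1801, 1802, 1803, 1808
$events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-TPM-WMI'
        Id           = $ids
    } -ErrorAction SilentlyContinue | Sort-Object TimeCreated -Descending

if (-not $events) {
    Write-Output 'No Secure Boot confidence events (1801/1802/1803/1808) found in the System log.'
} else {
    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Select-Object -First 1
        # The article ties 1802 to the Temporarily Paused classification; flag it explicitly.
        $note = if ($latest.Id -eq 1802) { ' [Temporarily Paused - known issue, see message]' } else { '' }
        $firstLine = ($latest.Message -split "`r?`n")[0]
        "{0}  Event {1}{2}: {3}" -f $latest.TimeCreated, $latest.Id, $note, $firstLine
    }
}
```

A device that shows no ConfidenceLevel value and no events has not yet run the confidence evaluation; the No Data Observed classification is emitted only once Windows has checked the device against the database.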
Publishing the High Confidence Database
The High Confidence Database is published through two complementary mechanisms. One supports automated Windows servicing. The other provides visibility into confidence data for customers and partners.
Accessing the data on GitHub
Microsoft publishes a human‑readable version of the High Confidence Database on GitHub to provide transparency into the data used to assess Secure Boot certificate update readiness. This version includes the device attributes used to form confidence buckets and is intended for inspection and analysis by humans. It is not used directly by Windows servicing.
The data is available in the Microsoft Secure Boot Objects GitHub Repository and may be useful to the following audiences:
- IT administrators and security teams: Evaluate Secure Boot deployment readiness and understand which device classes may be eligible for certificate updates delivered through cumulative updates.
- Device manufacturers: Review how device and firmware configurations are represented across the Windows ecosystem.
- Other operating system vendors, including Linux distributions: Understand how device and firmware configurations are classified and, where applicable, align with Microsoft’s phased rollout approach.
The data is updated twice monthly, aligned with monthly security updates on the second Tuesday of the month and optional non‑security preview updates on the fourth Tuesday of the month.
High Confidence data included in servicing updates
A signed version of the High Confidence Database is included with Windows cumulative updates and is used directly by Windows servicing to evaluate Secure Boot certificate update readiness. This data is integrity protected and evaluated locally, allowing servicing decisions even when a device is not visible to Microsoft telemetry.
On the device, the data is stored as BucketConfidenceData.cab under:
%SystemRoot%\System32\SecureBootUpdates\
This servicing‑integrated version contains a compact, structured representation of confidence buckets. It includes only the attributes required to determine bucket membership and the associated confidence classification. Version and timestamp metadata ensure the most recent applicable data is used. This version is optimized for reliability, size, and security and is not intended for direct inspection or modification.
Receiving High Confidence Database updates more frequently
Devices running Windows 11, version 24H2 or 25H2 can receive High Confidence Database updates more frequently than the monthly security update cadence. In addition to monthly security updates, these versions also receive optional non‑security preview updates, which may include newer confidence data. Installing these updates allows customers to stay closer to the latest confidence data while remaining within standard Windows servicing.
Reusing High Confidence data across Windows versions
In some environments, administrators may choose to deploy the High Confidence Database to supported Windows versions older than Windows 11, version 24H2 or 25H2.
In this scenario, the database is sourced from Windows 11, version 24H2 or 25H2, which receive newer confidence data through optional non‑security preview updates. Deploying this database allows newer confidence assessments to be evaluated on older supported Windows versions sooner than through monthly security updates alone. This does not change how confidence is calculated or how Secure Boot certificate updates are applied.
Deploying the High Confidence Database to other Windows versions
To deploy BucketConfidenceData.cab, use a process aligned with your organization’s deployment tooling and practices.
- Obtain BucketConfidenceData.cab from a Windows 11, version 24H2 or 25H2 system running the latest non‑security updates. The file is located at %SystemRoot%\System32\SecureBootUpdates\.
- On target devices, as Administrator, create the following directory if it does not already exist: %ProgramData%\Microsoft\Windows\SecureBootUpdates
- Deploy BucketConfidenceData.cab to that directory.
The next time the scheduled task runs, typically within 12 hours, Windows will use this file if it is newer than the version included with servicing updates.
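The following PowerShell script is an added example, not part of this article, that carries out the three deployment steps above on a target device and adds the checks an administrator would want first: it validates the Authenticode signature of the source cab before staging it and warns when the source is not newer than the device's servicing copy. It assumes the reference 24H2/25H2 system is reachable at the UNC path in the script, and it uses file LastWriteTime as a proxy for the version and timestamp metadata inside the cab, which this article does not document.

```powershell
# Added example (not from the KB article): stage BucketConfidenceData.cab from a
# reference Windows 11 24H2/25H2 system onto an older supported Windows device.
# Run elevated on the target device. Assumption: reference host share path below.
$SourceCab    = '\\REF-24H2-HOST\c$\Windows\System32\SecureBootUpdates\BucketConfidenceData.cab'
$TargetDir    = Join-Path $env:ProgramData 'Microsoft\Windows\SecureBootUpdates'
$TargetCab    = Join-Path $TargetDir 'BucketConfidenceData.cab'
$ServicingCab = Join-Path $env:SystemRoot 'System32\SecureBootUpdates\BucketConfidenceData.cab'

if (-not (Test-Path -LiteralPath $SourceCab)) {
    throw "Source file not found: $SourceCab"
}

# The servicing copy is signed and integrity protected. Refuse to stage a cab whose
# Authenticode signature does not validate or is not chained to a Microsoft signer,
# so a tampered or corrupted file is never placed where the scheduled task reads it.
$sig = Get-AuthenticodeSignature -FilePath $SourceCab
if ($sig.Status -ne 'Valid') {
    throw "Refusing to deploy: signature status '$($sig.Status)' for $SourceCab"
}
if ($sig.SignerCertificate.Subject -notlike '*Microsoft*') {
    throw "Refusing to deploy: unexpected signer '$($sig.SignerCertificate.Subject)'"
}

# Windows only uses the staged file if it is newer than the servicing copy.
# Assumption: file LastWriteTime approximates the cab's internal version/timestamp.
if (Test-Path -LiteralPath $ServicingCab) {
    $servicingTime = (Get-Item -LiteralPath $ServicingCab).LastWriteTime
    $sourceTime    = (Get-Item -LiteralPath $SourceCab).LastWriteTime
    if ($sourceTime -le $servicingTime) {
        Write-Warning ("Source cab ({0}) is not newer than the servicing copy ({1}); " +
                       "Windows will keep using the servicing copy.") -f $sourceTime, $servicingTime
    }
}

# Create the staging directory if needed, then copy the file into place.
if (-not (Test-Path -LiteralPath $TargetDir)) {
    New-Item -ItemType Directory -Path $TargetDir -Force | Out-Null
}
Copy-Item -LiteralPath $SourceCab -Destination $TargetCab -Force
Get-Item -LiteralPath $TargetCab | Select-Object FullName, Length, LastWriteTime
```

The scheduled task picks the file up on its next run, so confirm the result afterwards through the 1801/1802/1803/1808 events or the ConfidenceLevel registry value rather than by the copy succeeding.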
How Windows selects confidence data
A device may contain more than one copy of the High Confidence Database. To ensure consistent behavior, Windows applies a defined precedence model when evaluating confidence data.
When a signed confidence data file is included with a cumulative update, that servicing copy is used by default. If multiple copies are present, Windows selects the most recent applicable version based on version and timestamp metadata.