Original Published Date: October 30, 2025
KB ID: 5068198
This article has guidance for:
Note: If you are an individual who owns a personal Windows device, please see the article Windows devices for home users, businesses, and schools with Microsoft-managed updates. |
Availability of this support
In this article:
- Introduction
- Group Policy Object (GPO) configuration method
Introduction
This document describes the support for deploying, managing, and monitoring the Secure Boot certificate updates using the Secure Boot Group Policy object. The settings consist of:
- The ability to trigger deployment on a device
- A setting to opt in/opt out of high-confidence buckets
- A setting to opt in/opt out of Microsoft managing updates
Group Policy Object (GPO) configuration method
This method offers a straightforward Secure Boot Group Policy setting that domain administrators can set to deploy Secure Boot updates to all domain-joined Windows clients and servers. In addition, two Secure Boot assists can be managed with opt-in/opt-out settings.
To get the updates that include the policy for deploying Secure Boot certificate updates, download the latest version of the Administrative Templates published on or after October 23, 2025.
This policy can be found under the following path in the Group Policy UI:
Computer Configuration->Administrative Templates->Windows Components->Secure Boot
Available Configuration Settings
The three settings available for Secure Boot certificate deployment are described here. These settings correspond to the registry keys described in Registry key updates for Secure Boot: Windows devices with IT-managed updates.
Enable Secure Boot Certificate Deployment
Group Policy setting name: Enable Secure Boot Certificate Deployment
Description: This policy controls whether Windows initiates the Secure Boot certificate deployment process on devices.
- Enabled: Windows automatically begins deploying updated Secure Boot certificates during scheduled maintenance.
- Disabled: Windows does not deploy certificates automatically.
- Not Configured: Default behavior applies (no automatic deployment).
Notes:
- The task that processes this setting runs every 12 hours. Some updates may require a restart to complete safely.
- Once certificates are applied to firmware, they cannot be removed from Windows. Clearing certificates must be done through the firmware interface.
- This setting is considered a preference; if the GPO is removed, the registry value remains.
- Corresponds to the registry key AvailableUpdates.
Automatic Certificate Deployment via Updates
Group Policy setting name: Automatic Certificate Deployment via Updates
Description: This policy controls whether Secure Boot certificate updates are applied automatically through Windows monthly security and non-security updates. Devices that Microsoft has validated as capable of processing Secure Boot variable updates will receive these updates as part of cumulative servicing and apply them automatically.
- Enabled: Devices with validated update results will receive certificate updates automatically during servicing.
- Disabled: Automatic deployment is blocked; updates must be managed manually.
- Not Configured: Automatic deployment occurs by default.
Notes:
- Intended for devices confirmed to process updates successfully.
- Configure this policy to opt out of automatic deployment.
- Corresponds to the registry key HighConfidenceOptOut.
Certificate Deployment via Controlled Feature Rollout
Group Policy setting name: Certificate Deployment via Controlled Feature Rollout
Description: This policy allows enterprises to participate in a Controlled Feature rollout of Secure Boot certificate updates managed by Microsoft.
- Enabled: Microsoft assists with deploying certificates to devices enrolled in the rollout.
- Disabled or Not Configured: No participation in controlled rollout.
Requirements:
- Device must send required diagnostic data to Microsoft. For details, see Configure Windows diagnostic data in your organization - Windows Privacy | Microsoft Learn.
- Corresponds to the registry key MicrosoftUpdateManagedOptIn.
GPO configuration overview
- Policy name (tentative): “Enable Secure Boot Key Rollout” (under Computer Configuration).
- Policy path: A new node under Computer Configuration > Administrative Templates > Windows Components > Secure Boot. For clarity, a subcategory like “Secure Boot Updates” should be created to store this policy.
- Scope: Computer (machine-wide setting): It targets the HKEY_LOCAL_MACHINE hive and affects the device’s UEFI state.
- Policy action: When enabled, the policy will set the following registry subkey.
| Registry location | DWORD name | DWORD value | Comments |
|---|---|---|---|
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecureBoot\Servicing | AvailableUpdatesPolicy | 0x5944 | This flags the device to install all available Secure Boot key updates on next opportunity. |
Note: Due to the nature of Group Policy, the policy will be reapplied over time, while the bits of AvailableUpdates are cleared as they are processed. Therefore, a separate registry key named AvailableUpdatesPolicy is necessary so that the underlying logic can track whether the keys have already been deployed. When AvailableUpdatesPolicy is set to 0x5944, TPMTasks will set AvailableUpdates to 0x5944 and record that this has been done, to prevent reapplying the value to AvailableUpdates multiple times. Setting AvailableUpdatesPolicy to Disabled will cause TPMTasks to clear AvailableUpdates (set it to 0) and record that this has been completed.
- Disabled/Not Configured: When set to Not Configured, the policy makes no changes (Secure Boot updates remain as opt-in and won’t run unless triggered by other means). If set to Disabled, the policy should set AvailableUpdates to 0, to explicitly ensure the device does not attempt the Secure Boot key roll or to stop the rollout if something goes wrong.
- HighConfidenceOptOut can be enabled or disabled. Enabling will set this key to 1 and disabling will set it to 0.
ADMX implementation: This policy will be implemented using a standard administrative template (ADMX). It uses the registry policy mechanism to write the value. For example, the ADMX definition would specify:
- Registry key: Software\Policies\... Note: Group Policy normally writes to the Policies branch, but in this case, we need to affect the HKEY_LOCAL_MACHINE\SYSTEM hive. We will use Group Policy’s ability to write directly to the HKEY_LOCAL_MACHINE hive for machine policies. The ADMX can use the element with the real target path.
- Name: AvailableUpdatesPolicy
- DWORD value: 0x5944
When the GPO is applied, the Group Policy client service on each targeted machine will create or update this registry value. The next time the Secure Boot servicing task (TPMTasks) runs on that machine, it will detect 0x5944 and carry out the update.
Note: By design, on Windows the “TPMTask” scheduled task runs every 12 hours to process such Secure Boot update flags. Admins can also expedite by manually running the task or restarting, if desired.
Example policy UI
- Setting Enable Secure Boot Key Rollout: When enabled, the device will install the updated Secure Boot certificates (2023 CAs) and associated boot manager update. The device’s firmware Secure Boot keys and configurations will be updated in the next maintenance window. Status can be tracked via the registry (UEFICA2023Status and UEFICA2023Error) or Windows Event Log.
- Options Enabled / Disabled / Not Configured
This single setting approach keeps it simple for all customers (always using the recommended 0x5944 value).
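The following added example (not part of this KB article) is a read-only PowerShell check an administrator can run on a targeted client to see whether the GPO value has landed, whether TPMTasks has consumed it, and what the status values report. Value names and the 0x5944 value come from this article; reading AvailableUpdates = 0 as "nothing pending" follows the note above that its bits are cleared as they are processed, and the interpretation of UEFICA2023Status/UEFICA2023Error is left to the reader because this article does not define their values.

```powershell
# Added example, not Microsoft's code: read-only check of the Secure Boot
# servicing registry values described in this KB. Requires an elevated
# session on a Windows device (Confirm-SecureBootUEFI fails on legacy BIOS).

$ServicingKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$RolloutValue = 0x5944   # value the GPO writes to AvailableUpdatesPolicy

function Get-SecureBootServicingState {
    if (-not (Test-Path -Path $ServicingKey)) {
        throw "Servicing key not found: $ServicingKey"
    }
    $props = Get-ItemProperty -Path $ServicingKey

    # Returns the raw registry value, or $null if the value has not been created yet.
    $read = {
        param([string]$Name)
        if ($props.PSObject.Properties[$Name]) { $props.$Name } else { $null }
    }

    $policy  = & $read 'AvailableUpdatesPolicy'
    $pending = & $read 'AvailableUpdates'

    # Firmware-level Secure Boot state; $null means the cmdlet could not answer.
    $sbOn = $null
    try { $sbOn = Confirm-SecureBootUEFI } catch { }

    [pscustomobject]@{
        SecureBootEnabled           = $sbOn
        AvailableUpdatesPolicy      = if ($policy -is [int])  { '0x{0:X4}' -f $policy }  else { '(not set)' }
        RolloutRequestedByPolicy    = ($policy -eq $RolloutValue)
        AvailableUpdates            = if ($pending -is [int]) { '0x{0:X4}' -f $pending } else { '(not set)' }
        UpdateBitsStillPending      = ($pending -is [int] -and $pending -ne 0)
        HighConfidenceOptOut        = & $read 'HighConfidenceOptOut'
        MicrosoftUpdateManagedOptIn = & $read 'MicrosoftUpdateManagedOptIn'
        UEFICA2023Status            = & $read 'UEFICA2023Status'
        UEFICA2023Error             = & $read 'UEFICA2023Error'
    }
}

Get-SecureBootServicingState | Format-List
```

A device on which the GPO applied but TPMTasks has not yet run (it runs every 12 hours) shows RolloutRequestedByPolicy as True with AvailableUpdates still "(not set)" or 0; once the task has consumed the policy, AvailableUpdates reads 0x5944 and its bits clear as each update completes.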
Important: If in the future more granular control is needed, additional policies or options could be introduced. However, current guidance is that all new Secure Boot keys and the new boot manager should be deployed together in nearly all scenarios, so a one-toggle deployment is appropriate.
Security & permissions: Writing to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet hive requires administrative privileges. Group Policy runs as Local System on clients, which has the necessary rights. The GPO itself can be edited by administrators with Group Policy management rights. Standard GPO security can prevent non-admins from altering the policy.
The English text used when configuring the policy is as follows.

| Text element | Description |
|---|---|
| Node in Group Policy Hierarchy | Secure Boot |
| AvailableUpdates/AvailableUpdatesPolicy | |
| Setting name | Enable Secure Boot certificate deployment |
| Options | <no options needed – just “Not Configured”, “Enabled”, and “Disabled”> |
| Description | This policy setting allows you to enable or disable the Secure Boot certificate deployment process on devices. When enabled, Windows will automatically begin the certificate deployment process to devices where this policy has been applied. Note: This registry setting is not stored in a policy key, and this is considered a preference. Therefore, if the Group Policy Object that implements this setting is ever removed, this registry setting will remain. Note: The Windows task that runs and processes this setting runs every 12 hours. In some cases, the updates will be held until the system restarts to safely sequence the updates. Note: Once the certificates are applied to the firmware, you cannot undo them from Windows. If clearing the certificates is necessary, it must be done from the firmware menu interface. For more information, see https://aka.ms/GetSecureBoot. |
| HighConfidenceOptOut | |
| Setting name | Automatic Certificate Deployment via Updates |
| Options | <no options needed – just “Not Configured”, “Enabled”, and “Disabled”> |
| Description | For devices where test results are available that indicate that the device can process the certificate updates successfully, the updates will be initiated automatically as part of the servicing updates. This policy is enabled by default. For enterprises that want to manage automatic updates, use this policy to explicitly enable or disable the feature. For more information, see https://aka.ms/GetSecureBoot. |