Applies To
Windows 10 Windows 10, version 1607, all editions Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 IoT Core LTSC Windows 10 Enterprise LTSC 2021 Windows 10 IoT Enterprise LTSC 2021 Windows 10, version 22H2, all editions Windows 11 Home and Pro, version 21H2 Windows 11 Enterprise Multi-Session, version 21H2 Windows 11 Enterprise and Education, version 21H2 Windows 11 IoT Enterprise, version 21H2 Windows 11 Home and Pro, version 22H2 Windows 11 Enterprise Multi-Session, version 22H2 Windows 11 Enterprise and Education, version 22H2 Windows 11 IoT Enterprise, version 22H2 Windows 11 SE, version 23H2 Windows 11 Home and Pro, version 23H2 Windows 11 Enterprise and Education, version 23H2 Windows 11 Enterprise Multi-Session, version 23H2 Windows 11 SE, version 24H2 Windows 11 Enterprise and Education, version 24H2 Windows 11 Enterprise Multi-Session, version 24H2 Windows 11 Home and Pro, version 24H2 Windows 11 IoT Enterprise, version 24H2 Windows Server 2012 ESU Windows Server 2012 R2 ESU Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server 2025

Original publish date: October 14, 2025

KB ID: 5068197

This article has guidance for: 

  • Organizations that have their own IT department managing Windows devices and updates.

Note: If you are an individual who owns a personal Windows device, please go to the article Windows devices for home users, businesses, and schools with Microsoft-managed updates

Availability of this support:  

  • Included in Windows updates released on and after October 28, 2025, for Windows 11, version 24H2 and Windows 11, version 23H2.

  • Included in updates released on and after November 11, 2025, for other versions of Windows.

Secure Boot CLI using Windows Configuration System (WinCS)

Goal: Domain administrators can alternatively use the Windows Configuration System (WinCS) released with Windows OS updates to deploy the Secure Boot updates across domain-joined Windows clients and servers. WinCS consists of a command-line interface (CLI) utility, WinCsFlags.exe, that queries and applies Secure Boot configurations locally on a machine.

WinCS works from a configuration key. Passing that key to the command-line utility changes the Secure Boot configuration state recorded on the machine. Once the key is applied, the next run of the scheduled Secure Boot servicing task performs the actions the key calls for; applying the key does not by itself change the firmware's Secure Boot variables.

WinCS supported platforms

The WinCS command-line utility is supported in Windows 11, version 23H2, Windows 11, version 24H2, Windows 11, version 25H2. This utility is available in the Windows updates released on and after October 28, 2025, for Windows 11, version 24H2 and Windows 11, version 23H2.

Note: We are working on bringing this WinCS support to Windows 10 platforms. We will update this article as soon as the support is enabled. 

Here's the Secure Boot configuration feature key that domain admins will query and apply to devices through WinCS:

  Feature name: Feature_AllKeysAndBootMgrByWinCS

  WinCS key:    F33E0C8E002

  Description:  Enabling this key allows installation of the following new Microsoft-provided Secure Boot certificates on your device:

    • Microsoft Corporation KEK 2K CA 2023

    • Windows UEFI CA 2023

    • Microsoft UEFI CA 2023

    • Microsoft Option UEFI ROM CA 2023

WinCS key values: 

  • F33E0C8E002 – Secure Boot configuration state = Enabled

  • F33E0C8E001 – Secure Boot configuration state = Disabled (the default on a clean machine)

How to query Secure Boot configuration 

Secure Boot configuration can be queried with the following command line:

WinCsFlags.exe /query --key F33E0C8E002

This will return the following information (on a clean machine): 

Flag: F33E0C8E 

  Current Configuration: F33E0C8E001

  State: Disabled

  Pending Configuration: None 

  Pending Action: None  

  FwLink: https://aka.ms/getsecureboot 

  Available Configurations: 

    F33E0C8E002 

    F33E0C8E001 

Notice that the current configuration on a clean device is F33E0C8E001, which means the Secure Boot key is in the Disabled state and no certificate update is pending.

How to apply Secure Boot configuration  

Apply the configuration that enables the Secure Boot certificate updates with the following command line (run from an elevated prompt):

WinCsFlags.exe /apply --key "F33E0C8E002"

A successful application of the key should return the following information: 

Flag: F33E0C8E 

  Current Configuration: F33E0C8E002

  State: Enabled

  Pending Configuration: None 

  Pending Action: None

  FwLink: https://aka.ms/getsecureboot 

  Available Configurations: 

    F33E0C8E002 

    F33E0C8E001  

How to audit Secure Boot configuration  

To determine the state of the Secure Boot configuration later, you can re-use the initial query command: 

WinCsFlags.exe /query --key F33E0C8E002 

The information returned will be similar to the following, depending on the state of the flag: 

Flag: F33E0C8E 

  Current Configuration: F33E0C8E002

  State: Enabled

  Pending Configuration: None 

  Pending Action: None

  FwLink: https://aka.ms/getsecureboot 

  Available Configurations: 

    F33E0C8E002 

    F33E0C8E001  

Notice that the state of the key is now Enabled, and the current configuration is F33E0C8E002. 

Note: Applying the Secure Boot key via WinCS does not mean that the Secure Boot certificate installation process has started or has finished. It only indicates that the machine will proceed with the Secure Boot updates when the Secure Boot servicing task (TPMTasks) next runs on that machine. When TPMTasks runs, it detects the update value 0x5944 and carries out the update. By design, the Secure-Boot-Update scheduled task runs every 12 hours to process such Secure Boot update flags. Admins can expedite this by manually running the task or restarting the device, if desired.
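The following PowerShell script is an added example, not part of this article or of the WinCS tooling. It wraps the query, apply and audit commands shown above into two functions so that the same check can be run idempotently across a fleet: it parses the text output of WinCsFlags.exe /query into an object, refuses to act if the flag ID is not the expected F33E0C8E, applies F33E0C8E002 only when the current configuration is not already Enabled, and re-queries to confirm. It assumes WinCsFlags.exe is on the PATH of an elevated session, that its output follows the layout printed in this article, and that it returns a non-zero exit code on failure (an assumption; adjust if your build behaves differently).

```powershell
# Added example (not from the KB or from WinCS itself): idempotent wrapper
# around WinCsFlags.exe for the Secure Boot configuration key.
# Assumptions: elevated PowerShell on a supported Windows 11 build,
# WinCsFlags.exe on PATH, output layout as shown in KB5068197, and a
# non-zero $LASTEXITCODE on failure (not documented in the KB).

$SecureBootEnabledKey = 'F33E0C8E002'   # "Enabled" configuration from the KB
$SecureBootFlagId     = 'F33E0C8E'      # flag ID the key belongs to

function Get-WinCsSecureBootState {
    # Run the /query form shown in the KB and parse its "Name: value"
    # lines into an object (Flag, CurrentConfiguration, State, ...).
    $raw = & WinCsFlags.exe /query --key $SecureBootEnabledKey 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "WinCsFlags.exe /query failed (exit $LASTEXITCODE):`n$($raw -join "`n")"
    }
    $state = [ordered]@{ Raw = ($raw -join "`n") }
    foreach ($line in $raw) {
        if ([string]$line -match '^\s*(Flag|Current Configuration|State|Pending Configuration|Pending Action|FwLink):\s*(.*?)\s*$') {
            # "Current Configuration" -> CurrentConfiguration, etc.
            $state[($Matches[1] -replace ' ', '')] = $Matches[2]
        }
    }
    [pscustomobject]$state
}

function Set-WinCsSecureBootEnabled {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $before = Get-WinCsSecureBootState
    if ($before.Flag -ne $SecureBootFlagId) {
        # Guard against a changed or unexpected tool output before touching anything.
        throw "Unexpected flag '$($before.Flag)' (expected $SecureBootFlagId); refusing to apply."
    }
    if ($before.CurrentConfiguration -eq $SecureBootEnabledKey -and $before.State -eq 'Enabled') {
        Write-Verbose "Key $SecureBootEnabledKey is already Enabled; nothing to do."
        return $before
    }

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Apply WinCS key $SecureBootEnabledKey")) {
        $out = & WinCsFlags.exe /apply --key $SecureBootEnabledKey 2>&1
        if ($LASTEXITCODE -ne 0) {
            throw "WinCsFlags.exe /apply failed (exit $LASTEXITCODE):`n$($out -join "`n")"
        }
    }

    # Audit step from the KB: re-query and confirm the key took effect.
    $after = Get-WinCsSecureBootState
    if ($after.State -ne 'Enabled' -or $after.CurrentConfiguration -ne $SecureBootEnabledKey) {
        throw "Apply did not take effect: State=$($after.State) Current=$($after.CurrentConfiguration)"
    }
    $after
}

# Usage on one machine (elevated):
#   Set-WinCsSecureBootEnabled -Verbose
# Dry run:
#   Set-WinCsSecureBootEnabled -WhatIf
```

Because the function returns the parsed state object, it can be run through Invoke-Command against a list of domain-joined hosts and the results collected centrally; a machine whose State is still Disabled after the apply, or whose Flag does not match, is surfaced as an error rather than silently skipped. Remember that an Enabled result only means the servicing task will act on its next run; the firmware DB and KEK contents must be verified separately after the task has run and the device has restarted.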

You can also manually trigger the Secure Boot servicing task by following below steps: 

  1. Open a PowerShell prompt as an administrator and then run the following command:

    Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"​

  2. Restart the device two times after running the command to confirm that the device is starting with the updated database of trusted signatures (DB).

  3. To verify that the Secure Boot DB update was successful, open a PowerShell prompt as an administrator and then run the following command: 

    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

    If the command returns True, the update was successful. In the case of errors while applying the DB update, see the article KB5016061: Addressing vulnerable and revoked Boot Managers
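The one-liner above checks only for Windows UEFI CA 2023 in the DB. The script below is an added example, not part of this article, that generalises the same technique to every certificate the WinCS key is meant to install: the three 2023 CAs expected in the DB and the KEK 2K CA 2023 expected in the KEK. It uses only the SecureBoot module cmdlets already present on Windows (Get-SecureBootUEFI and Confirm-SecureBootUEFI); the list of expected subject names is taken from the key description in this article, and the assumption, as in the KB's own check, is that the CA common names appear as ASCII inside the DER-encoded certificates stored in the variables.

```powershell
# Added example (not from the KB): verify all four 2023 Secure Boot
# certificates after the Secure-Boot-Update task has run and the device
# has been restarted. Requires an elevated PowerShell prompt on a UEFI
# system with the built-in SecureBoot module.

# Expected certificate subject names per UEFI variable, as listed in KB5068197.
$Expected2023Certificates = @{
    KEK = @('Microsoft Corporation KEK 2K CA 2023')
    db  = @('Windows UEFI CA 2023',
            'Microsoft UEFI CA 2023',
            'Microsoft Option UEFI ROM CA 2023')
}

function Test-SecureBoot2023Certificates {
    # Returns one object per (variable, certificate) pair with a Present flag.
    if (-not (Confirm-SecureBootUEFI)) {
        # Contents can still be read, but they are not enforced at boot.
        Write-Warning 'Secure Boot is not enabled on this device.'
    }
    foreach ($variable in $Expected2023Certificates.Keys) {
        # Same technique as the KB's one-liner: the subject common names are
        # stored as ASCII inside the DER certificates in the signature database.
        $bytes = (Get-SecureBootUEFI -Name $variable).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($subject in $Expected2023Certificates[$variable]) {
            [pscustomobject]@{
                Variable    = $variable
                Certificate = $subject
                Present     = $text.Contains($subject)
            }
        }
    }
}

function Assert-SecureBoot2023Certificates {
    # Fails loudly (non-zero exit when run as a script) if anything is missing,
    # so the check can gate a fleet report or a compliance job.
    $results = Test-SecureBoot2023Certificates
    $results | Format-Table -AutoSize | Out-String | Write-Host
    $missing = $results | Where-Object { -not $_.Present }
    if ($missing) {
        $list = ($missing | ForEach-Object { "$($_.Variable)/$($_.Certificate)" }) -join ', '
        throw "Secure Boot certificate update incomplete; missing: $list"
    }
    'All 2023 Secure Boot certificates are present.'
}

# Usage (elevated, after the required restarts):
#   Assert-SecureBoot2023Certificates
```

A KEK entry that is missing while the DB entries are present usually means the KEK update step (which requires a firmware-accepted, OEM-signed KEK) has not completed; a DB that still lacks all three 2023 CAs after two restarts indicates the servicing task has not yet processed the key, so re-run the Secure-Boot-Update task and re-check before investigating firmware errors under KB5016061.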
