Sample Secure Boot E2E Automation Guide

S’applique à
Windows 10, version 1607, all editions Win 10 Ent LTSB 2016 Win 10 IoT Ent LTSB 2016 Windows 10, version 1809, all editions Win 10 Ent LTSC 2019 Win 10 IoT Ent LTSC 2019 Windows 10 ESU Windows 10 Enterprise LTSC 2021 Windows 10 IoT Enterprise LTSC 2021 Windows 11 version 23H2, all editions Windows 11 version 24H2, all editions Windows 11 version 25H2, all editions Windows 11 version 26H1, all editions Windows Server 2016 Windows Server 2019 Windows Server 2022 Windows Server, version 23H2 Windows Server 2025

Note

Original publish date: March 16, 2026
Last date updated: May 12, 2026
KB ID: 5084567

In this article

Overview

This guide describes the automated deployment system for Windows Secure Boot DB certificate updates using Group Policy and progressive rollout waves.

The Secure Boot Certificate Rollout Automation is a PowerShell-based system that deploys Windows Secure Boot DB certificate updates to domain-joined machines in a controlled, graduated manner.

back to top

Key Features

Feature Description
Graduated Rollout 1 > 2 > 4 > 8… devices per bucket
Automatic Blocking Buckets with unreachable devices are excluded
Automated GPO Deployment Single orchestrator script handles everything
Scheduled Task Execution No interactive prompts required
Real-time Monitoring Status viewer with progress bar

back to top

Certificate Updates Settings Reference

In this section

AvailableUpdatesPolicy Group policy

Registry location HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot
Name AvailableUpdatesPolicy
Value 0x5944 (DWORD)

This is the GPO/ADMX-controlled key that:

  • Persists across reboots
  • Is set by Group Policy / MDM
  • Does not cause retry loops (cleared via ClearRolloutFlags)
  • Is the correct key for policy-driven deployment

Reference: Group Policy Objects (GPO) method of Secure Boot for Windows devices with IT-managed updates

back to "Certificate Updates Settings Reference"

WinCSFlags - Windows Configuration System Flags

Domain administrators can alternatively use the Windows Configuration System (WinCS) released with Windows OS updates to deploy the Secure Boot updates across domain-joined Windows clients and servers. It consists of a command-line interface (CLI) utility to query and apply Secure Boot configurations locally to a machine.

Feature name WinCS Key Description
Feature_AllKeysAndBootMgrByWinCS F33E0C8E002 Enabling this key allows installation of the following Microsoft-provided Secure Boot new certificates on your device.
  • Microsoft Corporation KEK 2K CA 2023
  • Windows UEFI CA 2023
  • Microsoft UEFI CA 2023
  • Microsoft Option UEFI ROM CA 2023

Reference: Windows Configuration System (WinCS) APIs for Secure Boot

back to "Certificate Updates Settings Reference"

back to top

Architecture

Architecture workflow

back to top

Phase 1: Detection and Status Monitoring at Enterprise level

In this section

Scripts needed for Phase 1

Sample Secure Boot Inventory Data Collection scripts

Note

IMPORTANT The following articles containing the sample scripts have been retired. If you have installed a Windows update released on or after May 12, 2026, the sample scripts can be found in the %systemroot%\SecureBoot\ExampleRolloutScripts folder on your device.

Sample Script Name Purpose Runs On
Sample Detect-SecureBootCertUpdateStatus.ps1 script Collects device status data Each endpoint (via GPO)
Sample Aggregate-SecureBootData.ps1 script Generates reports and dashboards Admin workstation
Sample Deploy-GPO-SecureBootCollection.ps1 script Automates GPO creation for data collection Domain Controller
Sample Output from the above Phase 1 scripts

Secure Boot Certificate Status Dashboard

back to "Phase 1: Detection and Status Monitoring at Enterprise level"

Local Testing

Before deploying via GPO, test the collection script on a single machine to verify functionality.

  • Run Collection Script Locally

    Open an elevated PowerShell prompt and execute:

    Note

    & .\Detect-SecureBootCertUpdateStatus.ps1 -OutputPath "C:\Temp\SecureBootTest"

  • Verify JSON Output

    Note

    # View the collected data 
    Get-Content "C:\Temp\SecureBootTest\*_latest.json" | ConvertFrom-Json | Format-List

    Key Fields to Verify  
    •    SecureBootEnabled – Should be True or False 
    •    OverallStatus – Complete, ReadyForUpdate, NeedsData, or Error 
    •    BucketHash – Device bucket for confidence data matching 
    •    SecureBootTaskEnabled  - Shows status of Secure Boot Update Task.

  • Test Aggregation Script

    Note

    # Generate reports from collected data 
    & ".\Aggregate-SecureBootData.ps1" `
        -InputPath "C:\Temp\SecureBootTest" ` 
        -OutputPath "C:\Temp\SecureBootReports" 
     

    Open the HTML dashboard 

    Start-Process "C:\Temp\SecureBootReports\SecureBoot_Dashboard_*.html"

back to "Phase 1: Detection and Status Monitoring at Enterprise level"

Network Share Setup

  • Create the Network Share

    On your file server, create a dedicated share for collection data:

    Note

    # Run on file server as Administrator 
    $SharePath = "D:\SecureBootCollection" 
    $ShareName = "SecureBootData$"   
     

    Create folder 

    New-Item -ItemType Directory -Path $SharePath -Force 
     

    Create hidden share ($ suffix hides from browse list) 

    New-SmbShare -Name $ShareName -Path $SharePath ` 
        -Description "Secure Boot Certificate Status Collection" ` 
        -FullAccess "Domain Admins" ` 
        -ChangeAccess "Domain Computers"

  • Configure NTFS Permissions

    Note

    # Get current ACL 
    $Acl = Get-Acl $SharePath 
     

    Allow Authenticated Users to write files 

    $WriteRule = New-Object System.Security.AccessControl.FileSystemAccessRule( 
    "Domain Computers" and
    "Modify", 
        "ContainerInherit,ObjectInherit", 
        "None", 
        "Allow" 

    $Acl.AddAccessRule($WriteRule) 
     

    Allow Domain Admins full control (for aggregation) 

    $AdminRule = New-Object System.Security.AccessControl.FileSystemAccessRule( 
        "Domain Admins", 
        "FullControl", 
        "ContainerInherit,ObjectInherit", 
        "None", 
        "Allow" 

    $Acl.AddAccessRule($AdminRule) 
     

    Apply permissions 

    Set-Acl -Path $SharePath -AclObject $Acl 

  • Verify Share Access

    Note

    # Test from a domain-joined workstation 
    Test-Path "\\fileserver\SecureBootData$" 

    Should return: True

back to "Phase 1: Detection and Status Monitoring at Enterprise level"

GPO Deployment

Use the automation script provided from a domain controller:

Note

Run on Domain Controller as Domain Admin for interactive OU Section – Recommended 

Replace the “Contoso.com”, “Contoso” with the name of the domain 

Replace FILESERVER with the file server name.  Script shows list of OUs to deploy GPO on

.\Deploy-GPO-SecureBootCollection.ps1 ` 
    -DomainName "contoso.com" ` 
    -AutoDetectOU ` 
    -CollectionSharePath "\\FILESERVER\SecureBootData$"
    -ScriptSourcePath ".\Detect-SecureBootCertUpdateStatus.ps1" ` 
    -Schedule "Daily" ` 
    -ScheduleTime "14:00" ` 
    -RandomDelayHours 4 

This script will perform the following:

  • Creates new GPO with specified name
  • Copies collection script to SYSVOL for high availability
  • Configures Computer Startup Script
  • Links GPO to target OU
  • Optionally creates scheduled task for periodic collection

The following table provides guidance in how long the delay will be based on your fleet size.

Fleet size Delay range
1-10K devices 4 hours
10K-50K devices 8 hours
50K+ devices 12-24 hours

back to "Phase 1: Detection and Status Monitoring at Enterprise level"

GPO Settings Summary

Setting Location Value
Startup Script Computer Config → Scripts Detect-SecureBootCertUpdateStatus.ps1
Script Parameters (same) -OutputPath "\\server\share$"
Execution Policy Computer Config → Admin Templates → PowerShell Allow local and remote signed
Scheduled Task Computer Config → Preferences → Scheduled Tasks Daily/Weekly collection

back to "Phase 1: Detection and Status Monitoring at Enterprise level"

Verification

  • Force GPO Update on Test Machine

    Note

    ## On a test workstation 
    gpupdate /force 
     

    Reboot the client machines to startup script or it will trigger on next schedule.

    Restart-Computer -Force

  • Verify Data Collection

    Note

    Check if data was collected (on file server or from any machine) 

    Get-ChildItem "\\fileserver\SecureBootData$" |  
        Sort-Object LastWriteTime -Descending |  
        Select-Object -First 10 
     

    Verify JSON content 

    Get-Content "\\fileserver\SecureBootData$\TESTPC_latest.json" | ConvertFrom-Json 

  • Check GPO Application

    Note

    Verify GPO is applied to the computer 

    Select-String "SecureBoot"
    The script also saves a local copy for redundancy: 
    Get-ChildItem "C:\ProgramData\SecureBootCollection\" 

back to "Phase 1: Detection and Status Monitoring at Enterprise level"

back to top

Phase 2: Secure Boot Certificate Update Orchestration Scripts

Important

Ensure Phase1 is completed including data collection on each end point to remote server shares.

In this section

Scripts needed for Phase 2

Sample Secure Boot Inventory Data Collection scripts

Note

IMPORTANT The following articles containing the sample scripts have been retired. If you have installed a Windows update released on or after May 12, 2026, the sample scripts can be found in the %systemroot%\SecureBoot\ExampleRolloutScripts folder on your device.

Sample script name Purpose Runs on
Sample Detect-SecureBootCertUpdateStatus.ps1 script Collects device status data Each endpoint (via GPO)
Sample Aggregate-SecureBootData.ps1 script Generates reports and dashboards Admin workstation
Sample Deploy-GPO-SecureBootCollection.ps1 script Automates GPO creation for data collection Domain Controller
Sample Start-SecureBootRolloutOrchestrator.ps1 script Fully automated, continuous orchestration with automated GPO deployment for certificate installation Admin workstation
Sample Deploy-OrchestratorTask.ps1 script Deploys Orchestrator script as scheduled task for automated rollout Domain Controller
Sample Get-SecureBootRolloutStatus.ps1 script View Secure Boot Certificate Roll out status from any workstation Admin Workstation
Sample Enable-SecureBootUpdateTask.ps1 script Enables Secure Boot Update Task On End points where task is disabled (Run only once to enable the task if disabled)

back to "Phase 2: Secure Boot Certificate Update Orchestration Scripts"

Start-SecureBootRolloutOrchestrator.ps1

  • Purpose: Fully automated, continuous orchestration with automated GPO deployment.

  • What it does

    • Calls Aggregate-SecureBootData.ps1 for device status

    • Generates rollout waves using progressive doubling

    • Creates GPO for certificate deployment using one of following methods

      • Secure boot Group policy AvailableUpdatesPolicy = 0x5944  (Default)
      • WinCS method (Parameter –UseWinCS)
    • Creates AD security groups for targeting

    • Adds computer accounts to security groups

    • Configures GPO security filtering

    • Links GPO to target OU

    • Monitors for blocked buckets (unreachable devices)

    • Auto-unblocks when devices recover

  • Usage

    Note

    # Interactive (testing)
    .\Start-SecureBootRolloutOrchestrator.ps1 `
        -AggregationInputPath "\\fileserver\SecureBootData$" `
        -ReportBasePath "C:\SecureBootReports" `
        -PollIntervalMinutes 30

    Note

    # Interactive (testing), leveraging WinCS method
    .\Start-SecureBootRolloutOrchestrator.ps1 `
        -AggregationInputPath "\\fileserver\SecureBootData$" `
        -ReportBasePath "C:\SecureBootReports" `
        -PollIntervalMinutes 30 `
        -UseWinCS

  • Admin commands

    Note

    # List blocked buckets
    .\Start-SecureBootRolloutOrchestrator.ps1 -ReportBasePath "C:\SecureBootReports" -ListBlockedBuckets

    Note

    # Unblock specific bucket
    .\Start-SecureBootRolloutOrchestrator.ps1 -ReportBasePath "C:\SecureBootReports" -UnblockBucket "Dell|Latitude5520|BIOS1.2"

    Note

    # Unblock all
    .\Start-SecureBootRolloutOrchestrator.ps1 -ReportBasePath "C:\SecureBootReports" -UnblockAll​​​​​​​

  • Parameters

    Parameter Default Description
    AggregationInputPath Required UNC path to endpoint JSON files
    ReportBasePath Required Local path for reports and state
    TargetOU Domain root OU to link GPOs
    WavePrefix SecureBoot-Rollout GPO/group naming prefix
    MaxWaitHours 72 Hours before checking device reachability
    PollIntervalMinutes 1440 Minutes between status checks
    DryRun False Show what would happen without changes

    Note

    Note on PollIntervalMinutes: When running the orchestrator directly, the default is 1440 minutes (24 hours). When deployed via Deploy-OrchestratorTask.ps1, the default is 30 minutes. The deploy script passes its own default to the orchestrator. Use 30 minutes for active rollout, 1440 for maintenance monitoring.

    Optional Parameters

    Parameter Default Description
    UseWinCS False Use WinCS method instead of AvailableUpdatesPolicy GPO
    WinCSKey F33E0C8E002 WinCS key for Secure Boot configuration
    AllowListPath (none) Path to file with hostnames to ALLOW for targeted/pilot rollout. Supports .txt or .csv.
    AllowADGroup (none) AD security group of computer accounts to ALLOW. Example: "SecureBoot-Pilot-Computers"
    ExclusionListPath (none) Path to file with hostnames to EXCLUDE from rollout (VIP/executive devices)
    ExcludeADGroup (none) AD security group of computer accounts to exclude. Example: "VIP-Computers"
    ListBlockedBuckets False Display currently blocked device buckets
    UnblockBucket (none) Unblock a specific bucket. Format: "Manufacturer|Model|BIOS"
    UnblockAll False Unblock all blocked device buckets

back to "Phase 2: Secure Boot Certificate Update Orchestration Scripts"

Deploy-OrchestratorTask.ps1

  • Purpose: Deploys the orchestrator as a Windows Scheduled Task.

  • Benefits

    • No PowerShell security prompts (ExecutionPolicy Bypass)
    • Runs in background continuously
    • No user interaction required
    • Survives reboots
  • Usage

    • Deploy with domain service account (recommended)

      • Use AvailableUpdates Group Policy (Default Method)

        Note

        .\Deploy-OrchestratorTask.ps1 `
            -AggregationInputPath "\\server\SecureBootData$" `
            -ReportBasePath "C:\SecureBootReports" `
            -ServiceAccount "DOMAIN\svc_secureboot"

      • Use WinCS method

        Note

        .\Deploy-OrchestratorTask.ps1 `
            -AggregationInputPath "\\server\SecureBootData$" `
            -ReportBasePath "C:\SecureBootReports" `
            -ServiceAccount "DOMAIN\svc_secureboot" -UseWinCS

    • Deploy with SYSTEM account

      • Use AvailableUpdates Group Policy (Default Method)

        Note

        .\Deploy-OrchestratorTask.ps1 `
            -AggregationInputPath "\\server\SecureBootData$" `
            -ReportBasePath "C:\SecureBootReports"

      • Use WinCS method.\Deploy-OrchestratorTask.ps1

        Note

        -AggregationInputPath "\\server\SecureBootData$" `
            -ReportBasePath "C:\SecureBootReports"  -UseWinCS​​​​​​​

      • Service Account Requirements

        • Domain Admin (for New-GPO, New-ADGroup, Add-ADGroupMember)
        • Read access to JSON file share
        • Write access to ReportBasePath

back to "Phase 2: Secure Boot Certificate Update Orchestration Scripts"

Get-SecureBootRolloutStatus.ps1

  • Purpose: View rollout progress from any workstation.

  • What it shows

    • Scheduled task state (Running/Ready/Stopped)
    • Current wave number
    • Devices targeted vs updated
    • Visual progress bar
    • Blocked buckets summary
    • Link to latest HTML dashboard
  • Usage

    Note

    # Quick status check
    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports"

    Note

    # Continuous monitoring (refreshes every 30 seconds)
    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports" -Watch 30

    Note

    # View blocked buckets
    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports" -ShowBlocked

    Note

    # View wave history
    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports" -ShowWaves

    Note

    # View recent log
    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports" -ShowLog

    Note

    # Open dashboard in browser
    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports" -OpenDashboard

  • Parameters

    Parameter Required? Default Description
    ReportBasePath Required Local path to reports and state files
    ShowLog Optional False Display recent orchestrator log entries
    ShowBlocked Optional False Display blocked buckets details
    ShowWaves Optional False Display wave history
    Watch Optional 0 (disabled) Auto-refresh interval in seconds. Example: -Watch 30 refreshes every 30 seconds.
    OpenDashboard Optional False Open the latest HTML dashboard in the default browser
  • Sample output

    Note

    • ==============================================================
         SECURE BOOT ROLLOUT STATUS
         2026-02-17 19:30:00
      ======================================================
    • Scheduled Task: Running
    • ROLLOUT PROGRESS

    Status:              InProgress
    Current Wave:        5
    Total Targeted:      1250
    Total Updated:       847

    • Progress: [█████████████████████░░░░░░░░░░░░░░░░░░░] 67.8%
    • BLOCKED BUCKETS: 2 buckets need attention
        Run with -ShowBlocked for details
    • LATEST DASHBOARD
      C:\SecureBootReports\Aggregation_20260217_193000\SecureBoot_Dashboard.html
      __________________________________________________________________________________________

back to "Phase 2: Secure Boot Certificate Update Orchestration Scripts"

back to top

E2E Deployment Steps (Quick Reference Guide)

In this section

Phase 1: Detection Infrastructure

  • Step 1: Create Collection Share

    Note

    # On file server
    $sharePath = "D:\SecureBootData"
    New-Item -ItemType Directory -Path $sharePath -Force
    New-SmbShare -Name "SecureBootData$" -Path $sharePath -FullAccess "Domain Admins" -ChangeAccess "Domain Computers"

    Note

    # Set NTFS permissions
    $acl = Get-Acl $sharePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule("Domain Computers","Modify","Allow")
    $acl.AddAccessRule($rule)
    Set-Acl $sharePath $acl

  • Step 2: Deploy Detection GPO

    Note

    .\Deploy-GPO-SecureBootCollection.ps1 `
        -DomainName "contoso.com" `
        -OUPath "OU=Workstations,DC=contoso,DC=com" `
        -CollectionSharePath "\\server\SecureBootData$"

  • Step 3: Wait for Endpoints to Report (24-48 hours)

    Note

    Check collection progress

    (Get-ChildItem "\\server\SecureBootData$" -Filter "*.json").Count

back to "E2E Deployment Steps (Quick Reference Guide)"

Phase 2: Orchestrated Rollout

  • Step 4: Prerequisites Check

    • Detection GPO deployed (Step 2)
    • At least 50+ endpoints reporting JSON
    • Service account with Domain Admin rights
    • Management server with PowerShell 5.1+
  • Step 5: Deploy Orchestrator as Scheduled Task

    Note

    .\Deploy-OrchestratorTask.ps1 `
        -AggregationInputPath "\\server\SecureBootData$" `
        -ReportBasePath "C:\SecureBootReports" `
        -ServiceAccount "DOMAIN\svc_secureboot"

  • Step 6: Monitor Progress

    Note

    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports"

  • Step 7: View Dashboard

    Note

    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports" -OpenDashboard

  • Step 8: Manage Blocked Buckets

    Note

    # List blocked
    .\Start-SecureBootRolloutOrchestrator.ps1 -ReportBasePath "C:\SecureBootReports" -ListBlockedBuckets

    Note

    # Investigate and unblock
    .\Start-SecureBootRolloutOrchestrator.ps1 -ReportBasePath "C:\SecureBootReports" -UnblockBucket "Manufacturer|Model|BIOS"

  • Step 9: Verify Completion

    Note

    .\Get-SecureBootRolloutStatus.ps1 -ReportBasePath "C:\SecureBootReports"

    Status should show "Completed"

back to "E2E Deployment Steps (Quick Reference Guide)"

State Files

The orchestrator maintains state in ReportBasePath\RolloutState\:

File Description
RolloutState.json Wave history, targeted devices, status
BlockedBuckets.json Buckets needing investigation
DeviceHistory.json Device tracking by hostname
Orchestrator_YYYYMMDD.log Daily activity logs

back to "E2E Deployment Steps (Quick Reference Guide)"

back to top

Troubleshooting

In this section

Orchestrator Not Progressing

  1. Check scheduled task

    Note

    Get-ScheduledTask -TaskName "SecureBoot-Rollout-Orchestrator"

  2. Check logs

    Note

    Get-Content "C:\SecureBootReports\RolloutState\Orchestrator_*.log" -Tail 50

  3. Verify JSON data freshness

    Note

    (Get-ChildItem "\\server\SecureBootData$" -Filter "*.json" | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-1) }).Count

back to "Troubleshooting"

Blocked Buckets

  1. List blocked.

    Note

    .\Start-SecureBootRolloutOrchestrator.ps1 -ReportBasePath "C:\SecureBootReports" -ListBlockedBuckets

  2. Investigate device reachability.

  3. Check for firmware issues.

  4. Unblock after investigation.

back to "Troubleshooting"

GPO Not Applying

  1. Verify GPO exists.

    Note

    Get-GPO -Name "SecureBoot-Rollout-Wave*"

  2. Check security filtering.

    Note

    Get-GPPermission -Name "GPO-Name" -All

  3. Verify computer is in security group.

  4. Apply the GPO on the target.

    Note

    gpupdate /force

back to "Troubleshooting"

back to top

Change log

Change date Change description
May 12, 2026 Previously, each sample script file was published as individual articles from which you would copy-and-paste the script. Starting with the Windows updates released on and after May 12, 2026, the sample scripts are located in the %systemroot%\SecureBoot\ExampleRolloutScripts folder on your device.