Applies To
Windows 10; Windows 10, version 1607, all editions; Windows 10 Enterprise LTSC 2019; Windows 10 IoT Enterprise LTSC 2019; Windows 10 IoT Core LTSC; Windows 10 Enterprise LTSC 2021; Windows 10 IoT Enterprise LTSC 2021; Windows 10, version 22H2, all editions; Windows 11 Home and Pro, version 21H2; Windows 11 Enterprise Multi-Session, version 21H2; Windows 11 Enterprise and Education, version 21H2; Windows 11 IoT Enterprise, version 21H2; Windows 11 Home and Pro, version 22H2; Windows 11 Enterprise Multi-Session, version 22H2; Windows 11 Enterprise and Education, version 22H2; Windows 11 IoT Enterprise, version 22H2; Windows 11 SE, version 23H2; Windows 11 Home and Pro, version 23H2; Windows 11 Enterprise and Education, version 23H2; Windows 11 Enterprise Multi-Session, version 23H2; Windows 11 SE, version 24H2; Windows 11 Enterprise and Education, version 24H2; Windows 11 Enterprise Multi-Session, version 24H2; Windows 11 Home and Pro, version 24H2; Windows 11 IoT Enterprise, version 24H2; Windows Server 2012 ESU; Windows Server 2012 R2 ESU; Windows Server 2016; Windows Server 2019; Windows Server 2022; Windows Server 2025

Original Published Date: October 14, 2025

KB ID: 5068202

This article has guidance for:  

  • Organizations with IT-managed Windows devices and updates.

Availability of this support:  

  • The AvailableUpdates, UEFICA2023Status, UEFICA2023Error, HighConfidenceOptOut and MicrosoftUpdateManagedOptIn registry keys are included in updates released on or after the following dates:

    • October 14, 2025: Windows 10, version 22H2 and newer versions (including LTSC 2021, which is 21H2-based), all supported versions of Windows 11, and Windows Server 2022 and later.

    • November 11, 2025: All other versions of Windows still in support.


Introduction

This document describes support for deploying, managing, and monitoring the Secure Boot certificate updates using Windows registry keys. The keys consist of the following: 

  • One key to trigger the deployment of the certificates and boot manager on the device.

  • Two keys for monitoring status of the deployment.

  • Two keys for managing the opt-in/opt-out settings for the two available deployment assists.

These registry keys can be set manually on the device or remotely through fleet management software. Other deployment methods, such as Group Policy, Intune, and WinCS, are described in the article Windows devices for businesses and organizations with IT-managed updates.

Secure Boot registry keys


Registry keys

The Secure Boot registry values described in this document sit under two adjacent paths. Windows writes the status values (UEFICA2023Status and UEFICA2023Error) under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing

The trigger value (AvailableUpdates) and the opt-out value (HighConfidenceOptOut) are set one level up, under the parent key that the test command and the Opt-out section later in this article also use:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot

The following entries describe each of the registry values (value name, type, description and usage).

AvailableUpdates

Type: REG_DWORD (bitmask)

Update trigger flags. Controls which Secure Boot update actions are performed on the device. Setting the appropriate bits initiates the deployment of the new Secure Boot certificates and related updates. For enterprise deployment, set this value to 0x5944 (hex), which enables all relevant updates: adding the new 2023 CA certificates, updating the KEK, and installing the new boot manager.

Settings:

  • 0 or not set – No Secure Boot key updates are performed.

  • 0x5944 – Deploy all needed certificates and update to the PCA2023-signed boot manager.

UEFICA2023Status

Type: REG_SZ (string)

Deployment status indicator. Reflects the current state of the Secure Boot key update on the device. It is set to one of the following text values:

  • NotStarted: The update has not yet run.

  • InProgress: The update is actively in progress.

  • Updated: The update has completed successfully.

Initially the status is NotStarted. It changes to InProgress once the update begins, and finally to Updated when all new keys and the new boot manager have been deployed. If there is an error, the UEFICA2023Error registry value is set to a non-zero code.

UEFICA2023Error

Type: REG_DWORD (code)

Error code (if any). This value remains 0 on success. If the update process encounters a fault, UEFICA2023Error is set to a non-zero error code corresponding to the first error encountered. A non-zero value means the Secure Boot update did not fully succeed and may require investigation or remediation on that device.

For example, if updating the DB (database of trusted signatures) failed because of a firmware issue, this value shows an error code that can be mapped to an event log entry or a documented error ID in Secure Boot DB and DBX variable update events.

HighConfidenceOptOut

Type: REG_DWORD

An opt-out option. For enterprises that want to opt out of the high-confidence buckets that are applied automatically as part of the latest cumulative update (LCU). Set this value to a non-zero value (1 is the documented setting) to opt out.

Settings:

  • 0 or value does not exist – Opt-in (default)

  • 1 – Opt-out

MicrosoftUpdateManagedOptIn

Type: REG_DWORD

An opt-in option. For enterprises that want to opt in to Controlled Feature Rollout (CFR) servicing, also known as Microsoft Managed.

In addition to setting this value, allow the sending of required diagnostic data (see Configure Windows diagnostic data in your organization).

Settings:

  • 0 or value does not exist – Opt-out (default)

  • 1 – Opt-in

How these keys work together

The IT admin configures the AvailableUpdates registry value to 0x5944, which signals Windows to execute the Secure Boot key update and installation on the device.

As the process runs, the system updates UEFICA2023Status from NotStarted to InProgress, and finally to Updated upon success. As each bit in 0x5944 is processed successfully, it is cleared.

If any step fails, an error code is recorded in UEFICA2023Error (and the status remains InProgress).

This mechanism gives administrators a clear way to trigger and track the rollout per device. 
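The following PowerShell is an added example, not code from this article or from Microsoft: it reads the values just described on the local device and collapses them into a single phase using the rules above (error recorded, status Updated, request bits still set, and so on). The phase names are this example's own, as is the path split it assumes (AvailableUpdates and HighConfidenceOptOut under Control\Secureboot, the status values under Control\SecureBoot\Servicing, matching the commands used elsewhere in this article).

```powershell
# Example only: decode the Secure Boot servicing registry values into one phase.
# Run from an elevated prompt; the values are readable without elevation but the
# trigger key may not exist until an administrator sets it.

$script:TriggerPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'          # assumed per the test command
$script:StatusPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' # status values
$script:FullUpdate  = 0x5944   # requests all 2023 certificates, the KEK update and the new boot manager

function Get-RegValue {
    # Returns a registry value, or $Default when the key or value is absent.
    param([string]$Path, [string]$Name, $Default = $null)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return $item.$Name
}

function Get-SecureBootServicingState {
    $available = [int](Get-RegValue $script:TriggerPath 'AvailableUpdates' 0)
    $status    = [string](Get-RegValue $script:StatusPath 'UEFICA2023Status' 'NotStarted')
    $errorCode = [int](Get-RegValue $script:StatusPath 'UEFICA2023Error' 0)
    $hcOptOut  = [int](Get-RegValue $script:TriggerPath 'HighConfidenceOptOut' 0)

    # Bits of the 0x5944 request that the servicing task has not cleared yet.
    $remaining = $available -band $script:FullUpdate

    # Phase names are this example's own; the ordering follows the article's rules.
    $phase =
        if ($errorCode -ne 0)             { 'Failed' }        # first error recorded; status stays InProgress
        elseif ($status -eq 'Updated')    { 'Completed' }     # every bit processed, new boot manager in place
        elseif ($available -eq 0)         { 'NotTriggered' }  # nothing has been requested on this device
        elseif ($status -eq 'NotStarted') { 'Triggered' }     # the 12-hourly task has not picked it up yet
        else                              { 'InProgress' }    # partly done; the boot manager step may wait for a restart

    $assist = if ($hcOptOut -eq 0) { 'Enabled (default)' } else { 'Disabled (opted out)' }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        Phase                = $phase
        AvailableUpdates     = '0x{0:X4}' -f $available
        RemainingRequestBits = '0x{0:X4}' -f $remaining
        UEFICA2023Status     = $status
        UEFICA2023Error      = '0x{0:X8}' -f $errorCode   # two's-complement hex, so HRESULT-style codes print as stored
        HighConfidenceAssist = $assist
    }
}

Get-SecureBootServicingState | Format-List
```

A device that shows Phase = InProgress with RemainingRequestBits still non-zero and no error is usually waiting on a restart rather than failing; only a non-zero UEFICA2023Error should be treated as a fault.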

Deployment using registry keys 

Deployment to a group of devices consists of the following steps: 

  1. Set the AvailableUpdates registry value to 0x5944 on each of the devices to be updated.

  2. Monitor the UEFICA2023Status and UEFICA2023Error registry keys to see that the devices are making progress. Remember that the task that processes these updates runs once every 12 hours. Note that the boot manager update may not happen until after a restart occurs.

  3. Investigate issues if they occur. If UEFICA2023Error is non-zero on a device, you can check the event log for events related to this issue. See Secure Boot DB and DBX variable update events for a complete list of Secure Boot events.

A note about restarts: While a restart might be required to complete the process, initiating the deployment of the Secure Boot updates will not cause a restart. If a restart is needed, the Secure Boot deployment relies on restarts happening as the normal course of using the device. 
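The three steps above scale to a device list with PowerShell Remoting. The script below is an added example, not Microsoft's tooling: it sets AvailableUpdates on each target (step 1), polls the status and error values (step 2) and flags devices that need investigation (step 3). It assumes WinRM is enabled and the caller is a local administrator on each target; the computer names are placeholders, the hourly poll interval is arbitrary, and it deliberately does not force the servicing task or a restart, so completion follows the devices' normal reboot cadence.

```powershell
# Example only: fleet deployment and monitoring of the Secure Boot certificate update.
$Targets     = @('LAB-PC-01', 'LAB-PC-02', 'LAB-PC-03')   # placeholder names
$TriggerPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$StatusPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'

# Step 1: request every certificate update plus the PCA2023-signed boot manager.
# Only the flag is set; the servicing task runs within 12 hours and never forces a restart.
function Request-SecureBootCertUpdate {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $TriggerPath -ScriptBlock {
        param($Path)
        New-ItemProperty -Path $Path -Name 'AvailableUpdates' -PropertyType DWord -Value 0x5944 -Force | Out-Null
        "$($env:COMPUTERNAME): AvailableUpdates set to 0x5944"
    }
}

# Step 2: read the status and error values from every device in one pass.
function Get-SecureBootCertUpdateReport {
    param([string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ArgumentList $TriggerPath, $StatusPath -ScriptBlock {
        param($TriggerPath, $StatusPath)
        $trig = Get-ItemProperty -Path $TriggerPath -ErrorAction SilentlyContinue
        $stat = Get-ItemProperty -Path $StatusPath  -ErrorAction SilentlyContinue
        $err  = [int]$stat.UEFICA2023Error
        [pscustomobject]@{
            Computer         = $env:COMPUTERNAME
            AvailableUpdates = '0x{0:X4}' -f [int]$trig.AvailableUpdates   # non-zero = work still queued
            Status           = [string]$stat.UEFICA2023Status
            Error            = '0x{0:X8}' -f $err
            NeedsAttention   = ($err -ne 0)                                  # step 3 trigger
        }
    } | Select-Object Computer, AvailableUpdates, Status, Error, NeedsAttention
}

Request-SecureBootCertUpdate -ComputerName $Targets

# Poll until each device is Updated or has recorded an error. In production run this
# from a scheduled job; restarts happen on the users' schedule, so expect days, not minutes.
do {
    $report = Get-SecureBootCertUpdateReport -ComputerName $Targets
    $report | Format-Table -AutoSize
    $pending = @($report | Where-Object { $_.Status -ne 'Updated' -and -not $_.NeedsAttention })
    if ($pending.Count -gt 0) { Start-Sleep -Seconds 3600 }
} while ($pending.Count -gt 0)

# Step 3: surface the devices whose first error was recorded for event-log investigation.
$report | Where-Object NeedsAttention | ForEach-Object {
    Write-Warning "$($_.Computer): UEFICA2023Error=$($_.Error); check the Secure Boot DB/DBX update events in the System log"
}
```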

Device testing using registry keys 

When testing individual devices to confirm that they process the updates correctly, setting the registry keys directly is a straightforward way to test.

To test, run each of the following commands separately from an administrator PowerShell prompt: 

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

The first command initiates the certificate and boot manager deployment on the device. The second command causes the task that processes the AvailableUpdates registry key to run right away. Normally the task runs every 12 hours. 

You can find the results by observing the UEFICA2023Status and UEFICA2023Error registry keys and the event logs, as described in Secure Boot DB and DBX variable update events.
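The two test commands above can be wrapped so that the script waits for the Secure-Boot-Update task to finish before reading the results, rather than guessing a sleep. The function below is an added example and not part of this article: it sets the trigger, starts the task, waits for it to leave the Running state, then prints the status values and the events logged since the test started. The event provider name (Microsoft-Windows-TPM-WMI, which logs the Secure Boot DB/DBX events to the System log) is this example's assumption; confirm it against the linked events article.

```powershell
# Example only: single-device Secure Boot update test with task wait and event capture.
# Run from an elevated PowerShell prompt.
function Invoke-SecureBootUpdateTest {
    param([int]$TimeoutSeconds = 600)

    $triggerPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
    $statusPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $taskName    = 'Secure-Boot-Update'
    $taskPath    = '\Microsoft\Windows\PI\'
    $started     = Get-Date

    # Same effect as the reg add command above: request all certificates and the new boot manager.
    New-ItemProperty -Path $triggerPath -Name 'AvailableUpdates' -PropertyType DWord -Value 0x5944 -Force | Out-Null

    # Same effect as the Start-ScheduledTask command above, using the documented -TaskPath form.
    Start-ScheduledTask -TaskName $taskName -TaskPath $taskPath

    # Wait for the task to stop running (or for the timeout) before reading results.
    $deadline = $started.AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $task = Get-ScheduledTask -TaskName $taskName -TaskPath $taskPath
    } while ($task.State -eq 'Running' -and (Get-Date) -lt $deadline)

    $info = $task | Get-ScheduledTaskInfo
    $trig = Get-ItemProperty -Path $triggerPath -ErrorAction SilentlyContinue
    $stat = Get-ItemProperty -Path $statusPath  -ErrorAction SilentlyContinue

    [pscustomobject]@{
        TaskState        = $task.State
        TaskLastResult   = '0x{0:X8}' -f [uint32]$info.LastTaskResult
        AvailableUpdates = '0x{0:X4}' -f [int]$trig.AvailableUpdates   # bits still set = work left, often until a restart
        UEFICA2023Status = $stat.UEFICA2023Status
        UEFICA2023Error  = '0x{0:X8}' -f [int]$stat.UEFICA2023Error
    } | Format-List

    # Events written since the test began. Provider name is an assumption (see lead-in);
    # -ErrorAction SilentlyContinue absorbs the "no events found" error.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-TPM-WMI'; StartTime = $started
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
}

Invoke-SecureBootUpdateTest
```

Because the boot manager step may not run until the next restart, a first pass that leaves AvailableUpdates non-zero with UEFICA2023Status = InProgress and UEFICA2023Error = 0 is expected; rerun the function after a restart to see the final state.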

Opt-in and opt-out for assists 

The HighConfidenceOptOut and MicrosoftUpdateManagedOptIn registry keys manage the two deployment "assists" described in Windows devices with IT-managed updates:

  • The HighConfidenceOptOut registry key controls automatic updating through the cumulative updates. Where Microsoft has observed devices with the same metadata (the same bucket) updating successfully, matching devices are considered "high confidence" and receive the Secure Boot certificate updates automatically. The default is opted in; setting the value to 1 opts out.

  • The MicrosoftUpdateManagedOptIn registry key lets IT departments opt in to automatic deployment managed by Microsoft. This setting is disabled by default; setting it to 1 opts in. It also requires that the device be configured to send diagnostic data (see Configure Windows diagnostic data in your organization).

Supported versions of Windows

This table further breaks down the support based on registry key.

Keys: AvailableUpdates, UEFICA2023Status, UEFICA2023Error

Supported versions of Windows: All versions of Windows that support Secure Boot (Windows Server 2012 and later Windows versions).

Keys: HighConfidenceOptOut, MicrosoftUpdateManagedOptIn

Supported versions of Windows:

  • Windows 10, versions LTSC and 22H2

  • Windows 11, versions 22H2 and 23H2

  • Windows 11, version 24H2

  • Windows Server 2025

Note: While the confidence data is gathered on Windows 10 (LTSC and 22H2) and later versions of Windows, it can be applied to devices running earlier versions of Windows.

Secure Boot error events

Error events have a critical reporting function: they report Secure Boot status and progress. For information about the error events, see Secure Boot DB and DBX variable update events. The error events are being updated with additional event information for Secure Boot.

Additional component changes for Secure Boot 


TPMTasks changes 

TPMTasks is being modified to determine whether the device has the updated Secure Boot certificates. Currently it can make that determination, but only if CFR selects a machine for update; the determination and the resulting logging should happen in every boot session regardless of CFR. If the Secure Boot certificates are not fully up to date, TPMTasks emits the two error events (see Secure Boot error events above). If the certificates are up to date, it emits the Information event. The Secure Boot certificates that are checked are:

  • Windows UEFI CA 2023

  • Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 – These two CAs are required only if the Microsoft UEFI CA 2011 is present in the DB. If the Microsoft UEFI CA 2011 is not present, no check is needed for them.

  • Microsoft Corporation KEK 2K CA 2023
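The certificate check above can be reproduced from an elevated PowerShell prompt by reading the db and KEK variables with Get-SecureBootUEFI and walking the EFI_SIGNATURE_LIST structures they contain. The code below is an added example, not Microsoft's TPMTasks implementation: the list layout follows the UEFI specification (16-byte SignatureType GUID, three UINT32 sizes, then SignatureOwner GUID plus DER certificate per entry), subject names are matched as substrings of the certificate common name, and "Microsoft Corporation UEFI CA 2011" is assumed to be the certificate the article calls Microsoft UEFI CA 2011. It requires the SecureBoot module and Secure Boot firmware support.

```powershell
# Example only: check which 2023 Secure Boot CAs are present in db and KEK.
$EfiCertX509 = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID

function Get-EfiX509Certs {
    # Parses consecutive EFI_SIGNATURE_LISTs and returns the X.509 certificates found.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $certs = New-Object System.Collections.Generic.List[object]
    $off = 0
    while ($off + 28 -le $Bytes.Length) {
        $type     = [guid]::new([byte[]]$Bytes[$off..($off + 15)])
        $listSize = [BitConverter]::ToUInt32($Bytes, $off + 16)
        $hdrSize  = [BitConverter]::ToUInt32($Bytes, $off + 20)
        $sigSize  = [BitConverter]::ToUInt32($Bytes, $off + 24)
        if ($listSize -lt 28 -or $off + $listSize -gt $Bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $off"   # refuse to read past the variable
        }
        if ($type -eq $EfiCertX509 -and $sigSize -gt 16) {
            $pos = $off + 28 + $hdrSize
            # EFI_SIGNATURE_DATA = SignatureOwner GUID (16 bytes) followed by the DER certificate
            while ($pos + $sigSize -le $off + $listSize) {
                $der = [byte[]]$Bytes[($pos + 16)..($pos + $sigSize - 1)]
                $certs.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
                $pos += $sigSize
            }
        }
        $off += $listSize   # hash-type lists (SHA-256 entries in db/dbx) are skipped here
    }
    return $certs
}

function Test-SecureBoot2023Certificates {
    $dbNames  = Get-EfiX509Certs -Bytes (Get-SecureBootUEFI -Name db).Bytes  |
                ForEach-Object { $_.GetNameInfo('SimpleName', $false) }
    $kekNames = Get-EfiX509Certs -Bytes (Get-SecureBootUEFI -Name KEK).Bytes |
                ForEach-Object { $_.GetNameInfo('SimpleName', $false) }

    $required = @(
        @{ Store = 'db';  Name = 'Windows UEFI CA 2023';                 Names = $dbNames }
        @{ Store = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023'; Names = $kekNames }
    )
    # The 2023 third-party CAs are only expected where the 2011 third-party CA is in db.
    if ($dbNames -match 'Microsoft Corporation UEFI CA 2011') {
        $required += @{ Store = 'db'; Name = 'Microsoft UEFI CA 2023';            Names = $dbNames }
        $required += @{ Store = 'db'; Name = 'Microsoft Option ROM UEFI CA 2023'; Names = $dbNames }
    }

    foreach ($r in $required) {
        [pscustomobject]@{
            Store       = $r.Store
            Certificate = $r.Name
            Present     = [bool]($r.Names | Where-Object { $_ -like "*$($r.Name)*" })
        }
    }
}

Test-SecureBoot2023Certificates | Format-Table -AutoSize
```

Any row with Present = False corresponds to a certificate the servicing task still has to install (or, for the third-party pair, one that is expected because the 2011 third-party CA is still trusted); compare the output with UEFICA2023Status before assuming a failure, since a pending restart produces the same picture.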

Machine metadata event 

This event will gather the machine meta-data and issue the following event:

  • BucketId + Confidence Rating event   

This event will use the meta-data of the machine to find the corresponding entry in the database of machines (bucket entry). The machine will format and emit an event with this data along with any confidence information regarding the bucket.

High-confidence device assist

For devices in high-confidence buckets, the Secure Boot certificates and the 2023-signed boot manager are applied automatically.

The update is triggered at the same time as the two error events are generated, provided the BucketId + Confidence Rating event includes a high-confidence rating.

Opt-out

For customers who want to opt out, a new registry key will be available as follows:

Registry location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot

Value name: HighConfidenceOptOut

Type: REG_DWORD

Settings:

  • 0 or value does not exist – High-confidence assist is enabled.

  • 1 – High-confidence assist is disabled.

  • Any other value is undefined.
