Content Release: Support for Microsoft Windows Secure Boot Certificate Updates

The BigFix Patch Team is pleased to announce the release of new content in the Patches for Windows site to support the assessment and renewal of Microsoft Secure Boot Certificates.

Background

Starting in June 2026, the three original Certificate Authorities (CAs) provided by Microsoft for Secure Boot (KEK CA 2011, Windows Production PCA 2011, and UEFI CA 2011) will begin to expire. To maintain Secure Boot functionality and ensure devices can continue to receive security updates for boot components, systems must be updated to the new 2023 certificates.

What is Included

1. Assessment: Microsoft Windows Secure Boot Inventory Data

  • Analysis ID: 660
  • Site: Patches for Windows
  • Details: This analysis allows you to monitor the transition and verify the Secure Boot status across your environment. It retrieves critical data points including UEFI CA 2023 Status, Error codes, Secure Boot enablement, and OEM-specific firmware details.

2. Remediation: Windows Secure Boot certificate expiration and CA updates

  • Fixlet ID: 506820201 (KB5068202)
  • Site: Patches for Windows
  • Details: This Fixlet automates the registry configuration (AvailableUpdates set to 0x5944) required to signal Windows to execute the certificate update.
  • Action: The Fixlet includes two actions, both of which require a reboot to complete the firmware-level update process.

Important Deployment Notes

  • Test Before Mass Deployment: Because this process involves firmware/UEFI variables, we strongly recommend testing this content on representative hardware models in your environment before a broad rollout.
  • OEM Compatibility: Please consult your Original Equipment Manufacturer (OEM) documentation to ensure your hardware supports these Secure Boot updates.
  • Success Criteria: Once the Fixlet is applied and the system is rebooted, the UEFICA2023Status (tracked via Analysis 660) should transition from NotStarted to Updated.

For full technical details, please refer to the official KB article: KB0129014 - BigFix Support for Windows Secure Boot Certificate Updates

Published site version:
Patches for Windows, version 4680

Additional Links:
Microsoft Secure Boot Certificate updates: Guidance for IT professionals and organizations

3 Likes
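A read-only spot check for the success criteria described in the post, as an added example that is not part of the announcement or of the BigFix content. The registry locations (`Control\SecureBoot` and its `Servicing` subkey) and the `UEFICA2023Error` value name are assumptions taken from Microsoft's Secure Boot guidance rather than from this page, and the function names are hypothetical. Run it from an elevated PowerShell session.

```powershell
# Added example: reports the Secure Boot certificate rollout state of the local
# machine without changing anything.
# Assumption (not from the announcement): registry locations per Microsoft guidance.
$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = Join-Path $SecureBootKey 'Servicing'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null instead of throwing when the key or value is absent.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SecureBootCaRollout {
    # Confirm-SecureBootUEFI fails on legacy BIOS systems and when not elevated;
    # keep the message so the verdict says why the state is unknown.
    $sbError = $null
    try   { $enabled = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $enabled = $null; $sbError = $_.Exception.Message }

    $available = Get-RegValue $SecureBootKey 'AvailableUpdates'
    $status    = Get-RegValue $ServicingKey  'UEFICA2023Status'
    $errorCode = Get-RegValue $ServicingKey  'UEFICA2023Error'

    # Order matters: an error or a disabled Secure Boot outranks any status text.
    $verdict = if ($null -eq $enabled) { "Unknown: $sbError" }
        elseif (-not $enabled)         { 'Review: Secure Boot is disabled' }
        elseif ($errorCode)            { 'Failed: check the error code and OEM firmware' }
        elseif ($status -eq 'Updated') { 'Done: 2023 certificates applied' }
        elseif ($available)            { 'Pending: AvailableUpdates is set, status not yet Updated' }
        else                           { 'NotStarted: update has not been signalled' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SecureBootOn     = $enabled
        AvailableUpdates = if ($null -ne $available) { '0x{0:X4}' -f $available } else { $null }
        UEFICA2023Status = $status
        UEFICA2023Error  = $errorCode
        Verdict          = $verdict
    }
}

Get-SecureBootCaRollout | Format-List
```

On a pilot machine, run it once before the Fixlet, once after the action, and once after the reboot to watch the verdict move from NotStarted through Pending to Done.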