Automatic Certificate Deployment via Updates

Policy overview

Key metadata and intent for this policy.

Computer
Category
Windows Components > Secure Boot
Supported on
At least Windows Server 2012, Windows 8 or Windows RT

Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

On devices for which available test results indicate that the device can process the certificate updates successfully, the updates are initiated automatically as part of the servicing updates. This policy is enabled by default. Enterprises that want to manage automatic updates themselves can use this policy to explicitly enable or disable the feature. For more information, see: https://aka.ms/GetSecureBoot

Internal name
SecureBoot_HighConfidenceOptOut
Policy ID
b219f2dd3e9f
Elements
0

Registry values

How enabled and disabled states update the registry.

Registry location
Type REG_DWORD · Computer
Path
SYSTEM\CurrentControlSet\Control\SecureBoot
Value name
HighConfidenceOptOut
Hive
HKLM
Enabled value
1
Disabled value
0

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.