Enable Secure Boot Certificate Deployment

Policy overview

Key metadata and intent for this policy.

Scope: Computer
Category: Windows Components > Secure Boot
Supported on: At least Windows Server 2012, Windows 8 or Windows RT

Supported OS tags: Windows10, Windows10RT, Windows11, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2012, WindowsServer2012R2, WindowsServer2016

This policy setting allows you to enable or disable the Secure Boot Certificate Deployment process on devices. When enabled, Windows will automatically begin the certificate deployment process on devices where this policy has been applied.

Note: This registry setting is not stored in a policy key, so it is considered a preference. Therefore, if the Group Policy Object that implements this setting is ever removed, this registry setting will remain.

Note: The Windows task that runs and processes this setting runs every 12 hours. In some cases, the updates will be held until the system reboots to safely sequence the updates.

Note: Once the certificates are applied to the firmware, you cannot undo them from Windows. If clearing the certificates is necessary, it must be done from the firmware menu interface.

For more information, see: https://aka.ms/GetSecureBoot

Internal name: SecureBoot_AvailableUpdatesPolicy
Policy ID: 3c6fc7e4fc9a
Elements: 0

Registry values

How enabled and disabled states update the registry.

Scope: Computer
Hive: HKLM
Path: SYSTEM\CurrentControlSet\Control\SecureBoot
Value name: AvailableUpdatesPolicy
Type: REG_DWORD
Enabled value: 22852
Disabled value: 0
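
Because this setting is a preference that stays in the registry after the Group Policy Object is removed, the value on the device is the reliable thing to audit. The following read-only PowerShell check is an added example, not part of the original policy page or of Microsoft's tooling; the function name is hypothetical, and it assumes the built-in Confirm-SecureBootUEFI cmdlet is available and the session is elevated.

```powershell
# Added audit example (not from the policy page). Read-only: it changes nothing.
# Path, value name and the 22852 / 0 data are taken from the registry values above.
# The function name Get-SecureBootCertDeploymentState is hypothetical.
function Get-SecureBootCertDeploymentState {
    [CmdletBinding()]
    param()

    $keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
    $valueName = 'AvailableUpdatesPolicy'

    # The value is absent on devices where the setting was never applied.
    $raw = $null
    if (Test-Path -LiteralPath $keyPath) {
        $item = Get-ItemProperty -LiteralPath $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) { $raw = $item.$valueName }
    }

    # Classify against the two values this policy writes; anything else is flagged.
    $state = if ($null -eq $raw)     { 'NotConfigured' }
             elseif ($raw -eq 22852) { 'Enabled' }
             elseif ($raw -eq 0)     { 'Disabled' }
             else                    { 'Unexpected' }

    # Confirm-SecureBootUEFI throws on non-UEFI firmware or without elevation.
    $secureBoot = try   { [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
                  catch { 'Unknown' }

    # The value persists after GPO removal, so 'Enabled' here does not prove
    # that a GPO still applies to the device.
    $note = if ($state -eq 'Enabled') {
        'Preference value present; verify separately whether a GPO still sets it.'
    } elseif ($state -eq 'Unexpected') {
        'Value differs from the Enabled (22852) and Disabled (0) data of this policy.'
    } else { $null }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        PolicyState       = $state
        RawValue          = $raw
        RawValueHex       = if ($null -ne $raw) { '0x{0:X}' -f $raw } else { $null }
        SecureBootEnabled = $secureBoot
        Note              = $note
    }
}

Get-SecureBootCertDeploymentState
```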

Policy elements

Inputs and configuration options exposed by this policy.

This policy has no additional user input fields.